Analysis Report TGSKU7q5IQ.exe

Overview

General Information

Sample Name:TGSKU7q5IQ.exe
MD5:33f9abb5fcb1ee4a1a3e001d059225b8
SHA1:5f207875c1ca0963f8cb0a0f2c8558fc37fa27a4
SHA256:1dd89cec8476c901750387a54eb0cce63addcb6037d96de9a78fd736531f9390

Detection

FormBook
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Benign windows process drops PE files
Detected FormBook malware
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Yara detected FormBook
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Searches the installation path of Mozilla Firefox
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Startup

  • System is w10x64
  • TGSKU7q5IQ.exe (PID: 2952 cmdline: 'C:\Users\user\Desktop\TGSKU7q5IQ.exe' MD5: 33F9ABB5FCB1EE4A1A3E001D059225B8)
    • explorer.exe (PID: 2880 cmdline: MD5: E4A81EDDFF8B844D85C8B45354E4144E)
      • wscript.exe (PID: 1176 cmdline: C:\Windows\SysWOW64\wscript.exe MD5: 7075DD7B9BE8807FCA93ACD86F724884)
        • cmd.exe (PID: 1432 cmdline: /c del 'C:\Users\user\Desktop\TGSKU7q5IQ.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
          • conhost.exe (PID: 2760 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • ulhdmvehff-42.exe (PID: 2988 cmdline: C:\Program Files (x86)\Uxxdph\ulhdmvehff-42.exe MD5: 33F9ABB5FCB1EE4A1A3E001D059225B8)
      • ulhdmvehff-42.exe (PID: 3620 cmdline: 'C:\Program Files (x86)\Uxxdph\ulhdmvehff-42.exe' MD5: 33F9ABB5FCB1EE4A1A3E001D059225B8)
      • colorcpl.exe (PID: 476 cmdline: C:\Windows\SysWOW64\colorcpl.exe MD5: 746F3B5E7652EA0766BA10414D317981)
      • control.exe (PID: 4432 cmdline: C:\Windows\SysWOW64\control.exe MD5: 40FBA3FBFD5E33E0DE1BA45472FDA66F)
  • cleanup
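
The tree above is the record a detection engineer would want to match on: explorer.exe starts bare 32-bit system binaries (wscript.exe, colorcpl.exe, control.exe) after being injected into, the script host runs with no script, and cmd.exe deletes the original sample. The following is an added example, not Joe Sandbox code or output: the events are constructed to mirror the tree (field names follow Sysmon Event ID 1 ProcessCreate; the parent PID of explorer.exe and the benign control record are made up), and the three rules are this example's own heuristics for that behaviour.

```python
"""Flag the FormBook-style process chain from process-creation events.

Added example (not part of the Joe Sandbox report). EVENTS mirrors the
report's Startup tree; explorer.exe's parent PID and PID 5000 are made up.
"""
from __future__ import annotations

import ntpath
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full path of the created process
    cmdline: str    # command line as logged (may be empty)


SYSWOW64 = ntpath.normcase(r"C:\Windows\SysWOW64")
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
DEL_RE = re.compile(r"/c\s+del\s+['\"]?(.+?)['\"]?\s*$", re.IGNORECASE)

# Constructed records mirroring the report's Startup tree.
EVENTS = [
    ProcEvent(2880, 0, r"C:\Windows\explorer.exe", ""),  # pre-existing shell; ppid made up
    ProcEvent(2952, 2880, r"C:\Users\user\Desktop\TGSKU7q5IQ.exe",
              r"'C:\Users\user\Desktop\TGSKU7q5IQ.exe'"),
    ProcEvent(1176, 2880, r"C:\Windows\SysWOW64\wscript.exe", r"C:\Windows\SysWOW64\wscript.exe"),
    ProcEvent(1432, 1176, r"C:\Windows\SysWOW64\cmd.exe",
              r"/c del 'C:\Users\user\Desktop\TGSKU7q5IQ.exe'"),
    ProcEvent(2988, 2880, r"C:\Program Files (x86)\Uxxdph\ulhdmvehff-42.exe",
              r"C:\Program Files (x86)\Uxxdph\ulhdmvehff-42.exe"),
    ProcEvent(476, 2880, r"C:\Windows\SysWOW64\colorcpl.exe", r"C:\Windows\SysWOW64\colorcpl.exe"),
    ProcEvent(4432, 2880, r"C:\Windows\SysWOW64\control.exe", r"C:\Windows\SysWOW64\control.exe"),
    # benign control (made up): a script host launched the normal way
    ProcEvent(5000, 2880, r"C:\Windows\System32\wscript.exe",
              r'"C:\Windows\System32\wscript.exe" C:\scripts\logon.vbs'),
]


def _split_cmdline(cmdline: str) -> tuple[str, str]:
    """Split a Windows command line into (first token, remaining arguments)."""
    s = cmdline.strip()
    if s[:1] in ("'", '"'):
        end = s.find(s[0], 1)
        if end != -1:
            return s[1:end], s[end + 1:].strip()
    head, _, rest = s.partition(" ")
    return head, rest.strip()


def find_suspicious(events: list[ProcEvent]) -> list[tuple[int, str]]:
    """Return (pid, reason) pairs for events that match any of the three rules."""
    by_pid = {e.pid: e for e in events}
    known_images = {ntpath.normcase(e.image) for e in events}
    hits = []
    for e in events:
        base = ntpath.basename(e.image).lower()
        parent = by_pid.get(e.ppid)
        parent_base = ntpath.basename(parent.image).lower() if parent else ""
        _, args = _split_cmdline(e.cmdline)

        # Rule 1: wscript/cscript always take a script; none means the process
        # was most likely created only as a shell for injected code.
        if base in SCRIPT_HOSTS and args == "":
            hits.append((e.pid, "script host started without a script"))

        # Rule 2: explorer.exe starting a 32-bit system binary with an empty
        # argument list is the injected-process pattern seen in the tree.
        if (parent_base == "explorer.exe" and args == ""
                and ntpath.normcase(ntpath.dirname(e.image)) == SYSWOW64):
            hits.append((e.pid, "explorer.exe started a SysWOW64 binary with no arguments"))

        # Rule 3: cmd.exe /c del of a file that appears as a process image
        # elsewhere in the log, i.e. the sample removing itself by proxy.
        m = DEL_RE.search(e.cmdline) if base == "cmd.exe" else None
        if m and ntpath.normcase(m.group(1)) in known_images:
            hits.append((e.pid, f"cmd.exe deletes an executed image: {m.group(1)}"))
    return hits


if __name__ == "__main__":
    for pid, why in find_suspicious(EVENTS):
        print(f"PID {pid}: {why}")
```

Rule 2 is deliberately narrow (explorer.exe parent, SysWOW64 directory, empty arguments) so that it does not fire on normal 64-bit shell activity; the dropped copy under Program Files (x86) is not caught by it and would need a separate rule on unsigned binaries in freshly created Program Files subdirectories, which the report does not give enough detail to write.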

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author (matched strings are listed under each row)
0000000D.00000002.946677472.0000000005AF0000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
0000000D.00000002.946677472.0000000005AF0000.00000040.00000001.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x18429:$sqlite3step: 68 34 1C 7B E1
  • 0x1853c:$sqlite3step: 68 34 1C 7B E1
  • 0x18458:$sqlite3text: 68 38 2A 90 C5
  • 0x1857d:$sqlite3text: 68 38 2A 90 C5
  • 0x1846b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x18593:$sqlite3blob: 68 53 D8 7F 8C
0000000D.00000002.946677472.0000000005AF0000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x98b8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b22:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x157a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x15291:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x158a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x15a1f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa69a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1450c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb393:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1ab17:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1bb1a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000000.00000002.600001330.0000000005B80000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000000.00000002.600001330.0000000005B80000.00000040.00000001.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x18429:$sqlite3step: 68 34 1C 7B E1
  • 0x1853c:$sqlite3step: 68 34 1C 7B E1
  • 0x18458:$sqlite3text: 68 38 2A 90 C5
  • 0x1857d:$sqlite3text: 68 38 2A 90 C5
  • 0x1846b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x18593:$sqlite3blob: 68 53 D8 7F 8C
(43 entries in total; the remaining entries are omitted here)

Unpacked PEs

Source | Rule | Description | Author (matched strings are listed under each row)
0.2.TGSKU7q5IQ.exe.5940000.4.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
0.2.TGSKU7q5IQ.exe.5940000.4.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x17629:$sqlite3step: 68 34 1C 7B E1
  • 0x1773c:$sqlite3step: 68 34 1C 7B E1
  • 0x17658:$sqlite3text: 68 38 2A 90 C5
  • 0x1777d:$sqlite3text: 68 38 2A 90 C5
  • 0x1766b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x17793:$sqlite3blob: 68 53 D8 7F 8C
0.2.TGSKU7q5IQ.exe.5940000.4.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x8ab8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8d22:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x149a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14491:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x14aa7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x14c1f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x989a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1370c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa593:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19d17:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1ad1a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
13.2.ulhdmvehff-42.exe.5af0000.4.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
13.2.ulhdmvehff-42.exe.5af0000.4.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x17629:$sqlite3step: 68 34 1C 7B E1
  • 0x1773c:$sqlite3step: 68 34 1C 7B E1
  • 0x17658:$sqlite3text: 68 38 2A 90 C5
  • 0x1777d:$sqlite3text: 68 38 2A 90 C5
  • 0x1766b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x17793:$sqlite3blob: 68 53 D8 7F 8C
(13 entries in total; the remaining entries are omitted here)
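
The three JPCERT/CC strings that hit above are each a five-byte x86 instruction: opcode 0x68 (push imm32) followed by a little-endian 32-bit constant, which is why the rule matches unpacked code in memory and unpacked PEs rather than the packed file on disk. The scanner below is an added example, not the report's code and not JPCERT/CC's rule file: only the three pattern names and their bytes are taken from the matches above; the "all three must be present" condition is this example's assumption (the report does not reproduce the rule's condition), and the memory image is constructed, not a dump of the sample.

```python
"""Scan a memory image for the three byte patterns of the JPCERT/CC
'Formbook' rule and decode the constant each pattern pushes.

Added example (not from the report). The all-of-them condition is an
assumption; build_sample() returns a constructed region, not sample memory.
"""
from __future__ import annotations

import struct

# Patterns exactly as listed in the report's Yara matches.
PATTERNS = {
    "$sqlite3step": bytes.fromhex("68 34 1c 7b e1"),
    "$sqlite3text": bytes.fromhex("68 38 2a 90 c5"),
    "$sqlite3blob": bytes.fromhex("68 53 d8 7f 8c"),
}


def find_all(buf: bytes, needle: bytes) -> list[int]:
    """Every offset of needle in buf, including overlapping occurrences."""
    hits, start = [], 0
    while (i := buf.find(needle, start)) != -1:
        hits.append(i)
        start = i + 1
    return hits


def scan(buf: bytes) -> dict[str, list[int]]:
    """Offsets per pattern name (empty list when a pattern is absent)."""
    return {name: find_all(buf, pat) for name, pat in PATTERNS.items()}


def rule_matches(buf: bytes) -> bool:
    """Assumed condition: all three patterns present at least once."""
    return all(scan(buf).values())


def push_immediate(pattern: bytes) -> int:
    """Each pattern is x86 'push imm32' (opcode 0x68) plus a little-endian
    32-bit constant; return the constant the code pushes."""
    if len(pattern) != 5 or pattern[0] != 0x68:
        raise ValueError("not a push imm32 encoding")
    return struct.unpack("<I", pattern[1:])[0]


def report(buf: bytes) -> list[str]:
    """Hit lines in the report's own '0xOFFSET:$name: HH HH ...' format."""
    return [f"0x{off:x}:{name}: {PATTERNS[name].hex(' ').upper()}"
            for name, offs in scan(buf).items() for off in offs]


def build_sample() -> bytes:
    """Constructed region: NOP filler with every pattern planted twice, as the
    report shows two hits per string (the offsets here are arbitrary)."""
    buf = bytearray(b"\x90" * 0x400)
    for name, off in [("$sqlite3step", 0x29), ("$sqlite3text", 0x58),
                      ("$sqlite3blob", 0x6b), ("$sqlite3step", 0x13c),
                      ("$sqlite3text", 0x17d), ("$sqlite3blob", 0x193)]:
        buf[off:off + 5] = PATTERNS[name]
    return bytes(buf)


if __name__ == "__main__":
    sample = build_sample()
    print("\n".join(report(sample)))
    for name, pat in PATTERNS.items():
        print(f"{name} = push 0x{push_immediate(pat):08X}")
    print("rule matches:", rule_matches(sample))
```

The constants decode to 0xE17B1C34, 0xC5902A38 and 0x8C7FD853. The rule names them after sqlite3 calls, which fits the browser-credential-theft signatures listed for this sample, and every region in the report shows each constant twice at nearby offsets, consistent with two code paths pushing the same values. Because the bytes are instruction encodings, the rule is only useful against unpacked code (memory dumps, unpacked PEs), which is exactly where the report applies it.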

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Antivirus / Scanner detection for submitted sample
Source: TGSKU7q5IQ.exe | Avira: detected
Antivirus detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\Uxxdph\ulhdmvehff-42.exe | Avira: detection malicious, Label: HEUR/AGEN.1043114
Multi AV Scanner detection for domain / URL
Source: http://www.porcber.com | Virustotal: Detection: 7%
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\Uxxdph\ulhdmvehff-42.exe | Virustotal: Detection: 21%
Source: C:\Users\user\AppData\Local\Temp\Uxxdph\ulhdmvehff-42.exe | ReversingLabs: Detection: 18%
Multi AV Scanner detection for submitted file
Source: TGSKU7q5IQ.exe | Virustotal: Detection: 21%
Source: TGSKU7q5IQ.exe | ReversingLabs: Detection: 18%
Yara detected FormBook
Source: Yara match | File source: 0000000D.00000002.946677472.0000000005AF0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.600001330.0000000005B80000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.951930736.0000000002D70000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.600153081.0000000005BB0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.960900832.0000000005470000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.946959841.0000000005C30000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.949904089.0000000003DDA000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.596232022.000000000435A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.962183193.00000000056B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.948565462.0000000000C40000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000010.00000002.941661387.00000000004E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.942884986.000000000457A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.947804600.0000000005EF0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.599624971.0000000005940000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.959773483.00000000051F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.927950082.00000000003B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0.2.TGSKU7q5IQ.exe.5940000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 13.2.ulhdmvehff-42.exe.5af0000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 14.2.ulhdmvehff-42.exe.51f0000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 13.2.ulhdmvehff-42.exe.5af0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.TGSKU7q5IQ.exe.5940000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 14.2.ulhdmvehff-42.exe.51f0000.5.unpack, type: UNPACKEDPE
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\Uxxdph\ulhdmvehff-42.exe | Joe Sandbox ML: detected
Machine Learning detection for sample
Source: TGSKU7q5IQ.exe | Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 13.2.ulhdmvehff-42.exe.5af0000.4.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 0.2.TGSKU7q5IQ.exe.5940000.4.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 14.2.ulhdmvehff-42.exe.51f0000.5.unpack | Avira: Label: TR/Crypt.ZPACK.Gen

Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Program Files (x86)\Uxxdph\ulhdmvehff-42.exe | Code function: 4x nop then pop edi | 14_2_05207D66

Source: global traffic | HTTP traffic detected:
  GET /mq3/?qrT4Hh_h=0f2vG8QIIcp679PRBI7K0tkkchJ4zDLe5btvcDqwkOaC6818yn4cikTFuAqeQAwmBAAY&mVKX26=MZr0cf7xmpQXmrEp HTTP/1.1
  Host: www.searchmakeup.com
  Connection: close
  Data Raw: 00 00 00 00 00 00 00
  Data Ascii:
IP address seen in connection with other malware
Source: Joe Sandbox View | IP Address: 23.20.239.12 23.20.239.12
Source: C:\Windows\explorer.exe | Code function: 2_2_04B5F5A2 getaddrinfo,setsockopt,recv | 2_2_04B5F5A2
Source: unknown | DNS traffic detected: queries for: www.aaronnational.com
Source: explorer.exe, 00000002.00000000.570622711.000000000B276000.00000002.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
Source: explorer.exe, 00000002.00000002.960898507.0000000002630000.00000004.00000001.sdmp | String found in binary or memory: http://ns.adob1
Source: explorer.exe, 00000002.00000003.851300081.0000000009DAC000.00000004.00000001.sdmp | String found in binary or memory: http://www.aaronnational.com
Source: explorer.exe, 00000002.00000003.851300081.0000000009DAC000.00000004.00000001.sdmp | String found in binary or memory: http://www.aaronnational.com/mq3/
Source: explorer.exe, 00000002.00000003.851300081.0000000009DAC000.00000004.00000001.sdmp | String found in binary or memory: http://www.aaronnational.com/mq3/www.searchmakeup.com
Source: explorer.exe, 00000002.00000003.851300081.0000000009DAC000.00000004.00000001.sdmp | String found in binary or memory: http://www.aaronnational.comReferer:
Source: explorer.exe, 00000002.00000003.851300081.0000000009DAC000.00000004.00000001.sdmp | String found in binary or memory: http://www.am0rsexkreto.com
Source: explorer.exe, 00000002.00000003.851300081.0000000009DAC000.00000004.00000001.sdmp | String found in binary or memory: http://www.am0rsexkreto.com/mq3/
Source: explorer.exe, 00000002.00000003.851300081.0000000009DAC000.00000004.00000001.sdmp | String found in binary or memory: http://www.am0rsexkreto.com/mq3/www.thehuyertrnes.com
Source: explorer.exe, 00000002.00000003.851300081.0000000009DAC000.00000004.00000001.sdmp | String found in binary or memory: http://www.am0rsexkreto.comReferer:
Source: explorer.exe, 00000002.00000000.570622711.000000000B276000.00000002.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 00000002.00000003.851300081.0000000009DAC000.00000004.00000001.sdmp | String found in binary or memory: http://www.askcopdtreatmentok.live
Source: explorer.exe, 00000002.00000003.851300081.0000000009DAC000.00000004.00000001.sdmp | String found in binary or memory: http://www.askcopdtreatmentok.live/mq3/
Source: explorer.exe, 00000002.00000003.851300081.0000000009DAC000.00000004.00000001.sdmp | String found in binary or memory: http://www.askcopdtreatmentok.live/mq3/www.clarksonassistivetech.com
Source: explorer.exe, 00000002.00000003.851300081.0000000009DAC000.00000004.00000001.sdmp | String found in binary or memory: http://www.askcopdtreatmentok.liveReferer:
Source: explorer.exe, 00000002.00000000.570622711.000000000B276000.00000002.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: explorer.exe, 00000002.00000003.851300081.0000000009DAC000.00000004.00000001.sdmp | String found in binary or memory: http://www.changancloud.com
Source: explorer.exe, 00000002.00000003.851300081.0000000009DAC000.00000004.00000001.sdmp | String found in binary or memory: http://www.changancloud.com/mq3/
Source: explorer.exe, 00000002.00000003.851300081.0000000009DAC000.00000004.00000001.sdmp | String found in binary or memory: http://www.changancloud.com/mq3/www.springholdingsbnk.com
Source: explorer.exe, 00000002.00000003.851300081.0000000009DAC000.00000004.00000001.sdmp | String found in binary or memory: http://www.changancloud.comReferer:
Source: explorer.exe, 00000002.00000003.851300081.0000000009DAC000.00000004.00000001.sdmp | String found in binary or memory: http://www.clarksonassistivetech.com
Source: explorer.exe, 00000002.00000003.851300081.0000000009DAC000.00000004.00000001.sdmp | String found in binary or memory: http://www.clarksonassistivetech.com/mq3/
Source: explorer.exe, 00000002.00000003.851300081.0000000009DAC000.00000004.00000001.sdmp | String found in binary or memory: http://www.clarksonassistivetech.com/mq3/www.spartanpronos.com
Source: explorer.exe, 00000002.00000003.851300081.0000000009DAC000.00000004.00000001.sdmp | String found in binary or memory: http://www.clarksonassistivetech.comReferer:
Source: explorer.exe, 00000002.00000003.851300081.0000000009DAC000.00000004.00000001.sdmp | String found in binary or memory: http://www.educationgrants.site
Source: explorer.exe, 00000002.00000003.851300081.0000000009DAC000.00000004.00000001.sdmp | String found in binary or memory: http://www.educationgrants.site/mq3/
Source: explorer.exe, 00000002.00000003.851300081.0000000009DAC000.00000004.00000001.sdmp | String found in binary or memory: http://www.educationgrants.siteReferer:
Source: explorer.exe, 00000002.00000000.570622711.000000000B276000.00000002.00000001.sdmp | String found in binary or memory: http://www.fonts.com
Source: explorer.exe, 00000002.00000000.570622711.000000000B276000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: explorer.exe, 00000002.00000000.570622711.000000000B276000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: explorer.exe, 00000002.00000000.570622711.000000000B276000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: explorer.exe, 00000002.00000000.570622711.000000000B276000.00000002.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: explorer.exe, 00000002.00000003.851300081.0000000009DAC000.00000004.00000001.sdmp | String found in binary or memory: http://www.hnbxm.com
Source: explorer.exe, 00000002.00000003.851300081.0000000009DAC000.00000004.00000001.sdmp | String found in binary or memory: http://www.hnbxm.com/mq3/
Source: explorer.exe, 00000002.00000003.851300081.0000000009DAC000.00000004.00000001.sdmp | String found in binary or memory: http://www.hnbxm.com/mq3/www.educationgrants.site
Source: explorer.exe, 00000002.00000003.851300081.0000000009DAC000.00000004.00000001.sdmp | String found in binary or memory: http://www.hnbxm.comReferer:
Source: explorer.exe, 00000002.00000000.570622711.000000000B276000.00000002.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: explorer.exe, 00000002.00000003.851300081.0000000009DAC000.00000004.00000001.sdmp | String found in binary or memory: http://www.lianxiaoshu.com
Source: explorer.exe, 00000002.00000003.851300081.0000000009DAC000.00000004.00000001.sdmp | String found in binary or memory: http://www.lianxiaoshu.com/mq3/
Source: explorer.exe, 00000002.00000003.851300081.0000000009DAC000.00000004.00000001.sdmp | String found in binary or memory: http://www.lianxiaoshu.com/mq3/www.sj233.com
Source: explorer.exe, 00000002.00000003.851300081.0000000009DAC000.00000004.00000001.sdmp | String found in binary or memory: http://www.lianxiaoshu.comReferer:
Source: explorer.exe, 00000002.00000003.851300081.0000000009DAC000.00000004.00000001.sdmp | String found in binary or memory: http://www.porcber.com
Source: explorer.exe, 00000002.00000003.851300081.0000000009DAC000.00000004.00000001.sdmp | String found in binary or memory: http://www.porcber.com/mq3/
Source: explorer.exe, 00000002.00000003.851300081.0000000009DAC000.00000004.00000001.sdmp | String found in binary or memory: http://www.porcber.com/mq3/www.changancloud.com
Source: explorer.exe, 00000002.00000003.851300081.0000000009DAC000.00000004.00000001.sdmp | String found in binary or memory: http://www.porcber.comReferer:
Source: explorer.exe, 00000002.00000000.570622711.000000000B276000.00000002.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: explorer.exe, 00000002.00000000.570622711.000000000B276000.00000002.00000001.sdmp | String found in binary or memory: http://www.sakkal.com
Source: explorer.exe, 00000002.00000000.570622711.000000000B276000.00000002.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 00000002.00000003.851300081.0000000009DAC000.00000004.00000001.sdmp | String found in binary or memory: http://www.sarealodinge.com
Source: explorer.exe, 00000002.00000003.851300081.0000000009DAC000.00000004.00000001.sdmp | String found in binary or memory: http://www.sarealodinge.com/mq3/
Source: explorer.exe, 00000002.00000003.851300081.0000000009DAC000.00000004.00000001.sdmp | String found in binary or memory: http://www.sarealodinge.com/mq3/www.lianxiaoshu.com
Source: explorer.exe, 00000002.00000003.851300081.0000000009DAC000.00000004.00000001.sdmp | String found in binary or memory: http://www.sarealodinge.comReferer:
Source: explorer.exe, 00000002.00000003.851300081.0000000009DAC000.00000004.00000001.sdmp | String found in binary or memory: http://www.searchmakeup.com
Source: explorer.exe, 00000002.00000003.851300081.0000000009DAC000.00000004.00000001.sdmp | String found in binary or memory: http://www.searchmakeup.com/mq3/
Source: explorer.exe, 00000002.00000003.851300081.0000000009DAC000.00000004.00000001.sdmp | String found in binary or memory: http://www.searchmakeup.com/mq3/www.yoxi.ltd
Source: explorer.exe, 00000002.00000003.851300081.0000000009DAC000.00000004.00000001.sdmp | String found in binary or memory: http://www.searchmakeup.comReferer:
Source: explorer.exe, 00000002.00000003.851300081.0000000009DAC000.00000004.00000001.sdmp | String found in binary or memory: http://www.sj233.com
Source: explorer.exe, 00000002.00000003.851300081.0000000009DAC000.00000004.00000001.sdmp | String found in binary or memory: http://www.sj233.com/mq3/
Source: explorer.exe, 00000002.00000003.851300081.0000000009DAC000.00000004.00000001.sdmp | String found in binary or memory: http://www.sj233.com/mq3/www.am0rsexkreto.com
Source: explorer.exe, 00000002.00000003.851300081.0000000009DAC000.00000004.00000001.sdmp | String found in binary or memory: http://www.sj233.comReferer:
Source: explorer.exe, 00000002.00000003.851300081.0000000009DAC000.00000004.00000001.sdmp | String found in binary or memory: http://www.spartanpronos.com
Source: explorer.exe, 00000002.00000003.851300081.0000000009DAC000.00000004.00000001.sdmp | String found in binary or memory: http://www.spartanpronos.com/mq3/
Source: explorer.exe, 00000002.00000003.851300081.0000000009DAC000.00000004.00000001.sdmp | String found in binary or memory: http://www.spartanpronos.com/mq3/www.porcber.com
Source: explorer.exe, 00000002.00000003.851300081.0000000009DAC000.00000004.00000001.sdmp | String found in binary or memory: http://www.spartanpronos.comReferer:
Source: explorer.exe, 00000002.00000003.851300081.0000000009DAC000.00000004.00000001.sdmp | String found in binary or memory: http://www.springholdingsbnk.com
Source: explorer.exe, 00000002.00000003.851300081.0000000009DAC000.00000004.00000001.sdmp | String found in binary or memory: http://www.springholdingsbnk.com/mq3/
Source: explorer.exe, 00000002.00000003.851300081.0000000009DAC000.00000004.00000001.sdmp | String found in binary or memory: http://www.springholdingsbnk.com/mq3/www.hnbxm.com
Source: explorer.exe, 00000002.00000003.851300081.0000000009DAC000.00000004.00000001.sdmp | String found in binary or memory: http://www.springholdingsbnk.comReferer:
Source: explorer.exe, 00000002.00000003.851300081.0000000009DAC000.00000004.00000001.sdmp | String found in binary or memory: http://www.thehuyertrnes.com
Source: explorer.exe, 00000002.00000003.851300081.0000000009DAC000.00000004.00000001.sdmp | String found in binary or memory: http://www.thehuyertrnes.com/mq3/
Source: explorer.exe, 00000002.00000003.851300081.0000000009DAC000.00000004.00000001.sdmp | String found in binary or memory: http://www.thehuyertrnes.com/mq3/www.askcopdtreatmentok.live
Source: explorer.exe, 00000002.00000003.851300081.0000000009DAC000.00000004.00000001.sdmp | String found in binary or memory: http://www.thehuyertrnes.comReferer:
Source: explorer.exe, 00000002.00000000.570622711.000000000B276000.00000002.00000001.sdmp | String found in binary or memory: http://www.tiro.com
Source: explorer.exe, 00000002.00000000.570622711.000000000B276000.00000002.00000001.sdmp | String found in binary or memory: http://www.typography.netD
Source: explorer.exe, 00000002.00000003.851300081.0000000009DAC000.00000004.00000001.sdmp | String found in binary or memory: http://www.yoxi.ltd
Source: explorer.exe, 00000002.00000003.851300081.0000000009DAC000.00000004.00000001.sdmp | String found in binary or memory: http://www.yoxi.ltd/mq3/
Source: explorer.exe, 00000002.00000003.851300081.0000000009DAC000.00000004.00000001.sdmp | String found in binary or memory: http://www.yoxi.ltd/mq3/www.sarealodinge.com
Source: explorer.exe, 00000002.00000003.851300081.0000000009DAC000.00000004.00000001.sdmp | String found in binary or memory: http://www.yoxi.ltdReferer:
Source: explorer.exe, 00000002.00000000.570622711.000000000B276000.00000002.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
Source: wscript.exe, 00000003.00000002.952599872.00000000030F8000.00000004.00000001.sdmp | String found in binary or memory: https://ogs.google.com/widget/callout?hl=en&origin=https%3A%2F%2Fwww.google.ch&pid=1&spid=1&prid=190
Source: wscript.exe, 00000003.00000002.963959232.0000000005B5F000.00000004.00000001.sdmp | String found in binary or memory: https://www.hugedomains.com/domain_profile.cfm?d=searchmakeup&e=com
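
Two things in the network artifacts above are worth turning into tooling: the beacon itself (a GET to a short single-segment path with two query parameters, Connection: close and no User-Agent, sent from an injected explorer.exe) and the fused strings of the form "http://www.A/mq3/www.B" in the explorer.exe dump, which line up into one ordered list of sixteen hosts when each string is read as entry A immediately followed by entry B. The code below is an added example, not part of the report and not Joe Sandbox code: the two HTTP requests and the string list are constructed from what the report shows (plus one made-up benign request), the heuristic thresholds are this example's own, and the adjacency reading of the fused strings is an inference, not something the report states.

```python
"""Beacon heuristic for the GET /mq3/ request and reconstruction of the
decoy-domain order from fused memory strings.

Added example (not from the report). BENIGN is made up; reading a fused
'www.A/<path>/www.B' string as two adjacent table entries is an assumption.
"""
from __future__ import annotations

import re
from urllib.parse import parse_qsl, urlsplit

PATH_RE = re.compile(r"^/[A-Za-z0-9]{2,6}/$")   # one short segment such as /mq3/


def parse_request(raw: str) -> dict:
    """Split a raw HTTP/1.x request into method, target, headers and body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "headers": headers, "body": body}


def beacon_reasons(raw: str) -> list[str]:
    """All three traits of the report's request, or [] (any one alone is
    common in benign traffic, so partial matches are not reported)."""
    req = parse_request(raw)
    parts = urlsplit(req["target"])
    reasons = []
    if "user-agent" not in req["headers"]:
        reasons.append("no User-Agent header")
    if req["headers"].get("connection", "").lower() == "close":
        reasons.append("Connection: close")
    if PATH_RE.match(parts.path) and len(parse_qsl(parts.query, keep_blank_values=True)) == 2:
        reasons.append(f"short path {parts.path} with exactly two query parameters")
    return reasons if len(reasons) == 3 else []


BEACON = (  # copied from the report's HTTP traffic entry
    "GET /mq3/?qrT4Hh_h=0f2vG8QIIcp679PRBI7K0tkkchJ4zDLe5btvcDqwkOaC6818yn4cikTFuAqeQAwmBAAY"
    "&mVKX26=MZr0cf7xmpQXmrEp HTTP/1.1\r\nHost: www.searchmakeup.com\r\nConnection: close\r\n\r\n"
)
BENIGN = (  # made up: same path shape, but a normal browser request
    "GET /mq3/?page=1&sort=asc HTTP/1.1\r\nHost: www.example.com\r\n"
    "User-Agent: Mozilla/5.0\r\nConnection: keep-alive\r\n\r\n"
)

FUSED_RE = re.compile(r"^http://www\.([^/\s]+)/([A-Za-z0-9]+)/www\.([^/\s]+)$")

# Fused strings as the report lists them for explorer.exe, plus two
# unrelated strings from the same list as noise.
MEMORY_STRINGS = [
    "http://www.aaronnational.com/mq3/www.searchmakeup.com",
    "http://www.am0rsexkreto.com/mq3/www.thehuyertrnes.com",
    "http://www.askcopdtreatmentok.live/mq3/www.clarksonassistivetech.com",
    "http://www.changancloud.com/mq3/www.springholdingsbnk.com",
    "http://www.clarksonassistivetech.com/mq3/www.spartanpronos.com",
    "http://www.educationgrants.site/mq3/",
    "http://www.fonts.com",
    "http://www.hnbxm.com/mq3/www.educationgrants.site",
    "http://www.lianxiaoshu.com/mq3/www.sj233.com",
    "http://www.porcber.com/mq3/www.changancloud.com",
    "http://www.sarealodinge.com/mq3/www.lianxiaoshu.com",
    "http://www.searchmakeup.com/mq3/www.yoxi.ltd",
    "http://www.sj233.com/mq3/www.am0rsexkreto.com",
    "http://www.spartanpronos.com/mq3/www.porcber.com",
    "http://www.springholdingsbnk.com/mq3/www.hnbxm.com",
    "http://www.thehuyertrnes.com/mq3/www.askcopdtreatmentok.live",
    "http://www.yoxi.ltd/mq3/www.sarealodinge.com",
]


def domain_chain(strings: list[str]) -> tuple[str, list[str]]:
    """(campaign path, ordered domains) from 'www.A/<path>/www.B' strings,
    each read as table entry A immediately followed by entry B."""
    nxt, paths, targets = {}, set(), set()
    for s in strings:
        m = FUSED_RE.match(s)
        if not m:
            continue
        a, path, b = m.groups()
        nxt[a] = b
        paths.add(path)
        targets.add(b)
    if len(paths) != 1:
        raise ValueError(f"expected one campaign path, found {sorted(paths)}")
    heads = [a for a in nxt if a not in targets]
    if len(heads) != 1:
        raise ValueError("no unique first entry; the memory view is incomplete")
    chain, cur = [], heads[0]
    while cur is not None and cur not in chain:   # stop at the end or on a loop
        chain.append(cur)
        cur = nxt.get(cur)
    return paths.pop(), chain


if __name__ == "__main__":
    print("beacon:", beacon_reasons(BEACON))
    print("benign:", beacon_reasons(BENIGN))
    path, chain = domain_chain(MEMORY_STRINGS)
    print(f"/{path}/ over {len(chain)} hosts:", " -> ".join(chain))
```

The reconstructed order starts with aaronnational.com, which is the host the DNS query above went to, and continues with searchmakeup.com, which is the Host of the observed GET; the sample walked the list in that order. Blocking only the host that was contacted is therefore not enough: the whole list, and the /mq3/ path, should go into the indicator set.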

E-Banking Fraud:

Yara detected FormBook
Source: Yara match | File source: 0000000D.00000002.946677472.0000000005AF0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.600001330.0000000005B80000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.951930736.0000000002D70000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.600153081.0000000005BB0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.960900832.0000000005470000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.946959841.0000000005C30000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.949904089.0000000003DDA000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.596232022.000000000435A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.962183193.00000000056B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.948565462.0000000000C40000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000010.00000002.941661387.00000000004E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.942884986.000000000457A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.947804600.0000000005EF0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.599624971.0000000005940000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.959773483.00000000051F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.927950082.00000000003B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0.2.TGSKU7q5IQ.exe.5940000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 13.2.ulhdmvehff-42.exe.5af0000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 14.2.ulhdmvehff-42.exe.51f0000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 13.2.ulhdmvehff-42.exe.5af0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.TGSKU7q5IQ.exe.5940000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 14.2.ulhdmvehff-42.exe.51f0000.5.unpack, type: UNPACKEDPE

System Summary:

Detected FormBook malware
Source: C:\Windows\SysWOW64\wscript.exe | Dropped file: C:\Users\user\AppData\Roaming\N629P6-6\N62logri.ini
Source: C:\Windows\SysWOW64\wscript.exe | Dropped file: C:\Users\user\AppData\Roaming\N629P6-6\N62logrf.ini
Source: C:\Windows\SysWOW64\wscript.exe | Dropped file: C:\Users\user\AppData\Roaming\N629P6-6\N62logrv.ini
Malicious sample detected (through community Yara rule)
Source: 0000000D.00000002.946677472.0000000005AF0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 0000000D.00000002.946677472.0000000005AF0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.600001330.0000000005B80000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.600001330.0000000005B80000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000002.951930736.0000000002D70000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000003.00000002.951930736.0000000002D70000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.600153081.0000000005BB0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.600153081.0000000005BB0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000E.00000002.960900832.0000000005470000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 0000000E.00000002.960900832.0000000005470000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000D.00000002.946959841.0000000005C30000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 0000000D.00000002.946959841.0000000005C30000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000E.00000002.949904089.0000000003DDA000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 0000000E.00000002.949904089.0000000003DDA000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.596232022.000000000435A000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.596232022.000000000435A000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000E.00000002.962183193.00000000056B0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 0000000E.00000002.962183193.00000000056B0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000002.948565462.0000000000C40000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000003.00000002.948565462.0000000000C40000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000010.00000002.941661387.00000000004E0000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000010.00000002.941661387.00000000004E0000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000D.00000002.942884986.000000000457A000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0000000D.00000002.942884986.000000000457A000.00000004.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000D.00000002.947804600.0000000005EF0000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0000000D.00000002.947804600.0000000005EF0000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000000.00000002.599624971.0000000005940000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000000.00000002.599624971.0000000005940000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000E.00000002.959773483.00000000051F0000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0000000E.00000002.959773483.00000000051F0000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000F.00000002.927950082.00000000003B0000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0000000F.00000002.927950082.00000000003B0000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0.2.TGSKU7q5IQ.exe.5940000.4.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0.2.TGSKU7q5IQ.exe.5940000.4.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 13.2.ulhdmvehff-42.exe.5af0000.4.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 13.2.ulhdmvehff-42.exe.5af0000.4.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 14.2.ulhdmvehff-42.exe.51f0000.5.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 14.2.ulhdmvehff-42.exe.51f0000.5.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 13.2.ulhdmvehff-42.exe.5af0000.4.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 13.2.ulhdmvehff-42.exe.5af0000.4.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0.2.TGSKU7q5IQ.exe.5940000.4.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0.2.TGSKU7q5IQ.exe.5940000.4.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 14.2.ulhdmvehff-42.exe.51f0000.5.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 14.2.ulhdmvehff-42.exe.51f0000.5.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: C:\Users\user\Desktop\TGSKU7q5IQ.exe, Code function: 0_2_0633A610 NtAdjustPrivilegesToken, LdrInitializeThunk
          Source: C:\Users\user\Desktop\TGSKU7q5IQ.exe, Code function: 0_2_0633A6A0 NtCreateSection, LdrInitializeThunk
          Source: C:\Users\user\Desktop\TGSKU7q5IQ.exe, Code function: 0_2_0633A720 NtResumeThread, LdrInitializeThunk
          Source: C:\Users\user\Desktop\TGSKU7q5IQ.exe, Code function: 0_2_0633A700 NtProtectVirtualMemory, LdrInitializeThunk
          Source: C:\Users\user\Desktop\TGSKU7q5IQ.exe, Code function: 0_2_0633A750 NtCreateFile, LdrInitializeThunk
          Source: C:\Users\user\Desktop\TGSKU7q5IQ.exe, Code function: 0_2_0633A410 NtQueryInformationToken, LdrInitializeThunk
          Source: C:\Users\user\Desktop\TGSKU7q5IQ.exe, Code function: 0_2_0633A4A0 NtUnmapViewOfSection, LdrInitializeThunk
          Source: C:\Users\user\Desktop\TGSKU7q5IQ.exe, Code function: 0_2_0633A480 NtMapViewOfSection, LdrInitializeThunk
          Source: C:\Users\user\Desktop\TGSKU7q5IQ.exe, Code function: 0_2_0633A560 NtQuerySystemInformation, LdrInitializeThunk
          Source: C:\Users\user\Desktop\TGSKU7q5IQ.exe, Code function: 0_2_0633A540 NtDelayExecution, LdrInitializeThunk
          Source: C:\Users\user\Desktop\TGSKU7q5IQ.exe, Code function: 0_2_0633A5F0 NtReadVirtualMemory, LdrInitializeThunk
          Source: C:\Users\user\Desktop\TGSKU7q5IQ.exe, Code function: 0_2_0633A240 NtReadFile, LdrInitializeThunk
          Source: C:\Users\user\Desktop\TGSKU7q5IQ.exe, Code function: 0_2_0633A2D0 NtClose, LdrInitializeThunk
          Source: C:\Users\user\Desktop\TGSKU7q5IQ.exe, Code function: 0_2_0633A360 NtAllocateVirtualMemory, LdrInitializeThunk
          Source: C:\Users\user\Desktop\TGSKU7q5IQ.exe, Code function: 0_2_0633A3E0 NtFreeVirtualMemory, LdrInitializeThunk
          Source: C:\Users\user\Desktop\TGSKU7q5IQ.exe, Code function: 0_2_0633A650 NtQueueApcThread
          Source: C:\Users\user\Desktop\TGSKU7q5IQ.exe, Code function: 0_2_0633A6D0 NtCreateProcessEx
          Source: C:\Users\user\Desktop\TGSKU7q5IQ.exe, Code function: 0_2_0633A710 NtQuerySection
          Source: C:\Users\user\Desktop\TGSKU7q5IQ.exe, Code function: 0_2_0633A780 NtOpenDirectoryObject
          Source: C:\Users\user\Desktop\TGSKU7q5IQ.exe, Code function: 0_2_0633A430 NtQueryVirtualMemory
          Source: C:\Users\user\Desktop\TGSKU7q5IQ.exe, Code function: 0_2_0633B410 NtOpenProcessToken
          Source: C:\Users\user\Desktop\TGSKU7q5IQ.exe, Code function: 0_2_0633B470 NtOpenThread
          Source: C:\Users\user\Desktop\TGSKU7q5IQ.exe, Code function: 0_2_0633A470 NtSetInformationFile
          Source: C:\Users\user\Desktop\TGSKU7q5IQ.exe, Code function: 0_2_0633A460 NtOpenProcess
          Source: C:\Users\user\Desktop\TGSKU7q5IQ.exe, Code function: 0_2_0633ACE0 NtCreateMutant
          Source: C:\Users\user\Desktop\TGSKU7q5IQ.exe, Code function: 0_2_0633A520 NtEnumerateKey
          Source: C:\Users\user\Desktop\TGSKU7q5IQ.exe, Code function: 0_2_0633BD40 NtSuspendThread
          Source: C:\Users\user\Desktop\TGSKU7q5IQ.exe, Code function: 0_2_0633A5A0 NtWriteVirtualMemory
          Source: C:\Users\user\Desktop\TGSKU7q5IQ.exe, Code function: 0_2_0633BA30 NtSetContextThread
          Source: C:\Users\user\Desktop\TGSKU7q5IQ.exe, Code function: 0_2_0633A220 NtWaitForSingleObject
          Source: C:\Users\user\Desktop\TGSKU7q5IQ.exe, Code function: 0_2_0633A260 NtWriteFile
          Source: C:\Users\user\Desktop\TGSKU7q5IQ.exe, Code function: 0_2_0633A2F0 NtQueryInformationFile
          Source: C:\Users\user\Desktop\TGSKU7q5IQ.exe, Code function: 0_2_0633A310 NtEnumerateValueKey
          Source: C:\Users\user\Desktop\TGSKU7q5IQ.exe, Code function: 0_2_0633A370 NtQueryInformationProcess
          Source: C:\Users\user\Desktop\TGSKU7q5IQ.exe, Code function: 0_2_0633A350 NtQueryValueKey
          Source: C:\Users\user\Desktop\TGSKU7q5IQ.exe, Code function: 0_2_0633A3D0 NtCreateKey
          Source: C:\Users\user\Desktop\TGSKU7q5IQ.exe, Code function: 0_2_0633A800 NtSetValueKey
          Source: C:\Users\user\Desktop\TGSKU7q5IQ.exe, Code function: 0_2_0633B0B0 NtGetContextThread
          Source: C:\Windows\explorer.exe, Code function: 2_2_04B5E852 NtDeleteFile, NtCreateFile, NtReadFile, NtWriteFile, NtClose
          Source: C:\Windows\SysWOW64\wscript.exe, Code function: 3_2_0522A560 NtQuerySystemInformation, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\wscript.exe, Code function: 3_2_0522A540 NtDelayExecution, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\wscript.exe, Code function: 3_2_0522A410 NtQueryInformationToken, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\wscript.exe, Code function: 3_2_0522A470 NtSetInformationFile, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\wscript.exe, Code function: 3_2_0522A480 NtMapViewOfSection, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\wscript.exe, Code function: 3_2_0522ACE0 NtCreateMutant, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\wscript.exe, Code function: 3_2_0522A750 NtCreateFile, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\wscript.exe, Code function: 3_2_0522A610 NtAdjustPrivilegesToken, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\wscript.exe, Code function: 3_2_0522A6A0 NtCreateSection, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\wscript.exe, Code function: 3_2_0522A800 NtSetValueKey, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\wscript.exe, Code function: 3_2_0522A310 NtEnumerateValueKey, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\wscript.exe, Code function: 3_2_0522A360 NtAllocateVirtualMemory, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\wscript.exe, Code function: 3_2_0522A350 NtQueryValueKey, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\wscript.exe, Code function: 3_2_0522A3E0 NtFreeVirtualMemory, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\wscript.exe, Code function: 3_2_0522A3D0 NtCreateKey, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\wscript.exe, Code function: 3_2_0522A260 NtWriteFile, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\wscript.exe, Code function: 3_2_0522A240 NtReadFile, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\wscript.exe, Code function: 3_2_0522A2D0 NtClose, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\wscript.exe, Code function: 3_2_0522A520 NtEnumerateKey
          Source: C:\Windows\SysWOW64\wscript.exe, Code function: 3_2_0522BD40 NtSuspendThread
          Source: C:\Windows\SysWOW64\wscript.exe, Code function: 3_2_0522A5A0 NtWriteVirtualMemory
          Source: C:\Windows\SysWOW64\wscript.exe, Code function: 3_2_0522A5F0 NtReadVirtualMemory
          Source: C:\Windows\SysWOW64\wscript.exe, Code function: 3_2_0522A430 NtQueryVirtualMemory
          Source: C:\Windows\SysWOW64\wscript.exe, Code function: 3_2_0522B410 NtOpenProcessToken
          Source: C:\Windows\SysWOW64\wscript.exe, Code function: 3_2_0522A460 NtOpenProcess
          Source: C:\Windows\SysWOW64\wscript.exe, Code function: 3_2_0522B470 NtOpenThread
          Source: C:\Windows\SysWOW64\wscript.exe, Code function: 3_2_0522A4A0 NtUnmapViewOfSection
          Source: C:\Windows\SysWOW64\wscript.exe, Code function: 3_2_0522A720 NtResumeThread
          Source: C:\Windows\SysWOW64\wscript.exe, Code function: 3_2_0522A700 NtProtectVirtualMemory
          Source: C:\Windows\SysWOW64\wscript.exe, Code function: 3_2_0522A710 NtQuerySection
          Source: C:\Windows\SysWOW64\wscript.exe, Code function: 3_2_0522A780 NtOpenDirectoryObject
          Source: C:\Windows\SysWOW64\wscript.exe, Code function: 3_2_0522A650 NtQueueApcThread
          Source: C:\Windows\SysWOW64\wscript.exe, Code function: 3_2_0522A6D0 NtCreateProcessEx
          Source: C:\Windows\SysWOW64\wscript.exe, Code function: 3_2_0522B0B0 NtGetContextThread
          Source: C:\Windows\SysWOW64\wscript.exe, Code function: 3_2_0522A370 NtQueryInformationProcess
          Source: C:\Windows\SysWOW64\wscript.exe, Code function: 3_2_0522A220 NtWaitForSingleObject
          Source: C:\Windows\SysWOW64\wscript.exe, Code function: 3_2_0522BA30 NtSetContextThread
          Source: C:\Windows\SysWOW64\wscript.exe, Code function: 3_2_0522A2F0 NtQueryInformationFile
          Source: C:\Windows\SysWOW64\wscript.exe, Code function: 3_2_02D89A10 NtAllocateVirtualMemory
          Source: C:\Windows\SysWOW64\wscript.exe, Code function: 3_2_02D898E0 NtReadFile
          Source: C:\Windows\SysWOW64\wscript.exe, Code function: 3_2_02D89830 NtCreateFile
          Source: C:\Windows\SysWOW64\wscript.exe, Code function: 3_2_02D89960 NtClose
          Source: C:\Windows\SysWOW64\wscript.exe, Code function: 3_2_02D898DA NtReadFile
          Source: C:\Windows\SysWOW64\wscript.exe, Code function: 3_2_02D8982A NtCreateFile
          Source: C:\Windows\SysWOW64\wscript.exe, Code function: 3_2_02D8995B NtClose
          Source: C:\Program Files (x86)\Uxxdph\ulhdmvehff-42.exe, Code function: 13_2_0651A610 NtAdjustPrivilegesToken, LdrInitializeThunk
          Source: C:\Program Files (x86)\Uxxdph\ulhdmvehff-42.exe, Code function: 13_2_0651A6A0 NtCreateSection, LdrInitializeThunk
          Source: C:\Program Files (x86)\Uxxdph\ulhdmvehff-42.exe, Code function: 13_2_0651A750 NtCreateFile, LdrInitializeThunk
          Source: C:\Program Files (x86)\Uxxdph\ulhdmvehff-42.exe, Code function: 13_2_0651A700 NtProtectVirtualMemory, LdrInitializeThunk
          Source: C:\Program Files (x86)\Uxxdph\ulhdmvehff-42.exe, Code function: 13_2_0651A720 NtResumeThread, LdrInitializeThunk
          Source: C:\Program Files (x86)\Uxxdph\ulhdmvehff-42.exe, Code function: 13_2_0651A410 NtQueryInformationToken, LdrInitializeThunk
          Source: C:\Program Files (x86)\Uxxdph\ulhdmvehff-42.exe, Code function: 13_2_0651A480 NtMapViewOfSection, LdrInitializeThunk
          Source: C:\Program Files (x86)\Uxxdph\ulhdmvehff-42.exe, Code function: 13_2_0651A4A0 NtUnmapViewOfSection, LdrInitializeThunk
          Source: C:\Program Files (x86)\Uxxdph\ulhdmvehff-42.exe, Code function: 13_2_0651A540 NtDelayExecution, LdrInitializeThunk
          Source: C:\Program Files (x86)\Uxxdph\ulhdmvehff-42.exe, Code function: 13_2_0651A560 NtQuerySystemInformation, LdrInitializeThunk
          Source: C:\Program Files (x86)\Uxxdph\ulhdmvehff-42.exe, Code function: 13_2_0651A5F0 NtReadVirtualMemory, LdrInitializeThunk
          Source: C:\Program Files (x86)\Uxxdph\ulhdmvehff-42.exe, Code function: 13_2_0651A240 NtReadFile, LdrInitializeThunk
          Source: C:\Program Files (x86)\Uxxdph\ulhdmvehff-42.exe, Code function: 13_2_0651A2D0 NtClose, LdrInitializeThunk
          Source: C:\Program Files (x86)\Uxxdph\ulhdmvehff-42.exe, Code function: 13_2_0651A360 NtAllocateVirtualMemory, LdrInitializeThunk
          Source: C:\Program Files (x86)\Uxxdph\ulhdmvehff-42.exe, Code function: 13_2_0651A3E0 NtFreeVirtualMemory, LdrInitializeThunk
          Source: C:\Program Files (x86)\Uxxdph\ulhdmvehff-42.exe, Code function: 13_2_0651A650 NtQueueApcThread
          Source: C:\Program Files (x86)\Uxxdph\ulhdmvehff-42.exe, Code function: 13_2_0651A6D0 NtCreateProcessEx
          Source: C:\Program Files (x86)\Uxxdph\ulhdmvehff-42.exe, Code function: 13_2_0651A710 NtQuerySection
          Source: C:\Program Files (x86)\Uxxdph\ulhdmvehff-42.exe, Code function: 13_2_0651A780 NtOpenDirectoryObject
          Source: C:\Program Files (x86)\Uxxdph\ulhdmvehff-42.exe, Code function: 13_2_0651B470 NtOpenThread
          Source: C:\Program Files (x86)\Uxxdph\ulhdmvehff-42.exe, Code function: 13_2_0651A470 NtSetInformationFile
          Source: C:\Program Files (x86)\Uxxdph\ulhdmvehff-42.exe, Code function: 13_2_0651A460 NtOpenProcess
          Source: C:\Program Files (x86)\Uxxdph\ulhdmvehff-42.exe, Code function: 13_2_0651B410 NtOpenProcessToken
          Source: C:\Program Files (x86)\Uxxdph\ulhdmvehff-42.exe, Code function: 13_2_0651A430 NtQueryVirtualMemory
          Source: C:\Program Files (x86)\Uxxdph\ulhdmvehff-42.exe, Code function: 13_2_0651ACE0 NtCreateMutant
          Source: C:\Program Files (x86)\Uxxdph\ulhdmvehff-42.exe, Code function: 13_2_0651BD40 NtSuspendThread
          Source: C:\Program Files (x86)\Uxxdph\ulhdmvehff-42.exe, Code function: 13_2_0651A520 NtEnumerateKey
          Source: C:\Program Files (x86)\Uxxdph\ulhdmvehff-42.exe, Code function: 13_2_0651A5A0 NtWriteVirtualMemory
          Source: C:\Program Files (x86)\Uxxdph\ulhdmvehff-42.exe, Code function: 13_2_0651A260 NtWriteFile
          Source: C:\Program Files (x86)\Uxxdph\ulhdmvehff-42.exe, Code function: 13_2_0651BA30 NtSetContextThread
          Source: C:\Program Files (x86)\Uxxdph\ulhdmvehff-42.exe, Code function: 13_2_0651A220 NtWaitForSingleObject
          Source: C:\Program Files (x86)\Uxxdph\ulhdmvehff-42.exe, Code function: 13_2_0651A2F0 NtQueryInformationFile
          Source: C:\Program Files (x86)\Uxxdph\ulhdmvehff-42.exe, Code function: 13_2_0651A350 NtQueryValueKey
          Source: C:\Program Files (x86)\Uxxdph\ulhdmvehff-42.exe, Code function: 13_2_0651A370 NtQueryInformationProcess
          Source: C:\Program Files (x86)\Uxxdph\ulhdmvehff-42.exe, Code function: 13_2_0651A310 NtEnumerateValueKey
          Source: C:\Program Files (x86)\Uxxdph\ulhdmvehff-42.exe, Code function: 13_2_0651A3D0 NtCreateKey
          Source: C:\Program Files (x86)\Uxxdph\ulhdmvehff-42.exe, Code function: 13_2_0651A800 NtSetValueKey
          Source: C:\Program Files (x86)\Uxxdph\ulhdmvehff-42.exe, Code function: 13_2_0651B0B0 NtGetContextThread
          Source: C:\Program Files (x86)\Uxxdph\ulhdmvehff-42.exe, Code function: 14_2_05209960 NtClose
          Source: C:\Program Files (x86)\Uxxdph\ulhdmvehff-42.exe, Code function: 14_2_05209830 NtCreateFile
          Source: C:\Program Files (x86)\Uxxdph\ulhdmvehff-42.exe, Code function: 14_2_052098E0 NtReadFile
          Source: C:\Program Files (x86)\Uxxdph\ulhdmvehff-42.exe, Code function: 14_2_05209A10 NtAllocateVirtualMemory
          Source: C:\Program Files (x86)\Uxxdph\ulhdmvehff-42.exe, Code function: 14_2_0520995B NtClose
          Source: C:\Program Files (x86)\Uxxdph\ulhdmvehff-42.exe, Code function: 14_2_0520982A NtCreateFile
          Source: C:\Program Files (x86)\Uxxdph\ulhdmvehff-42.exe, Code function: 14_2_052098DA NtReadFile
          Source: C:\Program Files (x86)\Uxxdph\ulhdmvehff-42.exeCode function: 13_2_00F29E0D13_2_00F29E0D
          Source: C:\Program Files (x86)\Uxxdph\ulhdmvehff-42.exeCode function: 13_2_064F764013_2_064F7640
          Source: C:\Program Files (x86)\Uxxdph\ulhdmvehff-42.exeCode function: 13_2_06505E7013_2_06505E70
          Source: C:\Program Files (x86)\Uxxdph\ulhdmvehff-42.exeCode function: 13_2_06504E6113_2_06504E61
          Source: C:\Program Files (x86)\Uxxdph\ulhdmvehff-42.exeCode function: 13_2_0659CE6613_2_0659CE66
          Source: C:\Program Files (x86)\Uxxdph\ulhdmvehff-42.exeCode function: 13_2_0650661113_2_06506611
          Source: C:\Program Files (x86)\Uxxdph\ulhdmvehff-42.exeCode function: 13_2_065A26F813_2_065A26F8
          Source: C:\Program Files (x86)\Uxxdph\ulhdmvehff-42.exeCode function: 13_2_06593E9613_2_06593E96
          Source: C:\Program Files (x86)\Uxxdph\ulhdmvehff-42.exeCode function: 13_2_065A174613_2_065A1746
          Source: C:\Program Files (x86)\Uxxdph\ulhdmvehff-42.exeCode function: 13_2_065A1FCE13_2_065A1FCE
          Source: C:\Program Files (x86)\Uxxdph\ulhdmvehff-42.exeCode function: 13_2_0659278213_2_06592782
          Source: C:\Program Files (x86)\Uxxdph\ulhdmvehff-42.exeCode function: 13_2_064F579013_2_064F5790
          Source: C:\Program Files (x86)\Uxxdph\ulhdmvehff-42.exeCode function: 13_2_0650547E13_2_0650547E
          Source: C:\Program Files (x86)\Uxxdph\ulhdmvehff-42.exeCode function: 13_2_064E740C13_2_064E740C
          Source: C:\Program Files (x86)\Uxxdph\ulhdmvehff-42.exeCode function: 13_2_064F141013_2_064F1410
          Source: C:\Program Files (x86)\Uxxdph\ulhdmvehff-42.exeCode function: 13_2_0658F42B13_2_0658F42B
          Source: C:\Program Files (x86)\Uxxdph\ulhdmvehff-42.exeCode function: 13_2_0659DCC513_2_0659DCC5
          Source: C:\Program Files (x86)\Uxxdph\ulhdmvehff-42.exeCode function: 13_2_065944EF13_2_065944EF
          Source: C:\Program Files (x86)\Uxxdph\ulhdmvehff-42.exeCode function: 13_2_065A2C9A13_2_065A2C9A
          Source: C:\Program Files (x86)\Uxxdph\ulhdmvehff-42.exeCode function: 13_2_065A1C9F13_2_065A1C9F
          Source: C:\Program Files (x86)\Uxxdph\ulhdmvehff-42.exeCode function: 13_2_0659349013_2_06593490
          Source: C:\Program Files (x86)\Uxxdph\ulhdmvehff-42.exeCode function: 13_2_064D0D4013_2_064D0D40
          Source: C:\Program Files (x86)\Uxxdph\ulhdmvehff-42.exeCode function: 13_2_06591D1B13_2_06591D1B
          Source: C:\Program Files (x86)\Uxxdph\ulhdmvehff-42.exeCode function: 13_2_065A251913_2_065A2519
          Source: C:\Program Files (x86)\Uxxdph\ulhdmvehff-42.exeCode function: 13_2_0657C53F13_2_0657C53F
          Source: C:\Program Files (x86)\Uxxdph\ulhdmvehff-42.exeCode function: 13_2_064F153013_2_064F1530
          Source: C:\Program Files (x86)\Uxxdph\ulhdmvehff-42.exeCode function: 13_2_0658FDDB13_2_0658FDDB
          Source: C:\Program Files (x86)\Uxxdph\ulhdmvehff-42.exeCode function: 13_2_0659D5D213_2_0659D5D2
          Source: C:\Program Files (x86)\Uxxdph\ulhdmvehff-42.exeCode function: 13_2_06581DE313_2_06581DE3
          Source: C:\Program Files (x86)\Uxxdph\ulhdmvehff-42.exeCode function: 13_2_0659E58113_2_0659E581
          Source: C:\Program Files (x86)\Uxxdph\ulhdmvehff-42.exeCode function: 13_2_0657E58A13_2_0657E58A
          Source: C:\Program Files (x86)\Uxxdph\ulhdmvehff-42.exeCode function: 13_2_06504A5B13_2_06504A5B
          Source: C:\Program Files (x86)\Uxxdph\ulhdmvehff-42.exeCode function: 13_2_065AE21413_2_065AE214
          Source: C:\Program Files (x86)\Uxxdph\ulhdmvehff-42.exeCode function: 13_2_06590A0213_2_06590A02
          Source: C:\Program Files (x86)\Uxxdph\ulhdmvehff-42.exeCode function: 13_2_0650523D13_2_0650523D
          Source: C:\Program Files (x86)\Uxxdph\ulhdmvehff-42.exeCode function: 13_2_065A22DD13_2_065A22DD
          Source: C:\Program Files (x86)\Uxxdph\ulhdmvehff-42.exeCode function: 13_2_065A1A9913_2_065A1A99
          Source: C:\Program Files (x86)\Uxxdph\ulhdmvehff-42.exeCode function: 13_2_064F42B013_2_064F42B0
          Source: C:\Program Files (x86)\Uxxdph\ulhdmvehff-42.exeCode function: 13_2_064FFB4013_2_064FFB40
          Source: C:\Program Files (x86)\Uxxdph\ulhdmvehff-42.exeCode function: 13_2_065063C213_2_065063C2
          Source: C:\Program Files (x86)\Uxxdph\ulhdmvehff-42.exeCode function: 13_2_064DEBE013_2_064DEBE0
          Source: C:\Program Files (x86)\Uxxdph\ulhdmvehff-42.exeCode function: 13_2_06504B9613_2_06504B96
          Source: C:\Program Files (x86)\Uxxdph\ulhdmvehff-42.exeCode function: 13_2_0650107013_2_06501070
          Source: C:\Program Files (x86)\Uxxdph\ulhdmvehff-42.exeCode function: 13_2_0650981013_2_06509810
          Source: C:\Program Files (x86)\Uxxdph\ulhdmvehff-42.exeCode function: 13_2_0659D01613_2_0659D016
          Source: C:\Program Files (x86)\Uxxdph\ulhdmvehff-42.exeCode function: 13_2_0650E02013_2_0650E020
          Source: C:\Program Files (x86)\Uxxdph\ulhdmvehff-42.exeCode function: 13_2_0650002113_2_06500021
          Source: C:\Program Files (x86)\Uxxdph\ulhdmvehff-42.exeCode function: 13_2_065048CB13_2_065048CB
          Source: C:\Program Files (x86)\Uxxdph\ulhdmvehff-42.exeCode function: 13_2_065A28E813_2_065A28E8
          Source: C:\Program Files (x86)\Uxxdph\ulhdmvehff-42.exeCode function: 13_2_064EA08013_2_064EA080
          Source: C:\Program Files (x86)\Uxxdph\ulhdmvehff-42.exeCode function: 13_2_065818B613_2_065818B6
          Source: C:\Program Files (x86)\Uxxdph\ulhdmvehff-42.exeCode function: 13_2_0650594B13_2_0650594B
          Source: C:\Program Files (x86)\Uxxdph\ulhdmvehff-42.exeCode function: 13_2_0650711013_2_06507110
          Source: C:\Program Files (x86)\Uxxdph\ulhdmvehff-42.exeCode function: 13_2_0652990613_2_06529906
          Source: C:\Program Files (x86)\Uxxdph\ulhdmvehff-42.exeCode function: 13_2_065961DF13_2_065961DF
          Source: C:\Program Files (x86)\Uxxdph\ulhdmvehff-42.exeCode function: 13_2_065A19E213_2_065A19E2
          Source: C:\Program Files (x86)\Uxxdph\ulhdmvehff-42.exeCode function: 13_2_0650618013_2_06506180
          Source: C:\Program Files (x86)\Uxxdph\ulhdmvehff-42.exeCode function: 13_2_065AD9BE13_2_065AD9BE
          Source: C:\Program Files (x86)\Uxxdph\ulhdmvehff-42.exeCode function: 13_2_0328B16013_2_0328B160
          Source: C:\Program Files (x86)\Uxxdph\ulhdmvehff-42.exeCode function: 13_2_0328C62013_2_0328C620
          Source: C:\Program Files (x86)\Uxxdph\ulhdmvehff-42.exeCode function: 13_2_0328B4F013_2_0328B4F0
          Source: C:\Program Files (x86)\Uxxdph\ulhdmvehff-42.exeCode function: 13_2_0328C93213_2_0328C932
          Source: C:\Program Files (x86)\Uxxdph\ulhdmvehff-42.exeCode function: 13_2_0328C6C113_2_0328C6C1
          Source: C:\Program Files (x86)\Uxxdph\ulhdmvehff-42.exeCode function: 13_2_0328B55713_2_0328B557
          Source: C:\Program Files (x86)\Uxxdph\ulhdmvehff-42.exeCode function: 13_2_0328B58D13_2_0328B58D
          Source: C:\Program Files (x86)\Uxxdph\ulhdmvehff-42.exeCode function: 13_2_00F23E7713_2_00F23E77
          Source: C:\Program Files (x86)\Uxxdph\ulhdmvehff-42.exeCode function: 13_2_00F2568813_2_00F25688
          Source: C:\Program Files (x86)\Uxxdph\ulhdmvehff-42.exeCode function: 14_2_008BF9B214_2_008BF9B2
          Source: C:\Program Files (x86)\Uxxdph\ulhdmvehff-42.exeCode function: 14_2_008BEEDA14_2_008BEEDA
          Source: C:\Program Files (x86)\Uxxdph\ulhdmvehff-42.exeCode function: 14_2_008B5AEC14_2_008B5AEC
          Source: C:\Program Files (x86)\Uxxdph\ulhdmvehff-42.exeCode function: 14_2_008B9E0D14_2_008B9E0D
          Source: C:\Program Files (x86)\Uxxdph\ulhdmvehff-42.exeCode function: 14_2_008B947214_2_008B9472
          Source: C:\Program Files (x86)\Uxxdph\ulhdmvehff-42.exeCode function: 14_2_051F2D9014_2_051F2D90
          Source: C:\Program Files (x86)\Uxxdph\ulhdmvehff-42.exeCode function: 14_2_051F2D8914_2_051F2D89
          Source: C:\Program Files (x86)\Uxxdph\ulhdmvehff-42.exeCode function: 14_2_051F9F5B