
Analysis Report LWlcpDjYIQ.exe

Overview

General Information

Sample Name: LWlcpDjYIQ.exe
Analysis ID: 383953
MD5: 91523f8d438585534d9466432cc4665d
SHA1: e34b69f0ded056eca7dd43b8f5be2edf7198c211
SHA256: b5e3426a888ddb5751f9802093f1bd10ec696b2994bee03b99b7ba2b4f21a57d
Tags: exe, Formbook

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Yara detected FormBook
C2 URLs / IPs found in malware configuration
Contains functionality to prevent local Windows debugging
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect virtualization through RDTSC time measurements
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to read the PEB
Contains functionality to shutdown / reboot the system
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses Windows Living Off The Land Binaries (LOLBins)
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Startup

  • System is w10x64
  • LWlcpDjYIQ.exe (PID: 5524 cmdline: 'C:\Users\user\Desktop\LWlcpDjYIQ.exe' MD5: 91523F8D438585534D9466432CC4665D)
    • LWlcpDjYIQ.exe (PID: 3664 cmdline: 'C:\Users\user\Desktop\LWlcpDjYIQ.exe' MD5: 91523F8D438585534D9466432CC4665D)
      • explorer.exe (PID: 3388 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • cmstp.exe (PID: 5796 cmdline: C:\Windows\SysWOW64\cmstp.exe MD5: 4833E65ED211C7F118D4A11E6FB58A09)
          • cmd.exe (PID: 6136 cmdline: /c del 'C:\Users\user\Desktop\LWlcpDjYIQ.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 400 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.simplyhealrhcareplans.com/sqra/"], "decoy": ["edwardjonescredticard.com", "muzhskoy-eskort.site", "home-sou.com", "entohops.com", "orchidandiris.com", "kellnetworks.com", "shopthen2.site", "jimmysga.com", "carobbella.com", "fenuadiscovery.com", "huongdandidong.com", "greenesgoodies.com", "socialunified.com", "azure-vs-google.cloud", "bardototonho.com", "anadelalastra.art", "godseyepiece.com", "18082020.com", "3559044.com", "hvacservicecoldwater.com", "inlandempiresublease.com", "cenconsulting.com", "clavunica.com", "zx765.com", "ndrossignol.com", "lumpkinforless.com", "merrypopinnannies.com", "herbalbooze.com", "opusleaf.com", "karizcustomizeme.com", "miss-windy.com", "esl-materials.com", "flcpyl.com", "metort.com", "ggapp.run", "josiahtreatenglishportfolio.com", "charmdalat.com", "kaashir.com", "magenx2.info", "mysfmp.com", "dailyhyundaihanoi.net", "camperlifeclub.com", "familymedicalurgentcare.com", "unityprawn.com", "crosswhiteconsulting.com", "luxel01.com", "runwithbe.com", "marfrigs.com", "lewishackney.com", "legalhelp.black", "thedorkweb.com", "carritogastronomico.com", "sniffai.com", "myboardinghome.com", "szameitat.net", "wegawk.com", "ecomcourse.online", "heritagelcc.com", "launchtutor.com", "bricksli.com", "911salesrescue.com", "shangbinjieneng.com", "seymor-law.com", "decoviewer.com"]}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000002.00000002.256436700.00000000006E0000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000002.00000002.256436700.00000000006E0000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
    • 0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x8972:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x14685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0x14171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0x14787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0x148ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0x938a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
    • 0x133ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    • 0xa102:$sequence_7: 66 89 0C 02 5B 8B E5 5D
    • 0x19777:$sequence_8: 3C 54 74 04 3C 74 75 F4
    • 0x1a81a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000002.00000002.256436700.00000000006E0000.00000040.00000001.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
    • 0x166a9:$sqlite3step: 68 34 1C 7B E1
    • 0x167bc:$sqlite3step: 68 34 1C 7B E1
    • 0x166d8:$sqlite3text: 68 38 2A 90 C5
    • 0x167fd:$sqlite3text: 68 38 2A 90 C5
    • 0x166eb:$sqlite3blob: 68 53 D8 7F 8C
    • 0x16813:$sqlite3blob: 68 53 D8 7F 8C
00000002.00000001.215824395.0000000000400000.00000040.00020000.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000002.00000001.215824395.0000000000400000.00000040.00020000.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
    • 0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x8972:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x14685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0x14171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0x14787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0x148ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0x938a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
    • 0x133ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    • 0xa102:$sequence_7: 66 89 0C 02 5B 8B E5 5D
    • 0x19777:$sequence_8: 3C 54 74 04 3C 74 75 F4
    • 0x1a81a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Unpacked PEs

Source | Rule | Description | Author | Strings
0.2.LWlcpDjYIQ.exe.1eb20000.5.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
0.2.LWlcpDjYIQ.exe.1eb20000.5.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
    • 0x77e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x7b72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x13885:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0x13371:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0x13987:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0x13aff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0x858a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
    • 0x125ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    • 0x9302:$sequence_7: 66 89 0C 02 5B 8B E5 5D
    • 0x18977:$sequence_8: 3C 54 74 04 3C 74 75 F4
    • 0x19a1a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0.2.LWlcpDjYIQ.exe.1eb20000.5.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
    • 0x158a9:$sqlite3step: 68 34 1C 7B E1
    • 0x159bc:$sqlite3step: 68 34 1C 7B E1
    • 0x158d8:$sqlite3text: 68 38 2A 90 C5
    • 0x159fd:$sqlite3text: 68 38 2A 90 C5
    • 0x158eb:$sqlite3blob: 68 53 D8 7F 8C
    • 0x15a13:$sqlite3blob: 68 53 D8 7F 8C
2.2.LWlcpDjYIQ.exe.400000.0.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
2.2.LWlcpDjYIQ.exe.400000.0.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
    • 0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x8972:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x14685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0x14171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0x14787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0x148ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0x938a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
    • 0x133ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    • 0xa102:$sequence_7: 66 89 0C 02 5B 8B E5 5D
    • 0x19777:$sequence_8: 3C 54 74 04 3C 74 75 F4
    • 0x1a81a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Sigma Overview

No Sigma rule has matched

Signature Overview


AV Detection:

Antivirus detection for URL or domain
Source: http://www.lewishackney.com/sqra/?NBZl=RvvWc34iJhU4aDVvCPxlJYXQghZKjT+0jz617RLPtVuesnMs5OzQh/fCAeZj/K6zv/Ow&lzul=wRDL7BohbLBLJV | Avira URL Cloud: Label: malware
Source: http://www.ecomcourse.online/sqra/?NBZl=A685XXlO5s8wdT2GSl4VwObxhyaN1usH/ZDf3g436hkZTbYdTSv6UxS6ZdhF3LcC3Fcd&lzul=wRDL7BohbLBLJV | Avira URL Cloud: Label: malware
Source: http://www.muzhskoy-eskort.site/sqra/?NBZl=XY+ZErIRkQWtvrbZzW/Q2VqSgxI2oDXvZ0FX1dCtO5jFwgiNlKUf7p0wm51D3p8eN5aQ&lzul=wRDL7BohbLBLJV | Avira URL Cloud: Label: malware
Found malware configuration
Source: 00000002.00000002.256436700.00000000006E0000.00000040.00000001.sdmp | Malware Configuration Extractor: FormBook {"C2 list": ["www.simplyhealrhcareplans.com/sqra/"], "decoy": ["edwardjonescredticard.com", "muzhskoy-eskort.site", "home-sou.com", "entohops.com", "orchidandiris.com", "kellnetworks.com", "shopthen2.site", "jimmysga.com", "carobbella.com", "fenuadiscovery.com", "huongdandidong.com", "greenesgoodies.com", "socialunified.com", "azure-vs-google.cloud", "bardototonho.com", "anadelalastra.art", "godseyepiece.com", "18082020.com", "3559044.com", "hvacservicecoldwater.com", "inlandempiresublease.com", "cenconsulting.com", "clavunica.com", "zx765.com", "ndrossignol.com", "lumpkinforless.com", "merrypopinnannies.com", "herbalbooze.com", "opusleaf.com", "karizcustomizeme.com", "miss-windy.com", "esl-materials.com", "flcpyl.com", "metort.com", "ggapp.run", "josiahtreatenglishportfolio.com", "charmdalat.com", "kaashir.com", "magenx2.info", "mysfmp.com", "dailyhyundaihanoi.net", "camperlifeclub.com", "familymedicalurgentcare.com", "unityprawn.com", "crosswhiteconsulting.com", "luxel01.com", "runwithbe.com", "marfrigs.com", "lewishackney.com", "legalhelp.black", "thedorkweb.com", "carritogastronomico.com", "sniffai.com", "myboardinghome.com", "szameitat.net", "wegawk.com", "ecomcourse.online", "heritagelcc.com", "launchtutor.com", "bricksli.com", "911salesrescue.com", "shangbinjieneng.com", "seymor-law.com", "decoviewer.com"]}
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\nsmDEE3.tmp\9a5t.dll | ReversingLabs: Detection: 24%
Multi AV Scanner detection for submitted file
Source: LWlcpDjYIQ.exe | ReversingLabs: Detection: 65%
Yara detected FormBook
Source: Yara match | File source: 00000002.00000002.256436700.00000000006E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000001.215824395.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.474138939.00000000002D0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.256399693.00000000006B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.220675052.000000001EB20000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.256111645.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.475870538.0000000002840000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0.2.LWlcpDjYIQ.exe.1eb20000.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.LWlcpDjYIQ.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.1.LWlcpDjYIQ.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.LWlcpDjYIQ.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.1.LWlcpDjYIQ.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.LWlcpDjYIQ.exe.1eb20000.5.raw.unpack, type: UNPACKEDPE
Source: 7.2.cmstp.exe.45c708.2.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 0.2.LWlcpDjYIQ.exe.1eb20000.5.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 7.2.cmstp.exe.4b87960.5.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 2.1.LWlcpDjYIQ.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 2.2.LWlcpDjYIQ.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: LWlcpDjYIQ.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: Binary string: cmstp.pdbGCTL source: LWlcpDjYIQ.exe, 00000002.00000002.256547466.0000000000960000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdbUGP source: LWlcpDjYIQ.exe, 00000000.00000003.210847086.000000001ECE0000.00000004.00000001.sdmp, LWlcpDjYIQ.exe, 00000002.00000002.256684216.0000000000B1F000.00000040.00000001.sdmp, cmstp.exe, 00000007.00000002.476522146.0000000004650000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb source: LWlcpDjYIQ.exe, cmstp.exe
Source: Binary string: cmstp.pdb source: LWlcpDjYIQ.exe, 00000002.00000002.256547466.0000000000960000.00000040.00000001.sdmp
Source: C:\Users\user\Desktop\LWlcpDjYIQ.exe | Code function: 0_2_0040531D DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,SetFileAttributesA,RemoveDirectoryA,0_2_0040531D
Source: C:\Users\user\Desktop\LWlcpDjYIQ.exe | Code function: 0_2_00405CB0 SetErrorMode,SetErrorMode,FindFirstFileA,SetErrorMode,FindClose,0_2_00405CB0
Source: C:\Users\user\Desktop\LWlcpDjYIQ.exe | Code function: 0_2_004026BC FindFirstFileA,0_2_004026BC
Source: C:\Users\user\Desktop\LWlcpDjYIQ.exe | Code function: 4x nop then pop esi 2_2_0041581E
Source: C:\Users\user\Desktop\LWlcpDjYIQ.exe | Code function: 4x nop then pop edi 2_2_004162A4
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4x nop then pop edi 7_2_028562A4
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4x nop then pop esi 7_2_0285581E

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49722 -> 118.27.122.19:80
Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49722 -> 118.27.122.19:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49722 -> 118.27.122.19:80
Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49727 -> 184.168.131.241:80
Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49727 -> 184.168.131.241:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49727 -> 184.168.131.241:80
Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49731 -> 108.186.210.142:80
Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49731 -> 108.186.210.142:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49731 -> 108.186.210.142:80
Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49743 -> 5.101.152.161:80
Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49743 -> 5.101.152.161:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49743 -> 5.101.152.161:80
Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49744 -> 208.91.197.27:80
Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49744 -> 208.91.197.27:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49744 -> 208.91.197.27:80
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor | URLs: www.simplyhealrhcareplans.com/sqra/
Source: global traffic | HTTP traffic detected: GET /sqra/?lzul=wRDL7BohbLBLJV&NBZl=+apFroP1TjGnxXEe5oaGEFG1FIGlVaZA9Y5GRttzGQ4z+BPhxNKjikjP31UiUH/cC1Iy HTTP/1.1 Host: www.karizcustomizeme.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic | HTTP traffic detected: GET /sqra/?NBZl=l8gFWKa0VIasP4OX6UWILwSCtzkOc3V6oKupITn9HnPx0eDpBTl3az448bd8FGwLkJvi&lzul=wRDL7BohbLBLJV HTTP/1.1 Host: www.luxel01.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic | HTTP traffic detected: GET /sqra/?lzul=wRDL7BohbLBLJV&NBZl=zH8yL9FtafuknHUuv+0OAb189SbLD7IfmvNkOBi8bJNQNfTK09EYjoUTP6M+ilwbYPXy HTTP/1.1 Host: www.orchidandiris.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic | HTTP traffic detected: GET /sqra/?NBZl=lD4TJk9xsMd0/PL293fidflTFReEfYiBAFO2d5wZtfSldQt+n1O6CAKQlGZxKl5sANQQ&lzul=wRDL7BohbLBLJV HTTP/1.1 Host: www.anadelalastra.art Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic | HTTP traffic detected: GET /sqra/?NBZl=A685XXlO5s8wdT2GSl4VwObxhyaN1usH/ZDf3g436hkZTbYdTSv6UxS6ZdhF3LcC3Fcd&lzul=wRDL7BohbLBLJV HTTP/1.1 Host: www.ecomcourse.online Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic | HTTP traffic detected: GET /sqra/?lzul=wRDL7BohbLBLJV&NBZl=94GGx2Cs8EYqYWyk7qEtIIzRN3fkRhfUxg2Vtzz5w0QY/7xu41tS8mQoIQP3aceFOvfi HTTP/1.1 Host: www.huongdandidong.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic | HTTP traffic detected: GET /sqra/?NBZl=XY+ZErIRkQWtvrbZzW/Q2VqSgxI2oDXvZ0FX1dCtO5jFwgiNlKUf7p0wm51D3p8eN5aQ&lzul=wRDL7BohbLBLJV HTTP/1.1 Host: www.muzhskoy-eskort.site Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic | HTTP traffic detected: GET /sqra/?lzul=wRDL7BohbLBLJV&NBZl=n3U7aY9a5ujS+qWiRfdW0plv/0Nv8djS+qMboD1ih5qiP+MT365v99ebZUVRUFJkYzoK HTTP/1.1 Host: www.simplyhealrhcareplans.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic | HTTP traffic detected: GET /sqra/?lzul=wRDL7BohbLBLJV&NBZl=nD+8EQ/dkrvxrfeXfZTM4uqVidyysXGGAQQPcyuh+D+qYnXcwF5fcGHppY2Ae0Rizhob HTTP/1.1 Host: www.socialunified.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic | HTTP traffic detected: GET /sqra/?NBZl=RvvWc34iJhU4aDVvCPxlJYXQghZKjT+0jz617RLPtVuesnMs5OzQh/fCAeZj/K6zv/Ow&lzul=wRDL7BohbLBLJV HTTP/1.1 Host: www.lewishackney.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic | HTTP traffic detected: GET /sqra/?lzul=wRDL7BohbLBLJV&NBZl=0hvqTGsG2LXykKa15oAG/2YmS9ez8HJt/56JneCT4XqEJpzhFqXtEbyiFIIf71vevGG9 HTTP/1.1 Host: www.shopthen2.site Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic | HTTP traffic detected: GET /sqra/?lzul=wRDL7BohbLBLJV&NBZl=+apFroP1TjGnxXEe5oaGEFG1FIGlVaZA9Y5GRttzGQ4z+BPhxNKjikjP31UiUH/cC1Iy HTTP/1.1 Host: www.karizcustomizeme.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: Joe Sandbox View | IP Address: 199.59.242.153
Source: Joe Sandbox View | IP Address: 198.185.159.144
Source: Joe Sandbox View | ASN Name: BODIS-NJUS
Source: Joe Sandbox View | ASN Name: HETZNER-ASDE
Source: C:\Windows\explorer.exe | Code function: 5_2_06416302 getaddrinfo,setsockopt,recv,5_2_06416302
Source: unknown | DNS traffic detected: queries for: www.karizcustomizeme.com
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found Server: nginx-reuseport/1.13.4 Date: Thu, 08 Apr 2021 11:02:14 GMT Content-Type: text/html; charset=iso-8859-1 Content-Length: 285 Connection: close Vary: Accept-Encoding Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 73 71 72 61 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 31 30 20 28 55 6e 69 78 29 20 53 65 72 76 65 72 20 61 74 20 77 77 77 2e 73 68 6f 70 74 68 65 6e 32 2e 73 69 74 65 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /sqra/ was not found on this server.</p><hr><address>Apache/2.4.10 (Unix) Server at www.shopthen2.site Port 80</address></body></html>
Source: explorer.exe, 00000005.00000000.240958021.000000000F709000.00000004.00000001.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: explorer.exe, 00000005.00000000.236613725.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
Source: explorer.exe, 00000005.00000000.236613725.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 00000005.00000000.236613725.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: explorer.exe, 00000005.00000000.236613725.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 00000005.00000000.236613725.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: explorer.exe, 00000005.00000000.236613725.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: explorer.exe, 00000005.00000000.236613725.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: explorer.exe, 00000005.00000000.236613725.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: explorer.exe, 00000005.00000000.236613725.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: explorer.exe, 00000005.00000000.236613725.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: explorer.exe, 00000005.00000000.236613725.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: explorer.exe, 00000005.00000000.236613725.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fonts.com
Source: explorer.exe, 00000005.00000000.236613725.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: explorer.exe, 00000005.00000000.236613725.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: explorer.exe, 00000005.00000000.236613725.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: explorer.exe, 00000005.00000000.236613725.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: explorer.exe, 00000005.00000000.236613725.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: explorer.exe, 00000005.00000000.236613725.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: explorer.exe, 00000005.00000000.236613725.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: explorer.exe, 00000005.00000000.236613725.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: explorer.exe, 00000005.00000000.236613725.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.sakkal.com
Source: explorer.exe, 00000005.00000000.236613725.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 00000005.00000000.236613725.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.tiro.com
Source: explorer.exe, 00000005.00000000.236613725.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.typography.netD
Source: explorer.exe, 00000005.00000000.236613725.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
Source: explorer.exe, 00000005.00000000.236613725.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
Source: C:\Users\user\Desktop\LWlcpDjYIQ.exe | Code function: 0_2_00404EBC GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,lstrlenA,GlobalUnlock,SetClipboardData,CloseClipboard,0_2_00404EBC
Source: LWlcpDjYIQ.exe, 00000000.00000002.220096711.00000000007CA000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud:

Yara detected FormBook
Source: Yara match | File source: 00000002.00000002.256436700.00000000006E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000001.215824395.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.474138939.00000000002D0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.256399693.00000000006B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.220675052.000000001EB20000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.256111645.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.475870538.0000000002840000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0.2.LWlcpDjYIQ.exe.1eb20000.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.LWlcpDjYIQ.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.1.LWlcpDjYIQ.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.LWlcpDjYIQ.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.1.LWlcpDjYIQ.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.LWlcpDjYIQ.exe.1eb20000.5.raw.unpack, type: UNPACKEDPE

          System Summary:

          Malicious sample detected (through community Yara rule)
          Source: 00000002.00000002.256436700.00000000006E0000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000002.00000002.256436700.00000000006E0000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000002.00000001.215824395.0000000000400000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000002.00000001.215824395.0000000000400000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000007.00000002.474138939.00000000002D0000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000007.00000002.474138939.00000000002D0000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000002.00000002.256399693.00000000006B0000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000002.00000002.256399693.00000000006B0000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000000.00000002.220675052.000000001EB20000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000000.00000002.220675052.000000001EB20000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000002.00000002.256111645.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000002.00000002.256111645.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000007.00000002.475870538.0000000002840000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000007.00000002.475870538.0000000002840000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0.2.LWlcpDjYIQ.exe.1eb20000.5.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0.2.LWlcpDjYIQ.exe.1eb20000.5.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 2.2.LWlcpDjYIQ.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 2.2.LWlcpDjYIQ.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 2.1.LWlcpDjYIQ.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 2.1.LWlcpDjYIQ.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 2.2.LWlcpDjYIQ.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 2.2.LWlcpDjYIQ.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 2.1.LWlcpDjYIQ.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 2.1.LWlcpDjYIQ.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0.2.LWlcpDjYIQ.exe.1eb20000.5.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0.2.LWlcpDjYIQ.exe.1eb20000.5.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exe Code function: 2_2_004181B0 NtCreateFile
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exe Code function: 2_2_00418260 NtReadFile
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exe Code function: 2_2_004182E0 NtClose
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exe Code function: 2_2_00418390 NtAllocateVirtualMemory
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exe Code function: 2_2_00418202 NtReadFile
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exe Code function: 2_2_0041838A NtAllocateVirtualMemory
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exe Code function: 2_2_00A698F0 NtReadVirtualMemory,LdrInitializeThunk
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exe Code function: 2_2_00A69860 NtQuerySystemInformation,LdrInitializeThunk
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exe Code function: 2_2_00A69840 NtDelayExecution,LdrInitializeThunk
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exe Code function: 2_2_00A699A0 NtCreateSection,LdrInitializeThunk
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exe Code function: 2_2_00A69910 NtAdjustPrivilegesToken,LdrInitializeThunk
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exe Code function: 2_2_00A69A20 NtResumeThread,LdrInitializeThunk
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exe Code function: 2_2_00A69A00 NtProtectVirtualMemory,LdrInitializeThunk
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exe Code function: 2_2_00A69A50 NtCreateFile,LdrInitializeThunk
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exe Code function: 2_2_00A695D0 NtClose,LdrInitializeThunk
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exe Code function: 2_2_00A69540 NtReadFile,LdrInitializeThunk
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exe Code function: 2_2_00A696E0 NtFreeVirtualMemory,LdrInitializeThunk
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exe Code function: 2_2_00A69660 NtAllocateVirtualMemory,LdrInitializeThunk
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exe Code function: 2_2_00A697A0 NtUnmapViewOfSection,LdrInitializeThunk
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exe Code function: 2_2_00A69780 NtMapViewOfSection,LdrInitializeThunk
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exe Code function: 2_2_00A69FE0 NtCreateMutant,LdrInitializeThunk
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exe Code function: 2_2_00A69710 NtQueryInformationToken,LdrInitializeThunk
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exe Code function: 2_2_00A698A0 NtWriteVirtualMemory
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exe Code function: 2_2_00A69820 NtEnumerateKey
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exe Code function: 2_2_00A6B040 NtSuspendThread
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exe Code function: 2_2_00A699D0 NtCreateProcessEx
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exe Code function: 2_2_00A69950 NtQueueApcThread
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exe Code function: 2_2_00A69A80 NtOpenDirectoryObject
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exe Code function: 2_2_00A69A10 NtQuerySection
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exe Code function: 2_2_00A6A3B0 NtGetContextThread
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exe Code function: 2_2_00A69B00 NtSetValueKey
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exe Code function: 2_2_00A695F0 NtQueryInformationFile
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exe Code function: 2_2_00A69520 NtWaitForSingleObject
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exe Code function: 2_2_00A6AD30 NtSetContextThread
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exe Code function: 2_2_00A69560 NtWriteFile
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exe Code function: 2_2_00A696D0 NtCreateKey
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exe Code function: 2_2_00A69610 NtEnumerateValueKey
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exe Code function: 2_2_00A69670 NtQueryInformationProcess
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exe Code function: 2_2_00A69650 NtQueryValueKey
          Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_046B9860 NtQuerySystemInformation,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_046B9840 NtDelayExecution,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_046B9540 NtReadFile,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_046B9910 NtAdjustPrivilegesToken,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_046B95D0 NtClose,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_046B99A0 NtCreateSection,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_046B9660 NtAllocateVirtualMemory,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_046B9A50 NtCreateFile,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_046B9650 NtQueryValueKey,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_046B96E0 NtFreeVirtualMemory,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_046B96D0 NtCreateKey,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_046B9710 NtQueryInformationToken,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_046B9FE0 NtCreateMutant,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_046B9780 NtMapViewOfSection,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_046BB040 NtSuspendThread
          Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_046B9820 NtEnumerateKey
          Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_046B98F0 NtReadVirtualMemory
          Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_046B98A0 NtWriteVirtualMemory
          Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_046B9560 NtWriteFile
          Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_046B9950 NtQueueApcThread
          Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_046B9520 NtWaitForSingleObject
          Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_046BAD30 NtSetContextThread
          Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_046B95F0 NtQueryInformationFile
          Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_046B99D0 NtCreateProcessEx
          Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_046B9670 NtQueryInformationProcess
          Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_046B9A20 NtResumeThread
          Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_046B9A00 NtProtectVirtualMemory
          Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_046B9A10 NtQuerySection
          Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_046B9610 NtEnumerateValueKey
          Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_046B9A80 NtOpenDirectoryObject
          Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_046B9760 NtOpenProcess
          Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_046B9770 NtSetInformationFile
          Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_046BA770 NtOpenThread
          Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_046B9730 NtQueryVirtualMemory
          Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_046B9B00 NtSetValueKey
          Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_046BA710 NtOpenProcessToken
          Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_046B97A0 NtUnmapViewOfSection
          Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_046BA3B0 NtGetContextThread
          Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_028582E0 NtClose
          Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_02858260 NtReadFile
          Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_02858390 NtAllocateVirtualMemory
          Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_028581B0 NtCreateFile
          Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_02858202 NtReadFile
          Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_0285838A NtAllocateVirtualMemory
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exe Code function: 0_2_00403166 EntryPoint,#17,OleInitialize,SHGetFileInfoA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,DeleteFileA,GetCommandLineA,GetModuleHandleA,CharNextA,OleUninitialize,ExitProcess,lstrcatA,CreateDirectoryA,lstrcatA,lstrcatA,DeleteFileA,GetModuleFileNameA,lstrcmpiA,CopyFileA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess
          Source: C:\Windows\SysWOW64\cmstp.exe